feat: Track SSL policy source to prevent LB recreation on CLI changes (#774)

- Add HasSSLPolicyAnnotation field to distinguish annotation-based SSL
policy from CLI defaults
- Only enforce SSL policy matching for shared LBs when ingress has
explicit annotation
- Add SSL policy to inSync() check to trigger updates instead of new LB
creation
- Update load balancer SSL policy when adding ingress to allow CLI
changes to propagate
- Add comprehensive unit tests for SSL policy annotation detection and
matching logic

Fixes issue where changing --ssl-policy command-line flag would create
new load balancers instead of updating existing ones. Now only ingresses
with explicit SSL policy annotations will create separate load
balancers, while CLI changes will update existing LBs.

Fixes #772"

Signed-off-by: Lambert Pandian <lambert_pandian@trimble.com>

Author: lambertpandian

kubernetes/adapter.go

@@ -93,12 +93,13 @@ type Ingress struct {
 	Name             string
 	Shared           bool
 	HTTP2            bool
-	ClusterLocal     bool
-	CertificateARN   string
-	Hostname         string
-	Scheme           string
-	SecurityGroup    string
-	SSLPolicy        string
+	ClusterLocal           bool
+	CertificateARN          string
+	Hostname                string
+	Scheme                  string
+	SecurityGroup           string
+	SSLPolicy               string
+	HasSSLPolicyAnnotation  bool
 	IPAddressType    string
 	LoadBalancerType string
 	WAFWebACLID      string
@@ -205,8 +206,13 @@ func (a *Adapter) newIngress(typ IngressType, metadata kubeItemMetadata, host st
 	ipAddressType := getAnnotationsString(annotations, ingressALBIPAddressType, a.ingressIpAddressType)
 
 	sslPolicy := getAnnotationsString(annotations, ingressSSLPolicyAnnotation, a.ingressDefaultSSLPolicy)
+	hasSSLPolicyAnnotation := false
+	if _, ok := annotations[ingressSSLPolicyAnnotation]; ok {
+		hasSSLPolicyAnnotation = true
+	}
 	if _, ok := aws.SSLPolicies[sslPolicy]; !ok {
 		sslPolicy = a.ingressDefaultSSLPolicy
+		hasSSLPolicyAnnotation = false
 	}
 
 	loadBalancerType, hasLB := annotations[ingressLoadBalancerTypeAnnotation]
@@ -248,21 +254,22 @@ func (a *Adapter) newIngress(typ IngressType, metadata kubeItemMetadata, host st
 	}
 
 	return &Ingress{
-		ResourceType:     typ,
-		Namespace:        metadata.Namespace,
-		Name:             metadata.Name,
-		Hostname:         host,
-		Hostnames:        hostnames,
-		ClusterLocal:     len(hostnames) < 1,
-		CertificateARN:   getAnnotationsString(annotations, ingressCertificateARNAnnotation, ""),
-		Scheme:           string(scheme),
-		Shared:           shared,
-		SecurityGroup:    securityGroup,
-		SSLPolicy:        sslPolicy,
-		IPAddressType:    ipAddressType,
-		LoadBalancerType: loadBalancerType,
-		WAFWebACLID:      wafWebAclId,
-		HTTP2:            http2,
+		ResourceType:           typ,
+		Namespace:              metadata.Namespace,
+		Name:                   metadata.Name,
+		Hostname:               host,
+		Hostnames:              hostnames,
+		ClusterLocal:           len(hostnames) < 1,
+		CertificateARN:         getAnnotationsString(annotations, ingressCertificateARNAnnotation, ""),
+		Scheme:                 string(scheme),
+		Shared:                 shared,
+		SecurityGroup:          securityGroup,
+		SSLPolicy:              sslPolicy,
+		HasSSLPolicyAnnotation: hasSSLPolicyAnnotation,
+		IPAddressType:          ipAddressType,
+		LoadBalancerType:       loadBalancerType,
+		WAFWebACLID:            wafWebAclId,
+		HTTP2:                  http2,
 	}, nil
 }
 

kubernetes/adapter_ssl_policy_test.go

@@ -0,0 +1,86 @@
+package kubernetes
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/zalando-incubator/kube-ingress-aws-controller/aws"
+)
+
+func TestHasSSLPolicyAnnotation(t *testing.T) {
+	defaultSSLPolicy := "ELBSecurityPolicy-2016-08"
+	customSSLPolicy := "ELBSecurityPolicy-TLS-1-2-2017-01"
+
+	tests := []struct {
+		name                      string
+		annotations               map[string]string
+		expectedSSLPolicy         string
+		expectedHasAnnotation     bool
+	}{
+		{
+			name:                  "no SSL policy annotation - uses default",
+			annotations:           map[string]string{},
+			expectedSSLPolicy:     defaultSSLPolicy,
+			expectedHasAnnotation: false,
+		},
+		{
+			name: "explicit SSL policy annotation",
+			annotations: map[string]string{
+				ingressSSLPolicyAnnotation: customSSLPolicy,
+			},
+			expectedSSLPolicy:     customSSLPolicy,
+			expectedHasAnnotation: true,
+		},
+		{
+			name: "invalid SSL policy annotation - falls back to default",
+			annotations: map[string]string{
+				ingressSSLPolicyAnnotation: "InvalidPolicy",
+			},
+			expectedSSLPolicy:     defaultSSLPolicy,
+			expectedHasAnnotation: false,
+		},
+		{
+			name: "valid SSL policy same as default - still marked as annotation",
+			annotations: map[string]string{
+				ingressSSLPolicyAnnotation: defaultSSLPolicy,
+			},
+			expectedSSLPolicy:     defaultSSLPolicy,
+			expectedHasAnnotation: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			adapter, err := NewAdapter(
+				testConfig,
+				IngressAPIVersionNetworking,
+				[]string{},
+				"sg-123",
+				defaultSSLPolicy,
+				aws.LoadBalancerTypeApplication,
+				"",
+				aws.IPAddressTypeIPV4,
+				false,
+			)
+			assert.NoError(t, err)
+
+			kubeIngress := &ingress{
+				Metadata: kubeItemMetadata{
+					Namespace:   "default",
+					Name:        "test-ingress",
+					Annotations: tt.annotations,
+				},
+				Spec: ingressSpec{
+					Rules: []ingressItemRule{
+						{Host: "example.com"},
+					},
+				},
+			}
+
+			result, err := adapter.newIngressFromKube(kubeIngress)
+			assert.NoError(t, err)
+			assert.Equal(t, tt.expectedSSLPolicy, result.SSLPolicy, "SSL policy mismatch")
+			assert.Equal(t, tt.expectedHasAnnotation, result.HasSSLPolicyAnnotation, "HasSSLPolicyAnnotation mismatch")
+		})
+	}
+}

kubernetes/adapter_test.go

@@ -38,20 +38,21 @@ func TestNewIngressFromKube(tt *testing.T) {
 			msg:                     "test parsing a simple ingress object",
 			defaultLoadBalancerType: aws.LoadBalancerTypeApplication,
 			ingress: &Ingress{
-				Namespace:        "default",
-				Name:             "foo",
-				Hostname:         "bar",
-				Scheme:           "internal",
-				CertificateARN:   "zbr",
-				Shared:           true,
-				HTTP2:            true,
-				Hostnames:        []string{"domain.example.org"},
-				SecurityGroup:    testSecurityGroup,
-				SSLPolicy:        testSSLPolicy,
-				IPAddressType:    testIPAddressTypeDefault,
-				LoadBalancerType: aws.LoadBalancerTypeApplication,
-				ResourceType:     TypeIngress,
-				WAFWebACLID:      testWAFWebACLID,
+				Namespace:              "default",
+				Name:                   "foo",
+				Hostname:               "bar",
+				Scheme:                 "internal",
+				CertificateARN:         "zbr",
+				Shared:                 true,
+				HTTP2:                  true,
+				Hostnames:              []string{"domain.example.org"},
+				SecurityGroup:          testSecurityGroup,
+				SSLPolicy:              testSSLPolicy,
+				HasSSLPolicyAnnotation: true,
+				IPAddressType:          testIPAddressTypeDefault,
+				LoadBalancerType:       aws.LoadBalancerTypeApplication,
+				ResourceType:           TypeIngress,
+				WAFWebACLID:            testWAFWebACLID,
 			},
 			kubeIngress: &ingress{
 				Metadata: kubeItemMetadata{
@@ -90,20 +91,21 @@ func TestNewIngressFromKube(tt *testing.T) {
 			msg:                     "test parsing an ingress object with cluster.local domain",
 			defaultLoadBalancerType: aws.LoadBalancerTypeApplication,
 			ingress: &Ingress{
-				Namespace:        "default",
-				Name:             "foo",
-				Hostname:         "bar",
-				Scheme:           "internal",
-				CertificateARN:   "zbr",
-				Shared:           true,
-				HTTP2:            true,
-				ClusterLocal:     true,
-				SecurityGroup:    testSecurityGroup,
-				SSLPolicy:        testSSLPolicy,
-				IPAddressType:    testIPAddressTypeDefault,
-				LoadBalancerType: aws.LoadBalancerTypeApplication,
-				ResourceType:     TypeIngress,
-				WAFWebACLID:      testWAFWebACLID,
+			Namespace:              "default",
+			Name:                   "foo",
+			Hostname:               "bar",
+			Scheme:                 "internal",
+			CertificateARN:         "zbr",
+			Shared:                 true,
+			HTTP2:                  true,
+			ClusterLocal:           true,
+			SecurityGroup:          testSecurityGroup,
+			SSLPolicy:              testSSLPolicy,
+			HasSSLPolicyAnnotation: true,
+			IPAddressType:          testIPAddressTypeDefault,
+			LoadBalancerType:       aws.LoadBalancerTypeApplication,
+			ResourceType:           TypeIngress,
+			WAFWebACLID:            testWAFWebACLID,
 			},
 			kubeIngress: &ingress{
 				Metadata: kubeItemMetadata{
@@ -142,20 +144,21 @@ func TestNewIngressFromKube(tt *testing.T) {
 			msg:                     "test parsing an ingress object with shared=false,h2-enabled=false annotations",
 			defaultLoadBalancerType: aws.LoadBalancerTypeApplication,
 			ingress: &Ingress{
-				Namespace:        "default",
-				Name:             "foo",
-				Hostname:         "bar",
-				Scheme:           "internal",
-				CertificateARN:   "zbr",
-				Shared:           false,
-				HTTP2:            false,
-				ClusterLocal:     true,
-				SecurityGroup:    testSecurityGroup,
-				SSLPolicy:        testSSLPolicy,
-				IPAddressType:    testIPAddressTypeDefault,
-				LoadBalancerType: aws.LoadBalancerTypeApplication,
-				ResourceType:     TypeIngress,
-				WAFWebACLID:      testWAFWebACLID,
+			Namespace:              "default",
+			Name:                   "foo",
+			Hostname:               "bar",
+			Scheme:                 "internal",
+			CertificateARN:         "zbr",
+			Shared:                 false,
+			HTTP2:                  false,
+			ClusterLocal:           true,
+			SecurityGroup:          testSecurityGroup,
+			SSLPolicy:              testSSLPolicy,
+			HasSSLPolicyAnnotation: true,
+			IPAddressType:          testIPAddressTypeDefault,
+			LoadBalancerType:       aws.LoadBalancerTypeApplication,
+			ResourceType:           TypeIngress,
+			WAFWebACLID:            testWAFWebACLID,
 			},
 			kubeIngress: &ingress{
 				Metadata: kubeItemMetadata{
@@ -187,20 +190,21 @@ func TestNewIngressFromKube(tt *testing.T) {
 			msg:                     "test parsing an ingress object with dualstack annotation",
 			defaultLoadBalancerType: aws.LoadBalancerTypeApplication,
 			ingress: &Ingress{
-				Namespace:        "default",
-				Name:             "foo",
-				Hostname:         "bar",
-				Scheme:           "internal",
-				CertificateARN:   "zbr",
-				Shared:           true,
-				HTTP2:            true,
-				ClusterLocal:     true,
-				SecurityGroup:    testSecurityGroup,
-				SSLPolicy:        testSSLPolicy,
-				IPAddressType:    testIPAddressTypeDualStack,
-				LoadBalancerType: aws.LoadBalancerTypeApplication,
-				ResourceType:     TypeIngress,
-				WAFWebACLID:      testWAFWebACLID,
+			Namespace:              "default",
+			Name:                   "foo",
+			Hostname:               "bar",
+			Scheme:                 "internal",
+			CertificateARN:         "zbr",
+			Shared:                 true,
+			HTTP2:                  true,
+			ClusterLocal:           true,
+			SecurityGroup:          testSecurityGroup,
+			SSLPolicy:              testSSLPolicy,
+			HasSSLPolicyAnnotation: true,
+			IPAddressType:          testIPAddressTypeDualStack,
+			LoadBalancerType:       aws.LoadBalancerTypeApplication,
+			ResourceType:           TypeIngress,
+			WAFWebACLID:            testWAFWebACLID,
 			},
 			kubeIngress: &ingress{
 				Metadata: kubeItemMetadata{

worker.go

@@ -88,7 +88,8 @@ func (l *loadBalancer) Status() int {
 func (l *loadBalancer) inSync() bool {
 	return reflect.DeepEqual(l.CertificateARNs(), l.stack.CertificateARNs) &&
 		l.stack.CWAlarmConfigHash == l.cwAlarms.Hash() &&
-		l.wafWebACLID == l.stack.WAFWebACLID
+		l.wafWebACLID == l.stack.WAFWebACLID &&
+		l.sslPolicy == l.stack.SSLPolicy
 }
 
 // addIngress adds an ingress object to the load balancer.
@@ -132,7 +133,7 @@ func (l *loadBalancer) addIngress(certificateARNs []string, ingress *kubernetes.
 	// settings that can be changed on an existing load balancer if it's
 	// NOT shared.
 	if ingress.Shared && (l.securityGroup != ingress.SecurityGroup ||
-		l.sslPolicy != ingress.SSLPolicy ||
+		(ingress.HasSSLPolicyAnnotation && l.sslPolicy != ingress.SSLPolicy) ||
 		l.wafWebACLID != ingress.WAFWebACLID) {
 		return false
 	}
@@ -158,6 +159,7 @@ func (l *loadBalancer) addIngress(certificateARNs []string, ingress *kubernetes.
 	}
 
 	l.shared = ingress.Shared
+	l.sslPolicy = ingress.SSLPolicy
 	return true
 }