
Commit 1d6fe8c

committed
add TLS support for NLB
1 parent d0c3b70 commit 1d6fe8c


2 files changed

+153
-95
lines changed


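--- a/pkg/cloudprovider/providers/aws/aws.go
+++ b/pkg/cloudprovider/providers/aws/aws.go
@@ -3398,7 +3398,7 @@ func (c *Cloud) EnsureLoadBalancer(ctx context.Context, clusterName string, apiS
 listeners := []*elb.Listener{}
 v2Mappings := []nlbPortMapping{}
 
-portList := getPortSets(annotations[ServiceAnnotationLoadBalancerSSLPorts])
+sslPorts := getPortSets(annotations[ServiceAnnotationLoadBalancerSSLPorts])
 for _, port := range apiService.Spec.Ports {
 if port.Protocol != v1.ProtocolTCP {
 return nil, fmt.Errorf("Only TCP LoadBalancer is supported for AWS ELB")
@@ -3409,16 +3409,32 @@ func (c *Cloud) EnsureLoadBalancer(ctx context.Context, clusterName string, apiS
 }
 
 if isNLB(annotations) {
-v2Mappings = append(v2Mappings, nlbPortMapping{
-FrontendPort: int64(port.Port),
-TrafficPort: int64(port.NodePort),
+portMapping := nlbPortMapping{
+FrontendPort: int64(port.Port),
+FrontendProtocol: string(port.Protocol),
+TrafficPort: int64(port.NodePort),
+TrafficProtocol: string(port.Protocol),
+
 // if externalTrafficPolicy == "Local", we'll override the
 // health check later
 HealthCheckPort: int64(port.NodePort),
 HealthCheckProtocol: elbv2.ProtocolEnumTcp,
-})
+}
+
+certificateARN := annotations[ServiceAnnotationLoadBalancerCertificate]
+if certificateARN != "" && (sslPorts == nil || sslPorts.numbers.Has(int64(port.Port)) || sslPorts.names.Has(port.Name)) {
+portMapping.FrontendProtocol = elbv2.ProtocolEnumTls
+portMapping.SSLCertificateARN = certificateARN
+portMapping.SSLPolicy = annotations[ServiceAnnotationLoadBalancerSSLNegotiationPolicy]
+
+if backendProtocol := annotations[ServiceAnnotationLoadBalancerBEProtocol]; backendProtocol == "ssl" {
+portMapping.TrafficProtocol = elbv2.ProtocolEnumTls
+}
+}
+
+v2Mappings = append(v2Mappings, portMapping)
 }
-listener, err := buildListener(port, annotations, portList)
+listener, err := buildListener(port, annotations, sslPorts)
 if err != nil {
 return nil, err
 }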
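Review bot: The backend-protocol check in the second hunk, `backendProtocol == "ssl"`, is an exact-case string match with no handling of other values, so an annotation such as `"SSL"` or `"https"` silently leaves `TrafficProtocol` as plain TCP while the frontend terminates TLS — a downgrade between load balancer and node that nothing reports. Normalising once and rejecting values this path does not understand makes the outcome explicit, e.g. `switch strings.ToLower(backendProtocol) { case "ssl": portMapping.TrafficProtocol = elbv2.ProtocolEnumTls; case "", "tcp": default: return nil, fmt.Errorf("unsupported backend protocol %q for NLB", backendProtocol) }`; if the classic-ELB path in buildListener already treats these values differently, mirror that contract here so the two listener types agree. The `certificateARN` and backend-protocol annotation lookups are also repeated on every iteration of the port loop and could be hoisted above the `for`. The `sslPorts == nil` branch deserves a comment, since its meaning depends on getPortSets' contract, presumably `// sslPorts == nil: no SSL-ports annotation, so every port gets the TLS listener`. EnsureLoadBalancer begins before and continues past this hunk.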
