
Commit 4f08ea9

authored
Merge pull request kubernetes#74910 from M00nF1sh/nlb_tls
add TLS support for NLB / fix several NLB bugs
2 parents 1e01523 + 1d6fe8c commit 4f08ea9


2 files changed

+153
-95
lines changed


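--- a/pkg/cloudprovider/providers/aws/aws.go
+++ b/pkg/cloudprovider/providers/aws/aws.go
@@ -3396,7 +3396,7 @@ func (c *Cloud) EnsureLoadBalancer(ctx context.Context, clusterName string, apiS
 listeners := []*elb.Listener{}
 v2Mappings := []nlbPortMapping{}
 
-portList := getPortSets(annotations[ServiceAnnotationLoadBalancerSSLPorts])
+sslPorts := getPortSets(annotations[ServiceAnnotationLoadBalancerSSLPorts])
 for _, port := range apiService.Spec.Ports {
 if port.Protocol != v1.ProtocolTCP {
 return nil, fmt.Errorf("Only TCP LoadBalancer is supported for AWS ELB")
@@ -3407,16 +3407,32 @@ func (c *Cloud) EnsureLoadBalancer(ctx context.Context, clusterName string, apiS
 }
 
 if isNLB(annotations) {
-v2Mappings = append(v2Mappings, nlbPortMapping{
-FrontendPort: int64(port.Port),
-TrafficPort: int64(port.NodePort),
+portMapping := nlbPortMapping{
+FrontendPort: int64(port.Port),
+FrontendProtocol: string(port.Protocol),
+TrafficPort: int64(port.NodePort),
+TrafficProtocol: string(port.Protocol),
+
 // if externalTrafficPolicy == "Local", we'll override the
 // health check later
 HealthCheckPort: int64(port.NodePort),
 HealthCheckProtocol: elbv2.ProtocolEnumTcp,
-})
+}
+
+certificateARN := annotations[ServiceAnnotationLoadBalancerCertificate]
+if certificateARN != "" && (sslPorts == nil || sslPorts.numbers.Has(int64(port.Port)) || sslPorts.names.Has(port.Name)) {
+portMapping.FrontendProtocol = elbv2.ProtocolEnumTls
+portMapping.SSLCertificateARN = certificateARN
+portMapping.SSLPolicy = annotations[ServiceAnnotationLoadBalancerSSLNegotiationPolicy]
+
+if backendProtocol := annotations[ServiceAnnotationLoadBalancerBEProtocol]; backendProtocol == "ssl" {
+portMapping.TrafficProtocol = elbv2.ProtocolEnumTls
+}
+}
+
+v2Mappings = append(v2Mappings, portMapping)
 }
-listener, err := buildListener(port, annotations, portList)
+listener, err := buildListener(port, annotations, sslPorts)
 if err != nil {
 return nil, err
 }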
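Review bot: The backend-protocol check at new line 3428 silently treats every value of ServiceAnnotationLoadBalancerBEProtocol other than the exact string "ssl" as plain TCP, so a typo or a value that only the classic-ELB path understands leaves the NLB-to-backend leg unencrypted behind a TLS listener with no error, even though the same loop already rejects non-TCP ports with fmt.Errorf. Making the unsupported case an explicit error surfaces the misconfiguration at EnsureLoadBalancer time rather than as an unexpectedly plaintext backend; which additional values (such as "tcp") must stay accepted depends on what buildListener allows for the same annotation, which is outside this hunk. A smaller point of style: certificateARN at new line 3422 is read from annotations on every iteration although it does not depend on port, so it could be hoisted next to sslPorts above the loop. EnsureLoadBalancer starts before and continues after the hunk.
```go
// … unchanged: portMapping construction and TLS frontend settings …
switch backendProtocol := annotations[ServiceAnnotationLoadBalancerBEProtocol]; backendProtocol {
case "", "tcp":
	// backend leg stays TCP
case "ssl":
	portMapping.TrafficProtocol = elbv2.ProtocolEnumTls
default:
	return nil, fmt.Errorf("unsupported backend protocol %q for NLB", backendProtocol)
}
// … unchanged: append to v2Mappings …
```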
