From d0c13bf1576965a3b65fc09ebce94ed9f86833a2 Mon Sep 17 00:00:00 2001 From: Shraddha Bang <18206078+shraddhabang@users.noreply.github.com> Date: Fri, 26 Jan 2024 13:51:34 -0800 Subject: [PATCH] Implement mutual TLS authentication support for Ingress (#3532) * Implement mutual TLS authentication support for Ingress * Addressing comments and adding policy updates * Adding dependency for maps * removing ingressClassParam support --- .github/workflows/test.yaml | 2 +- controllers/ingress/group_controller.go | 2 +- docs/install/iam_policy.json | 3 +- docs/install/iam_policy_us-gov.json | 3 +- go.mod | 6 +- go.sum | 2 + pkg/annotations/constants.go | 1 + pkg/aws/services/ec2_mocks.go | 300 +++++++++++ pkg/aws/services/elbv2_mocks.go | 599 ++++++++++++++++++++++ pkg/deploy/elbv2/listener_manager.go | 25 +- pkg/deploy/elbv2/listener_manager_test.go | 97 +++- pkg/ingress/model_build_listener.go | 183 ++++++- pkg/ingress/model_builder.go | 38 +- pkg/ingress/model_builder_test.go | 12 +- pkg/model/elbv2/listener.go | 22 + test/e2e/ingress/vanilla_ingress_test.go | 6 +- 16 files changed, 1264 insertions(+), 37 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 3b1078cc7..7708a7220 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -10,7 +10,7 @@ jobs: - name: Set up Go 1.x uses: actions/setup-go@v2 with: - go-version: ^1.19 + go-version: ^1.21 - name: Check out code into the Go module directory uses: actions/checkout@v2 diff --git a/controllers/ingress/group_controller.go b/controllers/ingress/group_controller.go index af9d8f755..5fd4ae287 100644 --- a/controllers/ingress/group_controller.go +++ b/controllers/ingress/group_controller.go @@ -56,7 +56,7 @@ func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder trackingProvider := tracking.NewDefaultProvider(ingressTagPrefix, controllerConfig.ClusterName) elbv2TaggingManager := elbv2deploy.NewDefaultTaggingManager(cloud.ELBV2(), cloud.VpcID(), controllerConfig.FeatureGates, cloud.RGT(), logger) modelBuilder := ingress.NewDefaultModelBuilder(k8sClient, eventRecorder, - cloud.EC2(), cloud.ACM(), + cloud.EC2(), cloud.ELBV2(), cloud.ACM(), annotationParser, subnetsResolver, authConfigBuilder, enhancedBackendBuilder, trackingProvider, elbv2TaggingManager, controllerConfig.FeatureGates, cloud.VpcID(), controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags, diff --git a/docs/install/iam_policy.json b/docs/install/iam_policy.json index 7944f2a12..e8a05f8e6 100644 --- a/docs/install/iam_policy.json +++ b/docs/install/iam_policy.json @@ -38,7 +38,8 @@ "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:DescribeTags" + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:DescribeTrustStores" ], "Resource": "*" }, diff --git a/docs/install/iam_policy_us-gov.json b/docs/install/iam_policy_us-gov.json index 85a4ba214..97ccf2ebb 100644 --- a/docs/install/iam_policy_us-gov.json +++ b/docs/install/iam_policy_us-gov.json @@ -38,7 +38,8 @@ "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:DescribeTags" + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:DescribeTrustStores" ], "Resource": "*" }, diff --git a/go.mod b/go.mod index 131af9805..a78e2063c 100644 --- a/go.mod +++ b/go.mod @@ -1,9 +1,9 @@ module sigs.k8s.io/aws-load-balancer-controller -go 1.20 +go 1.21 require ( - github.com/aws/aws-sdk-go v1.47.13 + github.com/aws/aws-sdk-go v1.48.10 github.com/evanphx/json-patch v5.6.0+incompatible github.com/gavv/httpexpect/v2 v2.9.0 github.com/go-logr/logr v1.2.4 @@ -23,6 +23,7 @@ require ( k8s.io/apimachinery v0.26.5 k8s.io/cli-runtime v0.26.3 k8s.io/client-go v0.26.5 + k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 sigs.k8s.io/controller-runtime v0.14.6 sigs.k8s.io/yaml v1.3.0 ) @@ -156,7 +157,6 @@ require ( k8s.io/klog/v2 v2.80.1 // indirect k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect k8s.io/kubectl v0.26.0 // indirect - k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 // indirect moul.io/http2curl/v2 v2.3.0 // indirect oras.land/oras-go v1.2.2 // indirect sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect diff --git a/go.sum b/go.sum index d924ceac8..da3033051 100644 --- a/go.sum +++ b/go.sum @@ -79,6 +79,8 @@ github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 h1:4daAzAu0 github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535/go.mod h1:oGkLhpf+kjZl6xBf758TQhh5XrAeiJv/7FRz/2spLIg= github.com/aws/aws-sdk-go v1.47.13 h1:pJgCtldg5azDAFoEcE0fz6n+FnCc1/FY4krtUa5uvZQ= github.com/aws/aws-sdk-go v1.47.13/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go v1.48.10 h1:0LIFG3wp2Dt6PsxKWCg1Y1xRrn2vZnW5/gWdgaBalKg= +github.com/aws/aws-sdk-go v1.48.10/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= diff --git a/pkg/annotations/constants.go b/pkg/annotations/constants.go index 7f7f1becd..c3e686e08 100644 --- a/pkg/annotations/constants.go +++ b/pkg/annotations/constants.go @@ -46,6 +46,7 @@ const ( IngressSuffixAuthSessionTimeout = "auth-session-timeout" IngressSuffixTargetNodeLabels = "target-node-labels" IngressSuffixManageSecurityGroupRules = "manage-backend-security-group-rules" + IngressSuffixMutualAuthentication = "mutual-authentication" // NLB annotation suffixes // prefixes service.beta.kubernetes.io, service.kubernetes.io diff --git a/pkg/aws/services/ec2_mocks.go b/pkg/aws/services/ec2_mocks.go index 3f7a69830..0e2419f51 100644 --- a/pkg/aws/services/ec2_mocks.go +++ b/pkg/aws/services/ec2_mocks.go @@ -1086,6 +1086,56 @@ func (mr *MockEC2MockRecorder) AssociateInstanceEventWindowWithContext(arg0, arg return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AssociateInstanceEventWindowWithContext", reflect.TypeOf((*MockEC2)(nil).AssociateInstanceEventWindowWithContext), varargs...) } +// AssociateIpamByoasn mocks base method. +func (m *MockEC2) AssociateIpamByoasn(arg0 *ec2.AssociateIpamByoasnInput) (*ec2.AssociateIpamByoasnOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "AssociateIpamByoasn", arg0) + ret0, _ := ret[0].(*ec2.AssociateIpamByoasnOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// AssociateIpamByoasn indicates an expected call of AssociateIpamByoasn. +func (mr *MockEC2MockRecorder) AssociateIpamByoasn(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AssociateIpamByoasn", reflect.TypeOf((*MockEC2)(nil).AssociateIpamByoasn), arg0) +} + +// AssociateIpamByoasnRequest mocks base method. +func (m *MockEC2) AssociateIpamByoasnRequest(arg0 *ec2.AssociateIpamByoasnInput) (*request.Request, *ec2.AssociateIpamByoasnOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "AssociateIpamByoasnRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*ec2.AssociateIpamByoasnOutput) + return ret0, ret1 +} + +// AssociateIpamByoasnRequest indicates an expected call of AssociateIpamByoasnRequest. +func (mr *MockEC2MockRecorder) AssociateIpamByoasnRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AssociateIpamByoasnRequest", reflect.TypeOf((*MockEC2)(nil).AssociateIpamByoasnRequest), arg0) +} + +// AssociateIpamByoasnWithContext mocks base method. +func (m *MockEC2) AssociateIpamByoasnWithContext(arg0 context.Context, arg1 *ec2.AssociateIpamByoasnInput, arg2 ...request.Option) (*ec2.AssociateIpamByoasnOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "AssociateIpamByoasnWithContext", varargs...) + ret0, _ := ret[0].(*ec2.AssociateIpamByoasnOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// AssociateIpamByoasnWithContext indicates an expected call of AssociateIpamByoasnWithContext. +func (mr *MockEC2MockRecorder) AssociateIpamByoasnWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AssociateIpamByoasnWithContext", reflect.TypeOf((*MockEC2)(nil).AssociateIpamByoasnWithContext), varargs...) +} + // AssociateIpamResourceDiscovery mocks base method. func (m *MockEC2) AssociateIpamResourceDiscovery(arg0 *ec2.AssociateIpamResourceDiscoveryInput) (*ec2.AssociateIpamResourceDiscoveryOutput, error) { m.ctrl.T.Helper() @@ -10586,6 +10636,56 @@ func (mr *MockEC2MockRecorder) DeprovisionByoipCidrWithContext(arg0, arg1 interf return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeprovisionByoipCidrWithContext", reflect.TypeOf((*MockEC2)(nil).DeprovisionByoipCidrWithContext), varargs...) } +// DeprovisionIpamByoasn mocks base method. +func (m *MockEC2) DeprovisionIpamByoasn(arg0 *ec2.DeprovisionIpamByoasnInput) (*ec2.DeprovisionIpamByoasnOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DeprovisionIpamByoasn", arg0) + ret0, _ := ret[0].(*ec2.DeprovisionIpamByoasnOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DeprovisionIpamByoasn indicates an expected call of DeprovisionIpamByoasn. +func (mr *MockEC2MockRecorder) DeprovisionIpamByoasn(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeprovisionIpamByoasn", reflect.TypeOf((*MockEC2)(nil).DeprovisionIpamByoasn), arg0) +} + +// DeprovisionIpamByoasnRequest mocks base method. +func (m *MockEC2) DeprovisionIpamByoasnRequest(arg0 *ec2.DeprovisionIpamByoasnInput) (*request.Request, *ec2.DeprovisionIpamByoasnOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DeprovisionIpamByoasnRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*ec2.DeprovisionIpamByoasnOutput) + return ret0, ret1 +} + +// DeprovisionIpamByoasnRequest indicates an expected call of DeprovisionIpamByoasnRequest. +func (mr *MockEC2MockRecorder) DeprovisionIpamByoasnRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeprovisionIpamByoasnRequest", reflect.TypeOf((*MockEC2)(nil).DeprovisionIpamByoasnRequest), arg0) +} + +// DeprovisionIpamByoasnWithContext mocks base method. +func (m *MockEC2) DeprovisionIpamByoasnWithContext(arg0 context.Context, arg1 *ec2.DeprovisionIpamByoasnInput, arg2 ...request.Option) (*ec2.DeprovisionIpamByoasnOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "DeprovisionIpamByoasnWithContext", varargs...) + ret0, _ := ret[0].(*ec2.DeprovisionIpamByoasnOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DeprovisionIpamByoasnWithContext indicates an expected call of DeprovisionIpamByoasnWithContext. +func (mr *MockEC2MockRecorder) DeprovisionIpamByoasnWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeprovisionIpamByoasnWithContext", reflect.TypeOf((*MockEC2)(nil).DeprovisionIpamByoasnWithContext), varargs...) +} + // DeprovisionIpamPoolCidr mocks base method. func (m *MockEC2) DeprovisionIpamPoolCidr(arg0 *ec2.DeprovisionIpamPoolCidrInput) (*ec2.DeprovisionIpamPoolCidrOutput, error) { m.ctrl.T.Helper() @@ -14988,6 +15088,56 @@ func (mr *MockEC2MockRecorder) DescribeInternetGatewaysWithContext(arg0, arg1 in return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeInternetGatewaysWithContext", reflect.TypeOf((*MockEC2)(nil).DescribeInternetGatewaysWithContext), varargs...) } +// DescribeIpamByoasn mocks base method. +func (m *MockEC2) DescribeIpamByoasn(arg0 *ec2.DescribeIpamByoasnInput) (*ec2.DescribeIpamByoasnOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DescribeIpamByoasn", arg0) + ret0, _ := ret[0].(*ec2.DescribeIpamByoasnOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DescribeIpamByoasn indicates an expected call of DescribeIpamByoasn. +func (mr *MockEC2MockRecorder) DescribeIpamByoasn(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeIpamByoasn", reflect.TypeOf((*MockEC2)(nil).DescribeIpamByoasn), arg0) +} + +// DescribeIpamByoasnRequest mocks base method. +func (m *MockEC2) DescribeIpamByoasnRequest(arg0 *ec2.DescribeIpamByoasnInput) (*request.Request, *ec2.DescribeIpamByoasnOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DescribeIpamByoasnRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*ec2.DescribeIpamByoasnOutput) + return ret0, ret1 +} + +// DescribeIpamByoasnRequest indicates an expected call of DescribeIpamByoasnRequest. +func (mr *MockEC2MockRecorder) DescribeIpamByoasnRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeIpamByoasnRequest", reflect.TypeOf((*MockEC2)(nil).DescribeIpamByoasnRequest), arg0) +} + +// DescribeIpamByoasnWithContext mocks base method. +func (m *MockEC2) DescribeIpamByoasnWithContext(arg0 context.Context, arg1 *ec2.DescribeIpamByoasnInput, arg2 ...request.Option) (*ec2.DescribeIpamByoasnOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "DescribeIpamByoasnWithContext", varargs...) + ret0, _ := ret[0].(*ec2.DescribeIpamByoasnOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DescribeIpamByoasnWithContext indicates an expected call of DescribeIpamByoasnWithContext. +func (mr *MockEC2MockRecorder) DescribeIpamByoasnWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeIpamByoasnWithContext", reflect.TypeOf((*MockEC2)(nil).DescribeIpamByoasnWithContext), varargs...) +} + // DescribeIpamPools mocks base method. func (m *MockEC2) DescribeIpamPools(arg0 *ec2.DescribeIpamPoolsInput) (*ec2.DescribeIpamPoolsOutput, error) { m.ctrl.T.Helper() @@ -23375,6 +23525,56 @@ func (mr *MockEC2MockRecorder) DisassociateInstanceEventWindowWithContext(arg0, return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DisassociateInstanceEventWindowWithContext", reflect.TypeOf((*MockEC2)(nil).DisassociateInstanceEventWindowWithContext), varargs...) } +// DisassociateIpamByoasn mocks base method. +func (m *MockEC2) DisassociateIpamByoasn(arg0 *ec2.DisassociateIpamByoasnInput) (*ec2.DisassociateIpamByoasnOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DisassociateIpamByoasn", arg0) + ret0, _ := ret[0].(*ec2.DisassociateIpamByoasnOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DisassociateIpamByoasn indicates an expected call of DisassociateIpamByoasn. +func (mr *MockEC2MockRecorder) DisassociateIpamByoasn(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DisassociateIpamByoasn", reflect.TypeOf((*MockEC2)(nil).DisassociateIpamByoasn), arg0) +} + +// DisassociateIpamByoasnRequest mocks base method. +func (m *MockEC2) DisassociateIpamByoasnRequest(arg0 *ec2.DisassociateIpamByoasnInput) (*request.Request, *ec2.DisassociateIpamByoasnOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DisassociateIpamByoasnRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*ec2.DisassociateIpamByoasnOutput) + return ret0, ret1 +} + +// DisassociateIpamByoasnRequest indicates an expected call of DisassociateIpamByoasnRequest. +func (mr *MockEC2MockRecorder) DisassociateIpamByoasnRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DisassociateIpamByoasnRequest", reflect.TypeOf((*MockEC2)(nil).DisassociateIpamByoasnRequest), arg0) +} + +// DisassociateIpamByoasnWithContext mocks base method. +func (m *MockEC2) DisassociateIpamByoasnWithContext(arg0 context.Context, arg1 *ec2.DisassociateIpamByoasnInput, arg2 ...request.Option) (*ec2.DisassociateIpamByoasnOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "DisassociateIpamByoasnWithContext", varargs...) + ret0, _ := ret[0].(*ec2.DisassociateIpamByoasnOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DisassociateIpamByoasnWithContext indicates an expected call of DisassociateIpamByoasnWithContext. +func (mr *MockEC2MockRecorder) DisassociateIpamByoasnWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DisassociateIpamByoasnWithContext", reflect.TypeOf((*MockEC2)(nil).DisassociateIpamByoasnWithContext), varargs...) +} + // DisassociateIpamResourceDiscovery mocks base method. func (m *MockEC2) DisassociateIpamResourceDiscovery(arg0 *ec2.DisassociateIpamResourceDiscoveryInput) (*ec2.DisassociateIpamResourceDiscoveryOutput, error) { m.ctrl.T.Helper() @@ -25973,6 +26173,56 @@ func (mr *MockEC2MockRecorder) GetIpamDiscoveredAccountsWithContext(arg0, arg1 i return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetIpamDiscoveredAccountsWithContext", reflect.TypeOf((*MockEC2)(nil).GetIpamDiscoveredAccountsWithContext), varargs...) } +// GetIpamDiscoveredPublicAddresses mocks base method. +func (m *MockEC2) GetIpamDiscoveredPublicAddresses(arg0 *ec2.GetIpamDiscoveredPublicAddressesInput) (*ec2.GetIpamDiscoveredPublicAddressesOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetIpamDiscoveredPublicAddresses", arg0) + ret0, _ := ret[0].(*ec2.GetIpamDiscoveredPublicAddressesOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// GetIpamDiscoveredPublicAddresses indicates an expected call of GetIpamDiscoveredPublicAddresses. +func (mr *MockEC2MockRecorder) GetIpamDiscoveredPublicAddresses(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetIpamDiscoveredPublicAddresses", reflect.TypeOf((*MockEC2)(nil).GetIpamDiscoveredPublicAddresses), arg0) +} + +// GetIpamDiscoveredPublicAddressesRequest mocks base method. +func (m *MockEC2) GetIpamDiscoveredPublicAddressesRequest(arg0 *ec2.GetIpamDiscoveredPublicAddressesInput) (*request.Request, *ec2.GetIpamDiscoveredPublicAddressesOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetIpamDiscoveredPublicAddressesRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*ec2.GetIpamDiscoveredPublicAddressesOutput) + return ret0, ret1 +} + +// GetIpamDiscoveredPublicAddressesRequest indicates an expected call of GetIpamDiscoveredPublicAddressesRequest. +func (mr *MockEC2MockRecorder) GetIpamDiscoveredPublicAddressesRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetIpamDiscoveredPublicAddressesRequest", reflect.TypeOf((*MockEC2)(nil).GetIpamDiscoveredPublicAddressesRequest), arg0) +} + +// GetIpamDiscoveredPublicAddressesWithContext mocks base method. +func (m *MockEC2) GetIpamDiscoveredPublicAddressesWithContext(arg0 context.Context, arg1 *ec2.GetIpamDiscoveredPublicAddressesInput, arg2 ...request.Option) (*ec2.GetIpamDiscoveredPublicAddressesOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "GetIpamDiscoveredPublicAddressesWithContext", varargs...) + ret0, _ := ret[0].(*ec2.GetIpamDiscoveredPublicAddressesOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// GetIpamDiscoveredPublicAddressesWithContext indicates an expected call of GetIpamDiscoveredPublicAddressesWithContext. +func (mr *MockEC2MockRecorder) GetIpamDiscoveredPublicAddressesWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetIpamDiscoveredPublicAddressesWithContext", reflect.TypeOf((*MockEC2)(nil).GetIpamDiscoveredPublicAddressesWithContext), varargs...) +} + // GetIpamDiscoveredResourceCidrs mocks base method. func (m *MockEC2) GetIpamDiscoveredResourceCidrs(arg0 *ec2.GetIpamDiscoveredResourceCidrsInput) (*ec2.GetIpamDiscoveredResourceCidrsOutput, error) { m.ctrl.T.Helper() @@ -31817,6 +32067,56 @@ func (mr *MockEC2MockRecorder) ProvisionByoipCidrWithContext(arg0, arg1 interfac return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProvisionByoipCidrWithContext", reflect.TypeOf((*MockEC2)(nil).ProvisionByoipCidrWithContext), varargs...) } +// ProvisionIpamByoasn mocks base method. +func (m *MockEC2) ProvisionIpamByoasn(arg0 *ec2.ProvisionIpamByoasnInput) (*ec2.ProvisionIpamByoasnOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "ProvisionIpamByoasn", arg0) + ret0, _ := ret[0].(*ec2.ProvisionIpamByoasnOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// ProvisionIpamByoasn indicates an expected call of ProvisionIpamByoasn. +func (mr *MockEC2MockRecorder) ProvisionIpamByoasn(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProvisionIpamByoasn", reflect.TypeOf((*MockEC2)(nil).ProvisionIpamByoasn), arg0) +} + +// ProvisionIpamByoasnRequest mocks base method. +func (m *MockEC2) ProvisionIpamByoasnRequest(arg0 *ec2.ProvisionIpamByoasnInput) (*request.Request, *ec2.ProvisionIpamByoasnOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "ProvisionIpamByoasnRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*ec2.ProvisionIpamByoasnOutput) + return ret0, ret1 +} + +// ProvisionIpamByoasnRequest indicates an expected call of ProvisionIpamByoasnRequest. +func (mr *MockEC2MockRecorder) ProvisionIpamByoasnRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProvisionIpamByoasnRequest", reflect.TypeOf((*MockEC2)(nil).ProvisionIpamByoasnRequest), arg0) +} + +// ProvisionIpamByoasnWithContext mocks base method. +func (m *MockEC2) ProvisionIpamByoasnWithContext(arg0 context.Context, arg1 *ec2.ProvisionIpamByoasnInput, arg2 ...request.Option) (*ec2.ProvisionIpamByoasnOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "ProvisionIpamByoasnWithContext", varargs...) + ret0, _ := ret[0].(*ec2.ProvisionIpamByoasnOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// ProvisionIpamByoasnWithContext indicates an expected call of ProvisionIpamByoasnWithContext. +func (mr *MockEC2MockRecorder) ProvisionIpamByoasnWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProvisionIpamByoasnWithContext", reflect.TypeOf((*MockEC2)(nil).ProvisionIpamByoasnWithContext), varargs...) +} + // ProvisionIpamPoolCidr mocks base method. func (m *MockEC2) ProvisionIpamPoolCidr(arg0 *ec2.ProvisionIpamPoolCidrInput) (*ec2.ProvisionIpamPoolCidrOutput, error) { m.ctrl.T.Helper() diff --git a/pkg/aws/services/elbv2_mocks.go b/pkg/aws/services/elbv2_mocks.go index c96d3a24d..3a5478ccb 100644 --- a/pkg/aws/services/elbv2_mocks.go +++ b/pkg/aws/services/elbv2_mocks.go @@ -136,6 +136,56 @@ func (mr *MockELBV2MockRecorder) AddTagsWithContext(arg0, arg1 interface{}, arg2 return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddTagsWithContext", reflect.TypeOf((*MockELBV2)(nil).AddTagsWithContext), varargs...) } +// AddTrustStoreRevocations mocks base method. +func (m *MockELBV2) AddTrustStoreRevocations(arg0 *elbv2.AddTrustStoreRevocationsInput) (*elbv2.AddTrustStoreRevocationsOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "AddTrustStoreRevocations", arg0) + ret0, _ := ret[0].(*elbv2.AddTrustStoreRevocationsOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// AddTrustStoreRevocations indicates an expected call of AddTrustStoreRevocations. +func (mr *MockELBV2MockRecorder) AddTrustStoreRevocations(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddTrustStoreRevocations", reflect.TypeOf((*MockELBV2)(nil).AddTrustStoreRevocations), arg0) +} + +// AddTrustStoreRevocationsRequest mocks base method. +func (m *MockELBV2) AddTrustStoreRevocationsRequest(arg0 *elbv2.AddTrustStoreRevocationsInput) (*request.Request, *elbv2.AddTrustStoreRevocationsOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "AddTrustStoreRevocationsRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*elbv2.AddTrustStoreRevocationsOutput) + return ret0, ret1 +} + +// AddTrustStoreRevocationsRequest indicates an expected call of AddTrustStoreRevocationsRequest. +func (mr *MockELBV2MockRecorder) AddTrustStoreRevocationsRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddTrustStoreRevocationsRequest", reflect.TypeOf((*MockELBV2)(nil).AddTrustStoreRevocationsRequest), arg0) +} + +// AddTrustStoreRevocationsWithContext mocks base method. +func (m *MockELBV2) AddTrustStoreRevocationsWithContext(arg0 context.Context, arg1 *elbv2.AddTrustStoreRevocationsInput, arg2 ...request.Option) (*elbv2.AddTrustStoreRevocationsOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "AddTrustStoreRevocationsWithContext", varargs...) + ret0, _ := ret[0].(*elbv2.AddTrustStoreRevocationsOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// AddTrustStoreRevocationsWithContext indicates an expected call of AddTrustStoreRevocationsWithContext. +func (mr *MockELBV2MockRecorder) AddTrustStoreRevocationsWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddTrustStoreRevocationsWithContext", reflect.TypeOf((*MockELBV2)(nil).AddTrustStoreRevocationsWithContext), varargs...) +} + // CreateListener mocks base method. func (m *MockELBV2) CreateListener(arg0 *elbv2.CreateListenerInput) (*elbv2.CreateListenerOutput, error) { m.ctrl.T.Helper() @@ -336,6 +386,56 @@ func (mr *MockELBV2MockRecorder) CreateTargetGroupWithContext(arg0, arg1 interfa return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateTargetGroupWithContext", reflect.TypeOf((*MockELBV2)(nil).CreateTargetGroupWithContext), varargs...) } +// CreateTrustStore mocks base method. +func (m *MockELBV2) CreateTrustStore(arg0 *elbv2.CreateTrustStoreInput) (*elbv2.CreateTrustStoreOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "CreateTrustStore", arg0) + ret0, _ := ret[0].(*elbv2.CreateTrustStoreOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// CreateTrustStore indicates an expected call of CreateTrustStore. +func (mr *MockELBV2MockRecorder) CreateTrustStore(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateTrustStore", reflect.TypeOf((*MockELBV2)(nil).CreateTrustStore), arg0) +} + +// CreateTrustStoreRequest mocks base method. +func (m *MockELBV2) CreateTrustStoreRequest(arg0 *elbv2.CreateTrustStoreInput) (*request.Request, *elbv2.CreateTrustStoreOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "CreateTrustStoreRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*elbv2.CreateTrustStoreOutput) + return ret0, ret1 +} + +// CreateTrustStoreRequest indicates an expected call of CreateTrustStoreRequest. +func (mr *MockELBV2MockRecorder) CreateTrustStoreRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateTrustStoreRequest", reflect.TypeOf((*MockELBV2)(nil).CreateTrustStoreRequest), arg0) +} + +// CreateTrustStoreWithContext mocks base method. +func (m *MockELBV2) CreateTrustStoreWithContext(arg0 context.Context, arg1 *elbv2.CreateTrustStoreInput, arg2 ...request.Option) (*elbv2.CreateTrustStoreOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "CreateTrustStoreWithContext", varargs...) + ret0, _ := ret[0].(*elbv2.CreateTrustStoreOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// CreateTrustStoreWithContext indicates an expected call of CreateTrustStoreWithContext. +func (mr *MockELBV2MockRecorder) CreateTrustStoreWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateTrustStoreWithContext", reflect.TypeOf((*MockELBV2)(nil).CreateTrustStoreWithContext), varargs...) +} + // DeleteListener mocks base method. func (m *MockELBV2) DeleteListener(arg0 *elbv2.DeleteListenerInput) (*elbv2.DeleteListenerOutput, error) { m.ctrl.T.Helper() @@ -536,6 +636,56 @@ func (mr *MockELBV2MockRecorder) DeleteTargetGroupWithContext(arg0, arg1 interfa return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteTargetGroupWithContext", reflect.TypeOf((*MockELBV2)(nil).DeleteTargetGroupWithContext), varargs...) } +// DeleteTrustStore mocks base method. +func (m *MockELBV2) DeleteTrustStore(arg0 *elbv2.DeleteTrustStoreInput) (*elbv2.DeleteTrustStoreOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DeleteTrustStore", arg0) + ret0, _ := ret[0].(*elbv2.DeleteTrustStoreOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DeleteTrustStore indicates an expected call of DeleteTrustStore. +func (mr *MockELBV2MockRecorder) DeleteTrustStore(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteTrustStore", reflect.TypeOf((*MockELBV2)(nil).DeleteTrustStore), arg0) +} + +// DeleteTrustStoreRequest mocks base method. +func (m *MockELBV2) DeleteTrustStoreRequest(arg0 *elbv2.DeleteTrustStoreInput) (*request.Request, *elbv2.DeleteTrustStoreOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DeleteTrustStoreRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*elbv2.DeleteTrustStoreOutput) + return ret0, ret1 +} + +// DeleteTrustStoreRequest indicates an expected call of DeleteTrustStoreRequest. +func (mr *MockELBV2MockRecorder) DeleteTrustStoreRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteTrustStoreRequest", reflect.TypeOf((*MockELBV2)(nil).DeleteTrustStoreRequest), arg0) +} + +// DeleteTrustStoreWithContext mocks base method. +func (m *MockELBV2) DeleteTrustStoreWithContext(arg0 context.Context, arg1 *elbv2.DeleteTrustStoreInput, arg2 ...request.Option) (*elbv2.DeleteTrustStoreOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "DeleteTrustStoreWithContext", varargs...) + ret0, _ := ret[0].(*elbv2.DeleteTrustStoreOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DeleteTrustStoreWithContext indicates an expected call of DeleteTrustStoreWithContext. +func (mr *MockELBV2MockRecorder) DeleteTrustStoreWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteTrustStoreWithContext", reflect.TypeOf((*MockELBV2)(nil).DeleteTrustStoreWithContext), varargs...) +} + // DeregisterTargets mocks base method. func (m *MockELBV2) DeregisterTargets(arg0 *elbv2.DeregisterTargetsInput) (*elbv2.DeregisterTargetsOutput, error) { m.ctrl.T.Helper() @@ -1310,6 +1460,355 @@ func (mr *MockELBV2MockRecorder) DescribeTargetHealthWithContext(arg0, arg1 inte return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTargetHealthWithContext", reflect.TypeOf((*MockELBV2)(nil).DescribeTargetHealthWithContext), varargs...) } +// DescribeTrustStoreAssociations mocks base method. +func (m *MockELBV2) DescribeTrustStoreAssociations(arg0 *elbv2.DescribeTrustStoreAssociationsInput) (*elbv2.DescribeTrustStoreAssociationsOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DescribeTrustStoreAssociations", arg0) + ret0, _ := ret[0].(*elbv2.DescribeTrustStoreAssociationsOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DescribeTrustStoreAssociations indicates an expected call of DescribeTrustStoreAssociations. +func (mr *MockELBV2MockRecorder) DescribeTrustStoreAssociations(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoreAssociations", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoreAssociations), arg0) +} + +// DescribeTrustStoreAssociationsPages mocks base method. +func (m *MockELBV2) DescribeTrustStoreAssociationsPages(arg0 *elbv2.DescribeTrustStoreAssociationsInput, arg1 func(*elbv2.DescribeTrustStoreAssociationsOutput, bool) bool) error { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DescribeTrustStoreAssociationsPages", arg0, arg1) + ret0, _ := ret[0].(error) + return ret0 +} + +// DescribeTrustStoreAssociationsPages indicates an expected call of DescribeTrustStoreAssociationsPages. +func (mr *MockELBV2MockRecorder) DescribeTrustStoreAssociationsPages(arg0, arg1 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoreAssociationsPages", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoreAssociationsPages), arg0, arg1) +} + +// DescribeTrustStoreAssociationsPagesWithContext mocks base method. +func (m *MockELBV2) DescribeTrustStoreAssociationsPagesWithContext(arg0 context.Context, arg1 *elbv2.DescribeTrustStoreAssociationsInput, arg2 func(*elbv2.DescribeTrustStoreAssociationsOutput, bool) bool, arg3 ...request.Option) error { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1, arg2} + for _, a := range arg3 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "DescribeTrustStoreAssociationsPagesWithContext", varargs...) + ret0, _ := ret[0].(error) + return ret0 +} + +// DescribeTrustStoreAssociationsPagesWithContext indicates an expected call of DescribeTrustStoreAssociationsPagesWithContext. +func (mr *MockELBV2MockRecorder) DescribeTrustStoreAssociationsPagesWithContext(arg0, arg1, arg2 interface{}, arg3 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1, arg2}, arg3...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoreAssociationsPagesWithContext", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoreAssociationsPagesWithContext), varargs...) +} + +// DescribeTrustStoreAssociationsRequest mocks base method. +func (m *MockELBV2) DescribeTrustStoreAssociationsRequest(arg0 *elbv2.DescribeTrustStoreAssociationsInput) (*request.Request, *elbv2.DescribeTrustStoreAssociationsOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DescribeTrustStoreAssociationsRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*elbv2.DescribeTrustStoreAssociationsOutput) + return ret0, ret1 +} + +// DescribeTrustStoreAssociationsRequest indicates an expected call of DescribeTrustStoreAssociationsRequest. +func (mr *MockELBV2MockRecorder) DescribeTrustStoreAssociationsRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoreAssociationsRequest", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoreAssociationsRequest), arg0) +} + +// DescribeTrustStoreAssociationsWithContext mocks base method. +func (m *MockELBV2) DescribeTrustStoreAssociationsWithContext(arg0 context.Context, arg1 *elbv2.DescribeTrustStoreAssociationsInput, arg2 ...request.Option) (*elbv2.DescribeTrustStoreAssociationsOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "DescribeTrustStoreAssociationsWithContext", varargs...) + ret0, _ := ret[0].(*elbv2.DescribeTrustStoreAssociationsOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DescribeTrustStoreAssociationsWithContext indicates an expected call of DescribeTrustStoreAssociationsWithContext. +func (mr *MockELBV2MockRecorder) DescribeTrustStoreAssociationsWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoreAssociationsWithContext", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoreAssociationsWithContext), varargs...) +} + +// DescribeTrustStoreRevocations mocks base method. +func (m *MockELBV2) DescribeTrustStoreRevocations(arg0 *elbv2.DescribeTrustStoreRevocationsInput) (*elbv2.DescribeTrustStoreRevocationsOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DescribeTrustStoreRevocations", arg0) + ret0, _ := ret[0].(*elbv2.DescribeTrustStoreRevocationsOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DescribeTrustStoreRevocations indicates an expected call of DescribeTrustStoreRevocations. +func (mr *MockELBV2MockRecorder) DescribeTrustStoreRevocations(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoreRevocations", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoreRevocations), arg0) +} + +// DescribeTrustStoreRevocationsPages mocks base method. +func (m *MockELBV2) DescribeTrustStoreRevocationsPages(arg0 *elbv2.DescribeTrustStoreRevocationsInput, arg1 func(*elbv2.DescribeTrustStoreRevocationsOutput, bool) bool) error { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DescribeTrustStoreRevocationsPages", arg0, arg1) + ret0, _ := ret[0].(error) + return ret0 +} + +// DescribeTrustStoreRevocationsPages indicates an expected call of DescribeTrustStoreRevocationsPages. +func (mr *MockELBV2MockRecorder) DescribeTrustStoreRevocationsPages(arg0, arg1 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoreRevocationsPages", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoreRevocationsPages), arg0, arg1) +} + +// DescribeTrustStoreRevocationsPagesWithContext mocks base method. +func (m *MockELBV2) DescribeTrustStoreRevocationsPagesWithContext(arg0 context.Context, arg1 *elbv2.DescribeTrustStoreRevocationsInput, arg2 func(*elbv2.DescribeTrustStoreRevocationsOutput, bool) bool, arg3 ...request.Option) error { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1, arg2} + for _, a := range arg3 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "DescribeTrustStoreRevocationsPagesWithContext", varargs...) + ret0, _ := ret[0].(error) + return ret0 +} + +// DescribeTrustStoreRevocationsPagesWithContext indicates an expected call of DescribeTrustStoreRevocationsPagesWithContext. +func (mr *MockELBV2MockRecorder) DescribeTrustStoreRevocationsPagesWithContext(arg0, arg1, arg2 interface{}, arg3 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1, arg2}, arg3...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoreRevocationsPagesWithContext", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoreRevocationsPagesWithContext), varargs...) +} + +// DescribeTrustStoreRevocationsRequest mocks base method. +func (m *MockELBV2) DescribeTrustStoreRevocationsRequest(arg0 *elbv2.DescribeTrustStoreRevocationsInput) (*request.Request, *elbv2.DescribeTrustStoreRevocationsOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DescribeTrustStoreRevocationsRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*elbv2.DescribeTrustStoreRevocationsOutput) + return ret0, ret1 +} + +// DescribeTrustStoreRevocationsRequest indicates an expected call of DescribeTrustStoreRevocationsRequest. +func (mr *MockELBV2MockRecorder) DescribeTrustStoreRevocationsRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoreRevocationsRequest", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoreRevocationsRequest), arg0) +} + +// DescribeTrustStoreRevocationsWithContext mocks base method. +func (m *MockELBV2) DescribeTrustStoreRevocationsWithContext(arg0 context.Context, arg1 *elbv2.DescribeTrustStoreRevocationsInput, arg2 ...request.Option) (*elbv2.DescribeTrustStoreRevocationsOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "DescribeTrustStoreRevocationsWithContext", varargs...) + ret0, _ := ret[0].(*elbv2.DescribeTrustStoreRevocationsOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DescribeTrustStoreRevocationsWithContext indicates an expected call of DescribeTrustStoreRevocationsWithContext. +func (mr *MockELBV2MockRecorder) DescribeTrustStoreRevocationsWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoreRevocationsWithContext", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoreRevocationsWithContext), varargs...) +} + +// DescribeTrustStores mocks base method. +func (m *MockELBV2) DescribeTrustStores(arg0 *elbv2.DescribeTrustStoresInput) (*elbv2.DescribeTrustStoresOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DescribeTrustStores", arg0) + ret0, _ := ret[0].(*elbv2.DescribeTrustStoresOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DescribeTrustStores indicates an expected call of DescribeTrustStores. +func (mr *MockELBV2MockRecorder) DescribeTrustStores(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStores", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStores), arg0) +} + +// DescribeTrustStoresPages mocks base method. +func (m *MockELBV2) DescribeTrustStoresPages(arg0 *elbv2.DescribeTrustStoresInput, arg1 func(*elbv2.DescribeTrustStoresOutput, bool) bool) error { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DescribeTrustStoresPages", arg0, arg1) + ret0, _ := ret[0].(error) + return ret0 +} + +// DescribeTrustStoresPages indicates an expected call of DescribeTrustStoresPages. +func (mr *MockELBV2MockRecorder) DescribeTrustStoresPages(arg0, arg1 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoresPages", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoresPages), arg0, arg1) +} + +// DescribeTrustStoresPagesWithContext mocks base method. +func (m *MockELBV2) DescribeTrustStoresPagesWithContext(arg0 context.Context, arg1 *elbv2.DescribeTrustStoresInput, arg2 func(*elbv2.DescribeTrustStoresOutput, bool) bool, arg3 ...request.Option) error { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1, arg2} + for _, a := range arg3 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "DescribeTrustStoresPagesWithContext", varargs...) + ret0, _ := ret[0].(error) + return ret0 +} + +// DescribeTrustStoresPagesWithContext indicates an expected call of DescribeTrustStoresPagesWithContext. +func (mr *MockELBV2MockRecorder) DescribeTrustStoresPagesWithContext(arg0, arg1, arg2 interface{}, arg3 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1, arg2}, arg3...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoresPagesWithContext", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoresPagesWithContext), varargs...) +} + +// DescribeTrustStoresRequest mocks base method. +func (m *MockELBV2) DescribeTrustStoresRequest(arg0 *elbv2.DescribeTrustStoresInput) (*request.Request, *elbv2.DescribeTrustStoresOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "DescribeTrustStoresRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*elbv2.DescribeTrustStoresOutput) + return ret0, ret1 +} + +// DescribeTrustStoresRequest indicates an expected call of DescribeTrustStoresRequest. +func (mr *MockELBV2MockRecorder) DescribeTrustStoresRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoresRequest", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoresRequest), arg0) +} + +// DescribeTrustStoresWithContext mocks base method. +func (m *MockELBV2) DescribeTrustStoresWithContext(arg0 context.Context, arg1 *elbv2.DescribeTrustStoresInput, arg2 ...request.Option) (*elbv2.DescribeTrustStoresOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "DescribeTrustStoresWithContext", varargs...) + ret0, _ := ret[0].(*elbv2.DescribeTrustStoresOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// DescribeTrustStoresWithContext indicates an expected call of DescribeTrustStoresWithContext. +func (mr *MockELBV2MockRecorder) DescribeTrustStoresWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DescribeTrustStoresWithContext", reflect.TypeOf((*MockELBV2)(nil).DescribeTrustStoresWithContext), varargs...) +} + +// GetTrustStoreCaCertificatesBundle mocks base method. +func (m *MockELBV2) GetTrustStoreCaCertificatesBundle(arg0 *elbv2.GetTrustStoreCaCertificatesBundleInput) (*elbv2.GetTrustStoreCaCertificatesBundleOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetTrustStoreCaCertificatesBundle", arg0) + ret0, _ := ret[0].(*elbv2.GetTrustStoreCaCertificatesBundleOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// GetTrustStoreCaCertificatesBundle indicates an expected call of GetTrustStoreCaCertificatesBundle. +func (mr *MockELBV2MockRecorder) GetTrustStoreCaCertificatesBundle(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTrustStoreCaCertificatesBundle", reflect.TypeOf((*MockELBV2)(nil).GetTrustStoreCaCertificatesBundle), arg0) +} + +// GetTrustStoreCaCertificatesBundleRequest mocks base method. +func (m *MockELBV2) GetTrustStoreCaCertificatesBundleRequest(arg0 *elbv2.GetTrustStoreCaCertificatesBundleInput) (*request.Request, *elbv2.GetTrustStoreCaCertificatesBundleOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetTrustStoreCaCertificatesBundleRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*elbv2.GetTrustStoreCaCertificatesBundleOutput) + return ret0, ret1 +} + +// GetTrustStoreCaCertificatesBundleRequest indicates an expected call of GetTrustStoreCaCertificatesBundleRequest. +func (mr *MockELBV2MockRecorder) GetTrustStoreCaCertificatesBundleRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTrustStoreCaCertificatesBundleRequest", reflect.TypeOf((*MockELBV2)(nil).GetTrustStoreCaCertificatesBundleRequest), arg0) +} + +// GetTrustStoreCaCertificatesBundleWithContext mocks base method. +func (m *MockELBV2) GetTrustStoreCaCertificatesBundleWithContext(arg0 context.Context, arg1 *elbv2.GetTrustStoreCaCertificatesBundleInput, arg2 ...request.Option) (*elbv2.GetTrustStoreCaCertificatesBundleOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "GetTrustStoreCaCertificatesBundleWithContext", varargs...) + ret0, _ := ret[0].(*elbv2.GetTrustStoreCaCertificatesBundleOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// GetTrustStoreCaCertificatesBundleWithContext indicates an expected call of GetTrustStoreCaCertificatesBundleWithContext. +func (mr *MockELBV2MockRecorder) GetTrustStoreCaCertificatesBundleWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTrustStoreCaCertificatesBundleWithContext", reflect.TypeOf((*MockELBV2)(nil).GetTrustStoreCaCertificatesBundleWithContext), varargs...) +} + +// GetTrustStoreRevocationContent mocks base method. +func (m *MockELBV2) GetTrustStoreRevocationContent(arg0 *elbv2.GetTrustStoreRevocationContentInput) (*elbv2.GetTrustStoreRevocationContentOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetTrustStoreRevocationContent", arg0) + ret0, _ := ret[0].(*elbv2.GetTrustStoreRevocationContentOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// GetTrustStoreRevocationContent indicates an expected call of GetTrustStoreRevocationContent. +func (mr *MockELBV2MockRecorder) GetTrustStoreRevocationContent(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTrustStoreRevocationContent", reflect.TypeOf((*MockELBV2)(nil).GetTrustStoreRevocationContent), arg0) +} + +// GetTrustStoreRevocationContentRequest mocks base method. +func (m *MockELBV2) GetTrustStoreRevocationContentRequest(arg0 *elbv2.GetTrustStoreRevocationContentInput) (*request.Request, *elbv2.GetTrustStoreRevocationContentOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "GetTrustStoreRevocationContentRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*elbv2.GetTrustStoreRevocationContentOutput) + return ret0, ret1 +} + +// GetTrustStoreRevocationContentRequest indicates an expected call of GetTrustStoreRevocationContentRequest. +func (mr *MockELBV2MockRecorder) GetTrustStoreRevocationContentRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTrustStoreRevocationContentRequest", reflect.TypeOf((*MockELBV2)(nil).GetTrustStoreRevocationContentRequest), arg0) +} + +// GetTrustStoreRevocationContentWithContext mocks base method. +func (m *MockELBV2) GetTrustStoreRevocationContentWithContext(arg0 context.Context, arg1 *elbv2.GetTrustStoreRevocationContentInput, arg2 ...request.Option) (*elbv2.GetTrustStoreRevocationContentOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "GetTrustStoreRevocationContentWithContext", varargs...) + ret0, _ := ret[0].(*elbv2.GetTrustStoreRevocationContentOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// GetTrustStoreRevocationContentWithContext indicates an expected call of GetTrustStoreRevocationContentWithContext. +func (mr *MockELBV2MockRecorder) GetTrustStoreRevocationContentWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetTrustStoreRevocationContentWithContext", reflect.TypeOf((*MockELBV2)(nil).GetTrustStoreRevocationContentWithContext), varargs...) +} + // ModifyListener mocks base method. func (m *MockELBV2) ModifyListener(arg0 *elbv2.ModifyListenerInput) (*elbv2.ModifyListenerOutput, error) { m.ctrl.T.Helper() @@ -1560,6 +2059,56 @@ func (mr *MockELBV2MockRecorder) ModifyTargetGroupWithContext(arg0, arg1 interfa return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ModifyTargetGroupWithContext", reflect.TypeOf((*MockELBV2)(nil).ModifyTargetGroupWithContext), varargs...) } +// ModifyTrustStore mocks base method. +func (m *MockELBV2) ModifyTrustStore(arg0 *elbv2.ModifyTrustStoreInput) (*elbv2.ModifyTrustStoreOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "ModifyTrustStore", arg0) + ret0, _ := ret[0].(*elbv2.ModifyTrustStoreOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// ModifyTrustStore indicates an expected call of ModifyTrustStore. +func (mr *MockELBV2MockRecorder) ModifyTrustStore(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ModifyTrustStore", reflect.TypeOf((*MockELBV2)(nil).ModifyTrustStore), arg0) +} + +// ModifyTrustStoreRequest mocks base method. +func (m *MockELBV2) ModifyTrustStoreRequest(arg0 *elbv2.ModifyTrustStoreInput) (*request.Request, *elbv2.ModifyTrustStoreOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "ModifyTrustStoreRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*elbv2.ModifyTrustStoreOutput) + return ret0, ret1 +} + +// ModifyTrustStoreRequest indicates an expected call of ModifyTrustStoreRequest. +func (mr *MockELBV2MockRecorder) ModifyTrustStoreRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ModifyTrustStoreRequest", reflect.TypeOf((*MockELBV2)(nil).ModifyTrustStoreRequest), arg0) +} + +// ModifyTrustStoreWithContext mocks base method. +func (m *MockELBV2) ModifyTrustStoreWithContext(arg0 context.Context, arg1 *elbv2.ModifyTrustStoreInput, arg2 ...request.Option) (*elbv2.ModifyTrustStoreOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "ModifyTrustStoreWithContext", varargs...) + ret0, _ := ret[0].(*elbv2.ModifyTrustStoreOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// ModifyTrustStoreWithContext indicates an expected call of ModifyTrustStoreWithContext. +func (mr *MockELBV2MockRecorder) ModifyTrustStoreWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ModifyTrustStoreWithContext", reflect.TypeOf((*MockELBV2)(nil).ModifyTrustStoreWithContext), varargs...) +} + // RegisterTargets mocks base method. func (m *MockELBV2) RegisterTargets(arg0 *elbv2.RegisterTargetsInput) (*elbv2.RegisterTargetsOutput, error) { m.ctrl.T.Helper() @@ -1710,6 +2259,56 @@ func (mr *MockELBV2MockRecorder) RemoveTagsWithContext(arg0, arg1 interface{}, a return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveTagsWithContext", reflect.TypeOf((*MockELBV2)(nil).RemoveTagsWithContext), varargs...) } +// RemoveTrustStoreRevocations mocks base method. +func (m *MockELBV2) RemoveTrustStoreRevocations(arg0 *elbv2.RemoveTrustStoreRevocationsInput) (*elbv2.RemoveTrustStoreRevocationsOutput, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "RemoveTrustStoreRevocations", arg0) + ret0, _ := ret[0].(*elbv2.RemoveTrustStoreRevocationsOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// RemoveTrustStoreRevocations indicates an expected call of RemoveTrustStoreRevocations. +func (mr *MockELBV2MockRecorder) RemoveTrustStoreRevocations(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveTrustStoreRevocations", reflect.TypeOf((*MockELBV2)(nil).RemoveTrustStoreRevocations), arg0) +} + +// RemoveTrustStoreRevocationsRequest mocks base method. +func (m *MockELBV2) RemoveTrustStoreRevocationsRequest(arg0 *elbv2.RemoveTrustStoreRevocationsInput) (*request.Request, *elbv2.RemoveTrustStoreRevocationsOutput) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "RemoveTrustStoreRevocationsRequest", arg0) + ret0, _ := ret[0].(*request.Request) + ret1, _ := ret[1].(*elbv2.RemoveTrustStoreRevocationsOutput) + return ret0, ret1 +} + +// RemoveTrustStoreRevocationsRequest indicates an expected call of RemoveTrustStoreRevocationsRequest. +func (mr *MockELBV2MockRecorder) RemoveTrustStoreRevocationsRequest(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveTrustStoreRevocationsRequest", reflect.TypeOf((*MockELBV2)(nil).RemoveTrustStoreRevocationsRequest), arg0) +} + +// RemoveTrustStoreRevocationsWithContext mocks base method. +func (m *MockELBV2) RemoveTrustStoreRevocationsWithContext(arg0 context.Context, arg1 *elbv2.RemoveTrustStoreRevocationsInput, arg2 ...request.Option) (*elbv2.RemoveTrustStoreRevocationsOutput, error) { + m.ctrl.T.Helper() + varargs := []interface{}{arg0, arg1} + for _, a := range arg2 { + varargs = append(varargs, a) + } + ret := m.ctrl.Call(m, "RemoveTrustStoreRevocationsWithContext", varargs...) + ret0, _ := ret[0].(*elbv2.RemoveTrustStoreRevocationsOutput) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// RemoveTrustStoreRevocationsWithContext indicates an expected call of RemoveTrustStoreRevocationsWithContext. +func (mr *MockELBV2MockRecorder) RemoveTrustStoreRevocationsWithContext(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + varargs := append([]interface{}{arg0, arg1}, arg2...) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveTrustStoreRevocationsWithContext", reflect.TypeOf((*MockELBV2)(nil).RemoveTrustStoreRevocationsWithContext), varargs...) +} + // SetIpAddressType mocks base method. func (m *MockELBV2) SetIpAddressType(arg0 *elbv2.SetIpAddressTypeInput) (*elbv2.SetIpAddressTypeOutput, error) { m.ctrl.T.Helper() diff --git a/pkg/deploy/elbv2/listener_manager.go b/pkg/deploy/elbv2/listener_manager.go index 86967c94f..0fff98231 100644 --- a/pkg/deploy/elbv2/listener_manager.go +++ b/pkg/deploy/elbv2/listener_manager.go @@ -2,6 +2,7 @@ package elbv2 import ( "context" + "reflect" "time" awssdk "github.com/aws/aws-sdk-go/aws" @@ -134,7 +135,8 @@ func (m *defaultListenerManager) updateSDKListenerWithSettings(ctx context.Conte return err } desiredDefaultCerts, _ := buildSDKCertificates(resLS.Spec.Certificates) - if !isSDKListenerSettingsDrifted(resLS.Spec, sdkLS, desiredDefaultActions, desiredDefaultCerts) { + desiredDefaultMutualAuthentication := buildSDKMutualAuthenticationConfig(resLS.Spec.MutualAuthentication) + if !isSDKListenerSettingsDrifted(resLS.Spec, sdkLS, desiredDefaultActions, desiredDefaultCerts, desiredDefaultMutualAuthentication) { return nil } req := buildSDKModifyListenerInput(resLS.Spec, desiredDefaultActions, desiredDefaultCerts) @@ -246,7 +248,7 @@ func (m *defaultListenerManager) fetchSDKListenerExtraCertificateARNs(ctx contex } func isSDKListenerSettingsDrifted(lsSpec elbv2model.ListenerSpec, sdkLS ListenerWithTags, - desiredDefaultActions []*elbv2sdk.Action, desiredDefaultCerts []*elbv2sdk.Certificate) bool { + desiredDefaultActions []*elbv2sdk.Action, desiredDefaultCerts []*elbv2sdk.Certificate, desiredDefaultMutualAuthentication *elbv2sdk.MutualAuthenticationAttributes) bool { if lsSpec.Port != awssdk.Int64Value(sdkLS.Listener.Port) { return true } @@ -265,6 +267,9 @@ func isSDKListenerSettingsDrifted(lsSpec elbv2model.ListenerSpec, sdkLS Listener if len(lsSpec.ALPNPolicy) != 0 && !cmp.Equal(lsSpec.ALPNPolicy, awssdk.StringValueSlice(sdkLS.Listener.AlpnPolicy), cmpopts.EquateEmpty()) { return true } + if !reflect.DeepEqual(desiredDefaultMutualAuthentication, sdkLS.Listener.MutualAuthentication) { + return true + } return false } @@ -289,6 +294,8 @@ func buildSDKCreateListenerInput(lsSpec elbv2model.ListenerSpec, featureGates co if len(lsSpec.ALPNPolicy) != 0 { sdkObj.AlpnPolicy = awssdk.StringSlice(lsSpec.ALPNPolicy) } + sdkObj.MutualAuthentication = buildSDKMutualAuthenticationConfig(lsSpec.MutualAuthentication) + return sdkObj, nil } @@ -302,6 +309,8 @@ func buildSDKModifyListenerInput(lsSpec elbv2model.ListenerSpec, desiredDefaultA if len(lsSpec.ALPNPolicy) != 0 { sdkObj.AlpnPolicy = awssdk.StringSlice(lsSpec.ALPNPolicy) } + sdkObj.MutualAuthentication = buildSDKMutualAuthenticationConfig(lsSpec.MutualAuthentication) + return sdkObj } @@ -327,6 +336,18 @@ func buildSDKCertificate(modelCert elbv2model.Certificate) *elbv2sdk.Certificate } } +// buildSDKMutualAuthenticationConfig builds the mutual TLS authentication config for listener +func buildSDKMutualAuthenticationConfig(modelMutualAuthenticationCfg *elbv2model.MutualAuthenticationAttributes) *elbv2sdk.MutualAuthenticationAttributes { + if modelMutualAuthenticationCfg == nil { + return nil + } + return &elbv2sdk.MutualAuthenticationAttributes{ + IgnoreClientCertificateExpiry: modelMutualAuthenticationCfg.IgnoreClientCertificateExpiry, + Mode: awssdk.String(modelMutualAuthenticationCfg.Mode), + TrustStoreArn: modelMutualAuthenticationCfg.TrustStoreArn, + } +} + func buildResListenerStatus(sdkLS ListenerWithTags) elbv2model.ListenerStatus { return elbv2model.ListenerStatus{ ListenerARN: awssdk.StringValue(sdkLS.Listener.ListenerArn), diff --git a/pkg/deploy/elbv2/listener_manager_test.go b/pkg/deploy/elbv2/listener_manager_test.go index 33da89a18..d356c7f5c 100644 --- a/pkg/deploy/elbv2/listener_manager_test.go +++ b/pkg/deploy/elbv2/listener_manager_test.go @@ -10,10 +10,11 @@ import ( func Test_isSDKListenerSettingsDrifted(t *testing.T) { type args struct { - lsSpec elbv2model.ListenerSpec - sdkLS ListenerWithTags - desiredDefaultActions []*elbv2sdk.Action - desiredDefaultCerts []*elbv2sdk.Certificate + lsSpec elbv2model.ListenerSpec + sdkLS ListenerWithTags + desiredDefaultActions []*elbv2sdk.Action + desiredDefaultCerts []*elbv2sdk.Certificate + desiredDefaultMutualAuthentication *elbv2sdk.MutualAuthenticationAttributes } tests := []struct { name string @@ -49,6 +50,9 @@ func Test_isSDKListenerSettingsDrifted(t *testing.T) { }, SslPolicy: awssdk.String("ELBSecurityPolicy-FS-1-2-Res-2019-08"), AlpnPolicy: awssdk.StringSlice([]string{"HTTP2Preferred"}), + MutualAuthentication: &elbv2sdk.MutualAuthenticationAttributes{ + Mode: awssdk.String("off"), + }, }, }, desiredDefaultCerts: []*elbv2sdk.Certificate{ @@ -65,6 +69,9 @@ func Test_isSDKListenerSettingsDrifted(t *testing.T) { }, }, }, + desiredDefaultMutualAuthentication: &elbv2sdk.MutualAuthenticationAttributes{ + Mode: awssdk.String("off"), + }, }, }, { @@ -104,6 +111,9 @@ func Test_isSDKListenerSettingsDrifted(t *testing.T) { }, SslPolicy: awssdk.String("ELBSecurityPolicy-FS-1-2-Res-2019-08"), AlpnPolicy: awssdk.StringSlice([]string{"HTTP2Preferred"}), + MutualAuthentication: &elbv2sdk.MutualAuthenticationAttributes{ + Mode: awssdk.String("off"), + }, }, }, desiredDefaultCerts: []*elbv2sdk.Certificate{ @@ -120,6 +130,9 @@ func Test_isSDKListenerSettingsDrifted(t *testing.T) { }, }, }, + desiredDefaultMutualAuthentication: &elbv2sdk.MutualAuthenticationAttributes{ + Mode: awssdk.String("off"), + }, }, }, { @@ -154,6 +167,75 @@ func Test_isSDKListenerSettingsDrifted(t *testing.T) { }, SslPolicy: awssdk.String("ELBSecurityPolicy-FS-1-2-Res-2019-08"), AlpnPolicy: awssdk.StringSlice([]string{"HTTP2Preferred"}), + MutualAuthentication: &elbv2sdk.MutualAuthenticationAttributes{ + Mode: awssdk.String("off"), + }, + }, + }, + desiredDefaultCerts: []*elbv2sdk.Certificate{ + { + CertificateArn: awssdk.String("cert-arn1"), + IsDefault: awssdk.Bool(true), + }, + }, + desiredDefaultActions: []*elbv2sdk.Action{ + { + Type: awssdk.String("forward-config"), + ForwardConfig: &elbv2sdk.ForwardActionConfig{ + TargetGroups: []*elbv2sdk.TargetGroupTuple{ + { + TargetGroupArn: awssdk.String("target-group"), + }, + }, + }, + }, + }, + desiredDefaultMutualAuthentication: &elbv2sdk.MutualAuthenticationAttributes{ + Mode: awssdk.String("off"), + }, + }, + }, + { + name: "listener hasn't drifted if mutualAuthentication verify mode specified", + args: args{ + lsSpec: elbv2model.ListenerSpec{ + Port: 80, + Protocol: elbv2model.ProtocolHTTPS, + SSLPolicy: awssdk.String("ELBSecurityPolicy-FS-1-2-Res-2019-08"), + MutualAuthentication: &elbv2model.MutualAuthenticationAttributes{ + Mode: "verify", + TrustStoreArn: awssdk.String("arn:aws:elasticloadbalancing:us-east-1:123456789123:truststore/ts-1/8786hghf"), + }, + }, + sdkLS: ListenerWithTags{ + Listener: &elbv2sdk.Listener{ + Port: awssdk.Int64(80), + Protocol: awssdk.String("HTTPS"), + Certificates: []*elbv2sdk.Certificate{ + { + CertificateArn: awssdk.String("cert-arn1"), + IsDefault: awssdk.Bool(true), + }, + }, + DefaultActions: []*elbv2sdk.Action{ + { + Type: awssdk.String("forward-config"), + ForwardConfig: &elbv2sdk.ForwardActionConfig{ + TargetGroups: []*elbv2sdk.TargetGroupTuple{ + { + TargetGroupArn: awssdk.String("target-group"), + }, + }, + }, + }, + }, + SslPolicy: awssdk.String("ELBSecurityPolicy-FS-1-2-Res-2019-08"), + AlpnPolicy: awssdk.StringSlice([]string{"HTTP2Preferred"}), + MutualAuthentication: &elbv2sdk.MutualAuthenticationAttributes{ + Mode: awssdk.String("verify"), + TrustStoreArn: awssdk.String("arn:aws:elasticloadbalancing:us-east-1:123456789123:truststore/ts-1/8786hghf"), + IgnoreClientCertificateExpiry: awssdk.Bool(false), + }, }, }, desiredDefaultCerts: []*elbv2sdk.Certificate{ @@ -174,12 +256,17 @@ func Test_isSDKListenerSettingsDrifted(t *testing.T) { }, }, }, + desiredDefaultMutualAuthentication: &elbv2sdk.MutualAuthenticationAttributes{ + Mode: awssdk.String("verify"), + TrustStoreArn: awssdk.String("arn:aws:elasticloadbalancing:us-east-1:123456789123:truststore/ts-1/8786hghf"), + IgnoreClientCertificateExpiry: awssdk.Bool(false), + }, }, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got := isSDKListenerSettingsDrifted(tt.args.lsSpec, tt.args.sdkLS, tt.args.desiredDefaultActions, tt.args.desiredDefaultCerts) + got := isSDKListenerSettingsDrifted(tt.args.lsSpec, tt.args.sdkLS, tt.args.desiredDefaultActions, tt.args.desiredDefaultCerts, tt.args.desiredDefaultMutualAuthentication) assert.Equal(t, tt.want, got) }) } diff --git a/pkg/ingress/model_build_listener.go b/pkg/ingress/model_build_listener.go index 1dc6b2451..9b2dba948 100644 --- a/pkg/ingress/model_build_listener.go +++ b/pkg/ingress/model_build_listener.go @@ -4,6 +4,8 @@ import ( "context" "encoding/json" "fmt" + elbv2sdk "github.com/aws/aws-sdk-go/service/elbv2" + "k8s.io/utils/strings/slices" "net" "strings" @@ -45,13 +47,14 @@ func (t *defaultModelBuildTask) buildListenerSpec(ctx context.Context, lbARN cor }) } return elbv2model.ListenerSpec{ - LoadBalancerARN: lbARN, - Port: port, - Protocol: config.protocol, - DefaultActions: defaultActions, - Certificates: certs, - SSLPolicy: config.sslPolicy, - Tags: tags, + LoadBalancerARN: lbARN, + Port: port, + Protocol: config.protocol, + DefaultActions: defaultActions, + Certificates: certs, + SSLPolicy: config.sslPolicy, + MutualAuthentication: config.mutualAuthentication, + Tags: tags, }, nil } @@ -97,11 +100,12 @@ func (t *defaultModelBuildTask) buildListenerTags(_ context.Context, ingList []C // the listen port config for specific listener port. type listenPortConfig struct { - protocol elbv2model.Protocol - inboundCIDRv4s []string - inboundCIDRv6s []string - sslPolicy *string - tlsCerts []string + protocol elbv2model.Protocol + inboundCIDRv4s []string + inboundCIDRv6s []string + sslPolicy *string + tlsCerts []string + mutualAuthentication *elbv2model.MutualAuthenticationAttributes } func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context.Context, ing *ClassifiedIngress) (map[int64]listenPortConfig, error) { @@ -111,6 +115,10 @@ func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context if err != nil { return nil, err } + mutualAuthenticationAttributes, err := t.computeIngressMutualAuthentication(ctx, ing) + if err != nil { + return nil, err + } preferTLS := len(explicitTLSCertARNs) != 0 listenPorts, err := t.computeIngressListenPorts(ctx, ing.Ing, preferTLS) if err != nil { @@ -146,6 +154,7 @@ func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context cfg.tlsCerts = explicitTLSCertARNs } cfg.sslPolicy = explicitSSLPolicy + cfg.mutualAuthentication = mutualAuthenticationAttributes[port] } listenPortConfigByPort[port] = cfg } @@ -247,3 +256,153 @@ func (t *defaultModelBuildTask) computeIngressExplicitSSLPolicy(_ context.Contex } return &rawSSLPolicy } + +type MutualAuthenticationConfig struct { + Port int64 `json:"port"` + Mode string `json:"mode"` + TrustStore *string `json:"trustStore,omitempty"` + IgnoreClientCertificateExpiry *bool `json:"ignoreClientCertificateExpiry,omitempty"` +} + +func (t *defaultModelBuildTask) computeIngressMutualAuthentication(ctx context.Context, ing *ClassifiedIngress) (map[int64]*elbv2model.MutualAuthenticationAttributes, error) { + var rawMtlsConfigString string + + // If both Ingress annotation is missing mutual-authentication config, return default mutualAuthentication mode + if exists := t.annotationParser.ParseStringAnnotation(annotations.IngressSuffixMutualAuthentication, &rawMtlsConfigString, ing.Ing.Annotations); !exists { + return map[int64]*elbv2model.MutualAuthenticationAttributes{443: { + Mode: string(elbv2model.MutualAuthenticationOffMode), + }}, nil + + } + var ingressAnnotationEntries []MutualAuthenticationConfig + + if err := json.Unmarshal([]byte(rawMtlsConfigString), &ingressAnnotationEntries); err != nil { + return nil, errors.Wrapf(err, "failed to parse mutualAuthentication configuration from ingress annotation: `%s`", rawMtlsConfigString) + } + if len(ingressAnnotationEntries) == 0 { + return nil, errors.Errorf("empty mutualAuthentication configuration from ingress annotation: `%s`", rawMtlsConfigString) + } + portAndMtlsAttributesMap, err := t.parseMtlsConfigEntries(ctx, ingressAnnotationEntries) + if err != nil { + return nil, err + } + + parsedPortAndMtlsAttributes, err := t.parseMtlsAttributesForTrustStoreNames(ctx, portAndMtlsAttributesMap) + if err != nil { + return nil, err + } + return parsedPortAndMtlsAttributes, nil +} + +func (t *defaultModelBuildTask) parseMtlsConfigEntries(_ context.Context, entries []MutualAuthenticationConfig) (map[int64]*elbv2model.MutualAuthenticationAttributes, error) { + portAndMtlsAttributes := make(map[int64]*elbv2model.MutualAuthenticationAttributes, len(entries)) + + for _, mutualAuthenticationConfig := range entries { + port := mutualAuthenticationConfig.Port + mode := mutualAuthenticationConfig.Mode + truststoreNameOrArn := awssdk.StringValue(mutualAuthenticationConfig.TrustStore) + ignoreClientCert := mutualAuthenticationConfig.IgnoreClientCertificateExpiry + + err := t.validateMutualAuthenticationConfig(port, mode, truststoreNameOrArn, ignoreClientCert) + if err != nil { + return nil, err + } + + if mode == string(elbv2model.MutualAuthenticationVerifyMode) && ignoreClientCert == nil { + ignoreClientCert = awssdk.Bool(false) + } + portAndMtlsAttributes[port] = &elbv2model.MutualAuthenticationAttributes{Mode: mode, TrustStoreArn: awssdk.String(truststoreNameOrArn), IgnoreClientCertificateExpiry: ignoreClientCert} + } + return portAndMtlsAttributes, nil +} + +func (t *defaultModelBuildTask) validateMutualAuthenticationConfig(port int64, mode string, truststoreNameOrArn string, ignoreClientCert *bool) error { + // Verify port value is valid for ALB: [1, 65535] + if port < 1 || port > 65535 { + return errors.Errorf("listen port must be within [1, 65535]: %v", port) + } + //Verify if the mutualAuthentication mode is not empty for a port + if mode == "" { + return errors.Errorf("mutualAuthentication mode cannot be empty for port %v", port) + } + //Verify if the mutualAuthentication mode is valid + validMutualAuthenticationModes := []string{string(elbv2model.MutualAuthenticationOffMode), string(elbv2model.MutualAuthenticationPassthroughMode), string(elbv2model.MutualAuthenticationVerifyMode)} + if !slices.Contains(validMutualAuthenticationModes, mode) { + return errors.Errorf("mutualAuthentication mode value must be among [%v, %v, %v] for port %v : %s", elbv2model.MutualAuthenticationOffMode, elbv2model.MutualAuthenticationPassthroughMode, elbv2model.MutualAuthenticationVerifyMode, port, mode) + } + //Verify if the mutualAuthentication truststoreNameOrArn is not empty for Verify mode + if mode == string(elbv2model.MutualAuthenticationVerifyMode) && truststoreNameOrArn == "" { + return errors.Errorf("trustStore is required when mutualAuthentication mode is verify for port %v", port) + } + //Verify if the mutualAuthentication truststoreNameOrArn is empty for Off and Passthrough modes + if (mode == string(elbv2model.MutualAuthenticationOffMode) || mode == string(elbv2model.MutualAuthenticationPassthroughMode)) && truststoreNameOrArn != "" { + return errors.Errorf("Mutual Authentication mode %s does not support trustStore for port %v", mode, port) + } + //Verify if the mutualAuthentication ignoreClientCert is valid for Off and Passthrough modes + if (mode == string(elbv2model.MutualAuthenticationOffMode) || mode == string(elbv2model.MutualAuthenticationPassthroughMode)) && ignoreClientCert != nil { + return errors.Errorf("Mutual Authentication mode %s does not support ignoring client certificate expiry for port %v", mode, port) + } + + return nil +} + +func (t *defaultModelBuildTask) parseMtlsAttributesForTrustStoreNames(ctx context.Context, portAndMtlsAttributes map[int64]*elbv2model.MutualAuthenticationAttributes) (map[int64]*elbv2model.MutualAuthenticationAttributes, error) { + var trustStoreNames []string + trustStoreNameAndPortMap := make(map[string][]int64) + + for port, attributes := range portAndMtlsAttributes { + mode := attributes.Mode + truststoreNameOrArn := awssdk.StringValue(attributes.TrustStoreArn) + if mode == string(elbv2model.MutualAuthenticationVerifyMode) && !strings.HasPrefix(truststoreNameOrArn, "arn:") { + trustStoreNameAndPortMap[truststoreNameOrArn] = append(trustStoreNameAndPortMap[truststoreNameOrArn], port) + } + } + + if len(trustStoreNameAndPortMap) != 0 { + for names := range trustStoreNameAndPortMap { + trustStoreNames = append(trustStoreNames, names) + } + tsNameAndArnMap, err := t.fetchTrustStoreArnFromName(ctx, trustStoreNames) + if err != nil { + return nil, err + } + for name, ports := range trustStoreNameAndPortMap { + for _, port := range ports { + attributes := portAndMtlsAttributes[port] + if awssdk.StringValue(attributes.TrustStoreArn) != "" { + attributes.TrustStoreArn = tsNameAndArnMap[name] + } + portAndMtlsAttributes[port] = attributes + } + } + } + return portAndMtlsAttributes, nil +} + +func (t *defaultModelBuildTask) fetchTrustStoreArnFromName(ctx context.Context, trustStoreNames []string) (map[string]*string, error) { + tsNameAndArnMap := make(map[string]*string, len(trustStoreNames)) + req := &elbv2sdk.DescribeTrustStoresInput{ + Names: awssdk.StringSlice(trustStoreNames), + } + trustStores, err := t.elbv2Client.DescribeTrustStoresWithContext(ctx, req) + if err != nil { + return nil, err + } + if len(trustStores.TrustStores) == 0 { + return nil, errors.Errorf("couldn't find TrustStore with names %v", trustStoreNames) + } + for _, tsName := range trustStoreNames { + for _, ts := range trustStores.TrustStores { + if tsName == awssdk.StringValue(ts.Name) { + tsNameAndArnMap[tsName] = ts.TrustStoreArn + } + } + } + for _, tsName := range trustStoreNames { + _, exists := tsNameAndArnMap[tsName] + if !exists { + return nil, errors.Errorf("couldn't find TrustStore with name %v", tsName) + } + } + return tsNameAndArnMap, nil +} diff --git a/pkg/ingress/model_builder.go b/pkg/ingress/model_builder.go index bdc348dcf..17939f5bf 100644 --- a/pkg/ingress/model_builder.go +++ b/pkg/ingress/model_builder.go @@ -2,6 +2,7 @@ package ingress import ( "context" + "reflect" "strconv" awssdk "github.com/aws/aws-sdk-go/aws" @@ -37,7 +38,7 @@ type ModelBuilder interface { // NewDefaultModelBuilder constructs new defaultModelBuilder. func NewDefaultModelBuilder(k8sClient client.Client, eventRecorder record.EventRecorder, - ec2Client services.EC2, acmClient services.ACM, + ec2Client services.EC2, elbv2Client services.ELBV2, acmClient services.ACM, annotationParser annotations.Parser, subnetsResolver networkingpkg.SubnetsResolver, authConfigBuilder AuthConfigBuilder, enhancedBackendBuilder EnhancedBackendBuilder, trackingProvider tracking.Provider, elbv2TaggingManager elbv2deploy.TaggingManager, featureGates config.FeatureGates, @@ -50,6 +51,7 @@ func NewDefaultModelBuilder(k8sClient client.Client, eventRecorder record.EventR k8sClient: k8sClient, eventRecorder: eventRecorder, ec2Client: ec2Client, + elbv2Client: elbv2Client, vpcID: vpcID, clusterName: clusterName, annotationParser: annotationParser, @@ -81,6 +83,7 @@ type defaultModelBuilder struct { k8sClient client.Client eventRecorder record.EventRecorder ec2Client services.EC2 + elbv2Client services.ELBV2 vpcID string clusterName string @@ -114,6 +117,7 @@ func (b *defaultModelBuilder) Build(ctx context.Context, ingGroup Group) (core.S k8sClient: b.k8sClient, eventRecorder: b.eventRecorder, ec2Client: b.ec2Client, + elbv2Client: b.elbv2Client, vpcID: b.vpcID, clusterName: b.clusterName, annotationParser: b.annotationParser, @@ -167,6 +171,7 @@ type defaultModelBuildTask struct { k8sClient client.Client eventRecorder record.EventRecorder ec2Client services.EC2 + elbv2Client services.ELBV2 vpcID string clusterName string annotationParser annotations.Parser @@ -299,6 +304,9 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen var mergedTLSCerts []string mergedTLSCertsSet := sets.NewString() + var mergedMtlsAttributesProvider *types.NamespacedName + var mergedMtlsAttributes *elbv2model.MutualAuthenticationAttributes + for _, cfg := range listenPortConfigs { if mergedProtocolProvider == nil { mergedProtocolProvider = &cfg.ingKey @@ -338,6 +346,17 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen mergedTLSCertsSet.Insert(cert) mergedTLSCerts = append(mergedTLSCerts, cert) } + + if cfg.listenPortConfig.mutualAuthentication != nil { + if mergedMtlsAttributesProvider == nil { + mergedMtlsAttributesProvider = &cfg.ingKey + mergedMtlsAttributes = cfg.listenPortConfig.mutualAuthentication + } else if !reflect.DeepEqual(mergedMtlsAttributes, cfg.listenPortConfig.mutualAuthentication) { + return listenPortConfig{}, errors.Errorf("conflicting mTLS Attributes, %v: %v | %v: %v", + *mergedMtlsAttributesProvider, mergedMtlsAttributes, cfg.ingKey, cfg.listenPortConfig.mutualAuthentication) + } + } + } if len(mergedInboundCIDRv4s) == 0 && len(mergedInboundCIDRv6s) == 0 { @@ -348,12 +367,19 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen mergedSSLPolicy = awssdk.String(t.defaultSSLPolicy) } + if mergedProtocol == elbv2model.ProtocolHTTPS && mergedMtlsAttributes == nil { + mergedMtlsAttributes = &elbv2model.MutualAuthenticationAttributes{ + Mode: string(elbv2model.MutualAuthenticationOffMode), + } + } + return listenPortConfig{ - protocol: mergedProtocol, - inboundCIDRv4s: mergedInboundCIDRv4s.List(), - inboundCIDRv6s: mergedInboundCIDRv6s.List(), - sslPolicy: mergedSSLPolicy, - tlsCerts: mergedTLSCerts, + protocol: mergedProtocol, + inboundCIDRv4s: mergedInboundCIDRv4s.List(), + inboundCIDRv6s: mergedInboundCIDRv6s.List(), + sslPolicy: mergedSSLPolicy, + tlsCerts: mergedTLSCerts, + mutualAuthentication: mergedMtlsAttributes, }, nil } diff --git a/pkg/ingress/model_builder_test.go b/pkg/ingress/model_builder_test.go index 6fc0f19c1..f82ceac32 100644 --- a/pkg/ingress/model_builder_test.go +++ b/pkg/ingress/model_builder_test.go @@ -1130,7 +1130,10 @@ func Test_defaultModelBuilder_Build(t *testing.T) { }, "port": 443, "protocol": "HTTPS", - "sslPolicy": "ELBSecurityPolicy-2016-08" + "sslPolicy": "ELBSecurityPolicy-2016-08", + "mutualAuthentication" : { + "mode" : "off" + } } }, "80": null @@ -1735,7 +1738,10 @@ func Test_defaultModelBuilder_Build(t *testing.T) { }, "port": 443, "protocol": "HTTPS", - "sslPolicy": "ingress-class-policy" + "sslPolicy": "ingress-class-policy", + "mutualAuthentication": { + "mode" : "off" + } } }, "80": null @@ -2904,6 +2910,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) { vpcID := "vpc-dummy" clusterName := "cluster-dummy" ec2Client := services.NewMockEC2(ctrl) + elbv2Client := services.NewMockELBV2(ctrl) for _, res := range tt.fields.describeSecurityGroupsResult { ec2Client.EXPECT().DescribeSecurityGroupsAsList(gomock.Any(), gomock.Any()).Return(res.securityGroups, res.err) } @@ -2938,6 +2945,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) { k8sClient: k8sClient, eventRecorder: eventRecorder, ec2Client: ec2Client, + elbv2Client: elbv2Client, vpcID: vpcID, clusterName: clusterName, annotationParser: annotationParser, diff --git a/pkg/model/elbv2/listener.go b/pkg/model/elbv2/listener.go index f43f3979f..b36013e86 100644 --- a/pkg/model/elbv2/listener.go +++ b/pkg/model/elbv2/listener.go @@ -88,6 +88,24 @@ const ( ActionTypeRedirect ActionType = "redirect" ) +// MutualAuthenticationMode mTLS mode for mutual TLS authentication config for listener +type MutualAuthenticationMode string + +// Supported mTLS modes +const ( + MutualAuthenticationOffMode MutualAuthenticationMode = "off" + MutualAuthenticationPassthroughMode MutualAuthenticationMode = "passthrough" + MutualAuthenticationVerifyMode MutualAuthenticationMode = "verify" +) + +type MutualAuthenticationAttributes struct { + Mode string `json:"mode"` + + TrustStoreArn *string `json:"trustStoreArn,omitempty"` + + IgnoreClientCertificateExpiry *bool `json:"ignoreClientCertificateExpiry,omitempty"` +} + type AuthenticateCognitoActionConditionalBehavior string const ( @@ -332,6 +350,10 @@ type ListenerSpec struct { // +optional ALPNPolicy []string `json:"alpnPolicy,omitempty"` + // [HTTPS listener] The mutual TLS authentication config for a secure ALB listener. + // +optional + MutualAuthentication *MutualAuthenticationAttributes `json:"mutualAuthentication,omitempty"` + // The tags. // +optional Tags map[string]string `json:"tags,omitempty"` diff --git a/test/e2e/ingress/vanilla_ingress_test.go b/test/e2e/ingress/vanilla_ingress_test.go index 8337728cb..a63622a0b 100644 --- a/test/e2e/ingress/vanilla_ingress_test.go +++ b/test/e2e/ingress/vanilla_ingress_test.go @@ -91,7 +91,7 @@ var _ = Describe("vanilla ingress tests", func() { }, } annotation := map[string]string{ - "alb.ingress.kubernetes.io/scheme": "internet-facing", + "alb.ingress.kubernetes.io/scheme": "internet-facing", "alb.ingress.kubernetes.io/target-type": "ip", } if tf.Options.IPFamily == "IPv6" { @@ -173,8 +173,8 @@ var _ = Describe("vanilla ingress tests", func() { }, } annotation := map[string]string{ - "kubernetes.io/ingress.class": "alb", - "alb.ingress.kubernetes.io/scheme": "internet-facing", + "kubernetes.io/ingress.class": "alb", + "alb.ingress.kubernetes.io/scheme": "internet-facing", "alb.ingress.kubernetes.io/target-type": "ip", } if tf.Options.IPFamily == "IPv6" {