From 1709ae0abc8506539035a11eaa05ea420e5ed615 Mon Sep 17 00:00:00 2001
From: guessi
Date: Tue, 30 Jan 2024 11:23:35 +0800
Subject: [PATCH 1/3] Improvement for the error log while Subnet Discovery failed
---
 pkg/networking/subnet_resolver.go | 6 ++++-
 pkg/networking/subnet_resolver_test.go | 35 ++++++++++++++++++++++++--
 2 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/pkg/networking/subnet_resolver.go b/pkg/networking/subnet_resolver.go
index db90fa057d..5186299d77 100644
--- a/pkg/networking/subnet_resolver.go
+++ b/pkg/networking/subnet_resolver.go
@@ -198,7 +198,10 @@ func (r *defaultSubnetsResolver) ResolveViaSelector(ctx context.Context, selecto
 },
 },
 }
+
+ targetTagKeys := []string{}
 for key, values := range selector.Tags {
+ targetTagKeys = append(targetTagKeys, key)
 req.Filters = append(req.Filters, &ec2sdk.Filter{
 Name: awssdk.String("tag:" + key),
 Values: awssdk.StringSlice(values),
@@ -209,7 +212,8 @@ func (r *defaultSubnetsResolver) ResolveViaSelector(ctx context.Context, selecto
 if err != nil {
 return nil, err
 }
- explanation = fmt.Sprintf("%d match VPC and tags", len(allSubnets))
+ explanation = fmt.Sprintf("%d match VPC and tags: %s", len(allSubnets), targetTagKeys)
+
 var subnets []*ec2sdk.Subnet
 taggedOtherCluster := 0
 for _, subnet := range allSubnets {
diff --git a/pkg/networking/subnet_resolver_test.go b/pkg/networking/subnet_resolver_test.go
index 5de8d060ab..8859e01239 100644
--- a/pkg/networking/subnet_resolver_test.go
+++ b/pkg/networking/subnet_resolver_test.go
@@ -203,7 +203,7 @@ func Test_defaultSubnetsResolver_ResolveViaDiscovery(t *testing.T) {
 },
 },
 {
- name: "ALB with no matching subnets",
+ name: "ALB with no matching subnets (internal)",
 fields: fields{
 vpcID: "vpc-1",
 clusterName: "kube-cluster",
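Review bot: The tag keys formatted into `explanation` in the `@@ -209` hunk are collected by ranging over the `selector.Tags` map in the `@@ -198` hunk, so whenever a selector carries more than one tag the order of keys in the error message changes from run to run; sort them before formatting, e.g. `sort.Strings(targetTagKeys)` immediately ahead of the `fmt.Sprintf` (adding `sort` to the file's imports if it is not already there). While touching it, `targetTagKeys := make([]string, 0, len(selector.Tags))` avoids regrowth for the `[]string{}` literal, and `%v` is the conventional verb for a slice even though `%s` renders a `[]string` identically. The new cases in the `@@ -231` hunk of subnet_resolver_test.go each assert a single tag key in the expected error, so they do not exercise the multi-key ordering. ResolveViaSelector begins before and continues after both hunks.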
@@ -231,7 +231,38 @@ func Test_defaultSubnetsResolver_ResolveViaDiscovery(t *testing.T) {
 WithSubnetsResolveLBScheme(elbv2model.LoadBalancerSchemeInternal),
 },
 },
- wantErr: errors.New("unable to resolve at least one subnet (0 match VPC and tags)"),
+ wantErr: errors.New("unable to resolve at least one subnet (0 match VPC and tags: [kubernetes.io/role/internal-elb])"),
+ },
+ {
+ name: "ALB with no matching subnets (internet-facing)",
+ fields: fields{
+ vpcID: "vpc-1",
+ clusterName: "kube-cluster",
+ describeSubnetsAsListCalls: []describeSubnetsAsListCall{
+ {
+ input: &ec2sdk.DescribeSubnetsInput{
+ Filters: []*ec2sdk.Filter{
+ {
+ Name: awssdk.String("vpc-id"),
+ Values: awssdk.StringSlice([]string{"vpc-1"}),
+ },
+ {
+ Name: awssdk.String("tag:kubernetes.io/role/elb"),
+ Values: awssdk.StringSlice([]string{"", "1"}),
+ },
+ },
+ },
+ output: nil,
+ },
+ },
+ },
+ args: args{
+ opts: []SubnetsResolveOption{
+ WithSubnetsResolveLBType(elbv2model.LoadBalancerTypeApplication),
+ WithSubnetsResolveLBScheme(elbv2model.LoadBalancerSchemeInternetFacing),
+ },
+ },
+ wantErr: errors.New("unable to resolve at least one subnet (0 match VPC and tags: [kubernetes.io/role/elb])"),
 },
 {
 name: "NLB with one matching subnet",
From 41ebb0b485556417a0820d1624ac0d5e1d37cd1b Mon Sep 17 00:00:00 2001
From: Matt Dainty
Date: Tue, 30 Jan 2024 21:19:58 +0000
Subject: [PATCH 2/3] fix: Add revisionHistoryLimit override (#3486)
Signed-off-by: Matt Dainty
---
 helm/aws-load-balancer-controller/README.md | 1 +
 helm/aws-load-balancer-controller/templates/deployment.yaml | 1 +
 helm/aws-load-balancer-controller/values.yaml | 2 ++
 3 files changed, 4 insertions(+)
diff --git a/helm/aws-load-balancer-controller/README.md b/helm/aws-load-balancer-controller/README.md
index 02b47ea152..dbb5aaf04f 100644
--- a/helm/aws-load-balancer-controller/README.md
+++ b/helm/aws-load-balancer-controller/README.md
@@ -246,6 +246,7 @@ The default values set by the application itself can be confirmed [here](https:/
 | `extraVolumes` | Extra volumes for the pod | `[]` |
 | `defaultTags` | Default tags to apply to all AWS resources managed by this controller | `{}` |
 | `replicaCount` | Number of controller pods to run, only one will be active due to leader election | `2` |
+| `revisionHistoryLimit` | Number of revisions to keep | `10` |
 | `podDisruptionBudget` | Limit the disruption for controller pods. Require at least 2 controller replicas and 3 worker nodes | `{}` |
 | `updateStrategy` | Defines the update strategy for the deployment | `{}` |
 | `enableCertManager` | If enabled, cert-manager issues the webhook certificates instead of the helm template, requires cert-manager and it's CRDs to be installed | `false` |
diff --git a/helm/aws-load-balancer-controller/templates/deployment.yaml b/helm/aws-load-balancer-controller/templates/deployment.yaml
index 73967b5cdc..3984bf4500 100644
--- a/helm/aws-load-balancer-controller/templates/deployment.yaml
+++ b/helm/aws-load-balancer-controller/templates/deployment.yaml
@@ -11,6 +11,7 @@ metadata:
 {{- include "aws-load-balancer-controller.labels" . | nindent 4 }}
 spec:
 replicas: {{ .Values.replicaCount }}
+ revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
 selector:
 matchLabels:
 {{- include "aws-load-balancer-controller.selectorLabels" . | nindent 6 }}
diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml
index b4fbab46c9..da7c6e039e 100644
--- a/helm/aws-load-balancer-controller/values.yaml
+++ b/helm/aws-load-balancer-controller/values.yaml
@@ -4,6 +4,8 @@ replicaCount: 2
+revisionHistoryLimit: 10
+
 image:
 repository: public.ecr.aws/eks/aws-load-balancer-controller
 tag: v2.6.1
From a95e471872811f76635bb555acf7bad20f663b0f Mon Sep 17 00:00:00 2001
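Review bot: `revisionHistoryLimit: 10` in the values.yaml hunk is added without a comment, and the deployment.yaml hunk renders `{{ .Values.revisionHistoryLimit }}` unconditionally, so nothing in values.yaml tells an operator what the number controls or what an override must look like. A one-line comment above the key, `# Number of old ReplicaSets kept for the controller Deployment so it can be rolled back; 0 keeps none`, would cover it, and the README row's "Number of revisions to keep" could be sharpened the same way. If the value is overridden with an empty value the rendered field appears to become `revisionHistoryLimit:` with no value, which the API server should treat as unset; if that is the intended way back to the cluster default it is worth saying so in the same comment.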
From: Shraddha Bang <18206078+shraddhabang@users.noreply.github.com>
Date: Tue, 30 Jan 2024 18:07:13 -0800
Subject: [PATCH 3/3] Doc updates for mTLS feature and minor documentation bugs (#3547)
* Doc updates for mTLS feature and minor documentation bugs
* Addressing comment
---
 docs/deploy/configurations.md | 25 +++---
 docs/deploy/installation.md | 2 +-
 docs/guide/ingress/annotations.md | 122 +++++++++++++++++++-----------
 docs/guide/ingress/spec.md | 1 +
 docs/guide/service/annotations.md | 1 +
 5 files changed, 94 insertions(+), 57 deletions(-)
diff --git a/docs/deploy/configurations.md b/docs/deploy/configurations.md
index baacbd5200..2374a8fe4c 100644
--- a/docs/deploy/configurations.md
+++ b/docs/deploy/configurations.md
@@ -161,15 +161,16 @@ If running on EC2, the default values are obtained from the instance metadata se ### Feature Gates They are a set of kye=value pairs that describe AWS load balance controller features. You can use it as flags `--feature-gates=key1=value1,key2=value2` -|Features-gate Supported Key | Type | Default Value | Description | -|---------------------------------------|---------------------------------|-----------------|-------------| -| ListenerRulesTagging | string | true | Enable or disable tagging AWS load balancer listeners and rules | -| WeightedTargetGroups | string | true | Enable or disable weighted target groups | -| ServiceTypeLoadBalancerOnly | string | false | If enabled, controller will be limited to reconciling service of type `LoadBalancer`| -| EndpointsFailOpen | string | true | Enable or disable allowing endpoints with `ready:unknown` state in the target groups. | -| EnableServiceController | string | true | Toggles support for `Service` type resources. | -| EnableIPTargetType | string | true | Used to toggle support for target-type `ip` across `Ingress` and `Service` type resources. | -| EnableRGTAPI | string | false | If enabled, the tagging manager will describe resource tags via RGT APIs, otherwise via ELB APIs. In order to enable RGT API, `tag:GetResources` is needed in controller IAM policy. 
| -| SubnetsClusterTagCheck | string | true | Enable or disable the check for `kubernetes.io/cluster/${cluster-name}` during subnet auto-discovery | -| NLBHealthCheckAdvancedConfiguration | string | true | Enable or disable advanced health check configuration for NLB, for example health check timeout | -| ALBSingleSubnet | string | false | If enabled, controller will allow using only 1 subnet for provisioning ALB, which need to get whitelisted by ELB in advance | +|Features-gate Supported Key | Type | Default Value | Description | +|---------------------------------------|---------------------------------|---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| ListenerRulesTagging | string | true | Enable or disable tagging AWS load balancer listeners and rules | +| WeightedTargetGroups | string | true | Enable or disable weighted target groups | +| ServiceTypeLoadBalancerOnly | string | false | If enabled, controller will be limited to reconciling service of type `LoadBalancer` | +| EndpointsFailOpen | string | true | Enable or disable allowing endpoints with `ready:unknown` state in the target groups. | +| EnableServiceController | string | true | Toggles support for `Service` type resources. | +| EnableIPTargetType | string | true | Used to toggle support for target-type `ip` across `Ingress` and `Service` type resources. | +| EnableRGTAPI | string | false | If enabled, the tagging manager will describe resource tags via RGT APIs, otherwise via ELB APIs. In order to enable RGT API, `tag:GetResources` is needed in controller IAM policy. 
| +| SubnetsClusterTagCheck | string | true | Enable or disable the check for `kubernetes.io/cluster/${cluster-name}` during subnet auto-discovery | +| NLBHealthCheckAdvancedConfiguration | string | true | Enable or disable advanced health check configuration for NLB, for example health check timeout | +| ALBSingleSubnet | string | false | If enabled, controller will allow using only 1 subnet for provisioning ALB, which need to get whitelisted by ELB in advance | +| NLBSecurityGroup | string | true | Enable or disable all NLB security groups actions including frontend sg creation, backend sg creation, and backend sg modifications | diff --git a/docs/deploy/installation.md b/docs/deploy/installation.md index 399142032e..8fbd97b213 100644 --- a/docs/deploy/installation.md +++ b/docs/deploy/installation.md @@ -203,7 +203,7 @@ We recommend using the Helm chart to install the controller. The chart supports ### Install `cert-manager` ``` - kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml + kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.12.3/cert-manager.yaml ``` ### Apply YAML diff --git a/docs/guide/ingress/annotations.md b/docs/guide/ingress/annotations.md index fadcd6dfe8..ff8a893f07 100644 --- a/docs/guide/ingress/annotations.md +++ b/docs/guide/ingress/annotations.md 
@@ -14,49 +14,50 @@ You can add annotations to kubernetes Ingress and Service objects to customize t - Merge: such annotation can be specified on all Ingresses within IngressGroup, and will be merged together. ## Annotations -|Name | Type |Default|Location|MergeBehavior| -|---------------------------|------|-------|--------|------| -|[alb.ingress.kubernetes.io/load-balancer-name](#load-balancer-name)|string|N/A|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/group.name](#group.name)|string|N/A|Ingress|N/A| -|[alb.ingress.kubernetes.io/group.order](#group.order)|integer|0|Ingress|N/A| -|[alb.ingress.kubernetes.io/tags](#tags)|stringMap|N/A|Ingress,Service|Merge| -|[alb.ingress.kubernetes.io/ip-address-type](#ip-address-type)|ipv4 \| dualstack|ipv4|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/scheme](#scheme)|internal \| internet-facing|internal|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/subnets](#subnets)|stringList|N/A|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/security-groups](#security-groups)|stringList|N/A|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/manage-backend-security-group-rules](#manage-backend-security-group-rules)|boolean|N/A|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/customer-owned-ipv4-pool](#customer-owned-ipv4-pool)|string|N/A|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/load-balancer-attributes](#load-balancer-attributes)|stringMap|N/A|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/wafv2-acl-arn](#wafv2-acl-arn)|string|N/A|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/waf-acl-id](#waf-acl-id)|string|N/A|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/shield-advanced-protection](#shield-advanced-protection)|boolean|N/A|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/listen-ports](#listen-ports)|json|'[{"HTTP": 80}]' \| '[{"HTTPS": 443}]'|Ingress|Merge| -|[alb.ingress.kubernetes.io/ssl-redirect](#ssl-redirect)|integer|N/A|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/inbound-cidrs](#inbound-cidrs)|stringList|0.0.0.0/0, 
::/0|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/certificate-arn](#certificate-arn)|stringList|N/A|Ingress|Merge| -|[alb.ingress.kubernetes.io/ssl-policy](#ssl-policy)|string|ELBSecurityPolicy-2016-08|Ingress|Exclusive| -|[alb.ingress.kubernetes.io/target-type](#target-type)|instance \| ip|instance|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/backend-protocol](#backend-protocol)|HTTP \| HTTPS|HTTP|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/backend-protocol-version](#backend-protocol-version)|string | HTTP1 |Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/target-group-attributes](#target-group-attributes)|stringMap|N/A|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/healthcheck-port](#healthcheck-port)|integer \| traffic-port|traffic-port|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/healthcheck-protocol](#healthcheck-protocol)|HTTP \| HTTPS|HTTP|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/healthcheck-path](#healthcheck-path)|string|/ \| /AWS.ALB/healthcheck |Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/healthcheck-interval-seconds](#healthcheck-interval-seconds)|integer|'15'|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/healthcheck-timeout-seconds](#healthcheck-timeout-seconds)|integer|'5'|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/healthy-threshold-count](#healthy-threshold-count)|integer|'2'|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/unhealthy-threshold-count](#unhealthy-threshold-count)|integer|'2'|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/success-codes](#success-codes)|string|'200' \| '12' |Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/auth-type](#auth-type)|none\|oidc\|cognito|none|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/auth-idp-cognito](#auth-idp-cognito)|json|N/A|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/auth-idp-oidc](#auth-idp-oidc)|json|N/A|Ingress,Service|N/A| 
-|[alb.ingress.kubernetes.io/auth-on-unauthenticated-request](#auth-on-unauthenticated-request)|authenticate\|allow\|deny|authenticate|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/auth-scope](#auth-scope)|string|openid|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/auth-session-cookie](#auth-session-cookie)|string|AWSELBAuthSessionCookie|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/auth-session-timeout](#auth-session-timeout)|integer|'604800'|Ingress,Service|N/A| -|[alb.ingress.kubernetes.io/actions.${action-name}](#actions)|json|N/A|Ingress|N/A| -|[alb.ingress.kubernetes.io/conditions.${conditions-name}](#conditions)|json|N/A|Ingress|N/A| -|[alb.ingress.kubernetes.io/target-node-labels](#target-node-labels)|stringMap|N/A|Ingress,Service|N/A| +| Name | Type |Default|Location|MergeBehavior| +|-------------------------------------------------------------------------------------------------------|-----------------------------|-------|--------|------| +| [alb.ingress.kubernetes.io/load-balancer-name](#load-balancer-name) | string |N/A|Ingress|Exclusive| +| [alb.ingress.kubernetes.io/group.name](#group.name) | string |N/A|Ingress|N/A| +| [alb.ingress.kubernetes.io/group.order](#group.order) | integer |0|Ingress|N/A| +| [alb.ingress.kubernetes.io/tags](#tags) | stringMap |N/A|Ingress,Service|Merge| +| [alb.ingress.kubernetes.io/ip-address-type](#ip-address-type) | ipv4 \| dualstack |ipv4|Ingress|Exclusive| +| [alb.ingress.kubernetes.io/scheme](#scheme) | internal \| internet-facing |internal|Ingress|Exclusive| +| [alb.ingress.kubernetes.io/subnets](#subnets) | stringList |N/A|Ingress|Exclusive| +| [alb.ingress.kubernetes.io/security-groups](#security-groups) | stringList |N/A|Ingress|Exclusive| +| [alb.ingress.kubernetes.io/manage-backend-security-group-rules](#manage-backend-security-group-rules) | boolean |N/A|Ingress|Exclusive| +| [alb.ingress.kubernetes.io/customer-owned-ipv4-pool](#customer-owned-ipv4-pool) | string |N/A|Ingress|Exclusive| +| 
[alb.ingress.kubernetes.io/load-balancer-attributes](#load-balancer-attributes) | stringMap |N/A|Ingress|Exclusive| +| [alb.ingress.kubernetes.io/wafv2-acl-arn](#wafv2-acl-arn) | string |N/A|Ingress|Exclusive| +| [alb.ingress.kubernetes.io/waf-acl-id](#waf-acl-id) | string |N/A|Ingress|Exclusive| +| [alb.ingress.kubernetes.io/shield-advanced-protection](#shield-advanced-protection) | boolean |N/A|Ingress|Exclusive| +| [alb.ingress.kubernetes.io/listen-ports](#listen-ports) | json |'[{"HTTP": 80}]' \| '[{"HTTPS": 443}]'|Ingress|Merge| +| [alb.ingress.kubernetes.io/ssl-redirect](#ssl-redirect) | integer |N/A|Ingress|Exclusive| +| [alb.ingress.kubernetes.io/inbound-cidrs](#inbound-cidrs) | stringList |0.0.0.0/0, ::/0|Ingress|Exclusive| +| [alb.ingress.kubernetes.io/certificate-arn](#certificate-arn) | stringList |N/A|Ingress|Merge| +| [alb.ingress.kubernetes.io/ssl-policy](#ssl-policy) | string |ELBSecurityPolicy-2016-08|Ingress|Exclusive| +| [alb.ingress.kubernetes.io/target-type](#target-type) | instance \| ip |instance|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/backend-protocol](#backend-protocol) | HTTP \| HTTPS |HTTP|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/backend-protocol-version](#backend-protocol-version) | string | HTTP1 |Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/target-group-attributes](#target-group-attributes) | stringMap |N/A|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/healthcheck-port](#healthcheck-port) | integer \| traffic-port |traffic-port|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/healthcheck-protocol](#healthcheck-protocol) | HTTP \| HTTPS |HTTP|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/healthcheck-path](#healthcheck-path) | string |/ \| /AWS.ALB/healthcheck |Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/healthcheck-interval-seconds](#healthcheck-interval-seconds) | integer |'15'|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/healthcheck-timeout-seconds](#healthcheck-timeout-seconds) | 
integer |'5'|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/healthy-threshold-count](#healthy-threshold-count) | integer |'2'|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/unhealthy-threshold-count](#unhealthy-threshold-count) | integer |'2'|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/success-codes](#success-codes) | string |'200' \| '12' |Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/auth-type](#auth-type) | none\|oidc\|cognito |none|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/auth-idp-cognito](#auth-idp-cognito) | json |N/A|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/auth-idp-oidc](#auth-idp-oidc) | json |N/A|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/auth-on-unauthenticated-request](#auth-on-unauthenticated-request) | authenticate\|allow\|deny |authenticate|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/auth-scope](#auth-scope) | string |openid|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/auth-session-cookie](#auth-session-cookie) | string |AWSELBAuthSessionCookie|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/auth-session-timeout](#auth-session-timeout) | integer |'604800'|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/actions.${action-name}](#actions) | json |N/A|Ingress|N/A| +| [alb.ingress.kubernetes.io/conditions.${conditions-name}](#conditions) | json |N/A|Ingress|N/A| +| [alb.ingress.kubernetes.io/target-node-labels](#target-node-labels) | stringMap |N/A|Ingress,Service|N/A| +| [alb.ingress.kubernetes.io/mutual-authentication](#mutual-authentication) | json |'[{"port": 443, "mode": "off"}]'|Ingress|Exclusive| ## IngressGroup IngressGroup feature enables you to group multiple Ingress resources together. 
@@ -761,6 +762,36 @@ TLS support can be controlled with the following annotations: alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-1-2017-01 ``` +- `alb.ingress.kubernetes.io/mutual-authentication` specifies the mutual authentication configuration that should be assigned to the Application Load Balancer secure listener ports. See [Mutual authentication with TLS](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html) in the AWS documentation for more details. + + !!!note "Configuration Options" + - `port: listen port ` + - Must be a HTTPS port specified by [listen-ports](#listen-ports). + - `mode: "off" (default) | "passthrough" | "verify"` + - `verify` mode requires an existing trust store resource. + - See [Create a trust store](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html#create-trust-store) in the AWS documentation for more details. + - `trustStore: ARN (arn:aws:elasticloadbalancing:trustStoreArn) | Name (my-trust-store)` + - Both ARN and Name of trustStore are supported values. + - `trustStore` is required when mode is `verify`. + - `ignoreClientCertificateExpiry : true | false (default)` + + !!!example + - [listen-ports](#listen-ports) specifies four HTTPS ports: `80, 443, 8080, 8443` + - listener `HTTPS:80` will be set to `passthrough` mode + - listener `HTTPS:443` will be set to `verify` mode, associated with trust store arn `arn:aws:elasticloadbalancing:trustStoreArn` and have `ignoreClientCertificateExpiry` set to `true` + - listeners `HTTPS:8080` and `HTTPS:8443` remain in the default mode `off`. 
+ ``` + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 80}, {"HTTPS": 443}, {"HTTPS": 8080}, {"HTTPS": 8443}]' + alb.ingress.kubernetes.io/mutual-authentication: '[{"port": 80, "mode": "passthrough"}, + {"port": 443, "mode": "verify", "trustStore": "arn:aws:elasticloadbalancing:trustStoreArn", "ignoreClientCertificateExpiry" : true}]' + ``` + + !!!note "Note" + To avoid conflict errors in IngressGroup, this annotation should only be specified on a single Ingress within IngressGroup or specified with same value across all Ingresses within IngressGroup. + + !!!warning "Trust stores limit per Application Load Balancer" + A maximum of two different trust stores can be associated among listeners on the same ingress. See [Quotas for your Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-limits.html) in the AWS documentation for more details. + ## Custom attributes Custom attributes to LoadBalancers and TargetGroups can be controlled with following annotations: @@ -794,7 +825,10 @@ Custom attributes to LoadBalancers and TargetGroups can be controlled with follo ``` alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=600 ``` - + - enable [connection logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-connection-logs.html) + ``` + alb.ingress.kubernetes.io/load-balancer-attributes: connection_logs.s3.enabled=true,connection_logs.s3.bucket=my-connection-log-bucket,connection_logs.s3.prefix=my-app + ``` - `alb.ingress.kubernetes.io/target-group-attributes` specifies [Target Group Attributes](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-attributes) which should be applied to Target Groups. !!!example diff --git a/docs/guide/ingress/spec.md b/docs/guide/ingress/spec.md index 8377aee253..f8bf48b8e0 100644 --- a/docs/guide/ingress/spec.md +++ b/docs/guide/ingress/spec.md 
@@ -24,6 +24,7 @@ spec:
 http:
 paths:
 - path: /*
+ pathType: ImplementationSpecific
 backend:
 service:
 name: "service-2048"
diff --git a/docs/guide/service/annotations.md b/docs/guide/service/annotations.md
index f070c09547..e3a9bfe764 100644
--- a/docs/guide/service/annotations.md
+++ b/docs/guide/service/annotations.md
@@ -295,6 +295,7 @@ Health check on target groups can be configured with following annotations:
 - you can specify `tcp`, or `http` or `https`, `tcp` is the default
 - `tcp` is the default health check protocol if the service `spec.externalTrafficPolicy` is `Cluster`, `http` if `Local`
 - if the service `spec.externalTrafficPolicy` is `Local`, do **not** use `tcp` for health check
+ - Supports only single protocol per service
 !!!example
 ```service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http