Split annotation in two

2025-08-06 02:34:03 +00:00 · 2016-05-02 17:43:26 -04:00 · 2016-05-02 17:43:26 -04:00 · 61471965d8
commit 61471965d8
parent 7b7dd7861f
2 changed files with 42 additions and 38 deletions
--- a/pkg/cloudprovider/providers/aws/aws.go
+++ b/pkg/cloudprovider/providers/aws/aws.go
@ -69,15 +69,20 @@ const TagNameSubnetPublicELB = "kubernetes.io/role/elb"
 // This lets us define more advanced semantics in future.
 const ServiceAnnotationLoadBalancerInternal = "service.beta.kubernetes.io/aws-load-balancer-internal"
-// Service annotation requesting a secure listener. Value is [InstanceProtocol=]CertARN
+// Service annotation requesting a secure listener. Value is a valid certificate ARN.
 // If InstanceProtocol is `http` (default) or `https`, an HTTPS listener that terminates the connection and parses headers is created.
 // If it is set to `ssl` or `tcp`, a "raw" SSL listener is used.
 // For more, see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-listener-config.html
 // CertARN is an IAM or CM certificate ARN, e.g. arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012
-const ServiceAnnotationLoadBalancerCertificate = "service.beta.kubernetes.io/aws-load-balancer-certarn"
+const ServiceAnnotationLoadBalancerCertificate = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
-// Maps from instance protocol to ELB protocol
+// Service annotation specifying the protocol spoken by the backend (pod) behind a secure listener.
-var protocolMapping = map[string]string{
+// Only inspected when `aws-load-balancer-ssl-cert` is used.
 // If `http` (default) or `https`, an HTTPS listener that terminates the connection and parses headers is created.
 // If set to `ssl` or `tcp`, a "raw" SSL listener is used.
 const ServiceAnnotationLoadBalancerBEProtocol = "service.beta.kubernetes.io/aws-load-balancer-backend-protocol"
 // Maps from backend protocol to ELB protocol
 var backendProtocolMapping = map[string]string{
 	"https": "https",
 	"http":  "https",
 	"ssl":   "ssl",
@ -2125,19 +2130,15 @@ func getListener(port api.ServicePort, annotations map[string]string) (*elb.List
 	listener.LoadBalancerPort = &loadBalancerPort
 	certID := annotations[ServiceAnnotationLoadBalancerCertificate]
 	if certID != "" {
-		parts := strings.Split(certID, "=")
+		instanceProtocol = annotations[ServiceAnnotationLoadBalancerBEProtocol]
-		if len(parts) == 1 {
+		if instanceProtocol == "" {
 			protocol = "https"
 			instanceProtocol = "http"
 		} else if len(parts) == 2 {
 			instanceProtocol = strings.ToLower(parts[0])
 			protocol = protocolMapping[instanceProtocol]
 			if protocol == "" {
 				return nil, fmt.Errorf("Invalid protocol %s in %s", instanceProtocol, certID)
 			}
 			certID = parts[1]
 		} else {
-			return nil, fmt.Errorf("Invalid certificate annotation %s", certID)
+			protocol = backendProtocolMapping[instanceProtocol]
 			if protocol == "" {
 				return nil, fmt.Errorf("Invalid backend protocol %s in %s", instanceProtocol, certID)
 			}
 		}
 		listener.SSLCertificateId = &certID
 	}
--- a/pkg/cloudprovider/providers/aws/aws_test.go
+++ b/pkg/cloudprovider/providers/aws/aws_test.go
@ -1206,52 +1206,52 @@ func TestGetListener(t *testing.T) {
 		lbPort                    int64
 		instancePort              int64
-		annotation   string
+		backendProtocolAnnotation string
 		certAnnotation            string
 		expectError      bool
 		lbProtocol       string
 		instanceProtocol string
 		certID           string
 		//listener    *elb.Listener
 	}{
 		{
-			"No annotation, passthrough",
+			"No cert or BE protocol annotation, passthrough",
-			80, 8000, "",
+			80, 8000, "", "",
 			false, "tcp", "tcp", "",
 		},
 		{
-			"Invalid cert annotation, no protocol before equal sign",
+			"BE protocol without cert annotation, passthrough",
-			443, 8000, "=foo",
+			443, 8001, "https", "",
 			false, "tcp", "tcp", "",
 		},
 		{
 			"Invalid cert annotation, bogus backend protocol",
 			443, 8002, "bacon", "foo",
 			true, "tcp", "tcp", "cert",
 		},
 		{
-			"Invalid cert annotation, bogus protocol before equal sign",
+			"Invalid cert annotation, protocol followed by equal sign",
-			443, 8000, "bacon=foo",
+			443, 8003, "http=", "=",
 			true, "tcp", "tcp", "cert",
 		},
 		{
 			"Invalid cert annotation, too many equal signs",
 			443, 8000, "==",
 			true, "tcp", "tcp", "cert",
 		},
 		{
 			"HTTPS->HTTPS",
-			443, 8000, "https=cert",
+			443, 8004, "https", "cert",
 			false, "https", "https", "cert",
 		},
 		{
 			"HTTPS->HTTP",
-			443, 8000, "http=cert",
+			443, 8005, "http", "cert",
 			false, "https", "http", "cert",
 		},
 		{
 			"SSL->SSL",
-			443, 8000, "ssl=cert",
+			443, 8006, "ssl", "cert",
 			false, "ssl", "ssl", "cert",
 		},
 		{
 			"SSL->TCP",
-			443, 8000, "tcp=cert",
+			443, 8007, "tcp", "cert",
 			false, "ssl", "tcp", "cert",
 		},
 	}
@ -1259,8 +1259,11 @@ func TestGetListener(t *testing.T) {
 	for _, test := range tests {
 		t.Logf("Running test case %s", test.name)
 		annotations := make(map[string]string)
-		if test.annotation != "" {
+		if test.backendProtocolAnnotation != "" {
-			annotations[ServiceAnnotationLoadBalancerCertificate] = test.annotation
+			annotations[ServiceAnnotationLoadBalancerBEProtocol] = test.backendProtocolAnnotation
 		}
 		if test.certAnnotation != "" {
 			annotations[ServiceAnnotationLoadBalancerCertificate] = test.certAnnotation
 		}
 		l, err := getListener(api.ServicePort{
 			NodePort: int(test.instancePort),
@ -1287,7 +1290,7 @@ func TestGetListener(t *testing.T) {
 					SSLCertificateId: cert,
 				}
 				if !reflect.DeepEqual(l, expected) {
-					t.Errorf("Incorrect listener (%v vs %v) for case: %s",
+					t.Errorf("Incorrect listener (%v vs expected %v) for case: %s",
 						l, expected, test.name)
 				}
 			}