From 14565f05d6299fdecf2659a46d748fc5896b41b9 Mon Sep 17 00:00:00 2001
From: Andrew Garrett
Date: Fri, 26 Oct 2018 22:07:41 +0000
Subject: [PATCH 1/2] Use SSL/HTTPS health checks for ELBs when backend protocol is SSL/HTTPS

Fixes #45746
---
 pkg/cloudprovider/providers/aws/aws.go | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/pkg/cloudprovider/providers/aws/aws.go b/pkg/cloudprovider/providers/aws/aws.go
index dbad7cdd750..bf301bfc0cd 100644
--- a/pkg/cloudprovider/providers/aws/aws.go
+++ b/pkg/cloudprovider/providers/aws/aws.go
@@ -3604,9 +3604,16 @@ func (c *Cloud) EnsureLoadBalancer(ctx context.Context, clusterName string, apiS
 }
 }
+ annotationProtocol := strings.ToLower(annotations[ServiceAnnotationLoadBalancerBEProtocol])
+ var hcProtocol string
 if path, healthCheckNodePort := service.GetServiceHealthCheckPathPort(apiService); path != "" {
 glog.V(4).Infof("service %v (%v) needs health checks on :%d%s)", apiService.Name, loadBalancerName, healthCheckNodePort, path)
- err = c.ensureLoadBalancerHealthCheck(loadBalancer, "HTTP", healthCheckNodePort, path, annotations)
+ if annotationProtocol == "https" || annotationProtocol == "ssl" {
+ hcProtocol = "HTTPS"
+ } else {
+ hcProtocol = "HTTP"
+ }
+ err = c.ensureLoadBalancerHealthCheck(loadBalancer, hcProtocol, healthCheckNodePort, path, annotations)
 if err != nil {
 return nil, fmt.Errorf("Failed to ensure health check for localized service %v on node port %v: %q", loadBalancerName, healthCheckNodePort, err)
 }
@@ -3621,8 +3628,13 @@ func (c *Cloud) EnsureLoadBalancer(ctx context.Context, clusterName string, apiS
 tcpHealthCheckPort = int32(*listener.InstancePort)
 break
 }
+ if annotationProtocol == "https" || annotationProtocol == "ssl" {
+ hcProtocol = "SSL"
+ } else {
+ hcProtocol = "TCP"
+ }
 // there must be no path on TCP health check
- err = c.ensureLoadBalancerHealthCheck(loadBalancer, "TCP", tcpHealthCheckPort, "", annotations)
+ err = c.ensureLoadBalancerHealthCheck(loadBalancer, hcProtocol, tcpHealthCheckPort, "", annotations)
 if err != nil {
 return nil, err
 }
From 72895a84a9670d6f6f8921681c5bbe4b2745319e Mon Sep 17 00:00:00 2001
From: Andrew Garrett
Date: Thu, 3 Jan 2019 17:55:36 +0000
Subject: [PATCH 2/2] PR feedback - do not change protocol for externalTrafficPolicy = Local
---
 pkg/cloudprovider/providers/aws/aws.go | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/pkg/cloudprovider/providers/aws/aws.go b/pkg/cloudprovider/providers/aws/aws.go
index 5487f92dde1..c88c9aff2f8 100644
--- a/pkg/cloudprovider/providers/aws/aws.go
+++ b/pkg/cloudprovider/providers/aws/aws.go
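Review bot: In the hunk at -3621 of PATCH 1/2, `hcProtocol` is chosen from the service-wide backend-protocol annotation, while `tcpHealthCheckPort` comes from whichever listener the loop reaches before `break`, so the check's protocol and port are not tied to the same listener. If listeners can end up with different instance protocols (the code that builds them is outside this hunk), an `SSL` check may be pointed at a plaintext instance port and take healthy nodes out of service; any annotation value other than `https`/`ssl` also falls back to `TCP` without a log line. Reading the protocol from the selected listener next to its port, e.g. from `listener.InstanceProtocol` alongside `listener.InstancePort`, would keep the two consistent. The retained comment is now stale and could read `// there must be no path on TCP or SSL health checks`. The second hunk of PATCH 2/2 only moves the two declarations and leaves this logic unchanged; the loop and the function begin outside the hunk.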
@@ -3589,16 +3589,9 @@ func (c *Cloud) EnsureLoadBalancer(ctx context.Context, clusterName string, apiS
 }
 }
- annotationProtocol := strings.ToLower(annotations[ServiceAnnotationLoadBalancerBEProtocol])
- var hcProtocol string
 if path, healthCheckNodePort := service.GetServiceHealthCheckPathPort(apiService); path != "" {
 klog.V(4).Infof("service %v (%v) needs health checks on :%d%s)", apiService.Name, loadBalancerName, healthCheckNodePort, path)
- if annotationProtocol == "https" || annotationProtocol == "ssl" {
- hcProtocol = "HTTPS"
- } else {
- hcProtocol = "HTTP"
- }
- err = c.ensureLoadBalancerHealthCheck(loadBalancer, hcProtocol, healthCheckNodePort, path, annotations)
+ err = c.ensureLoadBalancerHealthCheck(loadBalancer, "HTTP", healthCheckNodePort, path, annotations)
 if err != nil {
 return nil, fmt.Errorf("Failed to ensure health check for localized service %v on node port %v: %q", loadBalancerName, healthCheckNodePort, err)
 }
@@ -3613,6 +3606,8 @@ func (c *Cloud) EnsureLoadBalancer(ctx context.Context, clusterName string, apiS
 tcpHealthCheckPort = int32(*listener.InstancePort)
 break
 }
+ annotationProtocol := strings.ToLower(annotations[ServiceAnnotationLoadBalancerBEProtocol])
+ var hcProtocol string
 if annotationProtocol == "https" || annotationProtocol == "ssl" {
 hcProtocol = "SSL"
 } else {
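Review bot: The literal `"HTTP"` restored in the `path != ""` branch (hunk at -3589 of PATCH 2/2) carries no comment saying why this branch ignores the backend-protocol annotation while the TCP/SSL branch below honours it, so the asymmetry is likely to be "fixed" again the way PATCH 1/2 did. A comment above the call such as `// healthCheckNodePort is always probed over plain HTTP, regardless of the backend-protocol annotation` would record the intent. The reason is inferred from the commit subject only, so the wording should be confirmed against whatever serves that port. The enclosing function starts and ends outside the hunk.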