
add TLS support for NLB / fix several NLB bugs #74910

Merged
merged 1 commit into kubernetes:master from M00nF1sh:nlb_tls May 1, 2019

Conversation

@M00nF1sh
Contributor

commented Mar 4, 2019

What type of PR is this?
/kind feature

What this PR does / why we need it:
Add TLS support for NLB
Fix several NLB bugs(around targetGroup naming/tagging)

Which issue(s) this PR fixes:

Fixes #73297
Fixes #69264
Fixes #75006

Special notes for your reviewer:

  1. New targetGroups will get the name k8s-{namespace:8}-{name:8}-{uuid:10}.
  2. TLS is an upgraded version of the SSL protocol. In CLB, both SSL and TLS are identified as SSL; however, in ALB/NLB, both SSL and TLS are identified as TLS. To avoid confusion and ease migration from CLB to NLB, service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl is reused for denoting backend SSL in NLB as well.
  3. Tests done:
    • migration from TCP to TLS termination:

      1. create an NLB service with TCP port (443), which forwards to backend HTTPS port (443).
      2. access the NLB, observed TLS termination at the backend works fine (cert by backend).
      3. migrate to NLB TLS termination by adding two annotations: service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arnOfACMCert and service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
      4. access the NLB, observed TLS termination at the NLB works fine (cert by ACM), and the NLB still talks to the backend in TLS 😄.
      5. migrate to TCP backend by removing annotation service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl, and changing the service targetPort to an HTTP port.
      6. access the NLB, observed TLS termination at the NLB works fine (cert by ACM), and the NLB still talks to the backend in TCP (HTTP) 😄.
      7. migrate back to TLS backend by adding annotation service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl, and changing the service targetPort to a TLS port.
      8. access the NLB, observed TLS termination at the NLB works fine (cert by ACM), and the NLB still talks to the backend in TCP (HTTP) 😄.
    • create an NLB service with multiple TLS/TCP ports:

      1. create an NLB service with TCP port (80), which forwards to backend HTTP port (80), and TLS port (443), which forwards to backend HTTP port (80), by adding annotations service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arnOfACMCert and service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443
      2. observed both ports (80:TCP, 443:TLS) work as expected.
    • add a TLS port to an existing NLB service:

      1. create an NLB service with TCP port (80), which forwards to backend HTTP port (80).
      2. add a TLS port (443), which forwards to backend HTTP port (80), by adding annotations service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arnOfACMCert and service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 443
      3. observed both ports (80:TCP, 443:TLS) work as expected.
    • modify SSL policy:

      1. create an NLB service with a TLS port.
      2. modify the SSL policy by adding annotation service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-2016-08
      3. verify the SSL policy is updated.
    • targetGroup names / tagging:

      1. during the above testing, all new targetGroups are tagged properly and named properly. targetGroups are recreated as needed (while old targetGroups get deleted).

Does this PR introduce a user-facing change?:

Add TLS termination support for NLB
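
As an added example (not part of the PR or its description), this is the Service manifest that the "multiple TLS/TCP ports" and "modify SSL policy" test cases above correspond to. The certificate ARN is a placeholder, and the `aws-load-balancer-type: nlb` annotation, which predates this PR, is what selects an NLB instead of a CLB.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: demo
  annotations:
    # Provision an NLB instead of the default CLB (pre-existing annotation).
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    # ACM certificate the NLB presents to clients; placeholder ARN.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID
    # Only the listener on port 443 terminates TLS; port 80 stays plain TCP.
    # Quoted because annotation values must be strings.
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    # TLS policy for the TLS listener (value taken from the test steps above).
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-2016-08
    # Omitted here because the backend speaks plain HTTP; set it to ssl (and
    # point targetPort at a TLS port) when the NLB should re-encrypt to the backend.
    # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
  - name: https
    port: 443        # TLS terminated at the NLB with the ACM cert
    targetPort: 80   # forwarded to the backend as plain HTTP
    protocol: TCP
```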

@k8s-ci-robot k8s-ci-robot requested review from gnufied and jsafrane Mar 4, 2019

@M00nF1sh M00nF1sh force-pushed the M00nF1sh:nlb_tls branch from 81eb49d to dac7f67 Mar 5, 2019

@k8s-ci-robot k8s-ci-robot added size/L and removed size/M labels Mar 5, 2019

@M00nF1sh M00nF1sh force-pushed the M00nF1sh:nlb_tls branch 4 times, most recently from b892012 to a30a909 Mar 5, 2019

@M00nF1sh M00nF1sh changed the title from "[WIP]add TLS support for NLB" to "add TLS support for NLB" Mar 6, 2019

@M00nF1sh M00nF1sh force-pushed the M00nF1sh:nlb_tls branch from a30a909 to 7266c6d Mar 6, 2019

@M00nF1sh M00nF1sh changed the title from "add TLS support for NLB" to "add TLS support for NLB / Fix several NLB bugs" Mar 6, 2019

@M00nF1sh M00nF1sh changed the title from "add TLS support for NLB / Fix several NLB bugs" to "add TLS support for NLB / fix several NLB bugs" Mar 6, 2019

@M00nF1sh

Contributor Author

commented Mar 6, 2019

/assign @micahhausler

@M00nF1sh

Contributor Author

commented Mar 6, 2019

/test pull-kubernetes-e2e-gce-100-performance

@usvgmani


commented Mar 11, 2019

Do we know when this bug will be fixed? We are interested in installing Istio on our AWS EKS with multiple NLBs --> Fixes #69264

@evanfuller


commented Mar 27, 2019

Any updates? I'm also interested in this feature.

@yurrriq


commented Apr 8, 2019

Any update or timeline for this getting merged?

@M00nF1sh M00nF1sh force-pushed the M00nF1sh:nlb_tls branch from 7266c6d to 1d6fe8c Apr 12, 2019

@lelabo-marc


commented Apr 18, 2019

@yurrriq


commented Apr 30, 2019

/bump

@micahhausler
Member

left a comment

/approve
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Apr 30, 2019

@k8s-ci-robot

Contributor

commented Apr 30, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: M00nF1sh, micahhausler

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@M00nF1sh

Contributor Author

commented Apr 30, 2019

/test pull-kubernetes-kubemark-e2e-gce-big

@k8s-ci-robot k8s-ci-robot merged commit 4f08ea9 into kubernetes:master May 1, 2019

20 checks passed

cla/linuxfoundation: M00nF1sh authorized
pull-kubernetes-bazel-build: Job succeeded.
pull-kubernetes-bazel-test: Job succeeded.
pull-kubernetes-conformance-image-test: Skipped.
pull-kubernetes-cross: Skipped.
pull-kubernetes-dependencies: Job succeeded.
pull-kubernetes-e2e-gce: Job succeeded.
pull-kubernetes-e2e-gce-100-performance: Job succeeded.
pull-kubernetes-e2e-gce-csi-serial: Skipped.
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
pull-kubernetes-e2e-gce-storage-slow: Skipped.
pull-kubernetes-godeps: Skipped.
pull-kubernetes-integration: Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big: Job succeeded.
pull-kubernetes-local-e2e: Skipped.
pull-kubernetes-node-e2e: Job succeeded.
pull-kubernetes-typecheck: Job succeeded.
pull-kubernetes-verify: Job succeeded.
pull-publishing-bot-validate: Skipped.
tide: In merge pool.

@yurrriq


commented May 2, 2019

What are the chances this'll make its way into a 1.11.x release?

@matthewejohnson711


commented May 3, 2019

Dragging in on the mail chain.

@M00nF1sh

Contributor Author

commented May 4, 2019

What are the chances this'll make its way into a 1.11.x release?

Hi, I'll check whether there are merge conflicts and cherry pick this back 😄

@micahhausler

Member

commented May 4, 2019

Sorry, cherrypicks are only for bugfixes not features

@yurrriq


commented May 4, 2019

To me, this seems like a bit of both. So which version will have these changes then?

@tnachen

Contributor

commented May 10, 2019

+1 What version is this going into?

@M00nF1sh

Contributor Author

commented May 10, 2019

@tnachen Hi, this will go into v1.15 😄

@yurrriq


commented May 10, 2019

Thanks for the response, @M00nF1sh. I guess it's time to put the heat on the kops team to catch up then :)

@davidxjohnson


commented May 11, 2019

Thanks @M00nF1sh for working on this.
