package ingress
import (
"context"
"github.com/pkg/errors"
"k8s.io/apimachinery/pkg/util/sets"
"github.com/sonal-chauhan/aws-load-balancer-controller/pkg/annotations"
"github.com/sonal-chauhan/aws-load-balancer-controller/pkg/model/core"
shieldmodel "github.com/sonal-chauhan/aws-load-balancer-controller/pkg/model/shield"
wafregionalmodel "github.com/sonal-chauhan/aws-load-balancer-controller/pkg/model/wafregional"
wafv2model "github.com/sonal-chauhan/aws-load-balancer-controller/pkg/model/wafv2"
)
// buildLoadBalancerAddOns attaches the optional protective add-ons to the
// load balancer identified by lbARN: a WAFv2 WebACL association, a WAF
// regional WebACL association and a Shield Advanced protection. Each builder
// is driven solely by ingress annotations across the ingress group and may
// legitimately produce nothing; the first builder error aborts the step so
// that conflicting protection settings are never resolved silently.
func (t *defaultModelBuildTask) buildLoadBalancerAddOns(ctx context.Context, lbARN core.StringToken) error {
	// The builders run in a fixed order. Their resource results are not
	// needed here, as every builder is handed t.stack directly; only the
	// error matters.
	steps := []func() error{
		func() error { _, err := t.buildWAFv2WebACLAssociation(ctx, lbARN); return err },
		func() error { _, err := t.buildWAFRegionalWebACLAssociation(ctx, lbARN); return err },
		func() error { _, err := t.buildShieldProtection(ctx, lbARN); return err },
	}
	for _, step := range steps {
		if err := step(); err != nil {
			return err
		}
	}
	return nil
}
// buildWAFv2WebACLAssociation builds the WAFv2 WebACL association for the
// load balancer from the WAFv2 ACL ARN annotation on the ingress group's
// members. Because the load balancer is shared by the whole group, the
// annotation of any member decides the association; distinct values across
// members are rejected with an error rather than picking one. An annotation
// explicitly set to the empty string yields no association. Returns nil, nil
// when no member carries the annotation.
func (t *defaultModelBuildTask) buildWAFv2WebACLAssociation(_ context.Context, lbARN core.StringToken) (*wafv2model.WebACLAssociation, error) {
	webACLARNs := sets.NewString()
	for _, member := range t.ingGroup.Members {
		var arn string
		if found := t.annotationParser.ParseStringAnnotation(annotations.IngressSuffixWAFv2ACLARN, &arn, member.Ing.Annotations); found {
			webACLARNs.Insert(arn)
		}
	}

	switch webACLARNs.Len() {
	case 0:
		return nil, nil
	case 1:
		// exactly one distinct value; handled below
	default:
		// Members disagree; surface the conflict instead of guessing.
		return nil, errors.Errorf("conflicting WAFv2 WebACL ARNs: %v", webACLARNs.List())
	}

	webACLARN := webACLARNs.List()[0]
	if webACLARN == "" {
		// An empty ARN means "no WebACL" for this load balancer.
		return nil, nil
	}
	spec := wafv2model.WebACLAssociationSpec{
		WebACLARN:   webACLARN,
		ResourceARN: lbARN,
	}
	return wafv2model.NewWebACLAssociation(t.stack, resourceIDLoadBalancer, spec), nil
}
// buildWAFRegionalWebACLAssociation builds the WAF regional WebACL
// association for the load balancer from the WebACL ID annotations on the
// ingress group's members. Two annotation keys are honoured per ingress,
// IngressSuffixWAFACLID first and IngressSuffixWebACLID only when the first
// is absent. As with WAFv2, any member's annotation applies to the shared
// load balancer, and distinct values across members are an error. An ID
// explicitly set to the empty string yields no association. Returns nil, nil
// when no member carries either annotation.
func (t *defaultModelBuildTask) buildWAFRegionalWebACLAssociation(_ context.Context, lbARN core.StringToken) (*wafregionalmodel.WebACLAssociation, error) {
	webACLIDs := sets.NewString()
	for _, member := range t.ingGroup.Members {
		var id string
		// The first key takes precedence; the second is consulted only when
		// the first is not set on this ingress.
		switch {
		case t.annotationParser.ParseStringAnnotation(annotations.IngressSuffixWAFACLID, &id, member.Ing.Annotations):
			webACLIDs.Insert(id)
		case t.annotationParser.ParseStringAnnotation(annotations.IngressSuffixWebACLID, &id, member.Ing.Annotations):
			webACLIDs.Insert(id)
		}
	}

	switch webACLIDs.Len() {
	case 0:
		return nil, nil
	case 1:
		// exactly one distinct value; handled below
	default:
		// Members disagree; surface the conflict instead of guessing.
		return nil, errors.Errorf("conflicting WAFRegional WebACL IDs: %v", webACLIDs.List())
	}

	webACLID := webACLIDs.List()[0]
	if webACLID == "" {
		// An empty ID means "no WebACL" for this load balancer.
		return nil, nil
	}
	spec := wafregionalmodel.WebACLAssociationSpec{
		WebACLID:    webACLID,
		ResourceARN: lbARN,
	}
	return wafregionalmodel.NewWebACLAssociation(t.stack, resourceIDLoadBalancer, spec), nil
}
// buildShieldProtection builds the Shield Advanced protection for the load
// balancer from the shield-advanced-protection boolean annotation on the
// ingress group's members. A protection is created only when at least one
// member enables it and no member disables it; members that disagree are
// rejected with an error. A malformed boolean value is returned as the
// parser's error. Returns nil, nil when no member sets the annotation or all
// that do set it to false.
func (t *defaultModelBuildTask) buildShieldProtection(_ context.Context, lbARN core.StringToken) (*shieldmodel.Protection, error) {
	var sawEnabled, sawDisabled bool
	for _, member := range t.ingGroup.Members {
		var enable bool
		found, err := t.annotationParser.ParseBoolAnnotation(annotations.IngressSuffixShieldAdvancedProtection, &enable, member.Ing.Annotations)
		if err != nil {
			return nil, err
		}
		if !found {
			continue
		}
		if enable {
			sawEnabled = true
		} else {
			sawDisabled = true
		}
	}

	switch {
	case !sawEnabled && !sawDisabled:
		return nil, nil
	case sawEnabled && sawDisabled:
		// Members disagree; surface the conflict instead of guessing.
		return nil, errors.New("conflicting enable shield advanced protection")
	case sawEnabled:
		spec := shieldmodel.ProtectionSpec{ResourceARN: lbARN}
		return shieldmodel.NewProtection(t.stack, resourceIDLoadBalancer, spec), nil
	}
	// Only explicit "false" values were seen.
	return nil, nil
}