Merge pull request #4669 from shuqz/i2g-annotation

[feat i2g]support ssl-redirect translate

Author: k8s-ci-robot

pkg/ingress2gateway/translate/annotation_coverage_test.go

@@ -77,6 +77,7 @@ func TestAllIngressAnnotationsCovered(t *testing.T) {
 		},
 		HTTPRouteConfig: {
 			annotations.IngressSuffixUseRegexPathMatch,
+			annotations.IngressSuffixSSLRedirect,
 		},
 	}
 
@@ -87,15 +88,13 @@ func TestAllIngressAnnotationsCovered(t *testing.T) {
 			annotations.IngressSuffixGroupOrder,
 		},
 		Routing: {
-			annotations.IngressSuffixSSLRedirect,
 			// NOTE: "use-annotation" action backends (alb.ingress.kubernetes.io/actions.{name}),
 			// condition annotations (alb.ingress.kubernetes.io/conditions.{name}), and
 			// transform annotations (alb.ingress.kubernetes.io/transforms.{name}) are dynamically
 			// named and cannot be tracked as static suffixes here.
 			// actions.* translation is implemented in translate_action_helper.go (forward, redirect, fixed-response).
 			// conditions.* translation is implemented in translate_condition_helper.go.
 			// transforms.* translation is implemented in translate_transform_helper.go.
-			// ssl-redirect is planned for a subsequent PR.
 		},
 		Authentication: {
 			annotations.IngressSuffixAuthType,

pkg/ingress2gateway/translate/gateway.go

@@ -1,6 +1,8 @@
 package translate
 
 import (
+	"strings"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	gatewayv1beta1 "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
 	gwconstants "sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/constants"
@@ -30,11 +32,22 @@ func buildGatewayClass() gwv1.GatewayClass {
 func buildGateway(name, namespace string, lbConfig *gatewayv1beta1.LoadBalancerConfiguration, listenPorts []listenPortEntry) gwv1.Gateway {
 	var listeners []gwv1.Listener
 	for _, lp := range listenPorts {
-		listeners = append(listeners, gwv1.Listener{
-			Name:     gwv1.SectionName(utils.GetSectionName(lp.Protocol, lp.Port)),
+		listener := gwv1.Listener{
+			Name:     gwv1.SectionName(utils.GenerateSectionName(lp.Protocol, lp.Port)),
 			Port:     gwv1.PortNumber(lp.Port),
 			Protocol: toALBProtocol(lp.Protocol),
-		})
+		}
+		// Gateway API requires a tls section for HTTPS listeners.
+		// The actual certificate is configured via LoadBalancerConfiguration,
+		// but the webhook rejects HTTPS listeners without tls set.
+		if strings.EqualFold(lp.Protocol, utils.ProtocolHTTPS) {
+			listener.TLS = &gwv1.ListenerTLSConfig{
+				CertificateRefs: []gwv1.SecretObjectReference{
+					{Name: utils.PlaceholderTLSSecretName},
+				},
+			}
+		}
+		listeners = append(listeners, listener)
 	}
 
 	gw := gwv1.Gateway{

pkg/ingress2gateway/translate/gateway_test.go

@@ -62,8 +62,8 @@ func TestBuildGateway(t *testing.T) {
 }
 
 func TestListenerName(t *testing.T) {
-	assert.Equal(t, "http-80", utils.GetSectionName("HTTP", 80))
-	assert.Equal(t, "https-443", utils.GetSectionName("HTTPS", 443))
+	assert.Equal(t, "http-80", utils.GenerateSectionName("HTTP", 80))
+	assert.Equal(t, "https-443", utils.GenerateSectionName("HTTPS", 443))
 }
 
 func TestToALBProtocol(t *testing.T) {

pkg/ingress2gateway/translate/httproute.go

@@ -47,9 +47,17 @@ func (t *httpRouteTranslator) trackBackend(svcName string, resolvedPort int32) {
 }
 
 // buildHTTPRoutes builds one or more HTTPRoutes from an Ingress resource and collects
-// unique service references (with resolved ports) encountered during the iteration.
-func buildHTTPRoutes(ing networking.Ingress, namespace, gatewayName string, listenPorts []listenPortEntry, servicesByKey map[string]corev1.Service) ([]gwv1.HTTPRoute, []serviceRef, []gatewayv1beta1.ListenerRuleConfiguration, error) {
-	parentRefs := buildParentRefs(gatewayName)
+func buildHTTPRoutes(ing networking.Ingress, namespace, gatewayName string, listenPorts []listenPortEntry, servicesByKey map[string]corev1.Service, sslRedirectPort *int32) ([]gwv1.HTTPRoute, []serviceRef, []gatewayv1beta1.ListenerRuleConfiguration, error) {
+	// Determine parentRefs based on ssl-redirect.
+	// When ssl-redirect is set, the rules route attaches only to the HTTPS listener.
+	// When not set, the route attaches to all listeners (no sectionName).
+	var parentRefs []gwv1.ParentReference
+	if sslRedirectPort != nil {
+		sectionName := utils.GenerateSectionName(utils.ProtocolHTTPS, *sslRedirectPort)
+		parentRefs = buildParentRefs(gatewayName, &sectionName)
+	} else {
+		parentRefs = buildParentRefs(gatewayName, nil)
+	}
 
 	t := &httpRouteTranslator{
 		namespace:      namespace,
@@ -98,18 +106,35 @@ func buildHTTPRoutes(ing networking.Ingress, namespace, gatewayName string, list
 		return nil, nil, nil, err
 	}
 
+	// When ssl-redirect is set, generate a redirect route for each HTTP listener.
+	if sslRedirectPort != nil {
+		for _, lp := range listenPorts {
+			if strings.EqualFold(lp.Protocol, utils.ProtocolHTTP) {
+				redirectRoute := buildSSLRedirectRoute(
+					namespace, ing.Name, gatewayName,
+					utils.GenerateSectionName(lp.Protocol, lp.Port),
+					*sslRedirectPort,
+				)
+				routes = append(routes, redirectRoute)
+			}
+		}
+	}
+
 	return routes, t.svcRefs, t.listenerRuleConfigs, nil
 }
 
-// buildParentRefs creates a single ParentReference to the gateway.
-// No sectionName is needed because Ingress applies all rules to all listen-ports,
-// and a parentRef without sectionName attaches the route to all listeners on the gateway.
-func buildParentRefs(gatewayName string) []gwv1.ParentReference {
-	return []gwv1.ParentReference{
-		{
-			Name: gwv1.ObjectName(gatewayName),
-		},
+// buildParentRefs creates a ParentReference to the gateway.
+// When sectionName is nil, the route attaches to all listeners.
+// When sectionName is set, the route attaches only to that specific listener.
+func buildParentRefs(gatewayName string, sectionName *string) []gwv1.ParentReference {
+	ref := gwv1.ParentReference{
+		Name: gwv1.ObjectName(gatewayName),
+	}
+	if sectionName != nil {
+		sn := gwv1.SectionName(*sectionName)
+		ref.SectionName = &sn
 	}
+	return []gwv1.ParentReference{ref}
 }
 
 // buildRouteRule builds a single HTTPRouteRule from an Ingress path, including backend resolution,
@@ -339,6 +364,29 @@ func assembleRoutes(namespace, ingName string, parentRefs []gwv1.ParentReference
 	return routes, nil
 }
 
+// buildSSLRedirectRoute creates an HTTPRoute that redirects all HTTP traffic to HTTPS.
+// It attaches only to the specified HTTP listener via sectionName.
+func buildSSLRedirectRoute(namespace, ingName, gatewayName, httpSectionName string, sslPort int32) gwv1.HTTPRoute {
+	parentRefs := buildParentRefs(gatewayName, &httpSectionName)
+	httpsScheme := "https"
+	port := gwv1.PortNumber(sslPort)
+	statusCode := 301
+	return newHTTPRoute(
+		utils.GetRedirectHTTPRouteName(namespace, ingName),
+		namespace, parentRefs, nil,
+		[]gwv1.HTTPRouteRule{{
+			Filters: []gwv1.HTTPRouteFilter{{
+				Type: gwv1.HTTPRouteFilterRequestRedirect,
+				RequestRedirect: &gwv1.HTTPRequestRedirectFilter{
+					Scheme:     &httpsScheme,
+					Port:       &port,
+					StatusCode: &statusCode,
+				},
+			}},
+		}},
+	)
+}
+
 // resolveServicePort resolves a ServiceBackendPort to a numeric port.
 func resolveServicePort(sbp networking.ServiceBackendPort, namespace, svcName string, servicesByKey map[string]corev1.Service) (int32, error) {
 	if sbp.Number != 0 {

pkg/ingress2gateway/translate/httproute_test.go

@@ -16,13 +16,14 @@ func TestBuildHTTPRoutes(t *testing.T) {
 	pathExact := networking.PathTypeExact
 
 	tests := []struct {
-		name       string
-		ing        networking.Ingress
-		namespace  string
-		gwName     string
-		ports      []listenPortEntry
-		wantRoutes int
-		check      func(t *testing.T, routes []gwv1.HTTPRoute)
+		name            string
+		ing             networking.Ingress
+		namespace       string
+		gwName          string
+		ports           []listenPortEntry
+		sslRedirectPort *int32
+		wantRoutes      int
+		check           func(t *testing.T, routes []gwv1.HTTPRoute)
 	}{
 		{
 			name: "single rule with host and prefix path",
@@ -439,11 +440,65 @@ func TestBuildHTTPRoutes(t *testing.T) {
 				assert.Equal(t, "/src", *r.Spec.Rules[0].Matches[0].Path.Value)
 			},
 		},
+		{
+			name: "ssl-redirect produces redirect route on HTTP and rules route on HTTPS",
+			ing: networking.Ingress{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "ssl",
+					Annotations: map[string]string{
+						"alb.ingress.kubernetes.io/ssl-redirect": "443",
+					},
+				},
+				Spec: networking.IngressSpec{
+					Rules: []networking.IngressRule{{
+						Host: "app.example.com",
+						IngressRuleValue: networking.IngressRuleValue{
+							HTTP: &networking.HTTPIngressRuleValue{
+								Paths: []networking.HTTPIngressPath{{
+									Path: "/api", PathType: &pathPrefix,
+									Backend: networking.IngressBackend{
+										Service: &networking.IngressServiceBackend{
+											Name: "api-svc", Port: networking.ServiceBackendPort{Number: 80},
+										},
+									},
+								}},
+							},
+						},
+					}},
+				},
+			},
+			namespace: "default", gwName: "gw",
+			ports: []listenPortEntry{
+				{Protocol: "HTTP", Port: 80},
+				{Protocol: "HTTPS", Port: 443},
+			},
+			sslRedirectPort: int32Ptr(443),
+			wantRoutes:      2, // rules route + redirect route
+			check: func(t *testing.T, routes []gwv1.HTTPRoute) {
+				// First route: rules, attached to HTTPS listener only
+				rulesRoute := routes[0]
+				require.NotNil(t, rulesRoute.Spec.ParentRefs[0].SectionName)
+				assert.Equal(t, gwv1.SectionName("https-443"), *rulesRoute.Spec.ParentRefs[0].SectionName)
+				assert.Len(t, rulesRoute.Spec.Rules, 1)
+				assert.Equal(t, "/api", *rulesRoute.Spec.Rules[0].Matches[0].Path.Value)
+
+				// Second route: redirect, attached to HTTP listener only
+				redirectRoute := routes[1]
+				require.NotNil(t, redirectRoute.Spec.ParentRefs[0].SectionName)
+				assert.Equal(t, gwv1.SectionName("http-80"), *redirectRoute.Spec.ParentRefs[0].SectionName)
+				require.Len(t, redirectRoute.Spec.Rules, 1)
+				require.Len(t, redirectRoute.Spec.Rules[0].Filters, 1)
+				assert.Equal(t, gwv1.HTTPRouteFilterRequestRedirect, redirectRoute.Spec.Rules[0].Filters[0].Type)
+				assert.Equal(t, "https", *redirectRoute.Spec.Rules[0].Filters[0].RequestRedirect.Scheme)
+				assert.Equal(t, gwv1.PortNumber(443), *redirectRoute.Spec.Rules[0].Filters[0].RequestRedirect.Port)
+				assert.Equal(t, 301, *redirectRoute.Spec.Rules[0].Filters[0].RequestRedirect.StatusCode)
+			},
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			routes, _, _, err := buildHTTPRoutes(tt.ing, tt.namespace, tt.gwName, tt.ports, nil)
+			routes, _, _, err := buildHTTPRoutes(tt.ing, tt.namespace, tt.gwName, tt.ports, nil, tt.sslRedirectPort)
 			require.NoError(t, err)
 			require.Len(t, routes, tt.wantRoutes)
 			if tt.check != nil {
@@ -525,3 +580,39 @@ func TestResolveServicePort(t *testing.T) {
 	_, err = resolveServicePort(networking.ServiceBackendPort{}, "default", "my-svc", svcMap)
 	assert.Error(t, err)
 }
+
+func int32Ptr(v int32) *int32 { return &v }
+
+func TestBuildHTTPRoutes_DefaultBackendError(t *testing.T) {
+	pathPrefix := networking.PathTypePrefix
+	ing := networking.Ingress{
+		ObjectMeta: metav1.ObjectMeta{Name: "app"},
+		Spec: networking.IngressSpec{
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "missing-svc",
+					Port: networking.ServiceBackendPort{Name: "http"},
+				},
+			},
+			Rules: []networking.IngressRule{{
+				IngressRuleValue: networking.IngressRuleValue{
+					HTTP: &networking.HTTPIngressRuleValue{
+						Paths: []networking.HTTPIngressPath{{
+							Path: "/", PathType: &pathPrefix,
+							Backend: networking.IngressBackend{
+								Service: &networking.IngressServiceBackend{
+									Name: "svc", Port: networking.ServiceBackendPort{Number: 80},
+								},
+							},
+						}},
+					},
+				},
+			}},
+		},
+	}
+	// No services provided — named port resolution for defaultBackend will fail
+	_, _, _, err := buildHTTPRoutes(ing, "default", "gw",
+		[]listenPortEntry{{Protocol: "HTTP", Port: 80}}, nil, nil)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "defaultBackend")
+}

pkg/ingress2gateway/translate/icp_overrides.go

@@ -2,10 +2,12 @@ package translate
 
 import (
 	"fmt"
+	"strconv"
 	"strings"
 
 	elbv2api "sigs.k8s.io/aws-load-balancer-controller/apis/elbv2/v1beta1"
 	gatewayv1beta1 "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
+	annotations "sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/ingress2gateway/utils"
 )
 
@@ -14,9 +16,8 @@ import (
 // Fields intentionally not mapped to LB config:
 // - NamespaceSelector: cluster policy, not a LB setting
 // - TargetType: TG-level, handled in applyIngressClassParamsToTGProps
-// TO-DO
-// - Group: handled at Ingress grouping level task
-// - SSLRedirectPort: handled at routing level task
+// - Group: handled at Ingress grouping level task (TO-DO)
+// - SSLRedirectPort: handled in buildHTTPRoutes via resolveSSLRedirectPort
 func applyIngressClassParamsToLBConfig(spec *gatewayv1beta1.LoadBalancerConfigurationSpec, icp *elbv2api.IngressClassParams) {
 	if icp == nil {
 		return
@@ -167,3 +168,16 @@ func applyIngressClassParamsToTGProps(props *gatewayv1beta1.TargetGroupProps, ic
 		props.TargetType = &tt
 	}
 }
+
+// resolveSSLRedirectPort returns the SSL redirect port if configured.
+// IngressClassParams.SSLRedirectPort takes priority over the Ingress annotation.
+func resolveSSLRedirectPort(ingAnnotations map[string]string, icp *elbv2api.IngressClassParams) *int32 {
+	if icp != nil && icp.Spec.SSLRedirectPort != "" {
+		port, err := strconv.ParseInt(icp.Spec.SSLRedirectPort, 10, 32)
+		if err == nil {
+			p := int32(port)
+			return &p
+		}
+	}
+	return getInt32(ingAnnotations, annotations.IngressSuffixSSLRedirect)
+}