worker: fail on missing certificates (#747)

Controller manages loadbalancer lifecycle based on available
certificates.

Prevent controller from deleting loadbalancers when there are no
certificates found e.g. due to a bug like #725 or a tag filter
misconfiguration (#658).

Signed-off-by: Alexander Yastrebov <[email protected]>

Author: AlexanderYastrebov

aws/acm.go

@@ -33,7 +33,7 @@ func (p *acmCertificateProvider) GetCertificates(ctx context.Context) ([]*certs.
 	if err != nil {
 		return nil, err
 	}
-	result := make([]*certs.CertificateSummary, 0)
+	result := make([]*certs.CertificateSummary, 0, len(acmSummaries))
 	for _, o := range acmSummaries {
 		summary, err := getCertificateSummaryFromACM(ctx, p.api, o.CertificateArn)
 		if err != nil {

testdata/no_certificates/input/k8s/ing.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: no_certificates
+spec:
+  rules:
+  - host: foo.bar.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: foo-bar-service
+            port:
+              name: main-port
+        path: /
+        pathType: ImplementationSpecific

worker.go

@@ -318,6 +318,10 @@ func doWork(
 		return problems.Add("failed to get certificates: %w", err)
 	}
 
+	if len(certificateSummaries) == 0 {
+		return problems.Add("no certificates found")
+	}
+
 	cwAlarms, err := getCloudWatchAlarms(kubeAdapter, cwAlarmConfigMapLocation)
 	if err != nil {
 		return problems.Add("failed to retrieve cloudwatch alarm configuration: %w", err)

worker_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/x509"
 	"encoding/json"
+	"fmt"
 	"io"
 	"net/http/httptest"
 	"os"
@@ -50,15 +51,20 @@ func TestResourceConversionOneToOne(tt *testing.T) {
 	}
 
 	for _, scenario := range []struct {
-		name           string
+		name   string
+		typeLB string
+		// mock
 		responsesEC2   fake.EC2Outputs
 		responsesASG   fake.ASGOutputs
 		responsesELBv2 fake.ELBv2Outputs
 		responsesCF    fake.CFOutputs
-		typeLB         string
+		certsProvider  certs.CertificatesProvider
+		// expect
+		problems []string
 	}{
 		{
-			name: "ingress_alb",
+			name:   "ingress_alb",
+			typeLB: aws.LoadBalancerTypeApplication,
 			responsesEC2: fake.EC2Outputs{DescribeInstances: fake.R(fake.MockDescribeInstancesOutput(
 				fake.TestInstance{
 					Id:        "i0",
@@ -106,10 +112,11 @@ func TestResourceConversionOneToOne(tt *testing.T) {
 				DescribeStacks: fake.R(fake.MockDescribeStacksOutput(nil), nil),
 				CreateStack:    fake.R(fake.MockCSOutput("42"), nil),
 			},
-			typeLB: aws.LoadBalancerTypeApplication,
+			certsProvider: certsProvider,
 		},
 		{
-			name: "ingress_nlb",
+			name:   "ingress_nlb",
+			typeLB: aws.LoadBalancerTypeNetwork,
 			responsesEC2: fake.EC2Outputs{DescribeInstances: fake.R(fake.MockDescribeInstancesOutput(
 				fake.TestInstance{
 					Id:        "i0",
@@ -157,9 +164,10 @@ func TestResourceConversionOneToOne(tt *testing.T) {
 				DescribeStacks: fake.R(fake.MockDescribeStacksOutput(nil), nil),
 				CreateStack:    fake.R(fake.MockCSOutput("42"), nil),
 			},
-			typeLB: aws.LoadBalancerTypeNetwork,
+			certsProvider: certsProvider,
 		}, {
-			name: "rg_alb",
+			name:   "rg_alb",
+			typeLB: aws.LoadBalancerTypeApplication,
 			responsesEC2: fake.EC2Outputs{DescribeInstances: fake.R(fake.MockDescribeInstancesOutput(
 				fake.TestInstance{
 					Id:        "i0",
@@ -207,9 +215,10 @@ func TestResourceConversionOneToOne(tt *testing.T) {
 				DescribeStacks: fake.R(fake.MockDescribeStacksOutput(nil), nil),
 				CreateStack:    fake.R(fake.MockCSOutput("42"), nil),
 			},
-			typeLB: aws.LoadBalancerTypeApplication,
+			certsProvider: certsProvider,
 		}, {
-			name: "rg_nlb",
+			name:   "rg_nlb",
+			typeLB: aws.LoadBalancerTypeNetwork,
 			responsesEC2: fake.EC2Outputs{DescribeInstances: fake.R(fake.MockDescribeInstancesOutput(
 				fake.TestInstance{
 					Id:        "i0",
@@ -257,9 +266,10 @@ func TestResourceConversionOneToOne(tt *testing.T) {
 				DescribeStacks: fake.R(fake.MockDescribeStacksOutput(nil), nil),
 				CreateStack:    fake.R(fake.MockCSOutput("42"), nil),
 			},
-			typeLB: aws.LoadBalancerTypeNetwork,
+			certsProvider: certsProvider,
 		}, {
-			name: "ing_shared_rg_notshared_alb",
+			name:   "ing_shared_rg_notshared_alb",
+			typeLB: aws.LoadBalancerTypeApplication,
 			responsesEC2: fake.EC2Outputs{DescribeInstances: fake.R(fake.MockDescribeInstancesOutput(
 				fake.TestInstance{
 					Id:        "i0",
@@ -307,9 +317,10 @@ func TestResourceConversionOneToOne(tt *testing.T) {
 				DescribeStacks: fake.R(fake.MockDescribeStacksOutput(nil), nil),
 				CreateStack:    fake.R(fake.MockCSOutput("42"), nil),
 			},
-			typeLB: aws.LoadBalancerTypeApplication,
+			certsProvider: certsProvider,
 		}, {
-			name: "ingress_rg_shared_alb",
+			name:   "ingress_rg_shared_alb",
+			typeLB: aws.LoadBalancerTypeApplication,
 			responsesEC2: fake.EC2Outputs{DescribeInstances: fake.R(fake.MockDescribeInstancesOutput(
 				fake.TestInstance{
 					Id:        "i0",
@@ -357,9 +368,10 @@ func TestResourceConversionOneToOne(tt *testing.T) {
 				DescribeStacks: fake.R(fake.MockDescribeStacksOutput(nil), nil),
 				CreateStack:    fake.R(fake.MockCSOutput("42"), nil),
 			},
-			typeLB: aws.LoadBalancerTypeApplication,
+			certsProvider: certsProvider,
 		}, {
-			name: "ingress_rg_shared_nlb",
+			name:   "ingress_rg_shared_nlb",
+			typeLB: aws.LoadBalancerTypeNetwork,
 			responsesEC2: fake.EC2Outputs{DescribeInstances: fake.R(fake.MockDescribeInstancesOutput(
 				fake.TestInstance{
 					Id:        "i0",
@@ -407,59 +419,95 @@ func TestResourceConversionOneToOne(tt *testing.T) {
 				DescribeStacks: fake.R(fake.MockDescribeStacksOutput(nil), nil),
 				CreateStack:    fake.R(fake.MockCSOutput("42"), nil),
 			},
-			typeLB: aws.LoadBalancerTypeNetwork,
+			certsProvider: certsProvider,
+		},
+		{
+			name:   "no_certificates",
+			typeLB: aws.LoadBalancerTypeApplication,
+			responsesEC2: fake.EC2Outputs{DescribeInstances: fake.R(fake.MockDescribeInstancesOutput(
+				fake.TestInstance{
+					Id:        "i0",
+					Tags:      fake.Tags{"aws:autoscaling:groupName": "asg1", clusterIDTagPrefix + clusterID: "owned"},
+					PrivateIp: "1.2.3.3",
+					VpcId:     vpcID,
+					State:     running,
+				}), nil),
+				DescribeSecurityGroups: fake.R(fake.MockDescribeSecurityGroupsOutput(map[string]string{"id": securityGroupID}), nil),
+				DescribeSubnets: fake.R(fake.MockDescribeSubnetsOutput(
+					fake.TestSubnet{Id: "foo1", Name: "bar1", Az: "baz1", Tags: map[string]string{"kubernetes.io/role/elb": ""}}), nil),
+				DescribeRouteTables: fake.R(fake.MockDescribeRouteTableOutput(
+					fake.TestRouteTable{SubnetID: "foo1", GatewayIds: []string{"igw-foo1"}},
+					fake.TestRouteTable{SubnetID: "mismatch", GatewayIds: []string{"igw-foo2"}, Main: true},
+				), nil),
+			},
+			responsesASG: fake.ASGOutputs{
+				DescribeAutoScalingGroups: fake.R(fake.MockDescribeAutoScalingGroupOutput(map[string]fake.ASGtags{"asg1": {
+					clusterIDTagPrefix + clusterID: "owned",
+				}}), nil),
+				DescribeLoadBalancerTargetGroups: fake.R(&autoscaling.DescribeLoadBalancerTargetGroupsOutput{
+					LoadBalancerTargetGroups: []autoScalingTypes.LoadBalancerTargetGroupState{},
+				}, nil),
+				AttachLoadBalancerTargetGroups: fake.R(nil, nil),
+			},
+			responsesELBv2: fake.ELBv2Outputs{
+				DescribeTargetGroups: fake.R(fake.MockDescribeTargetGroupsOutput(), nil),
+				DescribeTags:         fake.R(nil, nil),
+			},
+			responsesCF: fake.CFOutputs{
+				DescribeStacks: fake.R(fake.MockDescribeStacksOutput(nil), nil),
+				CreateStack:    fake.R(fake.MockCSOutput("42"), nil),
+			},
+			certsProvider: &certsfake.CertificateProvider{
+				Summaries: nil,
+				Error:     fmt.Errorf("something went wrong"),
+			},
+			problems: []string{"failed to get certificates: something went wrong"},
+		},
+		{
+			name:   "no_certificates",
+			typeLB: aws.LoadBalancerTypeApplication,
+			responsesEC2: fake.EC2Outputs{DescribeInstances: fake.R(fake.MockDescribeInstancesOutput(
+				fake.TestInstance{
+					Id:        "i0",
+					Tags:      fake.Tags{"aws:autoscaling:groupName": "asg1", clusterIDTagPrefix + clusterID: "owned"},
+					PrivateIp: "1.2.3.3",
+					VpcId:     vpcID,
+					State:     running,
+				}), nil),
+				DescribeSecurityGroups: fake.R(fake.MockDescribeSecurityGroupsOutput(map[string]string{"id": securityGroupID}), nil),
+				DescribeSubnets: fake.R(fake.MockDescribeSubnetsOutput(
+					fake.TestSubnet{Id: "foo1", Name: "bar1", Az: "baz1", Tags: map[string]string{"kubernetes.io/role/elb": ""}}), nil),
+				DescribeRouteTables: fake.R(fake.MockDescribeRouteTableOutput(
+					fake.TestRouteTable{SubnetID: "foo1", GatewayIds: []string{"igw-foo1"}},
+					fake.TestRouteTable{SubnetID: "mismatch", GatewayIds: []string{"igw-foo2"}, Main: true},
+				), nil),
+			},
+			responsesASG: fake.ASGOutputs{
+				DescribeAutoScalingGroups: fake.R(fake.MockDescribeAutoScalingGroupOutput(map[string]fake.ASGtags{"asg1": {
+					clusterIDTagPrefix + clusterID: "owned",
+				}}), nil),
+				DescribeLoadBalancerTargetGroups: fake.R(&autoscaling.DescribeLoadBalancerTargetGroupsOutput{
+					LoadBalancerTargetGroups: []autoScalingTypes.LoadBalancerTargetGroupState{},
+				}, nil),
+				AttachLoadBalancerTargetGroups: fake.R(nil, nil),
+			},
+			responsesELBv2: fake.ELBv2Outputs{
+				DescribeTargetGroups: fake.R(fake.MockDescribeTargetGroupsOutput(), nil),
+				DescribeTags:         fake.R(nil, nil),
+			},
+			responsesCF: fake.CFOutputs{
+				DescribeStacks: fake.R(fake.MockDescribeStacksOutput(nil), nil),
+				CreateStack:    fake.R(fake.MockCSOutput("42"), nil),
+			},
+			certsProvider: &certsfake.CertificateProvider{
+				Summaries: []*certs.CertificateSummary{},
+				Error:     nil,
+			},
+			problems: []string{"no certificates found"},
 		},
 	} {
 		tt.Run(scenario.name, func(t *testing.T) {
 			ctx := context.Background()
-			readFile := func(fileName string) []byte {
-				b, err := os.ReadFile("./testdata/" + scenario.name + "/output/" + fileName)
-				if err != nil {
-					t.Fatal(err)
-				}
-
-				return b
-			}
-
-			var templates []string
-			templateFiles, err := os.ReadDir("./testdata/" + scenario.name + "/output/templates/")
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			for _, file := range templateFiles {
-				templates = append(templates, string(readFile("templates/"+file.Name())))
-			}
-
-			paramFiles, err := os.ReadDir("./testdata/" + scenario.name + "/output/params/")
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			var params [][]cfTypes.Parameter
-			for _, file := range paramFiles {
-				var content []cfTypes.Parameter
-				err := json.Unmarshal(readFile("params/"+file.Name()), &content)
-				if err != nil {
-					t.Fatal(err)
-				}
-				params = append(params, content)
-			}
-
-			tagFiles, err := os.ReadDir("./testdata/" + scenario.name + "/output/tags/")
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			var tags [][]cfTypes.Tag
-			for _, file := range tagFiles {
-				var content []cfTypes.Tag
-				err := json.Unmarshal(readFile("tags/"+file.Name()), &content)
-				if err != nil {
-					t.Fatal(err)
-				}
-				tags = append(tags, content)
-			}
 
 			clientEC2 := &fake.EC2Client{Outputs: scenario.responsesEC2}
 			clientASG := &fake.ASGClient{Outputs: scenario.responsesASG}
@@ -524,9 +572,66 @@ func TestResourceConversionOneToOne(tt *testing.T) {
 			}
 
 			log.SetLevel(log.DebugLevel)
-			problems := doWork(ctx, certsProvider, 10, time.Hour, a, k, "")
+			problems := doWork(ctx, scenario.certsProvider, 10, time.Hour, a, k, "")
+
+			if scenario.problems != nil {
+				assert.Len(t, problems.Errors(), len(scenario.problems))
+				for i, problem := range problems.Errors() {
+					assert.EqualError(t, problem, scenario.problems[i])
+				}
+				return
+			}
+
 			if len(problems.Errors()) > 0 {
-				t.Error(problems.Errors())
+				t.Fatalf("expected no problems, got %v", problems.Errors())
+			}
+
+			readFile := func(fileName string) []byte {
+				b, err := os.ReadFile("./testdata/" + scenario.name + "/output/" + fileName)
+				if err != nil {
+					t.Fatal(err)
+				}
+				return b
+			}
+
+			var templates []string
+			templateFiles, err := os.ReadDir("./testdata/" + scenario.name + "/output/templates/")
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			for _, file := range templateFiles {
+				templates = append(templates, string(readFile("templates/"+file.Name())))
+			}
+
+			paramFiles, err := os.ReadDir("./testdata/" + scenario.name + "/output/params/")
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			var params [][]cfTypes.Parameter
+			for _, file := range paramFiles {
+				var content []cfTypes.Parameter
+				err := json.Unmarshal(readFile("params/"+file.Name()), &content)
+				if err != nil {
+					t.Fatal(err)
+				}
+				params = append(params, content)
+			}
+
+			tagFiles, err := os.ReadDir("./testdata/" + scenario.name + "/output/tags/")
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			var tags [][]cfTypes.Tag
+			for _, file := range tagFiles {
+				var content []cfTypes.Tag
+				err := json.Unmarshal(readFile("tags/"+file.Name()), &content)
+				if err != nil {
+					t.Fatal(err)
+				}
+				tags = append(tags, content)
 			}
 
 			assert.Equal(t, len(clientCF.GetTagCreationHistory()), len(tags))