Merge pull request #4390 from zac-nixon/main

fix waf name resolution

Author: k8s-ci-robot

docs/guide/ingress/annotations.md

@@ -1055,6 +1055,9 @@ Load balancer capacity unit reservation can be configured via following annotati
 
 - <a name="wafv2-acl-name">`alb.ingress.kubernetes.io/wafv2-acl-name`</a> specifies Name of the Amazon WAFv2 web ACL.
 
+    !!!note ""
+        The controller role must allow access to `wafv2:ListWebACLs` 
+
     !!!warning ""
         Only Regional WAFv2 is supported.
 

pkg/aws/services/wafv2.go

@@ -10,7 +10,7 @@ type WAFv2 interface {
 	AssociateWebACLWithContext(context.Context, *wafv2.AssociateWebACLInput) (*wafv2.AssociateWebACLOutput, error)
 	DisassociateWebACLWithContext(ctx context.Context, req *wafv2.DisassociateWebACLInput) (*wafv2.DisassociateWebACLOutput, error)
 	GetWebACLForResourceWithContext(ctx context.Context, req *wafv2.GetWebACLForResourceInput) (*wafv2.GetWebACLForResourceOutput, error)
-	GetWebACLWithContext(ctx context.Context, req *wafv2.GetWebACLInput) (*wafv2.GetWebACLOutput, error)
+	ListWebACLsWithContext(ctx context.Context, req *wafv2.ListWebACLsInput) (*wafv2.ListWebACLsOutput, error)
 }
 
 // NewWAFv2 constructs new WAFv2 implementation.
@@ -48,10 +48,10 @@ func (c *wafv2Client) GetWebACLForResourceWithContext(ctx context.Context, req *
 	return client.GetWebACLForResource(ctx, req)
 }
 
-func (c *wafv2Client) GetWebACLWithContext(ctx context.Context, req *wafv2.GetWebACLInput) (*wafv2.GetWebACLOutput, error) {
+func (c *wafv2Client) ListWebACLsWithContext(ctx context.Context, req *wafv2.ListWebACLsInput) (*wafv2.ListWebACLsOutput, error) {
 	client, err := c.awsClientsProvider.GetWAFv2Client(ctx, "GetWebACL")
 	if err != nil {
 		return nil, err
 	}
-	return client.GetWebACL(ctx, req)
+	return client.ListWebACLs(ctx, req)
 }

pkg/aws/services/wafv2_mocks.go

@@ -2,15 +2,14 @@ package ingress
 
 import (
 	"context"
-	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants"
-
 	"github.com/pkg/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	shieldmodel "sigs.k8s.io/aws-load-balancer-controller/pkg/model/shield"
 	wafregionalmodel "sigs.k8s.io/aws-load-balancer-controller/pkg/model/wafregional"
 	wafv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/wafv2"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants"
 )
 
 const (

pkg/ingress/model_build_load_balancer_addons.go

@@ -847,8 +847,8 @@ func Test_defaultModelBuildTask_buildShieldProtection(t *testing.T) {
 
 func Test_defaultModelBuildTask_buildWAFv2WebACLAssociationFromWAFv2Name(t *testing.T) {
 	type getWebACLCall struct {
-		req  *wafv2sdk.GetWebACLInput
-		resp *wafv2sdk.GetWebACLOutput
+		req  *wafv2sdk.ListWebACLsInput
+		resp *wafv2sdk.ListWebACLsOutput
 		err  error
 	}
 	type fields struct {
@@ -942,12 +942,15 @@ func Test_defaultModelBuildTask_buildWAFv2WebACLAssociationFromWAFv2Name(t *test
 				cache: map[string]string{},
 				getWebACLCalls: []getWebACLCall{
 					{
-						req: &wafv2sdk.GetWebACLInput{
-							Name: awssdk.String("web-acl-name1"),
+						req: &wafv2sdk.ListWebACLsInput{
+							Scope: wafv2types.ScopeRegional,
 						},
-						resp: &wafv2sdk.GetWebACLOutput{
-							WebACL: &wafv2types.WebACL{
-								ARN: awssdk.String("web-acl-arn1"),
+						resp: &wafv2sdk.ListWebACLsOutput{
+							WebACLs: []wafv2types.WebACLSummary{
+								{
+									Name: awssdk.String("web-acl-name1"),
+									ARN:  awssdk.String("web-acl-arn1"),
+								},
 							},
 						},
 						err: nil,
@@ -1041,12 +1044,15 @@ func Test_defaultModelBuildTask_buildWAFv2WebACLAssociationFromWAFv2Name(t *test
 				cache: map[string]string{},
 				getWebACLCalls: []getWebACLCall{
 					{
-						req: &wafv2sdk.GetWebACLInput{
-							Name: awssdk.String("web-acl-name1"),
+						req: &wafv2sdk.ListWebACLsInput{
+							Scope: wafv2types.ScopeRegional,
 						},
-						resp: &wafv2sdk.GetWebACLOutput{
-							WebACL: &wafv2types.WebACL{
-								ARN: awssdk.String("web-acl-arn1"),
+						resp: &wafv2sdk.ListWebACLsOutput{
+							WebACLs: []wafv2types.WebACLSummary{
+								{
+									Name: awssdk.String("web-acl-name1"),
+									ARN:  awssdk.String("web-acl-arn1"),
+								},
 							},
 						},
 						err: nil,
@@ -1093,12 +1099,15 @@ func Test_defaultModelBuildTask_buildWAFv2WebACLAssociationFromWAFv2Name(t *test
 				cache: map[string]string{},
 				getWebACLCalls: []getWebACLCall{
 					{
-						req: &wafv2sdk.GetWebACLInput{
-							Name: awssdk.String("web-acl-name1"),
+						req: &wafv2sdk.ListWebACLsInput{
+							Scope: wafv2types.ScopeRegional,
 						},
-						resp: &wafv2sdk.GetWebACLOutput{
-							WebACL: &wafv2types.WebACL{
-								ARN: awssdk.String("web-acl-arn1"),
+						resp: &wafv2sdk.ListWebACLsOutput{
+							WebACLs: []wafv2types.WebACLSummary{
+								{
+									Name: awssdk.String("web-acl-name1"),
+									ARN:  awssdk.String("web-acl-arn1"),
+								},
 							},
 						},
 						err: nil,
@@ -1147,12 +1156,15 @@ func Test_defaultModelBuildTask_buildWAFv2WebACLAssociationFromWAFv2Name(t *test
 				cache: map[string]string{},
 				getWebACLCalls: []getWebACLCall{
 					{
-						req: &wafv2sdk.GetWebACLInput{
-							Name: awssdk.String("web-acl-name1"),
+						req: &wafv2sdk.ListWebACLsInput{
+							Scope: wafv2types.ScopeRegional,
 						},
-						resp: &wafv2sdk.GetWebACLOutput{
-							WebACL: &wafv2types.WebACL{
-								ARN: awssdk.String("web-acl-arn1"),
+						resp: &wafv2sdk.ListWebACLsOutput{
+							WebACLs: []wafv2types.WebACLSummary{
+								{
+									Name: awssdk.String("web-acl-name1"),
+									ARN:  awssdk.String("web-acl-arn1"),
+								},
 							},
 						},
 						err: nil,
@@ -1216,6 +1228,58 @@ func Test_defaultModelBuildTask_buildWAFv2WebACLAssociationFromWAFv2Name(t *test
 			},
 			wantCache: map[string]string{},
 		},
+		{
+			name: "name not found",
+			fields: fields{
+				ingGroup: Group{
+					Members: []ClassifiedIngress{
+						{
+							Ing: &networking.Ingress{
+								ObjectMeta: metav1.ObjectMeta{
+									Namespace: "awesome-ns",
+									Name:      "awesome-ing-0",
+									Annotations: map[string]string{
+										"alb.ingress.kubernetes.io/wafv2-acl-name": "web-acl-name1",
+									},
+								},
+							},
+							IngClassConfig: ClassConfiguration{
+								IngClassParams: &v1beta1.IngressClassParams{
+									Spec: v1beta1.IngressClassParamsSpec{
+										WAFv2ACLName: "web-acl-name1",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			args: args{
+				lbARN: core.LiteralStringToken("awesome-lb-arn"),
+				cache: map[string]string{},
+				getWebACLCalls: []getWebACLCall{
+					{
+						req: &wafv2sdk.ListWebACLsInput{
+							Scope: wafv2types.ScopeRegional,
+						},
+						resp: &wafv2sdk.ListWebACLsOutput{
+							WebACLs: []wafv2types.WebACLSummary{
+								{
+									Name: awssdk.String("some other name"),
+									ARN:  awssdk.String("web-acl-arn1"),
+								},
+							},
+						},
+						err: nil,
+					},
+				},
+			},
+			wantErr: func(t assert.TestingT, err error, msgAndArgs ...interface{}) bool {
+				assert.EqualError(t, err, "couldn't find WAFv2 WebACL with name: web-acl-name1", msgAndArgs...)
+				return false
+			},
+			wantCache: map[string]string{},
+		},
 	}
 
 	for _, tt := range tests {
@@ -1229,7 +1293,7 @@ func Test_defaultModelBuildTask_buildWAFv2WebACLAssociationFromWAFv2Name(t *test
 
 			for _, call := range tt.args.getWebACLCalls {
 				wafv2Client.EXPECT().
-					GetWebACLWithContext(gomock.Any(), call.req).
+					ListWebACLsWithContext(gomock.Any(), call.req).
 					Return(call.resp, call.err)
 			}
 
@@ -1257,8 +1321,8 @@ func Test_defaultModelBuildTask_buildWAFv2WebACLAssociationFromWAFv2Name(t *test
 			for webACLName, expectedArn := range tt.wantCache {
 				rawCacheItem, exists := task.webACLNameToArnMapper.cache.Get(webACLName)
 				assert.True(t, exists)
-				cachedArn := rawCacheItem.(*string)
-				assert.Equal(t, expectedArn, *cachedArn)
+				cachedArn := rawCacheItem.(string)
+				assert.Equal(t, expectedArn, cachedArn)
 			}
 		})
 	}

pkg/ingress/model_build_load_balancer_addons_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	elbv2sdk "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2"
 	wafv2sdk "github.com/aws/aws-sdk-go-v2/service/wafv2"
+	wafv2types "github.com/aws/aws-sdk-go-v2/service/wafv2/types"
 	"k8s.io/apimachinery/pkg/util/cache"
 	"reflect"
 	"strconv"
@@ -191,6 +192,7 @@ func (b *defaultModelBuilder) Build(ctx context.Context, ingGroup Group, metrics
 		tgByResID:                  make(map[string]*elbv2model.TargetGroup),
 		backendServices:            make(map[types.NamespacedName]*corev1.Service),
 		targetGroupNameToArnMapper: b.targetGroupNameToArnMapper,
+		webACLNameToArnMapper:      b.webACLNameToArnMapper,
 	}
 	if err := task.run(ctx); err != nil {
 		return nil, nil, nil, false, nil, nil, err
@@ -560,6 +562,7 @@ func newWebACLNameToArnMapper(wafv2Client services.WAFv2, ttl time.Duration) *we
 		wafv2Client: wafv2Client,
 		cache:       cache.NewExpiring(),
 		cacheTTL:    ttl,
+		cacheMutex:  sync.RWMutex{},
 	}
 }
 
@@ -609,15 +612,30 @@ func (w *webACLNameToArnMapper) getArnByName(ctx context.Context, webACLName str
 	if rawCacheItem, exists := w.cache.Get(webACLName); exists {
 		return rawCacheItem.(string), nil
 	}
-	req := &wafv2sdk.GetWebACLInput{
-		Name: awssdk.String(webACLName),
-	}
 
-	webACL, err := w.wafv2Client.GetWebACLWithContext(ctx, req)
-	if err != nil {
-		return "", err
+	firstRun := true
+	var next *string
+
+	for firstRun || next != nil {
+		req := &wafv2sdk.ListWebACLsInput{
+			Scope:      wafv2types.ScopeRegional,
+			NextMarker: next,
+		}
+
+		output, err := w.wafv2Client.ListWebACLsWithContext(ctx, req)
+		if err != nil {
+			return "", err
+		}
+
+		for _, o := range output.WebACLs {
+			if o.Name != nil && *o.Name == webACLName {
+				arn := *o.ARN
+				w.cache.Set(webACLName, arn, w.cacheTTL)
+				return arn, nil
+			}
+		}
+		firstRun = false
+		next = output.NextMarker
 	}
-	arn := webACL.WebACL.ARN
-	w.cache.Set(webACLName, arn, w.cacheTTL)
-	return *arn, nil
+	return "", errors.New("Unable to find web acl named " + webACLName)
 }