From 048c06724075c7f1d960982e4dabe7514bd395fe Mon Sep 17 00:00:00 2001
From: Aiden Carpenter <72675057+CaptainCarpensir@users.noreply.github.com>
Date: Mon, 11 Dec 2023 15:39:15 -0800
Subject: [PATCH] fix: account for tls termination in exposed port validation (#5549)

Addresses #5536

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the Apache 2.0 License.
---
 internal/pkg/manifest/validate.go | 7 +++++++
 internal/pkg/manifest/validate_test.go | 22 ++++++++++++++++++++--
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/internal/pkg/manifest/validate.go b/internal/pkg/manifest/validate.go
index c44fa02ca22..f6135e3c780 100644
--- a/internal/pkg/manifest/validate.go
+++ b/internal/pkg/manifest/validate.go
@@ -2226,6 +2227,7 @@ func validateAndPopulateNLBListenerPorts(listener NetworkLoadBalancerListener, p
 if err != nil {
 return err
 }
+
 port, err := strconv.ParseUint(aws.StringValue(nlbReceiverPort), 10, 16)
 if err != nil {
 return err
@@ -2242,6 +2243,11 @@ func validateAndPopulateNLBListenerPorts(listener NetworkLoadBalancerListener, p
 targetProtocol = strings.ToUpper(aws.StringValue(nlbProtocol))
 }
 
+ // Handle TLS termination of container exposed port protocol
+ if targetProtocol == TLS {
+ targetProtocol = TCP
+ }
+
 // Prefer `nlb.target_container`, then existing exposed port mapping, then fallback on name of main container
 targetContainer := mainContainerName
 if existingContainerNameAndProtocol, ok := portExposedTo[targetPort]; ok {
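Review bot: The comment above the new `if targetProtocol == TLS` block says what is done but not why, and the why is the security-relevant part: a TLS listener terminates TLS at the NLB and forwards plain TCP to the target, which is the reason the container port has to be registered as TCP for the exposed-port conflict check. Suggest `// A TLS listener terminates TLS at the NLB and forwards plain TCP to the target, so the container port is tracked as TCP.` The comparison also relies on `targetProtocol` already being upper-cased; that holds for the `strings.ToUpper` assignment just above it, but the branch that sets `targetProtocol` when `nlbProtocol` is absent begins before this hunk, so confirm it assigns the upper-case constant as well. validateAndPopulateNLBListenerPorts starts and ends outside the hunk.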
@@ -2256,6 +2262,7 @@ func validateAndPopulateNLBListenerPorts(listener NetworkLoadBalancerListener, p
 
 func validateAndPopulateExposedPortMapping(portExposedTo map[uint16]containerNameAndProtocol, targetPort uint16, targetProtocol string, targetContainer string) error {
 exposedContainerAndProtocol, alreadyExposed := portExposedTo[targetPort]
+ targetProtocol = strings.ToUpper(targetProtocol)
 
 // Port is not associated with container and protocol, populate map
 if !alreadyExposed {
diff --git a/internal/pkg/manifest/validate_test.go b/internal/pkg/manifest/validate_test.go
index d8a3161c1f8..49a454e73b2 100644
--- a/internal/pkg/manifest/validate_test.go
+++ b/internal/pkg/manifest/validate_test.go
@@ -4196,7 +4196,25 @@ func TestValidateExposedPorts(t *testing.T) {
 },
 wanted: nil,
 },
- "should not error out when nlb target_port is same as that of sidecar container port but sidecar uses non default protocol": {
+ "should not error out when tls is terminated exposing a tcp port": {
+ in: validateExposedPortsOpts{
+ mainContainerName: "mockMainContainer",
+ mainContainerPort: aws.Uint16(8080),
+ sidecarConfig: map[string]*SidecarConfig{
+ "foo": {
+ Port: aws.String("80/tcp"),
+ },
+ },
+ nlb: &NetworkLoadBalancerConfiguration{
+ Listener: NetworkLoadBalancerListener{
+ Port: aws.String("8080/tls"),
+ TargetPort: aws.Int(80),
+ },
+ },
+ },
+ wanted: nil,
+ },
+ "should return an error when nlb target_port is same as that of sidecar container port but sidecar uses non default protocol": {
 in: validateExposedPortsOpts{
 mainContainerName: "mockMainContainer",
 mainContainerPort: aws.Uint16(8080),
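Review bot: `validateAndPopulateExposedPortMapping` now upper-cases `targetProtocol` on entry, which makes the protocol comparison further down (outside the hunk) case-insensitive for every caller, but nothing documents that entries in `portExposedTo` are stored upper-cased; a caller that writes into the map directly with a lower-case protocol would presumably still miss a duplicate-port conflict. Suggest a doc comment on the function: `// validateAndPopulateExposedPortMapping records targetPort for targetContainer in portExposedTo. Protocols are compared case-insensitively and stored upper-cased.` Since the caller in the previous hunk also upper-cases before its TLS check, this is the normalization that matters for all callers and should stay the single place it happens. The function body continues past the end of the hunk.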
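Review bot: The new case only exercises the accepting path for TLS termination; the rejecting path — a `8080/tls` listener targeting a sidecar port declared `80/udp` — is not covered, although that is presumably exactly the conflict the terminated protocol (TCP) should now surface. Suggest a sibling case identical to this one except `Port: aws.String("80/udp")` in the sidecar and a `wanted` error in the form the next hunk's expectation uses, so a later change to the TLS-to-TCP mapping cannot silently allow a UDP target behind a TLS listener. A case with the listener written as `8080/TLS` would also pin the upper-casing path. TestValidateExposedPorts starts and ends outside the hunk.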
@@ -4212,7 +4230,7 @@ func TestValidateExposedPorts(t *testing.T) {
 },
 },
 },
- wanted: fmt.Errorf(`validate "nlb": container "foo" is exposing the same port 80 with protocol TCP and udp`),
+ wanted: fmt.Errorf(`validate "nlb": container "foo" is exposing the same port 80 with protocol TCP and UDP`),
 },
 "should return an error if alb target_port points to one sidecar container port and target_container points to another sidecar container": {
 in: validateExposedPortsOpts{