-
Notifications
You must be signed in to change notification settings - Fork 84
/
controller.go
443 lines (404 loc) · 22.6 KB
/
controller.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
package main
import (
"context"
"fmt"
"os"
"os/signal"
"path"
"strconv"
"strings"
"syscall"
"time"
kingpin "github.com/alecthomas/kingpin/v2"
"github.com/aws/aws-sdk-go/service/elbv2"
log "github.com/sirupsen/logrus"
"github.com/zalando-incubator/kube-ingress-aws-controller/aws"
"github.com/zalando-incubator/kube-ingress-aws-controller/certs"
"github.com/zalando-incubator/kube-ingress-aws-controller/kubernetes"
)
const (
defaultDisableSNISupport = "false"
defaultInstrumentedHttpClient = "false"
defaultHTTPRedirectToHTTPS = "false"
defaultCertTTL = "1h"
customTagFilterEnvVarName = "CUSTOM_FILTERS"
)
var (
buildstamp = "Not set"
githash = "Not set"
version = "Not set"
versionFlag bool
apiServerBaseURL string
pollingInterval time.Duration
creationTimeout time.Duration
certPollingInterval time.Duration
healthCheckPath string
healthCheckPort uint
healthCheckInterval time.Duration
healthCheckTimeout time.Duration
albHealthyThresholdCount uint
albUnhealthyThresholdCount uint
nlbHealthyThresholdCount uint
targetPort uint
albHTTPTargetPort uint
nlbHTTPTargetPort uint
targetHTTPS bool
metricsAddress string
disableSNISupport bool
disableInstrumentedHttpClient bool
certTTL time.Duration
certFilterTag string
stackTerminationProtection bool
additionalStackTags = make(map[string]string)
idleConnectionTimeout time.Duration
deregistrationDelayTimeout time.Duration
ingressClassFilters string
controllerID string
clusterID string
vpcID string
clusterLocalDomain string
maxCertsPerALB int
sslPolicy string
blacklistCertARNs []string
blacklistCertArnMap map[string]bool
ipAddressType string
albLogsS3Bucket string
albLogsS3Prefix string
wafWebAclId string
httpRedirectToHTTPS bool
debugFlag bool
quietFlag bool
firstRun bool = true
cwAlarmConfigMap string
cwAlarmConfigMapLocation *kubernetes.ResourceLocation
loadBalancerType string
nlbZoneAffinity string
nlbCrossZone bool
nlbHTTPEnabled bool
ingressAPIVersion string
internalDomains []string
targetAccessMode string
targetCNINamespace string
targetCNIPodLabelSelector string
denyInternalDomains bool
denyInternalRespBody string
denyInternalRespContentType string
denyInternalRespStatusCode int
defaultInternalDomains = fmt.Sprintf("*%s", kubernetes.DefaultClusterLocalDomain)
)
func init() {
registerMetrics()
}
func loadSettings() error {
kingpin.Flag("version", "Print version and exit").Default("false").BoolVar(&versionFlag)
kingpin.Flag("debug", "Enables debug logging level").Default("false").BoolVar(&debugFlag)
kingpin.Flag("quiet", "Enables quiet logging").Default("false").BoolVar(&quietFlag)
kingpin.Flag("api-server-base-url", "sets the kubernetes api server base url. If empty will try to use the configuration from the running cluster, else it will use InsecureConfig, that does not use encryption or authentication (use case to develop with kubectl proxy).").
Envar("API_SERVER_BASE_URL").StringVar(&apiServerBaseURL)
kingpin.Flag("polling-interval", "sets the polling interval for ingress resources. The flag accepts a value acceptable to time.ParseDuration").
Envar("POLLING_INTERVAL").Default("30s").DurationVar(&pollingInterval)
kingpin.Flag("creation-timeout", "sets the stack creation timeout. The flag accepts a value acceptable to time.ParseDuration. Should be >= 1min").
Envar("CREATION_TIMEOUT").Default(aws.DefaultCreationTimeout.String()).DurationVar(&creationTimeout)
kingpin.Flag("cert-polling-interval", "sets the polling interval for the certificates cache refresh. The flag accepts a value acceptable to time.ParseDuration").
Envar("CERT_POLLING_INTERVAL").Default(aws.DefaultCertificateUpdateInterval.String()).DurationVar(&certPollingInterval)
kingpin.Flag("disable-sni-support", "disables SNI support limiting the number of certificates per ALB to 1.").
Default(defaultDisableSNISupport).BoolVar(&disableSNISupport)
kingpin.Flag("disable-instrumented-http-client", "disables instrumented http client.").
Default(defaultInstrumentedHttpClient).BoolVar(&disableInstrumentedHttpClient)
kingpin.Flag("stack-termination-protection", "enables stack termination protection for the stacks managed by the controller.").
Default("false").BoolVar(&stackTerminationProtection)
kingpin.Flag("additional-stack-tags", "set additional custom tags on the Cloudformation Stacks managed by the controller.").
StringMapVar(&additionalStackTags)
kingpin.Flag("cert-ttl-timeout", "sets the timeout of how long a certificate is kept on an old ALB to be decommissioned.").
Default(defaultCertTTL).DurationVar(&certTTL)
kingpin.Flag("cert-filter-tag", "sets a tag so the ingress controller only consider ACM or IAM certificates that have this tag set when adding a certificate to a load balancer.").
Default("").StringVar(&certFilterTag)
kingpin.Flag("health-check-path", "sets the health check path for the created target groups").
Default(aws.DefaultHealthCheckPath).StringVar(&healthCheckPath)
kingpin.Flag("health-check-port", "sets the health check port for the created target groups").
Default(strconv.FormatUint(aws.DefaultHealthCheckPort, 10)).UintVar(&healthCheckPort)
kingpin.Flag("target-port", "sets the target port for the created target groups").
Default(strconv.FormatUint(aws.DefaultTargetPort, 10)).UintVar(&targetPort)
kingpin.Flag("alb-http-target-port", "Sets the target port for ALB HTTP listener different from --target-port.").
UintVar(&albHTTPTargetPort)
kingpin.Flag("nlb-http-target-port", "Sets the target port for NLB HTTP listener different from --target-port. Requires --nlb-http-enabled.").
UintVar(&nlbHTTPTargetPort)
kingpin.Flag("target-https", "sets the target protocol to https").
Default("false").BoolVar(&targetHTTPS)
kingpin.Flag("health-check-interval", "sets the health check interval for the created target groups. The flag accepts a value acceptable to time.ParseDuration").
Default(aws.DefaultHealthCheckInterval.String()).DurationVar(&healthCheckInterval)
kingpin.Flag("health-check-timeout", "sets the health check timeout for the created target groups. The flag accepts a value acceptable to time.ParseDuration").
Default(aws.DefaultHealthCheckTimeout.String()).DurationVar(&healthCheckTimeout)
kingpin.Flag("alb-healthy-threshold-count", "The number of consecutive successful health checks required before considering an unhealthy target healthy. The range is 2–10. (ALB only)").
Default(strconv.FormatUint(aws.DefaultAlbHealthyThresholdCount, 10)).UintVar(&albHealthyThresholdCount)
kingpin.Flag("alb-unhealthy-threshold-count", "The number of consecutive failed health checks required before considering a target unhealthy. The range is 2–10. (ALB only)").
Default(strconv.FormatUint(aws.DefaultAlbUnhealthyThresholdCount, 10)).UintVar(&albUnhealthyThresholdCount)
kingpin.Flag("nlb-healthy-threshold-count", "The number of consecutive successful or failed health checks required before considering a target healthy or unhealthy. The range is 2–10. (NLB only)").
Default(strconv.FormatUint(aws.DefaultNlbHealthyThresholdCount, 10)).UintVar(&nlbHealthyThresholdCount)
kingpin.Flag("idle-connection-timeout", "sets the idle connection timeout of all ALBs. The flag accepts a value acceptable to time.ParseDuration and are between 1s and 4000s.").
Default(aws.DefaultIdleConnectionTimeout.String()).DurationVar(&idleConnectionTimeout)
kingpin.Flag("deregistration-delay-timeout", "sets the deregistration delay timeout of all target groups. The flag accepts a value acceptable to time.ParseDuration that is between 1s and 3600s.").
Default(aws.DefaultDeregistrationTimeout.String()).DurationVar(&deregistrationDelayTimeout)
kingpin.Flag("metrics-address", "defines where to serve metrics").Default(":7979").StringVar(&metricsAddress)
kingpin.Flag("ingress-class-filter", "optional comma-seperated list of kubernetes.io/ingress.class annotation values to filter behaviour on.").
StringVar(&ingressClassFilters)
kingpin.Flag("controller-id", "controller ID used to differentiate resources from multiple aws ingress controller instances").
Default(aws.DefaultControllerID).StringVar(&controllerID)
kingpin.Flag("cluster-id", "ID of the Kubernetes cluster used to lookup cluster related resources tagged with `kubernetes.io/cluster/<cluster-id>` tags. Auto discovered from the EC2 instance where the controller is running if not specified.").
StringVar(&clusterID)
kingpin.Flag("vpc-id", "VPC ID for where the cluster is running. Used to lookup relevant subnets. Auto discovered from the EC2 instance where the controller is running if not specified.").
StringVar(&vpcID)
kingpin.Flag("cluster-local-domain", "Cluster local domain is used to detect hostnames, that won't trigger a creation of an AWS load balancer, empty string will not change the default behavior. In Kubernetes you might want to pass cluster.local").
Default("").StringVar(&clusterLocalDomain)
kingpin.Flag("max-certs-alb", fmt.Sprintf("sets the maximum number of certificates to be attached to an ALB. Cannot be higher than %d", aws.DefaultMaxCertsPerALB)).
Default(strconv.Itoa(aws.DefaultMaxCertsPerALB)).IntVar(&maxCertsPerALB) // TODO: max
kingpin.Flag("ssl-policy", "Security policy that will define the protocols/ciphers accepts by the SSL listener").
Default(aws.DefaultSslPolicy).EnumVar(&sslPolicy, aws.SSLPoliciesList...)
kingpin.Flag("blacklist-certificate-arns", "Certificate ARNs to not consider by the controller.").StringsVar(&blacklistCertARNs)
kingpin.Flag("ip-addr-type", "IP Address type to use.").
Default(aws.DefaultIpAddressType).EnumVar(&ipAddressType, aws.IPAddressTypeIPV4, aws.IPAddressTypeDualstack)
kingpin.Flag("logs-s3-bucket", "S3 bucket to be used for ALB logging").
Default(aws.DefaultAlbS3LogsBucket).StringVar(&albLogsS3Bucket)
kingpin.Flag("logs-s3-prefix", "Prefix within S3 bucket to be used for ALB logging").
Default(aws.DefaultAlbS3LogsPrefix).StringVar(&albLogsS3Prefix)
kingpin.Flag("aws-waf-web-acl-id", "WAF web acl id to be associated with the ALB. For WAF v2 it is possible to specify the WebACL ARN arn:aws:wafv2:<region>:<account>:regional/webacl/<name>/<id>").
Default("").StringVar(&wafWebAclId)
kingpin.Flag("cloudwatch-alarms-config-map", "ConfigMap location of the form 'namespace/config-map-name' where to read CloudWatch Alarm configuration from. Ignored if empty.").
StringVar(&cwAlarmConfigMap)
kingpin.Flag("redirect-http-to-https", "Configure HTTP listener to redirect to HTTPS").
Default(defaultHTTPRedirectToHTTPS).BoolVar(&httpRedirectToHTTPS)
kingpin.Flag("load-balancer-type", "Sets default Load Balancer type (application or network).").
Default(aws.LoadBalancerTypeApplication).EnumVar(&loadBalancerType, aws.LoadBalancerTypeApplication, aws.LoadBalancerTypeNetwork)
kingpin.Flag("nlb-zone-affinity", "Specify whether Route53 should return zone aware Network Load Balancers IPs. It configures dns_record.client_routing_policy NLB configuration. This setting only apply to 'network' Load Balancers.").
Default(aws.DefaultZoneAffinity).StringVar(&nlbZoneAffinity)
kingpin.Flag("nlb-cross-zone", "Specify whether Network Load Balancers should balance cross availablity zones. This setting only apply to 'network' Load Balancers.").
Default("false").BoolVar(&nlbCrossZone)
kingpin.Flag("nlb-http-enabled", "Enable HTTP (port 80) for Network Load Balancers. By default this is disabled as NLB can't provide HTTP -> HTTPS redirect.").
Default("false").BoolVar(&nlbHTTPEnabled)
kingpin.Flag("deny-internal-domains", "Sets a rule on ALB's Listeners that denies requests with the Host header as a internal domain. Domains can be set with the -internal-domains flag.").
Default("false").BoolVar(&denyInternalDomains)
kingpin.Flag("internal-domains", "Define the internal domains to be blocked when -deny-internal-domains is set to true. Set it multiple times for multiple domains. The maximum size of each name is 128 characters. The following wildcard characters are supported: * (matches 0 or more characters) and ? (matches exactly 1 character).").
Default(defaultInternalDomains).StringsVar(&internalDomains)
kingpin.Flag("deny-internal-domains-response", "Defines the response body for a request identified as to an internal domain when -deny-internal-domains is set.").
Default("Unauthorized").StringVar(&denyInternalRespBody)
kingpin.Flag("deny-internal-domains-response-content-type", "Defines the response conten-type for a request identified as to an internal domain when -deny-internal-domains is set.").
Default("text/plain").StringVar(&denyInternalRespContentType)
kingpin.Flag("deny-internal-domains-response-status-code", "Defines the response status code for a request identified as to an internal domain when -deny-internal-domains is set.").
Default("401").IntVar(&denyInternalRespStatusCode)
kingpin.Flag("target-access-mode", "Defines target type of the target groups in CloudFormation and how loadbalancer targets are discovered. "+
"HostPort sets target type to 'instance' and discovers EC2 instances using AWS API and instance filters. "+
"AWSCNI sets target type to 'ip' and discovers target IPs using Kubernetes API and Pod label selector. "+
"Legacy is the same as HostPort but does not set target type and relies on CloudFormation to use 'instance' as a default value. "+
"Changing value from 'Legacy' to 'HostPort' will change target type in CloudFormation and trigger target group recreation and downtime.").
Required().EnumVar(&targetAccessMode, aws.TargetAccessModeHostPort, aws.TargetAccessModeAWSCNI, aws.TargetAccessModeLegacy)
kingpin.Flag("target-cni-namespace", "AWS VPC CNI only. Defines the namespace for ingress pods that should be linked to target group.").StringVar(&targetCNINamespace)
// LabelSelector semantics https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
kingpin.Flag("target-cni-pod-labelselector", "AWS VPC CNI only. Defines the labelselector for ingress pods that should be linked to target group. Supports simple equality and multi value form (a=x,b=y) as well as complex forms (a IN (x,y,z).").StringVar(&targetCNIPodLabelSelector)
kingpin.Parse()
// We currently only support one Ingress API Version
ingressAPIVersion = kubernetes.IngressAPIVersionNetworking
blacklistCertArnMap = make(map[string]bool)
for _, s := range blacklistCertARNs {
blacklistCertArnMap[s] = true
}
if targetAccessMode == aws.TargetAccessModeAWSCNI {
if targetCNINamespace == "" {
return fmt.Errorf("target-cni-namespace is required when target-access-mode is set to %s", aws.TargetAccessModeAWSCNI)
}
// complex selector formats possible, late validation by the k8s client
if targetCNIPodLabelSelector == "" {
return fmt.Errorf("target-cni-pod-labelselector definition cannot be empty when target-access-mode is set to %s", aws.TargetAccessModeAWSCNI)
}
}
if creationTimeout < 1*time.Minute {
return fmt.Errorf("invalid creation timeout %d. please specify a value > 1min", creationTimeout)
}
if healthCheckPort == 0 || healthCheckPort > 65535 {
return fmt.Errorf("invalid health check port: %d. please use a valid TCP port", healthCheckPort)
}
for _, v := range []uint{albHealthyThresholdCount, albUnhealthyThresholdCount, nlbHealthyThresholdCount} {
if v < 2 || v > 10 {
return fmt.Errorf("invalid (un)healthy threshold: %d. must be between 2 and 10", v)
}
}
if targetPort == 0 || targetPort > 65535 {
return fmt.Errorf("invalid target port: %d. please use a valid TCP port", targetPort)
}
if albHTTPTargetPort > 65535 { // default 0
return fmt.Errorf("invalid ALB HTTP target port: %d. please use a valid TCP port", albHTTPTargetPort)
}
if nlbHTTPTargetPort > 65535 { // default 0
return fmt.Errorf("invalid NLB HTTP target port: %d. please use a valid TCP port", nlbHTTPTargetPort)
}
if nlbHTTPTargetPort > 0 && !nlbHTTPEnabled {
return fmt.Errorf("NLB HTTP is not enabled")
}
if maxCertsPerALB > aws.DefaultMaxCertsPerALB {
return fmt.Errorf("invalid max number of certificates per ALB: %d. AWS does not allow more than %d", maxCertsPerALB, aws.DefaultMaxCertsPerALB)
}
if cwAlarmConfigMap != "" {
loc, err := kubernetes.ParseResourceLocation(cwAlarmConfigMap)
if err != nil {
return fmt.Errorf("failed to parse cloudwatch alarm config map location: %w", err)
}
cwAlarmConfigMapLocation = loc
}
if kv := strings.Split(certFilterTag, "="); len(kv) != 2 && certFilterTag != "" {
log.Errorf("Certificate filter tag should be in the format \"key=value\", instead it is set to: %s", certFilterTag)
}
if quietFlag && debugFlag {
log.Warn("--quiet and --debug flags are both set. Debug will be used as logging level.")
}
if quietFlag {
log.SetLevel(log.WarnLevel)
}
if debugFlag {
log.SetLevel(log.DebugLevel)
}
log.SetOutput(os.Stdout)
return nil
}
func main() {
log.Infof("Starting %s %s", os.Args[0], version)
var (
awsAdapter *aws.Adapter
kubeAdapter *kubernetes.Adapter
kubeConfig *kubernetes.Config
err error
)
if err = loadSettings(); err != nil {
log.Fatal(err)
}
if versionFlag {
log.Infof(`%s
===========================
Version: %s
Buildtime: %s
GitHash: %s
`, path.Base(os.Args[0]), version, buildstamp, githash)
os.Exit(0)
}
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
log.Debug("aws.NewAdapter")
awsAdapter, err = aws.NewAdapter(clusterID, controllerID, vpcID, debugFlag, disableInstrumentedHttpClient)
if err != nil {
log.Fatal(err)
}
customFilter, ok := os.LookupEnv(customTagFilterEnvVarName)
if !ok {
customFilter = ""
}
awsAdapter = awsAdapter.
WithHealthCheckPath(healthCheckPath).
WithHealthCheckPort(healthCheckPort).
WithHealthCheckInterval(healthCheckInterval).
WithHealthCheckTimeout(healthCheckTimeout).
WithAlbHealthyThresholdCount(albHealthyThresholdCount).
WithAlbUnhealthyThresholdCount(albUnhealthyThresholdCount).
WithNlbHealthyThresholdCount(nlbHealthyThresholdCount).
WithTargetPort(targetPort).
WithALBHTTPTargetPort(albHTTPTargetPort).
WithNLBHTTPTargetPort(nlbHTTPTargetPort).
WithTargetHTTPS(targetHTTPS).
WithCreationTimeout(creationTimeout).
WithStackTerminationProtection(stackTerminationProtection).
WithIdleConnectionTimeout(idleConnectionTimeout).
WithDeregistrationDelayTimeout(deregistrationDelayTimeout).
WithControllerID(controllerID).
WithSslPolicy(sslPolicy).
WithIpAddressType(ipAddressType).
WithAlbLogsS3Bucket(albLogsS3Bucket).
WithAlbLogsS3Prefix(albLogsS3Prefix).
WithHTTPRedirectToHTTPS(httpRedirectToHTTPS).
WithNLBCrossZone(nlbCrossZone).
WithNLBZoneAffinity(nlbZoneAffinity).
WithNLBHTTPEnabled(nlbHTTPEnabled).
WithCustomFilter(customFilter).
WithStackTags(additionalStackTags).
WithInternalDomains(internalDomains).
WithDenyInternalDomains(denyInternalDomains).
WithInternalDomainsDenyResponse(denyInternalRespBody).
WithInternalDomainsDenyResponseStatusCode(denyInternalRespStatusCode).
WithInternalDomainsDenyResponseContenType(denyInternalRespContentType).
WithTargetAccessMode(targetAccessMode)
log.Debug("certs.NewCachingProvider")
certificatesProvider, err := certs.NewCachingProvider(
certPollingInterval,
blacklistCertArnMap,
awsAdapter.NewACMCertificateProvider(certFilterTag),
awsAdapter.NewIAMCertificateProvider(certFilterTag),
)
if err != nil {
log.Fatal(err)
}
if apiServerBaseURL == "" {
log.Debug("kubernetes.InClusterConfig")
kubeConfig, err = kubernetes.InClusterConfig()
if err != nil {
log.Fatal(err)
}
} else {
log.Debug("kubernetes.InsecureConfig")
kubeConfig = kubernetes.InsecureConfig(apiServerBaseURL)
}
ingressClassFiltersList := []string{}
if ingressClassFilters != "" {
ingressClassFiltersList = strings.Split(ingressClassFilters, ",")
}
log.Debug("kubernetes.NewAdapter")
kubeAdapter, err = kubernetes.NewAdapter(kubeConfig, ingressAPIVersion, ingressClassFiltersList, awsAdapter.SecurityGroupID(), sslPolicy, loadBalancerType, clusterLocalDomain, disableInstrumentedHttpClient)
if err != nil {
log.Fatal(err)
}
if targetAccessMode == aws.TargetAccessModeAWSCNI {
if err = kubeAdapter.NewInclusterConfigClientset(ctx); err != nil {
log.Fatal(err)
}
kubeAdapter.WithTargetCNIPodSelector(targetCNINamespace, targetCNIPodLabelSelector)
}
certificatesPerALB := maxCertsPerALB
if disableSNISupport {
certificatesPerALB = 1
}
log.Infof("Kubernetes API server: %s", apiServerBaseURL)
log.Infof("Cluster ID: %s", awsAdapter.ClusterID())
log.Infof("VPC ID: %s", awsAdapter.VpcID())
log.Infof("Instance ID: %s", awsAdapter.InstanceID())
log.Infof("Security group ID: %s", awsAdapter.SecurityGroupID())
log.Infof("Internal subnet IDs: %s", awsAdapter.FindLBSubnets(elbv2.LoadBalancerSchemeEnumInternal))
log.Infof("Public subnet IDs: %s", awsAdapter.FindLBSubnets(elbv2.LoadBalancerSchemeEnumInternetFacing))
log.Infof("EC2 filters: %s", awsAdapter.FiltersString())
log.Infof("Certificates per ALB: %d (SNI: %t)", certificatesPerALB, certificatesPerALB > 1)
log.Infof("Blacklisted Certificate ARNs (%d): %s", len(blacklistCertARNs), strings.Join(blacklistCertARNs, ","))
log.Infof("Ingress class filters: %s", kubeAdapter.IngressFiltersString())
log.Infof("ALB Logging S3 Bucket: %s", awsAdapter.S3Bucket())
log.Infof("ALB Logging S3 Prefix: %s", awsAdapter.S3Prefix())
log.Infof("CloudWatch Alarm ConfigMap: %s", cwAlarmConfigMapLocation)
log.Infof("Default LoadBalancer type: %s", loadBalancerType)
log.Infof("Target access mode: %s", targetAccessMode)
log.Infof("NLB Cross Zone: %t", nlbCrossZone)
log.Infof("NLB Zone Affinity: %s", nlbZoneAffinity)
go handleTerminationSignals(cancel, syscall.SIGTERM, syscall.SIGQUIT)
go serveMetrics(metricsAddress)
if awsAdapter.TargetCNI.Enabled {
go cniEventHandler(ctx, awsAdapter.TargetCNI, awsAdapter.SetTargetsOnCNITargetGroups, kubeAdapter.PodInformer)
}
startPolling(
ctx,
certificatesProvider,
certificatesPerALB,
certTTL,
awsAdapter,
kubeAdapter,
pollingInterval,
wafWebAclId,
)
log.Infof("Terminating %s", os.Args[0])
}
func handleTerminationSignals(cancelFunc func(), signals ...os.Signal) {
sigsc := make(chan os.Signal, 1)
signal.Notify(sigsc, signals...)
<-sigsc
cancelFunc()
}