feat(ccm): allow to configure ssl-compatibility-level

Author: nox-404

docs/loadbalancer-annotations.md

@@ -123,6 +123,11 @@ The default value is `false`. The possible values are `false` or `true`.
 This is the annotation to enable HTTP/3 protocol for the load balancer.
 The default value is `false`. The possible values are `false` or `true`.
 
+### `service.beta.kubernetes.io/scw-loadbalancer-ssl-compatibility-level`
+This is the annotation to set the minimal SSL version supported on the client side.
+The default value is `ssl_compatibility_level_intermediate`.
+The possible values are `ssl_compatibility_level_intermediate`, `ssl_compatibility_level_modern`, and `ssl_compatibility_level_old`.
+
 ### `service.beta.kubernetes.io/scw-loadbalancer-timeout-client`
 This is the annotation to set the maximum client connection inactivity time.
 The default value is `10m`. The duration are go's time.Duration (ex: `1s`, `2m`, `4h`, ...).

scaleway/loadbalancers.go

@@ -57,6 +57,7 @@ type LoadBalancerAPI interface {
 	ListLBs(req *scwlb.ZonedAPIListLBsRequest, opts ...scw.RequestOption) (*scwlb.ListLBsResponse, error)
 	GetLB(req *scwlb.ZonedAPIGetLBRequest, opts ...scw.RequestOption) (*scwlb.LB, error)
 	CreateLB(req *scwlb.ZonedAPICreateLBRequest, opts ...scw.RequestOption) (*scwlb.LB, error)
+	UpdateLB(req *scwlb.ZonedAPIUpdateLBRequest, opts ...scw.RequestOption) (*scwlb.LB, error)
 	DeleteLB(req *scwlb.ZonedAPIDeleteLBRequest, opts ...scw.RequestOption) error
 	MigrateLB(req *scwlb.ZonedAPIMigrateLBRequest, opts ...scw.RequestOption) (*scwlb.LB, error)
 	ListIPs(req *scwlb.ZonedAPIListIPsRequest, opts ...scw.RequestOption) (*scwlb.ListIPsResponse, error)
@@ -469,6 +470,12 @@ func (l *loadbalancers) createLoadBalancer(ctx context.Context, clusterName stri
 		return nil, fmt.Errorf("invalid value for annotation %s: expected boolean", serviceAnnotationLoadBalancerPrivate)
 	}
 
+	sslCompatibilityLevel, err := getSSLCompatibilityLevel(service)
+	if err != nil {
+		klog.Errorf("error getting SSL compatibility level for service %s(%s): %v", service.Name, service.UID, err)
+		return nil, fmt.Errorf("error getting SSL compatibility level for service %s(%s): %v", service.Name, service.UID, err)
+	}
+
 	// Attach specific IP if set
 	var ipIDs []string
 	if !lbPrivate {
@@ -503,7 +510,8 @@ func (l *loadbalancers) createLoadBalancer(ctx context.Context, clusterName stri
 		Type:        lbType,
 		// We must only assign a flexible IP if LB is public AND no IP ID is provided.
 		// If IP IDs are provided, there must be at least one IPv4.
-		AssignFlexibleIP: scw.BoolPtr(!lbPrivate && len(ipIDs) == 0),
+		AssignFlexibleIP:      scw.BoolPtr(!lbPrivate && len(ipIDs) == 0),
+		SslCompatibilityLevel: sslCompatibilityLevel,
 	}
 	lb, err := l.api.CreateLB(&request)
 	if err != nil {
@@ -780,6 +788,27 @@ func (l *loadbalancers) updateLoadBalancer(ctx context.Context, loadbalancer *sc
 				return fmt.Errorf("error updating load balancer %s: %v", loadbalancer.ID, err)
 			}
 		}
+
+		// Update SSL compatibility level if needed
+		sslCompatibilityLevel, err := getSSLCompatibilityLevel(service)
+		if err != nil {
+			klog.Errorf("error getting SSL compatibility level on the service %s for load balancer %s: %v", service.Name, loadbalancer.ID, err)
+			return fmt.Errorf("error getting SSL compatibility level on the service %s for load balancer %s: %v", service.Name, loadbalancer.ID, err)
+		}
+		if loadbalancer.SslCompatibilityLevel != sslCompatibilityLevel {
+			_, err := l.api.UpdateLB(&scwlb.ZonedAPIUpdateLBRequest{
+				Zone:                  loadbalancer.Zone,
+				LBID:                  loadbalancer.ID,
+				Name:                  loadbalancer.Name,
+				Description:           loadbalancer.Description,
+				Tags:                  loadbalancer.Tags,
+				SslCompatibilityLevel: sslCompatibilityLevel,
+			})
+			if err != nil {
+				klog.Errorf("error updating load balancer %s: %v", loadbalancer.ID, err)
+				return fmt.Errorf("error updating load balancer %s: %v", loadbalancer.ID, err)
+			}
+		}
 	}
 
 	return nil

scaleway/loadbalancers_annotations.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 	"time"
 
+	"golang.org/x/exp/slices"
 	"google.golang.org/protobuf/types/known/durationpb"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/klog/v2"
@@ -120,6 +121,10 @@ const (
 	// The default value is "false". The possible values are "false" or "true".
 	serviceAnnotationLoadBalancerEnableHTTP3 = "service.beta.kubernetes.io/scw-loadbalancer-enable-http3"
 
+	// serviceAnnotationLoadBalancerSSLCompatibilityLevel is the annotation to set the minimal SSL version supported on the client side.
+	// The default value is "ssl_compatibility_level_intermediate".
+	serviceAnnotationLoadBalancerSSLCompatibilityLevel = "service.beta.kubernetes.io/scw-loadbalancer-ssl-compatibility-level"
+
 	// serviceAnnotationLoadBalancerTimeoutClient is the maximum client connection inactivity time
 	// The default value is "10m". The duration are go's time.Duration (ex: "1s", "2m", "4h", ...)
 	serviceAnnotationLoadBalancerTimeoutClient = "service.beta.kubernetes.io/scw-loadbalancer-timeout-client"
@@ -1101,3 +1106,18 @@ func getNativeHealthCheck(service *v1.Service, targetPort int32) (*scwlb.HealthC
 		},
 	}, nil
 }
+
+func getSSLCompatibilityLevel(service *v1.Service) (scwlb.SSLCompatibilityLevel, error) {
+	sslCompatibilityLevel := service.Annotations[serviceAnnotationLoadBalancerSSLCompatibilityLevel]
+	if sslCompatibilityLevel == "" {
+		return scwlb.SSLCompatibilityLevelSslCompatibilityLevelIntermediate, nil
+	}
+
+	level := scwlb.SSLCompatibilityLevel(sslCompatibilityLevel)
+	if !slices.Contains(level.Values(), level) {
+		klog.Errorf("invalid value for annotation %s", serviceAnnotationLoadBalancerSSLCompatibilityLevel)
+		return "", errLoadBalancerInvalidAnnotation
+	}
+
+	return level, nil
+}

scaleway/loadbalancers_test.go

@@ -1849,6 +1849,88 @@ func Test_nodesInitialized(t *testing.T) {
 	}
 }
 
+func TestGetSSLCompatibilityLevel(t *testing.T) {
+	matrix := []struct {
+		name    string
+		service *v1.Service
+		want    scwlb.SSLCompatibilityLevel
+		wantErr bool
+	}{
+		{
+			"with empty annotation",
+			&v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{},
+				},
+			},
+			scwlb.SSLCompatibilityLevelSslCompatibilityLevelIntermediate,
+			false,
+		},
+		{
+			"with valid intermediate level",
+			&v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"service.beta.kubernetes.io/scw-loadbalancer-ssl-compatibility-level": "ssl_compatibility_level_intermediate",
+					},
+				},
+			},
+			scwlb.SSLCompatibilityLevelSslCompatibilityLevelIntermediate,
+			false,
+		},
+		{
+			"with valid modern level",
+			&v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"service.beta.kubernetes.io/scw-loadbalancer-ssl-compatibility-level": "ssl_compatibility_level_modern",
+					},
+				},
+			},
+			scwlb.SSLCompatibilityLevelSslCompatibilityLevelModern,
+			false,
+		},
+		{
+			"with valid old level",
+			&v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"service.beta.kubernetes.io/scw-loadbalancer-ssl-compatibility-level": "ssl_compatibility_level_old",
+					},
+				},
+			},
+			scwlb.SSLCompatibilityLevelSslCompatibilityLevelOld,
+			false,
+		},
+		{
+			"with invalid level",
+			&v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"service.beta.kubernetes.io/scw-loadbalancer-ssl-compatibility-level": "invalid_level",
+					},
+				},
+			},
+			"",
+			true,
+		},
+	}
+
+	for _, tt := range matrix {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := getSSLCompatibilityLevel(tt.service)
+			if tt.wantErr != (err != nil) {
+				t.Errorf("got error: %s, expected: %v", err, tt.wantErr)
+				return
+			}
+
+			if got != tt.want {
+				t.Errorf("want: %v, got: %v", tt.want, got)
+			}
+		})
+	}
+}
+
 func Test_ipMode(t *testing.T) {
 	type args struct {
 		service *v1.Service