Implement SslPolicies for TargetHttpsProxy

pkg/loadbalancers/loadbalancers_test.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"reflect"
 	"strconv"
 	"strings"
 	"testing"
@@ -34,6 +35,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/ingress-gce/pkg/annotations"
+	frontendconfigv1beta1 "k8s.io/ingress-gce/pkg/apis/frontendconfig/v1beta1"
 	"k8s.io/ingress-gce/pkg/composite"
 	"k8s.io/ingress-gce/pkg/events"
 	"k8s.io/ingress-gce/pkg/flags"
@@ -973,6 +975,44 @@ func TestCreateBothLoadBalancers(t *testing.T) {
 	}
 }
 
+func TestGetSslPolicyLink(t *testing.T) {
+	j := newTestJig(t)
+
+	testCases := []struct {
+		desc string
+		fc   *frontendconfigv1beta1.FrontendConfig
+		want *string
+	}{
+		{
+			desc: "Empty frontendconfig",
+			fc:   nil,
+			want: nil,
+		},
+		{
+			desc: "frontendconfig with no ssl policy",
+			fc:   &frontendconfigv1beta1.FrontendConfig{Spec: frontendconfigv1beta1.FrontendConfigSpec{}},
+			want: nil,
+		},
+		{
+			desc: "frontendconfig with ssl policy",
+			fc:   &frontendconfigv1beta1.FrontendConfig{Spec: frontendconfigv1beta1.FrontendConfigSpec{SslPolicy: utils.NewString("test-policy")}},
+			want: utils.NewString("global/sslPolicies/test-policy"),
+		},
+	}
+
+	for _, tc := range testCases {
+		l7 := L7{runtimeInfo: &L7RuntimeInfo{FrontendConfig: tc.fc}, cloud: j.fakeGCE, scope: meta.Global}
+		result, err := l7.getSslPolicyLink()
+		if err != nil {
+			t.Errorf("desc: %q, l7.getSslPolicyLink() = %v, want nil", tc.desc, err)
+		}
+
+		if !reflect.DeepEqual(result, tc.want) {
+			t.Errorf("desc: %q, l7.getSslPolicyLink() = %v, want %+v", tc.desc, result, tc.want)
+		}
+	}
+}
+
 // verifyURLMap gets the created URLMap and compares it against an expected one.
 func verifyURLMap(t *testing.T, j *testJig, feNamer namer_util.IngressFrontendNamer, wantGCEURLMap *utils.GCEURLMap) {
 	t.Helper()

pkg/loadbalancers/target_proxies.go

@@ -19,6 +19,7 @@ package loadbalancers
 import (
 	"github.com/GoogleCloudPlatform/k8s-cloud-provider/pkg/cloud"
 	"k8s.io/ingress-gce/pkg/composite"
+	"k8s.io/ingress-gce/pkg/flags"
 	"k8s.io/ingress-gce/pkg/utils"
 	"k8s.io/ingress-gce/pkg/utils/namer"
 	"k8s.io/klog"
@@ -171,8 +172,25 @@ func (l *L7) checkHttpsProxy() (err error) {
 		if err := composite.SetSslCertificateForTargetHttpsProxy(l.cloud, key, proxy, sslCertURLs); err != nil {
 			return err
 		}
+	}
+
+	if flags.F.EnableFrontendConfig {
+		policyLink, err := l.getSslPolicyLink()
+		if err != nil {
+			return err
+		}
 
+		if policyLink != nil && !utils.EqualResourceIDs(*policyLink, proxy.SslPolicy) {
+			key, err := l.CreateKey(proxy.Name)
+			if err != nil {
+				return err
+			}
+			if err := composite.SetSslPolicyForTargetHttpsProxy(l.cloud, key, proxy, *policyLink); err != nil {
+				return err
+			}
+		}
 	}
+
 	l.tps = proxy
 	return nil
 }
@@ -190,3 +208,31 @@ func (l *L7) getSslCertLinkInUse() ([]string, error) {
 
 	return proxy.SslCertificates, nil
 }
+
+func (l *L7) getSslPolicyLink() (*string, error) {
+	var link string
+
+	if l.runtimeInfo.FrontendConfig == nil {
+		return nil, nil
+	}
+
+	policyName := l.runtimeInfo.FrontendConfig.Spec.SslPolicy
+	if policyName == nil {
+		return nil, nil
+	}
+	if *policyName == "" {
+		return &link, nil
+	}
+
+	key, err := l.CreateKey(*policyName)
+	if err != nil {
+		return nil, err
+	}
+	resourceID := cloud.ResourceID{
+		Resource: "sslPolicies",
+		Key:      key,
+	}
+	resID := resourceID.ResourcePath()
+
+	return &resID, nil
+}

pkg/utils/utils.go

@@ -439,3 +439,8 @@ func IsLegacyL4ILBService(svc *api_v1.Service) bool {
 	}
 	return false
 }
+
+// NewString returns a pointer to the provider string literal
+func NewString(s string) *string {
+	return &s
+}