WIP: Add Application Load Balancer Controller Manager#879
WIP: Add Application Load Balancer Controller Manager#879kamilprzybyl wants to merge 36 commits intomainfrom
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
ske-prow
bot
added
do-not-merge/needs-kind
kamilprzybyl
changed the title
ske-prow
bot
added
the
do-not-merge/work-in-progress
kamilprzybyl
force-pushed
the
feat/kp/add-alb-ingress-controller
branch
from
7ecc416 to
86bdf1d
Compare
| // generate self-signed certificates for the metrics server. While convenient for development and testing, | ||
| // this setup is not recommended for production. | ||
| // | ||
| // TODO(user): If you enable certManager, uncomment the following lines: |
There was a problem hiding this comment.
might be good to create separate examples for that
| sort.SliceStable(ruleMetadataList, func(i, j int) bool { | ||
| a, b := ruleMetadataList[i], ruleMetadataList[j] | ||
| // 1. Host name (lexicographically) | ||
| if a.host != b.host { |
pkg/alb/ingress/alb_spec.go
Outdated
| } | ||
|
|
||
| // cleanupCerts deletes the certificates from the Certificates API that are no longer associated with any Ingress in the IngressClass | ||
| func (r *IngressClassReconciler) cleanupCerts(ctx context.Context, ingressClass *networkingv1.IngressClass, ingresses []*networkingv1.Ingress) error { |
There was a problem hiding this comment.
do we really want to delete certificates? That could be very dangerous as users might just not associate the certificate anymore and want to keep it.
There was a problem hiding this comment.
Each Ingress TLS secret reference is mapped to a unique ALB Certificate resource. Even if multiple Ingresses reference the same k8s Secret, they will each trigger the creation of a separate, independent certificate on the ALB. That means, deleting one Ingress (and its associated ALB Certificate) does not impact the certificates still being used by other Ingresses.
pkg/alb/ingress/alb_spec.go
Outdated
|
|
||
| // isCertValid checks if the certificate chain is complete. It is used for checking if | ||
| // the cert-manager's ACME challenge is completed, or if it's sill ongoing. | ||
| func isCertValid(secret *corev1.Secret) (bool, error) { |
There was a problem hiding this comment.
isn't that already handled by the certificate api?
There was a problem hiding this comment.
The Cert API only checks if the public and private keys are matching + if the certificate is a valid X.509 format but it does not reject incomplete chains.
Renamed the function from isCertValid to isCertReady and clarified the function in the comment above.
ske-prow
bot
added
the
needs-rebase
| } | ||
|
|
||
| if len(albIngressList) < 1 { | ||
| err := r.handleIngressClassWithoutIngresses(ctx, albIngressList, ingressClass) |
There was a problem hiding this comment.
It doesn't make sense to pass albIngressList if it is always empty.
There was a problem hiding this comment.
You're right, passing an empty list is useless. And with that, the controller does not clean up certificates properly as the list is always empty.
Removed the redundant ingresses parameter from handleIngressClassWithoutIngresses since it was always empty. Updated cleanupCerts to identify and delete certificates using the IngressClass UID prefix, ensuring orphaned certificates are properly removed even when no Ingress resources exist.
kamilprzybyl
force-pushed
the
feat/kp/add-alb-ingress-controller
branch
2 times, most recently
from
d8de28a to
f903b25
Compare
|
We currently only delete certificates when the IngressClass is deleted or no Ingress references the IngressClass. |
|
Added ExactMatch -Path- to change detection
… references; adjusted requeuing logic for certificates
dergeberl
force-pushed
the
feat/kp/add-alb-ingress-controller
branch
from
3ad18ef to
9d6f767
Compare
ske-prow
bot
removed
the
needs-rebase
… this requires the makefile from kubebuilder
| // It uses the trusted CAs from the operating system for validation. | ||
| tlsBridgingTrustedCaAnnotation = "alb.stackit.cloud/tls-bridging-trusted-ca" | ||
| // If set, the application load balancer enables TLS bridging with a custom CA provided as value. | ||
| tlsBridgingCustomCaAnnotation = "alb.stackit.cloud/tls-bridging-custom-ca" |
There was a problem hiding this comment.
This should probably use as value a reference to a TLS secret.
| // It merges and sorts all routing rules across the ingresses based on host, priority, path specificity, path type, and ingress origin. | ||
| // The resulting ALB payload includes targets derived from cluster nodes, target pools per backend service, HTTP(S) listeners, | ||
| // and optional TLS certificate bindings. This spec is later used to create or update the actual ALB instance. | ||
| func (r *IngressClassReconciler) albSpecFromIngress( //nolint:funlen,gocyclo // We go through a lot of fields. Not much complexity. |
There was a problem hiding this comment.
this is indeed complex, should be split up into multiple functions.
| return 0, fmt.Errorf("service not found: %s", path.Backend.Service.Name) | ||
| } | ||
|
|
||
| if path.Backend.Service.Port.Name != "" { |
There was a problem hiding this comment.
should be refactored to have less branching, 4 indents is too much imo.
| export KUBECONFIG=~/.kube/config | ||
| ``` | ||
|
|
||
| ### Create your deployment and expose it via Ingress |
There was a problem hiding this comment.
We should link to the samples yamls instead of duplicating this into this doc.
Also a list of annotations should be added.
|
|
||
| > NOTE: The service has to be of type NodePort to enable access to the nodes from the outside of the cluster. | ||
| 3. Create an IngressClass that specifies the ALB Ingress controller: |
There was a problem hiding this comment.
I have a bit of information missing:
Is each ingress under the same ingress class being added to the same ALB? If so this should be made clear so that it's clear to end users.
| ## Overview | ||
|
|
||
| The STACKIT Cloud Provider includes both the Cloud Controller Manager (CCM) for managing cloud resources and the CSI driver for persistent storage. This deployment provides a unified solution for cloud integration and storage provisioning. | ||
| The STACKIT Cloud Provider includes the Cloud Controller Manager (CCM) for managing cloud resources, the CSI driver for persistent storage and the Application Load Balancer Controller Manager (ALBCM) for managing STACKIT Application Load Balancer (ALB) via Ingress Resources. |
There was a problem hiding this comment.
we should have different deployment docs for each binary. CCM and ALBCM should be different md files. It's easier to comprehend.
|
|
||
| // nolint:funlen // TODO: Refactor into smaller functions. | ||
| func main() { | ||
| var metricsAddr string |
6 participants
How to categorize this PR?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Breaking changes: