IngressClassParams support (kubernetes-sigs#1849)

* bootstrap IngressClassParams CRD * add validation webhook for disable annotation usage for ingressClass & ingressGroupName * update go mod
darren-recentive · Mar 10, 2021 · 436c3d2 · 436c3d2
1 parent 04c9bf5
commit 436c3d2
Show file tree

Hide file tree

Showing 27 changed files with 1,234 additions and 251 deletions.
diff --git a/Makefile b/Makefile
@@ -71,7 +71,7 @@ ifeq (, $(shell which controller-gen))
 	CONTROLLER_GEN_TMP_DIR=$$(mktemp -d) ;\
 	cd $$CONTROLLER_GEN_TMP_DIR ;\
 	go mod init tmp ;\
-	go get sigs.k8s.io/controller-tools/cmd/[email protected] ;\
+	go install sigs.k8s.io/controller-tools/cmd/[email protected] ;\
 	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
 	}
 CONTROLLER_GEN=$(GOBIN)/controller-gen

diff --git a/PROJECT b/PROJECT
@@ -4,5 +4,8 @@ repo: sigs.k8s.io/aws-load-balancer-controller
 resources:
 - group: elbv2
   kind: TargetGroupBinding
-  version: v1alpha1
+  version: v1beta1
+- group: elbv2
+  kind: IngressClassParams
+  version: v1beta1
 version: "2"
diff --git a/apis/elbv2/v1beta1/ingressclassparams_types.go b/apis/elbv2/v1beta1/ingressclassparams_types.go
@@ -0,0 +1,92 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:validation:Enum=ipv4;dualstack
+// IPAddressType is the ip address type of load balancer.
+type IPAddressType string
+
+const (
+	IPAddressTypeIPV4      IPAddressType = "ipv4"
+	IPAddressTypeDualStack IPAddressType = "dualstack"
+)
+
+// +kubebuilder:validation:Enum=internal;internet-facing
+// Scheme is the scheme of load balancer.
+//
+// * the nodes of an internet-facing load balancer have public IP addresses.
+// * the nodes of an internal load balancer have only private IP addresses.
+type LoadBalancerScheme string
+
+const (
+	LoadBalancerSchemeInternal       LoadBalancerScheme = "internal"
+	LoadBalancerSchemeInternetFacing LoadBalancerScheme = "internet-facing"
+)
+
+// IngressGroup defines IngressGroup configuration.
+type IngressGroup struct {
+	// Name is the name of IngressGroup.
+	Name string `json:"name"`
+}
+
+// IngressClassParamsSpec defines the desired state of IngressClassParams
+type IngressClassParamsSpec struct {
+	// NamespaceSelector restrict the namespaces of Ingresses that are allowed to specify the IngressClass with this IngressClassParams.
+	// * if absent or present but empty, it selects all namespaces.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+
+	// Group defines the IngressGroup for all Ingresses that belong to IngressClass with this IngressClassParams.
+	// +optional
+	Group *IngressGroup `json:"group,omitempty"`
+
+	// Scheme defines the scheme for all Ingresses that belong to IngressClass with this IngressClassParams.
+	// +optional
+	Scheme *LoadBalancerScheme `json:"scheme,omitempty"`
+
+	// IPAddressType defines the ip address type for all Ingresses that belong to IngressClass with this IngressClassParams.
+	// +optional
+	IPAddressType *IPAddressType `json:"ipAddressType,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster
+// +kubebuilder:storageversion
+// IngressClassParams is the Schema for the IngressClassParams API
+type IngressClassParams struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec IngressClassParamsSpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// IngressClassParamsList contains a list of IngressClassParams
+type IngressClassParamsList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []IngressClassParams `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&IngressClassParams{}, &IngressClassParamsList{})
+}
diff --git a/apis/elbv2/v1beta1/zz_generated.deepcopy.go b/apis/elbv2/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml b/config/crd/bases/elbv2.k8s.aws_ingressclassparams.yaml
@@ -0,0 +1,118 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.0
+  creationTimestamp: null
+  name: ingressclassparams.elbv2.k8s.aws
+spec:
+  group: elbv2.k8s.aws
+  names:
+    kind: IngressClassParams
+    listKind: IngressClassParamsList
+    plural: ingressclassparams
+    singular: ingressclassparams
+  scope: Cluster
+  validation:
+    openAPIV3Schema:
+      description: IngressClassParams is the Schema for the IngressClassParams API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation
+            of an object. Servers should convert recognized schemas to the latest
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this
+            object represents. Servers may infer this from the endpoint the client
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: IngressClassParamsSpec defines the desired state of IngressClassParams
+          properties:
+            group:
+              description: Group defines the IngressGroup for all Ingresses that belong
+                to IngressClass with this IngressClassParams.
+              properties:
+                name:
+                  description: Name is the name of IngressGroup.
+                  type: string
+              required:
+              - name
+              type: object
+            ipAddressType:
+              description: IPAddressType defines the ip address type for all Ingresses
+                that belong to IngressClass with this IngressClassParams.
+              enum:
+              - ipv4
+              - dualstack
+              type: string
+            namespaceSelector:
+              description: NamespaceSelector restrict the namespaces of Ingresses
+                that are allowed to specify the IngressClass with this IngressClassParams.
+                * if absent or present but empty, it selects all namespaces.
+              properties:
+                matchExpressions:
+                  description: matchExpressions is a list of label selector requirements.
+                    The requirements are ANDed.
+                  items:
+                    description: A label selector requirement is a selector that contains
+                      values, a key, and an operator that relates the key and values.
+                    properties:
+                      key:
+                        description: key is the label key that the selector applies
+                          to.
+                        type: string
+                      operator:
+                        description: operator represents a key's relationship to a
+                          set of values. Valid operators are In, NotIn, Exists and
+                          DoesNotExist.
+                        type: string
+                      values:
+                        description: values is an array of string values. If the operator
+                          is In or NotIn, the values array must be non-empty. If the
+                          operator is Exists or DoesNotExist, the values array must
+                          be empty. This array is replaced during a strategic merge
+                          patch.
+                        items:
+                          type: string
+                        type: array
+                    required:
+                    - key
+                    - operator
+                    type: object
+                  type: array
+                matchLabels:
+                  additionalProperties:
+                    type: string
+                  description: matchLabels is a map of {key,value} pairs. A single
+                    {key,value} in the matchLabels map is equivalent to an element
+                    of matchExpressions, whose key field is "key", the operator is
+                    "In", and the values array contains only "value". The requirements
+                    are ANDed.
+                  type: object
+              type: object
+            scheme:
+              description: Scheme defines the scheme for all Ingresses that belong
+                to IngressClass with this IngressClassParams.
+              enum:
+              - internal
+              - internet-facing
+              type: string
+          type: object
+      type: object
+  version: v1beta1
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -3,17 +3,20 @@
 # It should be run by config/default
 resources:
   - bases/elbv2.k8s.aws_targetgroupbindings.yaml
+  - bases/elbv2.k8s.aws_ingressclassparams.yaml
 # +kubebuilder:scaffold:crdkustomizeresource
 
 patchesStrategicMerge:
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 #- patches/webhook_in_targetgroupbindings.yaml
+#- patches/webhook_in_ingressclassparams.yaml
 # +kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable webhook, uncomment all the sections with [CERTMANAGER] prefix.
 # patches here are for enabling the CA injection for each CRD
 #- patches/cainjection_in_targetgroupbindings.yaml
+#- patches/cainjection_in_ingressclassparams.yaml
 # +kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.

diff --git a/config/crd/patches/cainjection_in_ingressclassparams.yaml b/config/crd/patches/cainjection_in_ingressclassparams.yaml
@@ -0,0 +1,8 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: ingressclassparams.elbv2.k8s.aws
diff --git a/config/crd/patches/webhook_in_ingressclassparams.yaml b/config/crd/patches/webhook_in_ingressclassparams.yaml
@@ -0,0 +1,16 @@
+# The following patch enables conversion webhook for CRD
+# CRD conversion requires k8s 1.13 or later.
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ingressclassparams.elbv2.k8s.aws
+spec:
+  conversion:
+    strategy: Webhook
+    webhookClientConfig:
+      # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank,
+      # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager)
+      caBundle: Cg==
+      service:
+        name: webhook-service
+        path: /convert