Implement support for ManagedCertificate CRD

[krzykwas]

This change adds to Ingress support for ManagedCertificate CRD to integrate with https://github.com/GoogleCloudPlatform/gke-managed-certs

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please email the CNCF helpdesk: helpdesk@rt.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[krzykwas]

I signed it

[krzykwas]

I signed it

[krzykwas]

/assign @bowei

[rramkumar1]

/ok-to-test

[krzykwas]

/assign @rramkumar1

[rramkumar1]

Can you move this mock to pkg/events.

[rramkumar1]

In the same file as the interface definition is fine.

[krzykwas]

Done.

[rramkumar1]

Can you put this in pkg/utils instead?

[krzykwas]

Done. I also added a unit test. There was one special case I didn't expect: if annotation was empty, splitAnnotation produced []string{""} instead of nil or []string{}, I fixed it.

[bowei]

can you rebase and squash the commits, then split into:

• vendor/ only changes
• files changed for vendoring
• implementation
• unit tests

[krzykwas]

I rebased, squashed and split the commits into vendor/+Gopkg.lock changes, implementation and unit tests. I didn't get what files changed for vendoring means.

[rramkumar1]

/cc @prameshj

[k8s-ci-robot]

@rramkumar1: GitHub didn't allow me to request PR reviews from the following users: prameshj.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @prameshj

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rramkumar1]

So the previous behavior was that if the user specified both pre-shared certs and secrets, we would only take the pre-shared certs and ignore the secrets. Correct me if I am wrong, but here it seems like you accept all three (managed, pre-shared and secret).

I would prefer to stick with the existing semantics. Specifically, Managed certs should take precedence over everything else.

[krzykwas]

I think that the current code either uses managed certificates and pre-shared-cert or managed certificates and k8s secrets. I think it does not support all 3 types at once. This is because of return at line 51.:

if used {
	l.sslCerts = append(managedSslCerts, preSharedSslCerts...)
	return err
}

Also I added a test case for that to loadbalancer_test.go (one of last two test cases).

[prameshj]

Any reason we want to mix the modes? If we support both managed certs and preshared together, user might be confused why preshared and secrets don't work together or why all 3 are not picked up. Supporting just one mode with a priority in case more than one is specified might be clearer?

[prameshj]

I guess one reason to combine preshared and managed certs is because neither of them is ingress created and hence do not need to be garbage-collected. I am curious to see if you had any other reasons, and also motivation for supporting managed certs and secrets .

[krzykwas]

Only with modes combined it is possible to support no-downtime migration scenarios. GCLB has its own logic for selecting a certificate and Ingress really should just pass all the certificates down to GCLB. But pre-shared-cert and secrets are already implemented differently and I just wanted to keep this behavior unchanged.

[rramkumar1]

As discussed offline, I think it would make sense to keep consistency with the existing behavior. Namely, only take one form of cert. In this case, the precedence would be managed cert > pre-shared > secret.

[prameshj]

nit : Change to 2018?

[krzykwas]

ACK - please leave it unresolved and once we agree what changes are necessary I'll take a look to fix it.

[prameshj]

Any reason we want to mix the modes? If we support both managed certs and preshared together, user might be confused why preshared and secrets don't work together or why all 3 are not picked up. Supporting just one mode with a priority in case more than one is specified might be clearer?

[prameshj]

I guess one reason to combine preshared and managed certs is because neither of them is ingress created and hence do not need to be garbage-collected. I am curious to see if you had any other reasons, and also motivation for supporting managed certs and secrets .

[prameshj]

Maybe call this "getIngressManagedSslCerts()" ?

[krzykwas]

ACK, I can rename later when introducing all required changes.

[prameshj]

Is it possible for token to be " ", in which case we will still append an empty string to result since trimspace will make it "" ?
Maybe just check the result of TrimSpace for empty string?

[krzykwas]

Good catch, thanks. I'll also fix it once we agree what changes are necessary.

[rramkumar1]

/lgtm
/hold

@prameshj if this looks good to you, we can merge.

[prameshj]

Some small nits, looks good to me otherwise.
Thanks for making the changes.

[prameshj]

Can req be nil if there were no errors in line 156?

[krzykwas]

I think it can't based on the implementation of apimachinery labels, and also based on the Go convention for constructors I observed: err != nil or err == nil and an object is instantiated.

[prameshj]

ok, thanks for verifying.

[prameshj]

Is it valid to have managed cert status with empty Certificate name? Should we log an error in this case?

[krzykwas]

When a user creates a ManagedCertificate, he wouldn't usually fill in the status field, so the CertificateName field can be empty and it is not an error.

[rramkumar1]

/lgtm
/hold cancel

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: krzykwas, rramkumar1

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rramkumar1]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fproulx-dfuse]

@krzykwas when can we expect this to be available in prod ?
Also, how and when are those releases made available to Kubernetes Engine, do I need to wait for an update of my Master for it to be available ?