Implement support for ManagedCertificate CRD

Gopkg.toml

@@ -64,3 +64,7 @@ ignored = ["k8s.io/kubernetes/pkg/api"]
 [[constraint]]
   name = "github.com/kr/pretty"
   version = "0.1.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/GoogleCloudPlatform/gke-managed-certs"

cmd/glbc/main.go

@@ -23,6 +23,7 @@ import (
 	"os"
 	"time"
 
+	managedcertificatesclient "github.com/GoogleCloudPlatform/gke-managed-certs/pkg/clientgen/clientset/versioned"
 	"github.com/golang/glog"
 	flag "github.com/spf13/pflag"
 
@@ -82,6 +83,12 @@ func main() {
 		glog.Fatalf("Failed to create kubernetes client: %v", err)
 	}
 
+	// Ingress only reads status of ManagedCertificate CR which is set in another component.
+	mcrtClient, err := managedcertificatesclient.NewForConfig(kubeConfig)
+	if err != nil {
+		glog.Fatalf("Failed to create Managed Certificates client: %v", err)
+	}
+
 	var backendConfigClient backendconfigclient.Interface
 	if flags.F.EnableBackendConfig {
 		crdClient, err := crdclient.NewForConfig(kubeConfig)
@@ -121,7 +128,7 @@ func main() {
 		HealthCheckPath:               flags.F.HealthCheckPath,
 		DefaultBackendHealthCheckPath: flags.F.DefaultSvcHealthCheckPath,
 	}
-	ctx := ingctx.NewControllerContext(kubeClient, backendConfigClient, cloud, namer, ctxConfig)
+	ctx := ingctx.NewControllerContext(kubeClient, backendConfigClient, mcrtClient, cloud, namer, ctxConfig)
 	go app.RunHTTPServer(ctx.HealthCheck)
 
 	if !flags.F.LeaderElection.LeaderElect {

pkg/annotations/ingress.go

@@ -64,6 +64,12 @@ const (
 	// This is read only for users. Controller will overrite any user updates.
 	// This is only set for ingresses with ingressClass = "gce-multi-cluster"
 	InstanceGroupsAnnotationKey = "ingress.gcp.kubernetes.io/instance-groups"
+
+	// ManagedCertificates represents the specific ManagedCertificate resources for
+	// the Ingress controller to use to terminate SSL. The controller *does not*
+	// manage ManagedCertificate resources, it is the user's responsibility to
+	// create/delete them.
+	ManagedCertificates = "gke.googleapis.com/managed-certificates"
 )
 
 // Ingress represents ingress annotations.
@@ -114,3 +120,11 @@ func (ing *Ingress) IngressClass() string {
 	}
 	return val
 }
+
+func (ing *Ingress) ManagedCertificates() string {
+	val, ok := ing.v[ManagedCertificates]
+	if !ok {
+		return ""
+	}
+	return val
+}

pkg/context/context.go

@@ -17,6 +17,8 @@ import (
 	"sync"
 	"time"
 
+	managedcertificatesclient "github.com/GoogleCloudPlatform/gke-managed-certs/pkg/clientgen/clientset/versioned"
+	managedcertificatesv1alpha1 "github.com/GoogleCloudPlatform/gke-managed-certs/pkg/clientgen/informers/externalversions/gke.googleapis.com/v1alpha1"
 	"github.com/golang/glog"
 
 	apiv1 "k8s.io/api/core/v1"
@@ -51,12 +53,13 @@ type ControllerContext struct {
 
 	ControllerContextConfig
 
-	IngressInformer       cache.SharedIndexInformer
-	ServiceInformer       cache.SharedIndexInformer
-	BackendConfigInformer cache.SharedIndexInformer
-	PodInformer           cache.SharedIndexInformer
-	NodeInformer          cache.SharedIndexInformer
-	EndpointInformer      cache.SharedIndexInformer
+	IngressInformer            cache.SharedIndexInformer
+	ServiceInformer            cache.SharedIndexInformer
+	BackendConfigInformer      cache.SharedIndexInformer
+	PodInformer                cache.SharedIndexInformer
+	NodeInformer               cache.SharedIndexInformer
+	EndpointInformer           cache.SharedIndexInformer
+	ManagedCertificateInformer cache.SharedIndexInformer
 
 	healthChecks map[string]func() error
 
@@ -82,21 +85,23 @@ type ControllerContextConfig struct {
 func NewControllerContext(
 	kubeClient kubernetes.Interface,
 	backendConfigClient backendconfigclient.Interface,
+	mcrtClient managedcertificatesclient.Interface,
 	cloud *gce.GCECloud,
 	namer *utils.Namer,
 	config ControllerContextConfig) *ControllerContext {
 
 	context := &ControllerContext{
-		KubeClient:              kubeClient,
-		Cloud:                   cloud,
-		ClusterNamer:            namer,
-		ControllerContextConfig: config,
-		IngressInformer:         informerv1beta1.NewIngressInformer(kubeClient, config.Namespace, config.ResyncPeriod, utils.NewNamespaceIndexer()),
-		ServiceInformer:         informerv1.NewServiceInformer(kubeClient, config.Namespace, config.ResyncPeriod, utils.NewNamespaceIndexer()),
-		PodInformer:             informerv1.NewPodInformer(kubeClient, config.Namespace, config.ResyncPeriod, utils.NewNamespaceIndexer()),
-		NodeInformer:            informerv1.NewNodeInformer(kubeClient, config.ResyncPeriod, utils.NewNamespaceIndexer()),
-		recorders:               map[string]record.EventRecorder{},
-		healthChecks:            make(map[string]func() error),
+		KubeClient:                 kubeClient,
+		Cloud:                      cloud,
+		ClusterNamer:               namer,
+		ControllerContextConfig:    config,
+		IngressInformer:            informerv1beta1.NewIngressInformer(kubeClient, config.Namespace, config.ResyncPeriod, utils.NewNamespaceIndexer()),
+		ServiceInformer:            informerv1.NewServiceInformer(kubeClient, config.Namespace, config.ResyncPeriod, utils.NewNamespaceIndexer()),
+		PodInformer:                informerv1.NewPodInformer(kubeClient, config.Namespace, config.ResyncPeriod, utils.NewNamespaceIndexer()),
+		NodeInformer:               informerv1.NewNodeInformer(kubeClient, config.ResyncPeriod, utils.NewNamespaceIndexer()),
+		ManagedCertificateInformer: managedcertificatesv1alpha1.NewManagedCertificateInformer(mcrtClient, config.Namespace, config.ResyncPeriod, utils.NewNamespaceIndexer()),
+		recorders:                  map[string]record.EventRecorder{},
+		healthChecks:               make(map[string]func() error),
 	}
 	if config.NEGEnabled {
 		context.EndpointInformer = informerv1.NewEndpointsInformer(kubeClient, config.Namespace, config.ResyncPeriod, utils.NewNamespaceIndexer())
@@ -115,6 +120,7 @@ func (ctx *ControllerContext) HasSynced() bool {
 		ctx.ServiceInformer.HasSynced,
 		ctx.PodInformer.HasSynced,
 		ctx.NodeInformer.HasSynced,
+		ctx.ManagedCertificateInformer.HasSynced,
 	}
 	if ctx.EndpointInformer != nil {
 		funcs = append(funcs, ctx.EndpointInformer.HasSynced)
@@ -177,6 +183,7 @@ func (ctx *ControllerContext) Start(stopCh chan struct{}) {
 	go ctx.ServiceInformer.Run(stopCh)
 	go ctx.PodInformer.Run(stopCh)
 	go ctx.NodeInformer.Run(stopCh)
+	go ctx.ManagedCertificateInformer.Run(stopCh)
 	if ctx.EndpointInformer != nil {
 		go ctx.EndpointInformer.Run(stopCh)
 	}

pkg/controller/controller.go

@@ -23,6 +23,7 @@ import (
 	"sync"
 	"time"
 
+	mcrtv1alpha1 "github.com/GoogleCloudPlatform/gke-managed-certs/pkg/clientgen/listers/gke.googleapis.com/v1alpha1"
 	"github.com/golang/glog"
 
 	apiv1 "k8s.io/api/core/v1"
@@ -100,6 +101,7 @@ func NewLoadBalancerController(
 	healthChecker := healthchecks.NewHealthChecker(ctx.Cloud, ctx.HealthCheckPath, ctx.DefaultBackendHealthCheckPath, ctx.ClusterNamer, ctx.DefaultBackendSvcPortID.Service)
 	instancePool := instances.NewNodePool(ctx.Cloud, ctx.ClusterNamer)
 	backendPool := backends.NewPool(ctx.Cloud, ctx.ClusterNamer, true)
+	mcrtLister := mcrtv1alpha1.NewManagedCertificateLister(ctx.ManagedCertificateInformer.GetIndexer())
 	lbc := LoadBalancerController{
 		ctx:           ctx,
 		ingLister:     utils.StoreToIngressLister{Store: ctx.IngressInformer.GetStore()},
@@ -110,7 +112,7 @@ func NewLoadBalancerController(
 		hasSynced:     ctx.HasSynced,
 		nodes:         NewNodeController(ctx, instancePool),
 		instancePool:  instancePool,
-		l7Pool:        loadbalancers.NewLoadBalancerPool(ctx.Cloud, ctx.ClusterNamer),
+		l7Pool:        loadbalancers.NewLoadBalancerPool(ctx.Cloud, ctx.ClusterNamer, mcrtLister, ctx),
 		backendSyncer: backends.NewBackendSyncer(backendPool, healthChecker, ctx.ClusterNamer, ctx.BackendConfigEnabled),
 		negLinker:     backends.NewNEGLinker(backendPool, ctx.Cloud, ctx.ClusterNamer),
 		igLinker:      backends.NewInstanceGroupLinker(instancePool, backendPool, ctx.ClusterNamer),
@@ -541,12 +543,14 @@ func (lbc *LoadBalancerController) toRuntimeInfo(ing *extensions.Ingress, urlMap
 	}
 
 	return &loadbalancers.L7RuntimeInfo{
-		Name:         k,
-		TLS:          tls,
-		TLSName:      annotations.UseNamedTLS(),
-		AllowHTTP:    annotations.AllowHTTP(),
-		StaticIPName: annotations.StaticIPName(),
-		UrlMap:       urlMap,
+		Name:                k,
+		TLS:                 tls,
+		TLSName:             annotations.UseNamedTLS(),
+		Ingress:             ing,
+		ManagedCertificates: annotations.ManagedCertificates(),
+		AllowHTTP:           annotations.AllowHTTP(),
+		StaticIPName:        annotations.StaticIPName(),
+		UrlMap:              urlMap,
 	}, nil
 }
 

pkg/controller/controller_test.go

@@ -29,6 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/kubernetes/fake"
 	backendconfigclient "k8s.io/ingress-gce/pkg/backendconfig/client/clientset/versioned/fake"
+	"k8s.io/ingress-gce/pkg/events"
 	"k8s.io/ingress-gce/pkg/instances"
 	"k8s.io/ingress-gce/pkg/loadbalancers"
 	"k8s.io/ingress-gce/pkg/test"
@@ -60,11 +61,11 @@ func newLoadBalancerController() *LoadBalancerController {
 		HealthCheckPath:               "/",
 		DefaultBackendHealthCheckPath: "/healthz",
 	}
-	ctx := context.NewControllerContext(kubeClient, backendConfigClient, fakeGCE, namer, ctxConfig)
+	ctx := context.NewControllerContext(kubeClient, backendConfigClient, nil, fakeGCE, namer, ctxConfig)
 	lbc := NewLoadBalancerController(ctx, stopCh)
 	// TODO(rramkumar): Fix this so we don't have to override with our fake
 	lbc.instancePool = instances.NewNodePool(instances.NewFakeInstanceGroups(sets.NewString(), namer), namer)
-	lbc.l7Pool = loadbalancers.NewLoadBalancerPool(loadbalancers.NewFakeLoadBalancers(clusterUID, namer), namer)
+	lbc.l7Pool = loadbalancers.NewLoadBalancerPool(loadbalancers.NewFakeLoadBalancers(clusterUID, namer), namer, nil, events.RecorderProducerMock{})
 	lbc.instancePool.Init(&instances.FakeZoneLister{Zones: []string{"zone-a"}})
 
 	lbc.hasSynced = func() bool { return true }

pkg/controller/translator/translator_test.go

@@ -58,7 +58,7 @@ func fakeTranslator(negEnabled, backendConfigEnabled bool) *Translator {
 		HealthCheckPath:               "/",
 		DefaultBackendHealthCheckPath: "/healthz",
 	}
-	ctx := context.NewControllerContext(client, backendConfigClient, nil, namer, ctxConfig)
+	ctx := context.NewControllerContext(client, backendConfigClient, nil, nil, namer, ctxConfig)
 	gce := &Translator{
 		ctx: ctx,
 	}

pkg/events/events.go

@@ -0,0 +1,32 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package events
+
+import (
+	"k8s.io/client-go/tools/record"
+)
+
+type RecorderProducer interface {
+	Recorder(ns string) record.EventRecorder
+}
+
+type RecorderProducerMock struct {
+}
+
+func (r RecorderProducerMock) Recorder(ns string) record.EventRecorder {
+	return &record.FakeRecorder{}
+}

pkg/firewalls/controller_test.go

@@ -47,7 +47,7 @@ func newFirewallController() *FirewallController {
 		DefaultBackendSvcPortID: test.DefaultBeSvcPort.ID,
 	}
 
-	ctx := context.NewControllerContext(kubeClient, backendConfigClient, fakeGCE, namer, ctxConfig)
+	ctx := context.NewControllerContext(kubeClient, backendConfigClient, nil, fakeGCE, namer, ctxConfig)
 	fwc := NewFirewallController(ctx, []string{"30000-32767"})
 	fwc.hasSynced = func() bool { return true }
 

pkg/flags/flags.go

@@ -128,12 +128,15 @@ type Features struct {
 	NEG bool
 	// NEGExposed enables using standalone (exposed) NEGs
 	NEGExposed bool
+	// ManagedCertificates enables using ManagedCertificate CRD
+	ManagedCertificates bool
 }
 
 var DefaultFeatures = &Features{
-	Http2:      true,
-	NEG:        true,
-	NEGExposed: true,
+	Http2:               true,
+	NEG:                 true,
+	NEGExposed:          true,
+	ManagedCertificates: false,
 }
 
 func EnabledFeatures() *Features {
@@ -210,6 +213,7 @@ L7 load balancing. CSV values accepted. Example: -node-port-ranges=80,8080,400-5
 	leaderelectionconfig.BindFlags(&F.LeaderElection.LeaderElectionConfiguration, flag.CommandLine)
 	flag.StringVar(&F.LeaderElection.LockObjectNamespace, "lock-object-namespace", F.LeaderElection.LockObjectNamespace, "Define the namespace of the lock object.")
 	flag.StringVar(&F.LeaderElection.LockObjectName, "lock-object-name", F.LeaderElection.LockObjectName, "Define the name of the lock object.")
+	flag.BoolVar(&F.Features.ManagedCertificates, "enable-managed-certificates", F.Features.ManagedCertificates, "Enable ManagedCertificates.")
 
 	// Deprecated F.
 	flag.BoolVar(&F.Verbose, "verbose", false,