Add support for ingress-configured router #12416
Conversation
marun
force-pushed
the
ingress-configured-router
branch
15 times, most recently
from
83bd1d9 to
54811f8
Compare
marun
changed the title
marun
force-pushed
the
ingress-configured-router
branch
4 times, most recently
from
fc7b3bd to
4e34553
Compare
|
This is ready for review. |
marun
force-pushed
the
ingress-configured-router
branch
from
4e34553 to
277c406
Compare
|
re-[test] |
| @@ -63,6 +77,8 @@ func (c *RouterController) Run() { | |||
| if c.WatchNodes { | |||
| go utilwait.Forever(c.HandleNode, 0) | |||
| } | |||
| go utilwait.Forever(c.HandleIngress, 0) | |||
There was a problem hiding this comment.
Need to make starting these goroutines conditional on EnableIngress
|
Done |
marun
force-pushed
the
ingress-configured-router
branch
2 times, most recently
from
0cf1aec to
7e79991
Compare
|
Done |
marun
force-pushed
the
ingress-configured-router
branch
2 times, most recently
from
68cd11d to
35e12fd
Compare
| @@ -225,7 +225,8 @@ func (o *F5RouterOptions) Run() error { | |||
|
|
|||
| factory := o.RouterSelection.NewFactory(oc, kc) | |||
| watchNodes := (len(o.InternalAddress) != 0 && len(o.VxlanGateway) != 0) | |||
| controller := factory.Create(plugin, watchNodes) | |||
| // TODO should ingress be configurable for f5? | |||
There was a problem hiding this comment.
Can the existing plugin support it? We already set the --enable-ingress on the router, may as well use it here if the router is configured for f5.
There was a problem hiding this comment.
Ok, I'll enable it. The f5 and template router define their flags separately, so f5 will use --f5-enable-ingress
| for _, tls := range ingressTLS { | ||
| // TODO what if a host is matched by more than one IngressTLS instance? | ||
|
|
||
| // TODO what if IngressTLS doesn't specify Hosts? There's mention of defaulting to a controller-specific |
There was a problem hiding this comment.
We should do the same as when a route has no host. i.e. use the run-time set one, or the default if that's not specified.
There was a problem hiding this comment.
By 'the default', do you mean the generated host name? Currently the host name is generated by the unique_host plugin, so its not currently available when the ingress events are being generated. Should the ingress translator be generating the host name?
I think this is problematic either way. If an ingress is created with rules that lack a host name and tls that requires a specific host name to be applied, the hostname template for a given router could mean the difference between tls being applied or not being applied. Not sure there's any way to solve this, maybe the best that can be done is logging when ingress paths will not have tls applied because no host matches.
Re-reading the code comment, my concern was that the code in its present form can't apply tls that doesn't specify hosts. If an ingress defined a single tls secret without hosts, maybe that tls should be applied to all routes generated from the ingress?
There was a problem hiding this comment.
I think that is a good solution. And only one blank host should be allowed? Or the first or last in the file is taken?
There was a problem hiding this comment.
Done. The first blank host is chosen.
| // tlsForHost attempts to retrieve ingress tls configuration for the given host | ||
| func (it *IngressTranslator) tlsForHost(ingressTLS []extensions.IngressTLS, namespace, host string) *cachedTLS { | ||
| for _, tls := range ingressTLS { | ||
| // TODO what if a host is matched by more than one IngressTLS instance? |
There was a problem hiding this comment.
Don't we claim it for a namespace?
There was a problem hiding this comment.
Host claims are the same as for routes. The point here is that there is nothing stopping an ingress from defining tls entries with overlapping hosts:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: foo
spec:
tls:
- apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: no-rules-map
spec:
tls:
- secretName: secret1
hosts:
- foo
- secretName: secret2
hosts:
- fooIn a case like this, which tls configuration should be applied to a generated route with host foo?
| // name submitted to the api, but generated routes are only intended to | ||
| // be used in the context of the router controller. | ||
| // | ||
| // TODO should the path be hashed or otherwise encoded for compatibility? |
There was a problem hiding this comment.
The name of the route (with - and / replaced with _) is used in haproxy configuration. I'm assuming there are other characters that would be legal in a path that would not be legal in haproxy configuration (e.g. ? & and other characters related to a path with query parameters).
There was a problem hiding this comment.
@knobunc This should be addressed before merge.
There was a problem hiding this comment.
Should we map all but legal characters to _ and then append a hash of the whole thing to ensure uniqueness?
marun
force-pushed
the
ingress-configured-router
branch
3 times, most recently
from
3cd9f76 to
6a99d30
Compare
|
Done |
marun
force-pushed
the
ingress-configured-router
branch
from
37c978f to
cee94b5
Compare
|
re-[test] |
marun
force-pushed
the
ingress-configured-router
branch
from
cee94b5 to
aec6e82
Compare
marun
force-pushed
the
ingress-configured-router
branch
from
aec6e82 to
0e2fa74
Compare
|
Evaluated for origin test up to 0e2fa74 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13050/) (Base Commit: 9e77cfe) |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13050/) (Image: devenv-rhel7_5730) |
|
Evaluated for origin merge up to 0e2fa74 |
|
@marun will be good if we have few notes which describes how it can be used etc |
|
@DanyC97 I'm not sure ingress in openshift is worth using over routes in the near term, since there are functional gaps. This is just the first step in reconciling the two. If you'd like to experiment anyway, you'll need to build a router from master (since it isn't yet released) and:
|
TODO
cc: @openshift/networking @smarterclayton