Add support for ingress-configured router#12416
Add support for ingress-configured router#12416openshift-bot merged 2 commits intoopenshift:masterfrom marun:ingress-configured-router
Conversation
marun
changed the title
|
This is ready for review. |
|
re-[test] |
pkg/router/controller/controller.go
Outdated
| if c.WatchNodes { | ||
| go utilwait.Forever(c.HandleNode, 0) | ||
| } | ||
| go utilwait.Forever(c.HandleIngress, 0) |
There was a problem hiding this comment.
Need to make starting these goroutines conditional on EnableIngress
|
Done |
|
Done |
knobunc
left a comment
knobunc
left a comment
There was a problem hiding this comment.
Nice work Maru. @JacobTanenbaum @rajatchopra @ramr PTAL
pkg/cmd/infra/router/f5.go
Outdated
| factory := o.RouterSelection.NewFactory(oc, kc) | ||
| watchNodes := (len(o.InternalAddress) != 0 && len(o.VxlanGateway) != 0) | ||
| controller := factory.Create(plugin, watchNodes) | ||
| // TODO should ingress be configurable for f5? |
There was a problem hiding this comment.
Can the existing plugin support it? We already set the --enable-ingress on the router, may as well use it here if the router is configured for f5.
There was a problem hiding this comment.
Ok, I'll enable it. The f5 and template router define their flags separately, so f5 will use --f5-enable-ingress
pkg/router/controller/ingress.go
Outdated
| for _, tls := range ingressTLS { | ||
| // TODO what if a host is matched by more than one IngressTLS instance? | ||
|
|
||
| // TODO what if IngressTLS doesn't specify Hosts? There's mention of defaulting to a controller-specific |
There was a problem hiding this comment.
We should do the same as when a route has no host. i.e. use the run-time set one, or the default if that's not specified.
There was a problem hiding this comment.
By 'the default', do you mean the generated host name? Currently the host name is generated by the unique_host plugin, so its not currently available when the ingress events are being generated. Should the ingress translator be generating the host name?
I think this is problematic either way. If an ingress is created with rules that lack a host name and tls that requires a specific host name to be applied, the hostname template for a given router could mean the difference between tls being applied or not being applied. Not sure there's any way to solve this, maybe the best that can be done is logging when ingress paths will not have tls applied because no host matches.
Re-reading the code comment, my concern was that the code in its present form can't apply tls that doesn't specify hosts. If an ingress defined a single tls secret without hosts, maybe that tls should be applied to all routes generated from the ingress?
There was a problem hiding this comment.
I think that is a good solution. And only one blank host should be allowed? Or the first or last in the file is taken?
There was a problem hiding this comment.
Done. The first blank host is chosen.
pkg/router/controller/ingress.go
Outdated
| // tlsForHost attempts to retrieve ingress tls configuration for the given host | ||
| func (it *IngressTranslator) tlsForHost(ingressTLS []extensions.IngressTLS, namespace, host string) *cachedTLS { | ||
| for _, tls := range ingressTLS { | ||
| // TODO what if a host is matched by more than one IngressTLS instance? |
There was a problem hiding this comment.
Don't we claim it for a namespace?
There was a problem hiding this comment.
Host claims are the same as for routes. The point here is that there is nothing stopping an ingress from defining tls entries with overlapping hosts:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: foo
spec:
tls:
- apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: no-rules-map
spec:
tls:
- secretName: secret1
hosts:
- foo
- secretName: secret2
hosts:
- fooIn a case like this, which tls configuration should be applied to a generated route with host foo?
pkg/router/controller/ingress.go
Outdated
| // name submitted to the api, but generated routes are only intended to | ||
| // be used in the context of the router controller. | ||
| // | ||
| // TODO should the path be hashed or otherwise encoded for compatibility? |
There was a problem hiding this comment.
The name of the route (with - and / replaced with _) is used in haproxy configuration. I'm assuming there are other characters that would be legal in a path that would not be legal in haproxy configuration (e.g. ? & and other characters related to a path with query parameters).
There was a problem hiding this comment.
@knobunc This should be addressed before merge.
There was a problem hiding this comment.
Should we map all but legal characters to _ and then append a hash of the whole thing to ensure uniqueness?
|
Done |
|
re-[test] |
|
Evaluated for origin test up to 0e2fa74 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13050/) (Base Commit: 9e77cfe) |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/13050/) (Image: devenv-rhel7_5730) |
|
Evaluated for origin merge up to 0e2fa74 |
|
@marun will be good if we have few notes which describes how it can be used etc |
|
@DanyC97 I'm not sure ingress in openshift is worth using over routes in the near term, since there are functional gaps. This is just the first step in reconciling the two. If you'd like to experiment anyway, you'll need to build a router from master (since it isn't yet released) and:
|
5 participants
TODO
cc: @openshift/networking @smarterclayton