/
route.go
123 lines (114 loc) · 4.48 KB
/
route.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
/*
Copyright 2020 Eric Ace.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package nuxeo
import (
"context"
"fmt"
"github.com/aceeric/nuxeo-operator/api/v1alpha1"
"github.com/aceeric/nuxeo-operator/controllers/util"
routev1 "github.com/openshift/api/route/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/intstr"
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
)
func (r *NuxeoReconciler) reconcileOpenShiftRoute(access v1alpha1.NuxeoAccess, forcePassthrough bool,
nodeSet v1alpha1.NodeSet, instance *v1alpha1.Nuxeo) error {
routeName := routeName(instance, nodeSet)
if access != (v1alpha1.NuxeoAccess{}) {
if expected, err := r.defaultRoute(instance, access, forcePassthrough, routeName, nodeSet); err != nil {
return err
} else {
_, err = r.addOrUpdate(routeName, instance.Namespace, expected, &routev1.Route{}, util.RouteComparer)
return err
}
} else {
return r.removeIfPresent(instance, routeName, instance.Namespace, &routev1.Route{})
}
}
// defaultRoute generates and returns a Route struct from the passed params. The 'tls' section of the route is
// only populated if the passed 'access' arg specifies a TLSSecret and/or Termination - or - the forcePassthrough
// arg is true
func (r *NuxeoReconciler) defaultRoute(instance *v1alpha1.Nuxeo, access v1alpha1.NuxeoAccess, forcePassthrough bool,
routeName string, nodeSet v1alpha1.NodeSet) (*routev1.Route, error) {
if access.Termination != "" && forcePassthrough {
return nil, fmt.Errorf("invalid to explicitly specify route/ingress termination if Nuxeo is terminating TLS")
}
targetPort := intstr.IntOrString{
Type: intstr.String,
StrVal: "web",
}
if access.TargetPort != (intstr.IntOrString{}) {
targetPort = access.TargetPort
}
route := routev1.Route{
ObjectMeta: metav1.ObjectMeta{
Name: routeName,
Namespace: instance.Namespace,
},
Spec: routev1.RouteSpec{
Host: access.Hostname,
To: routev1.RouteTargetReference{
Kind: "Service",
Name: serviceName(instance, nodeSet),
Weight: util.Int32Ptr(100),
},
Port: &routev1.RoutePort{TargetPort: targetPort},
WildcardPolicy: routev1.WildcardPolicyNone,
TLS: nil,
},
}
if access.Termination != "" || forcePassthrough {
term := access.Termination
if forcePassthrough {
term = routev1.TLSTerminationPassthrough
}
route.Spec.TLS = &routev1.TLSConfig{
Termination: term,
}
}
if access.TLSSecret != "" && access.Termination != "" {
s := &corev1.Secret{}
err := r.Get(context.TODO(), types.NamespacedName{Name: access.TLSSecret, Namespace: instance.Namespace}, s)
if err != nil {
return nil, fmt.Errorf("TLS Secret not found: %v", access.TLSSecret)
}
// accept "certificate" and "tls.crt" keys in the secret
var cert, key []byte
var ok bool
if cert, ok = s.Data["certificate"]; !ok {
cert, _ = s.Data["tls.crt"]
}
// accept "key" and "tls.key" keys in the secret
if key, ok = s.Data["key"]; !ok {
key, _ = s.Data["tls.key"]
}
caCert, _ := s.Data["caCertificate"]
destCaCert, _ := s.Data["destinationCACertificate"]
insTermPol, _ := s.Data["insecureEdgeTerminationPolicy"]
route.Spec.TLS.Certificate = string(cert)
route.Spec.TLS.Key = string(key)
route.Spec.TLS.CACertificate = string(caCert)
route.Spec.TLS.DestinationCACertificate = string(destCaCert)
route.Spec.TLS.InsecureEdgeTerminationPolicy = routev1.InsecureEdgeTerminationPolicyType(insTermPol)
}
_ = controllerutil.SetControllerReference(instance, &route, r.Scheme)
return &route, nil
}
// routeName generates a Route name from the passed Nuxeo CR, and the passed NodeSet. The generated
// name consists of the passed Nuxeo CR name + dash + the passed 'nodeSet' name + dash + 'route'. E.g. if
// 'instance.Name' is 'my-nuxeo' and 'nodeSet.Name' is 'cluster' then the function returns 'my-nuxeo-cluster-route'.
func routeName(instance *v1alpha1.Nuxeo, nodeSet v1alpha1.NodeSet) string {
return instance.Name + "-" + nodeSet.Name + "-route"
}