// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
package ingress
import (
"fmt"
"github.com/sirupsen/logrus"
"github.com/spf13/pflag"
networkingv1 "k8s.io/api/networking/v1"
ctrlRuntime "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/builder"
"sigs.k8s.io/controller-runtime/pkg/predicate"
operatorOption "github.com/cilium/cilium/operator/option"
"github.com/cilium/cilium/operator/pkg/secretsync"
"github.com/cilium/cilium/pkg/hive/cell"
)
// Cell manages the Kubernetes Ingress related controllers.
//
// The module declares the defaults of ingressConfig (overridable through the
// flags registered by ingressConfig.Flags) and hooks two functions into the
// hive: registerReconciler is invoked at start-up and returns early unless the
// ingress controller is enabled, and registerSecretSync is a provider that
// yields the secretsync registration for TLS secrets referenced by Ingresses.
//
// IngressDefaultSecretNamespace and IngressDefaultSecretName deliberately get no
// default here: a default TLS secret is only registered by registerSecretSync
// when both have been set explicitly.
var Cell = cell.Module(
	"ingress",
	"Manages the Kubernetes Ingress controllers",
	cell.Config(ingressConfig{
		EnableIngressController:     false, // opt-in; see the enable-ingress-controller flag
		EnforceIngressHTTPS:         true,  // HTTP -> HTTPS enforcement is on by default
		EnableIngressProxyProtocol:  false,
		EnableIngressSecretsSync:    true, // referenced TLS secrets are fanned in to IngressSecretsNamespace
		IngressSecretsNamespace:     "cilium-secrets",
		IngressLBAnnotationPrefixes: []string{"service.beta.kubernetes.io", "service.kubernetes.io", "cloud.google.com"},
		IngressSharedLBServiceName:  "cilium-ingress",
		IngressDefaultLBMode:        "dedicated",
	}),
	cell.Invoke(registerReconciler),
	cell.Provide(registerSecretSync),
)
// ingressConfig holds the operator configuration of the Ingress controller.
// Every field is backed by a command-line flag registered in Flags; the field
// comments below summarise the respective flag help text.
type ingressConfig struct {
	// EnableIngressController turns the Ingress controller on. The flag help
	// notes that enable-envoy-config must also be enabled in the cilium agent.
	EnableIngressController bool
	// EnforceIngressHTTPS makes the HTTP listener answer with a 308 redirect to
	// the HTTPS location for hosts that have a matching TLS host in the Ingress.
	EnforceIngressHTTPS bool
	// EnableIngressProxyProtocol enables PROXY protocol on all Ingress listeners;
	// once enabled, only PROXY protocol traffic is accepted.
	EnableIngressProxyProtocol bool
	// EnableIngressSecretsSync enables fan-in of TLS secrets from multiple
	// namespaces into the single namespace named by IngressSecretsNamespace.
	EnableIngressSecretsSync bool
	// IngressSecretsNamespace is the namespace holding the TLS secrets used by
	// Ingress and CEC. NOTE(review): it aggregates TLS key material from many
	// namespaces, so access to it should be tightly restricted — confirm RBAC.
	IngressSecretsNamespace string
	// IngressLBAnnotationPrefixes lists annotation/label prefixes propagated
	// from an Ingress to its load balancer Service. NOTE(review): Ingress
	// authors can thereby set LB annotations under these prefixes, so the list
	// acts as a trust boundary — confirm the filtering in the reconciler.
	IngressLBAnnotationPrefixes []string
	// IngressSharedLBServiceName is the name of the shared LB Service.
	IngressSharedLBServiceName string
	// IngressDefaultLBMode is the default load balancer mode ("dedicated" or
	// "shared" per the flag help).
	IngressDefaultLBMode string
	// IngressDefaultSecretNamespace and IngressDefaultSecretName identify the
	// default TLS secret for Ingress; both must be non-empty for it to be used.
	IngressDefaultSecretNamespace string
	IngressDefaultSecretName      string
}
// Flags registers the command-line flags that populate ingressConfig.
// The receiver supplies the default value of every flag; the help strings are
// the user-facing documentation of each option.
func (r ingressConfig) Flags(flags *pflag.FlagSet) {
	type boolFlag struct {
		name  string
		value bool
		usage string
	}
	type stringFlag struct {
		name  string
		value string
		usage string
	}

	// Boolean switches, registered in the same order as before.
	for _, f := range []boolFlag{
		{"enable-ingress-controller", r.EnableIngressController, "Enables cilium ingress controller. This must be enabled along with enable-envoy-config in cilium agent."},
		{"enforce-ingress-https", r.EnforceIngressHTTPS, "Enforces https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header."},
		{"enable-ingress-proxy-protocol", r.EnableIngressProxyProtocol, "Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled."},
		{"enable-ingress-secrets-sync", r.EnableIngressSecretsSync, "Enables fan-in TLS secrets from multiple namespaces to singular namespace (specified by ingress-secrets-namespace flag)"},
	} {
		flags.Bool(f.name, f.value, f.usage)
	}

	// The secrets namespace and the annotation prefixes sit between the two
	// groups to keep the historical registration order.
	flags.String("ingress-secrets-namespace", r.IngressSecretsNamespace, "Namespace having tls secrets used by Ingress and CEC.")
	flags.StringSlice("ingress-lb-annotation-prefixes", r.IngressLBAnnotationPrefixes, "Annotations and labels which are needed to propagate from Ingress to the Load Balancer.")

	// Remaining string options.
	for _, f := range []stringFlag{
		{"ingress-shared-lb-service-name", r.IngressSharedLBServiceName, "Name of shared LB service name for Ingress."},
		{"ingress-default-lb-mode", r.IngressDefaultLBMode, "Default loadbalancer mode for Ingress. Applicable values: dedicated, shared"},
		{"ingress-default-secret-namespace", r.IngressDefaultSecretNamespace, "Default secret namespace for Ingress."},
		{"ingress-default-secret-name", r.IngressDefaultSecretName, "Default secret name for Ingress."},
	} {
		flags.String(f.name, f.value, f.usage)
	}
}
// ingressParams is the dependency-injected parameter object shared by
// registerReconciler and registerSecretSync. The embedded cell.In marks it as
// a hive parameter struct whose fields are filled in by the hive.
type ingressParams struct {
	cell.In

	// Logger is the logger handed to the reconciler and enqueue functions.
	Logger logrus.FieldLogger
	// CtrlRuntimeManager supplies the client and hosts the Ingress reconciler.
	CtrlRuntimeManager ctrlRuntime.Manager
	// Config is the resolved ingressConfig (defaults overridden by flags).
	Config ingressConfig
}
// registerReconciler wires the Ingress reconciler into the controller-runtime
// manager. It is a no-op (returning nil) when the ingress controller is
// disabled in the configuration.
//
// Cluster-wide settings — the Cilium namespace and the proxy idle timeout —
// are read from the operator's global option.Config rather than from params.
// An error is returned only when SetupWithManager fails.
func registerReconciler(params ingressParams) error {
	cfg := params.Config
	if !cfg.EnableIngressController {
		return nil
	}

	mgr := params.CtrlRuntimeManager
	rec := newIngressReconciler(
		params.Logger,
		mgr.GetClient(),
		operatorOption.Config.CiliumK8sNamespace,
		cfg.EnforceIngressHTTPS,
		cfg.EnableIngressProxyProtocol,
		cfg.IngressSecretsNamespace,
		cfg.IngressLBAnnotationPrefixes,
		cfg.IngressSharedLBServiceName,
		cfg.IngressDefaultLBMode,
		cfg.IngressDefaultSecretNamespace,
		cfg.IngressDefaultSecretName,
		operatorOption.Config.ProxyIdleTimeoutSeconds,
	)

	err := rec.SetupWithManager(mgr)
	if err != nil {
		return fmt.Errorf("failed to setup ingress reconciler: %w", err)
	}
	return nil
}
// registerSecretSync provides the secretsync registration for Ingress: TLS
// secrets referenced by a Cilium Ingress are synchronised into
// Config.IngressSecretsNamespace. An empty registration (nothing to sync) is
// returned when either the ingress controller or secret syncing is disabled.
//
// Besides Ingress objects, IngressClass annotation changes are watched too,
// because the default IngressClass is marked via an annotation and a change
// there may alter which Ingresses count as Cilium-managed.
func registerSecretSync(params ingressParams) secretsync.SecretSyncRegistrationOut {
	cfg := params.Config
	if !cfg.EnableIngressController || !cfg.EnableIngressSecretsSync {
		return secretsync.SecretSyncRegistrationOut{}
	}

	// Built first to keep the original construction order of the enqueue funcs.
	ingressEnqueue := EnqueueReferencedTLSSecrets(params.CtrlRuntimeManager.GetClient(), params.Logger)

	// Only annotation changes on IngressClass are of interest (default class
	// marker), hence the AnnotationChangedPredicate.
	classWatch := secretsync.AdditionalWatch{
		RefObject:            &networkingv1.IngressClass{},
		RefObjectEnqueueFunc: enqueueAllSecrets(params.CtrlRuntimeManager.GetClient()),
		RefObjectWatchOptions: []builder.WatchesOption{
			builder.WithPredicates(predicate.AnnotationChangedPredicate{}),
		},
	}

	reg := &secretsync.SecretSyncRegistration{
		RefObject:            &networkingv1.Ingress{},
		RefObjectEnqueueFunc: ingressEnqueue,
		RefObjectCheckFunc:   IsReferencedByCiliumIngress,
		SecretsNamespace:     cfg.IngressSecretsNamespace,
		AdditionalWatches:    []secretsync.AdditionalWatch{classWatch},
	}

	// A default TLS secret is only registered when both coordinates are set.
	if cfg.IngressDefaultSecretName != "" && cfg.IngressDefaultSecretNamespace != "" {
		reg.DefaultSecret = &secretsync.DefaultSecret{
			Namespace: cfg.IngressDefaultSecretNamespace,
			Name:      cfg.IngressDefaultSecretName,
		}
	}

	return secretsync.SecretSyncRegistrationOut{SecretSyncRegistration: reg}
}