ingress: Rename LB annotation to annotation prefixes

[ upstream commit 481493b ]

This is to avoid any potential confusion from user. Also, related
docs are updated.

Related: #20860

Signed-off-by: Tam Mach <tam.mach@cilium.io>

Documentation/gettingstarted/servicemesh/ingress.rst

@@ -50,6 +50,10 @@ Supported Ingress Annotations
      - Enable websocket
      - 0 (disabled)
 
+Additionally, cloud-provider specific annotations for the LoadBalancer service
+are supported. Please refer to the `Kubernetes documentation <https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer>`_
+for more details.
+
 Examples
 ########
 

Documentation/spelling_wordlist.txt

@@ -499,7 +499,7 @@ imagePullSecrets
 incrementing
 indices
 ingressController
-ingressLBAnnotations
+ingressLBAnnotationPrefixes
 ingressing
 init
 initContainer

install/kubernetes/cilium/README.md

@@ -323,7 +323,7 @@ contributors across the globe, there is almost always someone available to help.
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.enabled | bool | `false` | Enable cilium ingress controller This will automatically set enable-envoy-config as well. |
 | ingressController.enforceHttps | bool | `true` | Enforce https for host having matching TLS host in Ingress. Incoming traffic to http listener will return 308 http error code with respective location in header. |
-| ingressController.ingressLBAnnotations | list | `["service.beta.kubernetes.io","service.kubernetes.io","cloud.google.com"]` | IngressLBAnnotations are the annotations which are needed to propagate from Ingress to the Load Balancer |
+| ingressController.ingressLBAnnotationPrefixes | list | `["service.beta.kubernetes.io","service.kubernetes.io","cloud.google.com"]` | IngressLBAnnotations are the annotation prefixes, which are used to filter annotations to propagate from Ingress to the Load Balancer service |
 | ingressController.secretsNamespace | object | `{"create":true,"name":"cilium-secrets","sync":true}` | SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from. |
 | ingressController.secretsNamespace.create | bool | `true` | Create secrets namespace for Ingress. |
 | ingressController.secretsNamespace.name | string | `"cilium-secrets"` | Name of Ingress secret namespace. |

install/kubernetes/cilium/templates/cilium-configmap.yaml

@@ -213,7 +213,7 @@ data:
   enforce-ingress-https: {{ .Values.ingressController.enforceHttps | quote }}
   enable-ingress-secrets-sync: {{ .Values.ingressController.secretsNamespace.sync | quote }}
   ingress-secrets-namespace: {{ .Values.ingressController.secretsNamespace.name | quote }}
-  ingress-lb-annotations: {{ .Values.ingressController.ingressLBAnnotations | join " " | quote }}
+  ingress-lb-annotation-prefixes: {{ .Values.ingressController.ingressLBAnnotationPrefixes | join " " | quote }}
 {{- end }}
 
   # Enable IPv4 addressing. If enabled, all endpoints are allocated an IPv4

install/kubernetes/cilium/values.yaml

@@ -481,10 +481,10 @@ ingressController:
   # Incoming traffic to http listener will return 308 http error code with respective location in header.
   enforceHttps: true
 
-  # -- IngressLBAnnotations are the annotations which are needed to propagate
-  # from Ingress to the Load Balancer
-  ingressLBAnnotations: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com']
-  
+  # -- IngressLBAnnotations are the annotation prefixes, which are used to filter annotations to propagate
+  # from Ingress to the Load Balancer service
+  ingressLBAnnotationPrefixes: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com']
+
   # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.
   secretsNamespace:
     # -- Create secrets namespace for Ingress.

install/kubernetes/cilium/values.yaml.tmpl

@@ -478,10 +478,10 @@ ingressController:
   # Incoming traffic to http listener will return 308 http error code with respective location in header.
   enforceHttps: true
 
-  # -- IngressLBAnnotations are the annotations which are needed to propagate
-  # from Ingress to the Load Balancer
-  ingressLBAnnotations: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com']
-  
+  # -- IngressLBAnnotations are the annotation prefixes, which are used to filter annotations to propagate
+  # from Ingress to the Load Balancer service
+  ingressLBAnnotationPrefixes: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com']
+
   # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.
   secretsNamespace:
     # -- Create secrets namespace for Ingress.

operator/flags.go

@@ -338,8 +338,8 @@ func init() {
 	option.BindEnv(option.KVstoreLeaseTTL)
 
 	viper.BindPFlags(flags)
-	flags.StringSlice(operatorOption.IngressLBAnnotations, operatorOption.IngressLBAnnotationsDefault, "IngressLBAnnotations are the annotations which are needed to propagate from Ingress to the Load Balancer")
-	option.BindEnv(operatorOption.IngressLBAnnotations)
+	flags.StringSlice(operatorOption.IngressLBAnnotationPrefixes, operatorOption.IngressLBAnnotationsDefault, "IngressLBAnnotations are the annotations which are needed to propagate from Ingress to the Load Balancer")
+	option.BindEnv(operatorOption.IngressLBAnnotationPrefixes)
 
 	viper.BindPFlags(flags)
 }

operator/main.go

@@ -583,7 +583,7 @@ func onOperatorStartLeading(ctx context.Context) {
 			ingress.WithHTTPSEnforced(operatorOption.Config.EnforceIngressHTTPS),
 			ingress.WithSecretsSyncEnabled(operatorOption.Config.EnableIngressSecretsSync),
 			ingress.WithSecretsNamespace(operatorOption.Config.IngressSecretsNamespace),
-			ingress.WithLBAnnotations(operatorOption.Config.IngressLBAnnotations))
+			ingress.WithLBAnnotationPrefixes(operatorOption.Config.IngressLBAnnotationPrefixes))
 		if err != nil {
 			log.WithError(err).WithField(logfields.LogSubsys, ingress.Subsys).Fatal(
 				"Failed to start ingress controller")

operator/option/config.go

@@ -253,9 +253,9 @@ const (
 	// nodes.
 	SetCiliumIsUpCondition = "set-cilium-is-up-condition"
 
-	// IngressLBAnnotations are the annotations which are needed to propagate
+	// IngressLBAnnotationPrefixes are the annotations which are needed to propagate
 	// from Ingress to the Load Balancer
-	IngressLBAnnotations = "ingress-lb-annotations"
+	IngressLBAnnotationPrefixes = "ingress-lb-annotation-prefixes"
 )
 
 // OperatorConfig is the configuration used by the operator.
@@ -473,9 +473,9 @@ type OperatorConfig struct {
 	// nodes.
 	SetCiliumIsUpCondition bool
 
-	// IngressLBAnnotations are the annotations which are needed to propagate
-	// from Ingress to the Load Balancer
-	IngressLBAnnotations []string
+	// IngressLBAnnotationPrefixes IngressLBAnnotations are the annotation prefixes,
+	// which are used to filter annotations to propagate from Ingress to the Load Balancer
+	IngressLBAnnotationPrefixes []string
 }
 
 // Populate sets all options with the values from viper.
@@ -513,7 +513,7 @@ func (c *OperatorConfig) Populate() {
 	c.CiliumPodLabels = viper.GetString(CiliumPodLabels)
 	c.RemoveCiliumNodeTaints = viper.GetBool(RemoveCiliumNodeTaints)
 	c.SetCiliumIsUpCondition = viper.GetBool(SetCiliumIsUpCondition)
-	c.IngressLBAnnotations = viper.GetStringSlice(IngressLBAnnotations)
+	c.IngressLBAnnotationPrefixes = viper.GetStringSlice(IngressLBAnnotationPrefixes)
 
 	c.CiliumK8sNamespace = viper.GetString(CiliumK8sNamespace)
 	if c.CiliumK8sNamespace == "" {

operator/pkg/ingress/ingress.go

@@ -69,10 +69,10 @@ type IngressController struct {
 	queue      workqueue.RateLimitingInterface
 	maxRetries int
 
-	enforcedHTTPS      bool
-	enabledSecretsSync bool
-	secretsNamespace   string
-	lbAnnotations      []string
+	enforcedHTTPS        bool
+	enabledSecretsSync   bool
+	secretsNamespace     string
+	lbAnnotationPrefixes []string
 }
 
 // NewIngressController returns a controller for ingress objects having ingressClassName as cilium
@@ -85,12 +85,12 @@ func NewIngressController(options ...Option) (*IngressController, error) {
 	}
 
 	ic := &IngressController{
-		queue:              workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),
-		maxRetries:         opts.MaxRetries,
-		enforcedHTTPS:      opts.EnforcedHTTPS,
-		enabledSecretsSync: opts.EnabledSecretsSync,
-		secretsNamespace:   opts.SecretsNamespace,
-		lbAnnotations:      opts.LBAnnotations,
+		queue:                workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),
+		maxRetries:           opts.MaxRetries,
+		enforcedHTTPS:        opts.EnforcedHTTPS,
+		enabledSecretsSync:   opts.EnabledSecretsSync,
+		secretsNamespace:     opts.SecretsNamespace,
+		lbAnnotationPrefixes: opts.LBAnnotationPrefixes,
 	}
 	ic.ingressStore, ic.ingressInformer = informer.NewInformer(
 		cache.NewListWatchFromClient(k8s.WatcherClient().NetworkingV1().RESTClient(), "ingresses", corev1.NamespaceAll, fields.Everything()),
@@ -329,7 +329,7 @@ func getIngressKeyForService(service *slim_corev1.Service) string {
 }
 
 func (ic *IngressController) createLoadBalancer(ingress *slim_networkingv1.Ingress) error {
-	svc := getServiceForIngress(ingress, ic.lbAnnotations)
+	svc := getServiceForIngress(ingress, ic.lbAnnotationPrefixes)
 	svcKey, err := cache.MetaNamespaceKeyFunc(svc)
 	if err != nil {
 		log.Warn("Failed to get service key for ingress")

operator/pkg/ingress/ingress_options.go

@@ -5,19 +5,19 @@ package ingress
 
 // Options stores all the configurations values for cilium ingress controller.
 type Options struct {
-	MaxRetries         int
-	EnforcedHTTPS      bool
-	EnabledSecretsSync bool
-	SecretsNamespace   string
-	LBAnnotations      []string
+	MaxRetries           int
+	EnforcedHTTPS        bool
+	EnabledSecretsSync   bool
+	SecretsNamespace     string
+	LBAnnotationPrefixes []string
 }
 
 // DefaultIngressOptions specifies default values for cilium ingress controller.
 var DefaultIngressOptions = Options{
-	MaxRetries:         10,
-	EnforcedHTTPS:      true,
-	EnabledSecretsSync: true,
-	LBAnnotations:      []string{},
+	MaxRetries:           10,
+	EnforcedHTTPS:        true,
+	EnabledSecretsSync:   true,
+	LBAnnotationPrefixes: []string{},
 }
 
 // Option customizes the configuration of cilium ingress controller
@@ -55,10 +55,10 @@ func WithSecretsNamespace(secretsNamespace string) Option {
 	}
 }
 
-// WithLBAnnotations configures LB annotations to be used for LB service
-func WithLBAnnotations(lbAnnotations []string) Option {
+// WithLBAnnotationPrefixes configures LB annotations to be used for LB service
+func WithLBAnnotationPrefixes(lbAnnotationPrefixes []string) Option {
 	return func(o *Options) error {
-		o.LBAnnotations = lbAnnotations
+		o.LBAnnotationPrefixes = lbAnnotationPrefixes
 		return nil
 	}
 }

operator/pkg/ingress/service.go

@@ -184,10 +184,10 @@ func (sm *serviceManager) notify(service *slim_corev1.Service) {
 	}
 }
 
-func getServiceForIngress(ingress *slim_networkingv1.Ingress, lbAnnotations []string) *v1.Service {
+func getServiceForIngress(ingress *slim_networkingv1.Ingress, lbAnnotationPrefixes []string) *v1.Service {
 	annotations := make(map[string]string)
-	for annotationKey, annotationValue := range ingress.ObjectMeta.Annotations {
-		for _, annotationPrefix := range lbAnnotations {
+	for annotationKey, annotationValue := range ingress.GetAnnotations() {
+		for _, annotationPrefix := range lbAnnotationPrefixes {
 			if strings.HasPrefix(annotationKey, annotationPrefix) {
 				annotations[annotationKey] = annotationValue
 			}