Ingress: Add support for is-default-class on IngressClass

[meyskens]

This adds support for the ingressclass.kubernetes.io/is-default-class flag on the IngressClass. If set Cilium ingress wil pick up all ingress objects where no class is set also.

This also adds exposure to enable it in Helm under ingressController.default

Fixes: #23181

Signed-off-by: Maartje Eyskens maartje.eyskens@isovalent.com

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Thanks for contributing!

Fixes: #issue-number

Add support for the `ingressclass.kubernetes.io/is-default-class` annotation on Cilium's IngressClass

[nbusseneau]

CI workflow LGTM, uses pull_request trigger so no specific risk in case of attack via malicious PR (forks do not have access to upstream secrets).

Helm changes are trivial, LGTM.

[nbusseneau]

Is there any specific reason to use Minikube here instead of Kind? Not a problem at all but I'm wondering if the pipeline would not run faster on a Kind-based cluster.

[meyskens]

Happy to move it to kind (I was wondering the same thing as you...), but it builds upon the previous conformance tests which all use minikube, I only modified this one to use the default behavior

[nbusseneau]

Your call, if not worth the trouble it's OK as is, and consistency with the other conformance workflows is also good. Probably @sayboras just needed Minikube for the other workflows.

[meyskens]

I'll keep it minikube for now and will probably file an issue to consider kind (unless @sayboras has a reason)

[sayboras]

Last time I can't get kind + metallb (required for LB service) to work from host (i.e. github runner), so I just use minikube with handy minikube tunnel command.

Recently, I noticed that we have labs prepared with Kind + MetalLB, so it's worth to give it a crack again.

[sayboras]

as discussed offline, we can tackle this separately, we might even use LB IPAM feature if possible.

[ldelossa]

@meyskens can you please fill me in on motivation for this? I understand the change, but just looking for a bit more context.

[meyskens]

This PR came out of #23181 (which was passed onto be by my team as good first issue).
As far as I understand the motivation (@sayboras feel free to add onto this if I missed something) is to add the ability for the user to say they want Cilium as their default ingress controller which is useful when not setting the ingressClassName on all ingress objects. In which case the default one will always pick it up. This was standardized with an annotation in the Kubernetes spec (info at https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class) however we did not implement this yet thus lacking an upstream compatibility with the ingress API.

[qmonnet]

I found a couple of typos, but looks good otherwise from my side. Thanks!

[qmonnet]

Thanks!

[squeed]

One minor thing, then LGTM!

[squeed]

Nice!

[sayboras]

Thanks a lot for taking up this task, LGTM ✔️

[sayboras]

/test

[sayboras]

Suite-k8s-1.16.K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master failure due to the below error. I don't think it's related to the changes here (only on operator and Ingress).

Re-run to confirm the flake.

DNS entry is not ready after timeout
Expected
    <*errors.errorString | 0xc0006f6fb0>: {
        s: "DNS 'app1-service.default.svc.cluster.local' is not ready after timeout: 7m0s timeout expired",
    }
to be nil

[sayboras]

/test-1.16-4.19

[sayboras]

Reviews are in, all tests passed (ci-verifier test is not required for this change). Mark this ready to merge.

[pchaigno]

Suite-k8s-1.16.K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master failure due to the below error. I don't think it's related to the changes here (only on operator and Ingress).

@sayboras Do we already have a flake issue for that?

[sayboras]

Suite-k8s-1.16.K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master failure due to the below error. I don't think it's related to the changes here (only on operator and Ingress).

Do we already have a flake issue for that?

Good point, confirmed that its a flake as re-run was good. Here is it #23845

[pchaigno]

Thanks Tam!