Merge branch 'master' of github.com:kubernetes-sigs/aws-alb-ingress-c…

…ontroller into rails-api-examples
kubernetes-sigs · Apr 5, 2019 · b970ebb · b970ebb
2 parents 42f6a0a + 2d0251f
commit b970ebb
Show file tree

Hide file tree

Showing 25 changed files with 348 additions and 101 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,2 @@
+*
+!server
diff --git a/Makefile b/Makefile
@@ -17,7 +17,7 @@
 
 all: container
 
-TAG?=v1.1.0
+TAG?=v1.1.2
 PREFIX?=amazon/aws-alb-ingress-controller
 ARCH?=amd64
 OS?=linux
@@ -63,4 +63,4 @@ docs-serve:
 	pipenv run mkdocs serve
 # deploy docs to github-pages(gh-pages branch)
 docs-deploy:
-	pipenv run mkdocs gh-deploy
+	pipenv run mkdocs gh-deploy
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@
 
 # AWS ALB Ingress Controller
 
-**NOTE:** The current image version is `v1.1.0`. Please file any issues you find and note the version used.
+**NOTE:** The current image version is `v1.1.2`. Please file any issues you find and note the version used.
 
 The AWS ALB Ingress Controller satisfies Kubernetes [ingress resources](https://kubernetes.io/docs/user-guide/ingress) by provisioning [Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html).
 

diff --git a/cmd/main.go b/cmd/main.go
@@ -26,16 +26,11 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/aws/aws-sdk-go/service/ec2"
-	"github.com/aws/aws-sdk-go/service/resourcegroupstaggingapi"
-
 	"github.com/kubernetes-sigs/aws-alb-ingress-controller/internal/aws"
 	"github.com/kubernetes-sigs/aws-alb-ingress-controller/internal/ingress/controller"
 	"github.com/kubernetes-sigs/aws-alb-ingress-controller/internal/ingress/metric"
-	"github.com/kubernetes-sigs/aws-alb-ingress-controller/internal/ingress/metric/collectors"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"github.com/ticketmaster/aws-sdk-go-cache/cache"
 	"k8s.io/apiserver/pkg/server/healthz"
 
 	"github.com/go-logr/glogr"
@@ -88,17 +83,13 @@ func main() {
 	reg.MustRegister(prometheus.NewGoCollector())
 	reg.MustRegister(prometheus.NewProcessCollector(prometheus.ProcessCollectorOpts{}))
 
-	cc := cache.NewConfig(5 * time.Minute)
-	cc.SetCacheTTL(resourcegroupstaggingapi.ServiceName, "GetResources", time.Hour)
-	cc.SetCacheTTL(ec2.ServiceName, "DescribeInstanceStatus", time.Minute)
-	reg.MustRegister(cc.NewCacheCollector(collectors.PrometheusNamespace))
 	mc, err := metric.NewCollector(reg, options.ingressCTLConfig.IngressClass)
 	if err != nil {
 		glog.Fatal(err)
 	}
 	mc.Start()
 
-	cloud, err := aws.New(options.cloudConfig, options.ingressCTLConfig.ClusterName, mc, cc)
+	cloud, err := aws.New(options.cloudConfig, options.ingressCTLConfig.ClusterName, mc)
 	if err != nil {
 		glog.Fatal(err)
 	}

diff --git a/docs/examples/alb-ingress-controller.yaml b/docs/examples/alb-ingress-controller.yaml
@@ -49,7 +49,7 @@ spec:
 
             # Enables logging on all outbound requests sent to the AWS API.
             # If logging is desired, set to true.
-            # - ---aws-api-debug
+            # - --aws-api-debug
             # Maximum number of times to retry the aws calls.
             # defaults to 10.
             # - --aws-max-retries=10
@@ -66,5 +66,5 @@ spec:
             #- name: AWS_SECRET_ACCESS_KEY
             #  value: SECRETVALUE
           # Repository location of the ALB Ingress Controller.
-          image: docker.io/amazon/aws-alb-ingress-controller:v1.1.1
+          image: docker.io/amazon/aws-alb-ingress-controller:v1.1.2
       serviceAccountName: alb-ingress-controller
diff --git a/docs/examples/cognito-ingress-template.yaml b/docs/examples/cognito-ingress-template.yaml
@@ -0,0 +1,67 @@
+# Requirements:
+#
+#    - For this template, Cognito should have the following basic settings:
+#        - User Pool ARN ( Cognito -> General Settings )
+#            `arn:aws:cognito-idp:<region>:<account-id>:userpool/<region><cognito-id>`
+#        - User Pool Client ID ( Cognito -> App Integration -> Application Client Settings )
+#            `<user-pool-client-id>`
+#        - Domain Name ( Cognito -> App Integration -> Domain Name)
+#            `<user-pool-authentication-domain>`
+#        - OAuth Scopes ( Cognito -> App Integration -> Application Client Settings )
+#            `[x] openid`
+#        - OAuth Flows ( Cognito -> App Integration -> Application Client Settings )
+#            `[x] Authorization code grant`
+#        - Callback URL(s) ( Cognito -> App Integration -> Application Client Settings )
+#            `https://<app-name>.<your-domain>/oauth2/idpresponse`
+#
+#    - Related Kubernetes service/application
+#
+
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: <ingress-name>  # app.example.com
+  namespace: <placement-namespace>  # default
+  annotations:
+    kubernetes.io/ingress.class: alb
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/tags: Environment=<environment-name>,Owner=<your-name
+    # For each `listen-ports` object defined an ALB lister is created
+    # For each listener created the rules defined in `spec` apply with some basic caveats
+    # SSL redirect rule is applied only to the HTTP listener.  Cognito authentication rule
+    # is applied to the HTTPS listener
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
+    # Detailed redirect settings
+    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
+    # Authentication type must be cognito
+    alb.ingress.kubernetes.io/auth-type: cognito
+    # Required parameter for ALB/Cognito integration
+    alb.ingress.kubernetes.io/auth-scope: openid
+    # Session timeout on authentication credentials
+    alb.ingress.kubernetes.io/auth-session-timeout: '3600'
+    # Session cookie name
+    alb.ingress.kubernetes.io/auth-session-cookie: AWSELBAuthSessionCookie
+    # Action to take when a request is not authenticated
+    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
+    # Cognito parameters required for creation of authentication rules
+    # The subdomain name only is sufficient for `UserPoolDomain`
+    # e.g. if `FQDN=app.auth.ap-northeast-1.amazoncognito.com` then `UserPoolDomain=app`
+    alb.ingress.kubernetes.io/auth-idp-cognito: '{"UserPoolArn": "arn:aws:cognito-idp:<region>:<account-id>:userpool/<region><cognito-id>","UserPoolClientId":"<user-pool-client-id>","UserPoolDomain":"<user-pool-authentication-domain>"}'
+    # ACM certificate ARN for your SSL domain
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:<region>:<account-id>:certificate/<certificate-id>
+spec:
+  rules:
+    # If you are using ExternalDNS, this will become your applications FQDN
+    - host: <FQDN>
+      http:
+        paths:
+          # This first path should perform an ssl-redirect as below
+          - path: /*
+            backend:
+              serviceName: ssl-redirect
+              # Configured via the redirect settings in the annotations
+              servicePort: use-annotation
+          - path: <html-path>
+            backend:
+              serviceName: <service-name>
+              servicePort: <service-port>
diff --git a/docs/examples/iam-policy.json b/docs/examples/iam-policy.json
@@ -23,6 +23,7 @@
         "ec2:DescribeInstances",
         "ec2:DescribeInstanceStatus",
         "ec2:DescribeInternetGateways",
+        "ec2:DescribeNetworkInterfaces",
         "ec2:DescribeSecurityGroups",
         "ec2:DescribeSubnets",
         "ec2:DescribeTags",

diff --git a/docs/examples/kustomization.yaml b/docs/examples/kustomization.yaml
@@ -3,7 +3,7 @@ commonLabels:
 
 imageTags:
 - name: docker.io/amazon/aws-alb-ingress-controller
-  newTag: v1.1.1
+  newTag: v1.1.2
 
 namespace: kube-system
 

diff --git a/docs/guide/cognito/setup.md b/docs/guide/cognito/setup.md
@@ -0,0 +1,28 @@
+# Setup Cognito/ALB Ingress Controller
+
+This document describes how to install ALB Ingress Controller with AWS Cognito integration to minimal capacity, other options and or configurations may be required for production, and on an app to app basis.  
+
+## Assumptions
+
+The following assumptions are observed regarding this procedure.
+
+* ExternalDNS is installed to the cluster and will provide a custom URL for your ALB. To setup ExternalDNS refer to the [install instructions](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/external-dns/setup/).
+
+## Cognitio Configuration
+
+Configure Cognito for use with ALB Ingress Controller using the following links with specified caveats.
+
+* [Create Cognito user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-as-user-directory.html)
+* [Configure application integration](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-configuring-app-integration.html)
+    * On step 11.c for the `Callback URL` enter `https://<your-domain>/oauth2/idpresponse`.
+    * On step 11.d for `Allowed OAuth Flows` select `authorization code grant` and for `Allowed OAuth Scopes` select `openid`.
+
+## ALB Ingress Controller Setup
+
+Install the ALB Ingress Controller using the [install instructions](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/controller/setup/) with the following caveats.
+
+* When setting up IAM Role Permissions, add the `cognito-idp:DescribeUserPoolClient` permission to the example policy.
+
+## Deploying an Ingress
+
+Using the [cognito-ingress-template](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/examples/cognito-ingress-template.yaml) you can fill in the `<required>` variables to create an ALB ingress connected to your Cognito user pool for authentication.
diff --git a/docs/guide/controller/setup.md b/docs/guide/controller/setup.md
@@ -32,7 +32,7 @@ More docs on [hub.helm.sh](https://hub.helm.sh/charts/incubator/aws-alb-ingress-
 ### Kubectl
 1. Download sample ALB ingress controller manifest
     ``` bash
-    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.0/docs/examples/alb-ingress-controller.yaml
+    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.2/docs/examples/alb-ingress-controller.yaml
     ```
 
 2. Configure the ALB ingress controller manifest
@@ -50,7 +50,7 @@ More docs on [hub.helm.sh](https://hub.helm.sh/charts/incubator/aws-alb-ingress-
 3. Deploy the RBAC roles manifest
 
     ```bash
-    kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.0/docs/examples/rbac-role.yaml
+    kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.2/docs/examples/rbac-role.yaml
     ```
 
 4. Deploy the ALB ingress controller manifest

diff --git a/docs/guide/external-dns/setup.md b/docs/guide/external-dns/setup.md
@@ -9,7 +9,7 @@ Adequate roles and policies must be configured in AWS and available to the node(
 1. Download sample external-dns manifest
 
     ``` bash
-    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.0/docs/examples/external-dns.yaml
+    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.2/docs/examples/external-dns.yaml
     ```
 
 2. Edit the `--domain-filter` flag to include your hosted zone(s)

diff --git a/docs/guide/ingress/annotation.md b/docs/guide/ingress/annotation.md
@@ -20,7 +20,7 @@ You can add kubernetes annotations to ingress and service objects to customize t
 |[alb.ingress.kubernetes.io/auth-on-unauthenticated-request](#auth-on-unauthenticated-request)|authenticate\|allow\|deny|authenticate|ingress,service|
 |[alb.ingress.kubernetes.io/auth-scope](#auth-scope)|string|openid|ingress,service|
 |[alb.ingress.kubernetes.io/auth-session-cookie](#auth-session-cookie)|string|AWSELBAuthSessionCookie|ingress,service|
-|[alb.ingress.kubernetes.io/auth-session-timeout](#auth-session-timeout)|integer|604800|ingress,service|
+|[alb.ingress.kubernetes.io/auth-session-timeout](#auth-session-timeout)|integer|'604800'|ingress,service|
 |[alb.ingress.kubernetes.io/auth-type](#auth-type)|none\|oidc\|cognito|none|ingress,service|
 |[alb.ingress.kubernetes.io/backend-protocol](#backend-protocol)|HTTP \| HTTPS|HTTP|ingress,service|
 |[alb.ingress.kubernetes.io/certificate-arn](#certificate-arn)|stringList|N/A|ingress|
@@ -216,14 +216,21 @@ ALB supports authentication with Cognito or OIDC. See [Authenticate Users Using
 
     !!!example
         ```
-        alb.ingress.kubernetes.io/auth-type: openid
+        alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
         ```
 
-- <a name="auth-scope">`alb.ingress.kubernetes.io/auth-scope`</a> specifies the set of user claims to be requested from the IDP(cognito or oidc).
+- <a name="auth-scope">`alb.ingress.kubernetes.io/auth-scope`</a> specifies the set of user claims to be requested from the IDP(cognito or oidc), in a space-separated list.
 
+	!!!info "options:"
+	* **phone**
+	* **email**
+	* **profile**
+	* **openid**
+	* **aws.cognito.signin.user.admin**
+
     !!!example
         ```
-        alb.ingress.kubernetes.io/auth-type: openid
+        alb.ingress.kubernetes.io/auth-scope: 'email openid'
         ```
 
 - <a name="auth-session-cookie">`alb.ingress.kubernetes.io/auth-session-cookie`</a> specifies the name of the cookie used to maintain session information
@@ -237,7 +244,7 @@ ALB supports authentication with Cognito or OIDC. See [Authenticate Users Using
 
     !!!example
         ```
-        alb.ingress.kubernetes.io/auth-session-timeout: 86400
+        alb.ingress.kubernetes.io/auth-session-timeout: '86400'
         ```
 
 ## Health Check
@@ -340,6 +347,58 @@ SSL support can be controlled with following annotations:
             alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/cert1,arn:aws:acm:us-west-2:xxxxx:certificate/cert2,arn:aws:acm:us-west-2:xxxxx:certificate/cert3
             ```
 
+    !!!tip
+        If the `alb.ingress.kubernetes.io/certificate-arn` annotation is not specified, the controller will attempt to add certificates to listeners that require it by matching available certs from ACM with the `host` field in each listener's ingress rule.
+
+    !!!example
+        - attaches a cert for `dev.example.com` or `*.example.com` to the ALB
+            ```yaml
+            apiVersion: extensions/v1beta1
+            kind: Ingress
+            metadata:
+            namespace: default
+            name: ingress
+            annotations:
+              kubernetes.io/ingress.class: alb
+              alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
+            spec:
+            rules:
+            - host: dev.example.com
+              http:
+                paths:
+                - path: /users/*
+                backend:
+                  serviceName: user-service
+                  servicePort: 80
+            ```
+
+    !!!tip
+        Alternatively, domains specified using the `tls` field in the spec will also be matched with listeners and their certs will be attached from ACM. This can be used in conjunction with listener host field matching.
+
+    !!!example
+        - attaches certs for `www.example.com` to the ALB
+            ```yaml
+            apiVersion: extensions/v1beta1
+            kind: Ingress
+            metadata:
+            namespace: default
+            name: ingress
+            annotations:
+              kubernetes.io/ingress.class: alb
+              alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
+            spec:
+              tls:
+              - hosts:
+                - www.example.com
+            rules:
+            - http:
+                paths:
+                - path: /users/*
+                  backend:
+                    serviceName: user-service
+                    servicePort: 80
+            ```
+
 - <a name="ssl-policy">`alb.ingress.kubernetes.io/ssl-policy`</a> specifies the [Security Policy](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) that should be assigned to the ALB, allowing you to control the protocol and ciphers.
 
     !!!example

diff --git a/docs/guide/walkthrough/echoserver.md b/docs/guide/walkthrough/echoserver.md
@@ -43,8 +43,8 @@ In this walkthrough, you'll
 1. Download the example alb-ingress-manifest locally.
 
     ```bash
-    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.0/docs/examples/alb-ingress-controller.yaml
-    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.0/docs/examples/rbac-role.yaml
+    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.2/docs/examples/alb-ingress-controller.yaml
+    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.2/docs/examples/rbac-role.yaml
     ```
 
 1. Edit the manifest and set the following parameters and environment variables.
@@ -100,9 +100,9 @@ In this walkthrough, you'll
 1.  Deploy all the echoserver resources (namespace, service, deployment)
 
     ```bash
-    kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.0/docs/examples/echoservice/echoserver-namespace.yaml &&\
-    kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.0/docs/examples/echoservice/echoserver-service.yaml &&\
-    kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.0/docs/examples/echoservice/echoserver-deployment.yaml
+    kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.2/docs/examples/echoservice/echoserver-namespace.yaml &&\
+    kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.2/docs/examples/echoservice/echoserver-service.yaml &&\
+    kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.2/docs/examples/echoservice/echoserver-deployment.yaml
     ```
 
 1.  List all the resources to ensure they were created.
@@ -126,7 +126,7 @@ In this walkthrough, you'll
 1.  Download the echoserver ingress manifest locally.
 
     ```bash
-    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.0/docs/examples/echoservice/echoserver-ingress.yaml
+    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.2/docs/examples/echoservice/echoserver-ingress.yaml
     ```
 
 1.  Configure the subnets, either by add annotation to the ingress or add tags to subnets.
@@ -235,7 +235,7 @@ In this walkthrough, you'll
 1.  Download external-dns to manage Route 53.
 
     ```bash
-    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.0/docs/examples/external-dns.yaml
+    wget https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.2/docs/examples/external-dns.yaml
     ```
 
 1.  Edit the `--domain-filter` flag to include your hosted zone(s)
@@ -306,7 +306,7 @@ In this walkthrough, you'll
 follow below steps If you want to use kube2iam to provide the AWS credentials
 
 1. configure the proper policy
-    The policy to be used can be fetched from https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.0/docs/examples/iam-policy.json
+    The policy to be used can be fetched from https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.2/docs/examples/iam-policy.json
 
 1. configure the proper role and create the trust relationship
     You have to find which role is associated woth your K8S nodes. Once you found take note of the full arn: