Merge branch 'main' of github.com:oracle/oci-native-ingress-controlle…

…r into dependabot/go_modules/golang.org/x/net-0.17.0

GettingStarted.md

@@ -46,9 +46,9 @@ This section describes steps to deploy and test OCI-Native-Ingress-Controller.
 ### Prerequisites
 Kubernetes Cluster with Native Pod Networking setup.
 Currently supported kubernetes versions are:
-- 1.26
 - 1.27
 - 1.28
+- 1.29
 
 We set up the cluster with native pod networking and update the security rules. 
 The documentation for NPN : [Doc Ref](https://docs.oracle.com/en-us/iaas/Content/ContEng/Concepts/contengpodnetworking_topic-OCI_CNI_plugin.htm).
@@ -135,8 +135,8 @@ Allow <subject> to manage certificate-associations in compartment <compartment-i
 Allow <subject> to read certificate-authorities in compartment <compartment-id>
 Allow <subject> to manage certificate-authority-associations in compartment <compartment-id>
 Allow <subject> to read certificate-authority-bundles in compartment <compartment-id>
-ALLOW <subject> native-ingress-controller to read public-ips in tenancy
-ALLOW <subject> native-ingress-controller to manage floating-ips in tenancy 
+ALLOW <subject> to read public-ips in tenancy
+ALLOW <subject> to manage floating-ips in tenancy 
 Allow <subject> to manage waf-family in compartment <compartment-id>
 Allow <subject> to read cluster-family in compartment <compartment-id>
 

deploy/manifests/oci-native-ingress-controller/templates/deployment.yaml

@@ -18,10 +18,10 @@ metadata:
   name: oci-native-ingress-controller
   namespace: native-ingress-controller-system
   labels:
-    helm.sh/chart: oci-native-ingress-controller-1.3.0
+    helm.sh/chart: oci-native-ingress-controller-1.3.3
     app.kubernetes.io/name: oci-native-ingress-controller
     app.kubernetes.io/instance: oci-native-ingress-controller
-    app.kubernetes.io/version: "1.3.0"
+    app.kubernetes.io/version: "1.3.3"
     app.kubernetes.io/managed-by: Helm
 spec:
   replicas: 1
@@ -51,7 +51,7 @@ spec:
             readOnlyRootFilesystem: true
             runAsNonRoot: true
             runAsUser: 1000
-          image: "ghcr.io/oracle/oci-native-ingress-controller:v1.3.0"
+          image: "ghcr.io/oracle/oci-native-ingress-controller:v1.3.3"
           imagePullPolicy: Always
           args: 
           - --lease-lock-name=oci-native-ingress-controller

deploy/manifests/oci-native-ingress-controller/templates/rbac.yaml

@@ -11,10 +11,10 @@ kind: ClusterRole
 metadata:
   name: oci-native-ingress-controller-role
   labels:
-    helm.sh/chart: oci-native-ingress-controller-1.3.0
+    helm.sh/chart: oci-native-ingress-controller-1.3.3
     app.kubernetes.io/name: oci-native-ingress-controller
     app.kubernetes.io/instance: oci-native-ingress-controller
-    app.kubernetes.io/version: "1.3.0"
+    app.kubernetes.io/version: "1.3.3"
     app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups: [""]
@@ -48,10 +48,10 @@ kind: ClusterRoleBinding
 metadata:
   name: oci-native-ingress-controller-rolebinding
   labels:
-    helm.sh/chart: oci-native-ingress-controller-1.3.0
+    helm.sh/chart: oci-native-ingress-controller-1.3.3
     app.kubernetes.io/name: oci-native-ingress-controller
     app.kubernetes.io/instance: oci-native-ingress-controller
-    app.kubernetes.io/version: "1.3.0"
+    app.kubernetes.io/version: "1.3.3"
     app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -69,10 +69,10 @@ metadata:
   name: oci-native-ingress-controller-leader-election-role
   namespace: native-ingress-controller-system
   labels:
-    helm.sh/chart: oci-native-ingress-controller-1.3.0
+    helm.sh/chart: oci-native-ingress-controller-1.3.3
     app.kubernetes.io/name: oci-native-ingress-controller
     app.kubernetes.io/instance: oci-native-ingress-controller
-    app.kubernetes.io/version: "1.3.0"
+    app.kubernetes.io/version: "1.3.3"
     app.kubernetes.io/managed-by: Helm
 rules:
 - apiGroups: ["coordination.k8s.io"]
@@ -90,10 +90,10 @@ metadata:
   name: oci-native-ingress-controller-leader-election-rolebinding
   namespace: native-ingress-controller-system
   labels:
-    helm.sh/chart: oci-native-ingress-controller-1.3.0
+    helm.sh/chart: oci-native-ingress-controller-1.3.3
     app.kubernetes.io/name: oci-native-ingress-controller
     app.kubernetes.io/instance: oci-native-ingress-controller
-    app.kubernetes.io/version: "1.3.0"
+    app.kubernetes.io/version: "1.3.3"
     app.kubernetes.io/managed-by: Helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io

deploy/manifests/oci-native-ingress-controller/templates/service.yaml

@@ -12,10 +12,10 @@ metadata:
   name: oci-native-ingress-controller
   namespace: native-ingress-controller-system
   labels:
-    helm.sh/chart: oci-native-ingress-controller-1.3.0
+    helm.sh/chart: oci-native-ingress-controller-1.3.3
     app.kubernetes.io/name: oci-native-ingress-controller
     app.kubernetes.io/instance: oci-native-ingress-controller
-    app.kubernetes.io/version: "1.3.0"
+    app.kubernetes.io/version: "1.3.3"
     app.kubernetes.io/managed-by: Helm
 spec:
   type: ClusterIP

deploy/manifests/oci-native-ingress-controller/templates/serviceaccount.yaml

@@ -12,8 +12,8 @@ metadata:
   name: oci-native-ingress-controller
   namespace: native-ingress-controller-system
   labels:
-    helm.sh/chart: oci-native-ingress-controller-1.3.0
+    helm.sh/chart: oci-native-ingress-controller-1.3.3
     app.kubernetes.io/name: oci-native-ingress-controller
     app.kubernetes.io/instance: oci-native-ingress-controller
-    app.kubernetes.io/version: "1.3.0"
+    app.kubernetes.io/version: "1.3.3"
     app.kubernetes.io/managed-by: Helm

deploy/manifests/oci-native-ingress-controller/templates/webhook.yaml

@@ -36,10 +36,10 @@ kind: MutatingWebhookConfiguration
 metadata:
   name: oci-native-ingress-controller-webhook
   labels:
-    helm.sh/chart: oci-native-ingress-controller-1.3.0
+    helm.sh/chart: oci-native-ingress-controller-1.3.3
     app.kubernetes.io/name: oci-native-ingress-controller
     app.kubernetes.io/instance: oci-native-ingress-controller
-    app.kubernetes.io/version: "1.3.0"
+    app.kubernetes.io/version: "1.3.3"
     app.kubernetes.io/managed-by: Helm
   annotations:
     cert-manager.io/inject-ca-from: native-ingress-controller-system/oci-native-ingress-controller-webhook-serving-cert

helm/oci-native-ingress-controller/Chart.yaml

@@ -8,8 +8,8 @@ apiVersion: v2
 name: oci-native-ingress-controller
 description: OCI Native Ingress Controller
 type: application
-version: 1.3.0
-appVersion: "1.3.0"
+version: 1.3.3
+appVersion: "1.3.3"
 
 maintainers:
   - name: OKE Foundations team

helm/oci-native-ingress-controller/templates/deployment.yaml

@@ -4,10 +4,12 @@
 # Copyright (c) 2023 Oracle America, Inc. and its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 #
+{{- if not (lookup "v1" "Namespace" "" .Values.deploymentNamespace)}}
 apiVersion: v1
 kind: Namespace
 metadata:
   name: {{ .Values.deploymentNamespace }}
+{{- end }}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -69,7 +71,7 @@ spec:
             - name: OCI_RESOURCE_PRINCIPAL_VERSION
               value: "2.2"
             - name: OCI_RESOURCE_PRINCIPAL_REGION
-              value: "us-phoenix-1"
+              value: {{ .Values.region }}
             - name: OCI_SDK_DEFAULT_RETRY_ENABLED
               value: "true"
           ports:

helm/oci-native-ingress-controller/values.yaml

@@ -22,7 +22,7 @@ image:
   repository: ghcr.io/oracle/oci-native-ingress-controller
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "v1.3.0"
+  tag: "v1.3.3"
 
 imagePullSecrets: []
 nameOverride: ""
@@ -97,6 +97,8 @@ webhookBindPort: 9443
 # Supported auths - instance(default), user
 authType: instance
 authSecretName: oci-config
+# Region where OKE cluster is deployed
+region: ""
 
 # objectSelector for webhook
 objectSelector:
@@ -110,4 +112,4 @@ objectSelector:
 
 metrics:
   backend: prometheus
-  port: 2223
+  port: 2223

pkg/controllers/backend/backend.go

@@ -146,41 +146,38 @@ func (c *Controller) ensureBackends(ingressClass *networkingv1.IngressClass, lbI
 	for _, ingress := range ingresses {
 		for _, rule := range ingress.Spec.Rules {
 			for _, path := range rule.HTTP.Paths {
-				svcName, svcPort, targetPort, _, err := util.PathToServiceAndTargetPort(c.serviceLister, ingress.Namespace, path)
+				pSvc, svc, err := util.ExtractServices(path, c.serviceLister, ingress)
+				if err != nil {
+					return err
+				}
+				svcName, svcPort, targetPort, err := util.PathToServiceAndTargetPort(svc, pSvc, ingress.Namespace, false)
 				if err != nil {
 					return err
 				}
-
 				epAddrs, err := util.GetEndpoints(c.endpointLister, ingress.Namespace, svcName)
 				if err != nil {
 					return fmt.Errorf("unable to fetch endpoints for %s/%s/%d: %w", ingress.Namespace, svcName, targetPort, err)
 				}
-
 				backends := []ociloadbalancer.BackendDetails{}
 				for _, epAddr := range epAddrs {
 					backends = append(backends, util.NewBackend(epAddr.IP, targetPort))
 				}
-
 				backendSetName := util.GenerateBackendSetName(ingress.Namespace, svcName, svcPort)
 				err = c.client.GetLbClient().UpdateBackends(context.TODO(), lbID, backendSetName, backends)
 				if err != nil {
 					return fmt.Errorf("unable to update backends for %s/%s: %w", ingressClass.Name, backendSetName, err)
 				}
-
 				backendSetHealth, err := c.client.GetLbClient().GetBackendSetHealth(context.TODO(), lbID, backendSetName)
 				if err != nil {
 					return fmt.Errorf("unable to fetch backendset health: %w", err)
 				}
-
 				for _, epAddr := range epAddrs {
 					pod, err := c.podLister.Pods(ingress.Namespace).Get(epAddr.TargetRef.Name)
 					if err != nil {
 						return fmt.Errorf("failed to fetch pod %s/%s: %w", ingress.Namespace, epAddr.TargetRef.Name, err)
 					}
-
 					backendName := fmt.Sprintf("%s:%d", epAddr.IP, targetPort)
 					readinessCondition := util.GetPodReadinessCondition(ingress.Name, rule.Host, path)
-
 					err = c.ensurePodReadinessCondition(pod, readinessCondition, backendSetHealth, backendName)
 					if err != nil {
 						return fmt.Errorf("%w", err)

pkg/controllers/nodeBackend/nodeBackend.go

@@ -169,17 +169,21 @@ func (c *Controller) ensureBackends(ingressClass *networkingv1.IngressClass, lbI
 	for _, ingress := range ingresses {
 		for _, rule := range ingress.Spec.Rules {
 			for _, path := range rule.HTTP.Paths {
-				svcName, svcPort, _, svc, err := util.PathToServiceAndTargetPort(c.serviceLister, ingress.Namespace, path)
+
+				pSvc, svc, err := util.ExtractServices(path, c.serviceLister, ingress)
 				if err != nil {
 					return err
 				}
 
-				if svc == nil || svc.Spec.Ports == nil || svc.Spec.Ports[0].NodePort == 0 {
+				svcName, svcPort, nodePort, err := util.PathToServiceAndTargetPort(svc, pSvc, ingress.Namespace, true)
+				if err != nil {
+					return err
+				}
+				if svc == nil || svc.Spec.Ports == nil || nodePort == 0 {
 					continue
 				}
 
 				var backends []ociloadbalancer.BackendDetails
-				nodePort := svc.Spec.Ports[0].NodePort
 				trafficPolicy := svc.Spec.ExternalTrafficPolicy
 				if trafficPolicy == corev1.ServiceExternalTrafficPolicyTypeCluster {
 					for _, node := range nodes {

pkg/server/server.go

@@ -53,6 +53,11 @@ import (
 	"github.com/oracle/oci-native-ingress-controller/pkg/podreadiness"
 )
 
+const (
+	// OkeHostOverrideEnvVar is a hidden flag that allows NIC to hit another containerengine endpoint
+	okeHostOverrideEnvVar = "OKE_HOST_OVERRIDE"
+)
+
 func BuildConfig(kubeconfig string) (*rest.Config, error) {
 	if kubeconfig != "" {
 		cfg, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
@@ -200,6 +205,11 @@ func setupClient(ctx context.Context, opts types.IngressOpts, k8client clientset
 		klog.Fatalf("failed to load container engine client configuration provider: %v", err)
 	}
 
+	// undocumented endpoint for testing in dev
+	if os.Getenv(okeHostOverrideEnvVar) != "" {
+		containerEngineClient.BaseClient.Host = os.Getenv(okeHostOverrideEnvVar)
+	}
+
 	lbClient := loadbalancer.New(&ociLBClient)
 
 	certificatesClient := certificate.New(&ociCertificatesMgmtClient, ociclient.NewCertificateClient(&ociCertificatesClient))

pkg/state/ingressstate.go

@@ -150,7 +150,7 @@ func (s *StateStore) BuildState(ingressClass *networkingv1.IngressClass) error {
 				if err != nil {
 					return err
 				}
-
+				bsTLSEnabled := util.GetBackendTlsEnabled(ing)
 				certificateId := util.GetListenerTlsCertificateOcid(ing)
 				if certificateId != nil {
 					tlsPortDetail, ok := listenerTLSConfigMap[servicePort]
@@ -165,11 +165,12 @@ func (s *StateStore) BuildState(ingressClass *networkingv1.IngressClass) error {
 						Artifact: *certificateId,
 					}
 					listenerTLSConfigMap[servicePort] = config
-					bsTLSConfigMap[bsName] = config
+					updateBackendTlsStatus(bsTLSEnabled, bsTLSConfigMap, bsName, config)
 				}
 
 				if rule.Host != "" {
 					secretName, ok := hostSecretMap[rule.Host]
+
 					if ok && secretName != "" {
 						tlsPortDetail, ok := listenerTLSConfigMap[servicePort]
 						if ok {
@@ -183,7 +184,7 @@ func (s *StateStore) BuildState(ingressClass *networkingv1.IngressClass) error {
 							Artifact: secretName,
 						}
 						listenerTLSConfigMap[servicePort] = config
-						bsTLSConfigMap[bsName] = config
+						updateBackendTlsStatus(bsTLSEnabled, bsTLSConfigMap, bsName, config)
 					}
 				}
 			}
@@ -214,6 +215,18 @@ func (s *StateStore) BuildState(ingressClass *networkingv1.IngressClass) error {
 	return nil
 }
 
+func updateBackendTlsStatus(bsTLSEnabled bool, bsTLSConfigMap map[string]TlsConfig, bsName string, config TlsConfig) {
+	if bsTLSEnabled {
+		bsTLSConfigMap[bsName] = config
+	} else {
+		config := TlsConfig{
+			Type:     "",
+			Artifact: "",
+		}
+		bsTLSConfigMap[bsName] = config
+	}
+}
+
 func validateBackendSetHealthChecker(ingressResource *networkingv1.Ingress,
 	bsHealthCheckerMap map[string]*ociloadbalancer.HealthCheckerDetails, bsName string) error {
 	defaultHealthChecker := util.GetDefaultHeathChecker()

pkg/state/ingressstate_test.go

@@ -35,6 +35,7 @@ const (
 	TestIngressStateFilePath                  = "test-ingress-state.yaml"
 	TestIngressStateWithPortNameFilePath      = "test-ingress-state_withportname.yaml"
 	TestIngressStateWithNamedClassesFilePath  = "test-ingress-state_withnamedclasses.yaml"
+	TestSslTerminationAtLb                    = "test-ssl-termination-lb.yaml"
 )
 
 func setUp(ctx context.Context, ingressClassList *networkingv1.IngressClassList, ingressList *networkingv1.IngressList, testService *v1.ServiceList) (networkinglisters.IngressClassLister, networkinglisters.IngressLister, corelisters.ServiceLister) {
@@ -418,3 +419,33 @@ func TestValidateProtocolConfigWithConflict(t *testing.T) {
 
 	Expect(err.Error()).Should(ContainSubstring(fmt.Sprintf(ProtocolConflictMessage, 900)))
 }
+
+func TestSslTerminationAtLB(t *testing.T) {
+	RegisterTestingT(t)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	ingressClassList := testutil.GetIngressClassList()
+
+	ingressList := testutil.ReadResourceAsIngressList(TestSslTerminationAtLb)
+
+	certificateId := "certificateId"
+	ingressList.Items[0].Spec.TLS = []networkingv1.IngressTLS{}
+	ingressList.Items[0].Annotations = map[string]string{util.IngressListenerTlsCertificateAnnotation: certificateId}
+
+	testService := testutil.GetServiceListResource("default", "tls-test", 443)
+	ingressClassLister, ingressLister, serviceLister := setUp(ctx, ingressClassList, ingressList, testService)
+
+	stateStore := NewStateStore(ingressClassLister, ingressLister, serviceLister, nil)
+	err := stateStore.BuildState(&ingressClassList.Items[0])
+	Expect(err).NotTo(HaveOccurred())
+
+	bsName := util.GenerateBackendSetName("default", "tls-test", 443)
+	bsTlsConfig := stateStore.IngressGroupState.BackendSetTLSConfigMap[bsName]
+	Expect(bsTlsConfig.Artifact).Should(Equal(""))
+	Expect(bsTlsConfig.Type).Should(Equal(""))
+
+	lstTlsConfig := stateStore.IngressGroupState.ListenerTLSConfigMap[443]
+	Expect(lstTlsConfig.Artifact).Should(Equal(certificateId))
+	Expect(lstTlsConfig.Type).Should(Equal(ArtifactTypeCertificate))
+}