Merge pull request #28 from cybozu-go/ingress-class-name

Class-name filter

Author: dulltz

cmd/root.go

@@ -49,6 +49,7 @@ func init() {
 	fs.String("service-name", "", "NamespacedName of the Contour LoadBalancer Service")
 	fs.String("default-issuer-name", "", "Issuer name used by default")
 	fs.String("default-issuer-kind", certmanagerv1alpha2.ClusterIssuerKind, "Issuer kind used by default")
+	fs.String("ingress-class-name", "", "Ingress class name that watched by Contour Plus. If not specified, then all classes are watched")
 	fs.Bool("leader-election", true, "Enable/disable leader election")
 	if err := viper.BindPFlags(fs); err != nil {
 		panic(err)
@@ -76,7 +77,8 @@ In addition to flags, the following environment variables are read:
 	CP_SERVICE_NAME          NamespacedName of the Contour LoadBalancer Service
 	CP_DEFAULT_ISSUER_NAME   Issuer name used by default
 	CP_DEFAULT_ISSUER_KIND   Issuer kind used by default
-	CP_LEADER_ELECTION       Disable leader election if set to "false"`,
+	CP_LEADER_ELECTION       Disable leader election if set to "false"
+	CP_INGRESS_CLASS_NAME    Ingress class name that watched by Contour Plus. If not specified, then all classes are watched`,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		cmd.SilenceUsage = true
 		return subMain()
@@ -124,6 +126,8 @@ func subMain() error {
 	}
 	opts.DefaultIssuerKind = defaultIssuerKind
 
+	opts.IngressClassName = viper.GetString("ingress-class-name")
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:             scheme,
 		MetricsBindAddress: viper.GetString("metrics-addr"),

controllers/httpproxy_controller.go

@@ -32,6 +32,7 @@ type HTTPProxyReconciler struct {
 	DefaultIssuerKind string
 	CreateDNSEndpoint bool
 	CreateCertificate bool
+	IngressClassName  string
 }
 
 // +kubebuilder:rbac:groups=projectcontour.io,resources=httpproxies,verbs=get;list;watch
@@ -65,6 +66,12 @@ func (r *HTTPProxyReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 		return ctrl.Result{}, nil
 	}
 
+	if r.IngressClassName != "" {
+		if !r.isClassNameMatched(hp) {
+			return ctrl.Result{}, nil
+		}
+	}
+
 	if err := r.reconcileDNSEndpoint(ctx, hp, log); err != nil {
 		log.Error(err, "unable to reconcile DNSEndpoint")
 		return ctrl.Result{}, err
@@ -77,6 +84,28 @@ func (r *HTTPProxyReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	return ctrl.Result{}, nil
 }
 
+func (r *HTTPProxyReconciler) isClassNameMatched(hp *projectcontourv1.HTTPProxy) bool {
+	ingressClassName := hp.Annotations[ingressClassNameAnnotation]
+	if ingressClassName != "" {
+		if ingressClassName != r.IngressClassName {
+			return false
+		}
+	}
+
+	contourIngressClassName := hp.Annotations[contourIngressClassNameAnnotation]
+	if contourIngressClassName != "" {
+		if contourIngressClassName != r.IngressClassName {
+			return false
+		}
+	}
+
+	if contourIngressClassName == "" && ingressClassName == "" {
+		return false
+	}
+
+	return true
+}
+
 func (r *HTTPProxyReconciler) reconcileDNSEndpoint(ctx context.Context, hp *projectcontourv1.HTTPProxy, log logr.Logger) error {
 	if !r.CreateDNSEndpoint {
 		return nil

controllers/httpproxy_controller_test.go

@@ -2,6 +2,8 @@ package controllers
 
 import (
 	"context"
+	"fmt"
+	"testing"
 	"time"
 
 	certmanagerv1alpha2 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
@@ -467,6 +469,97 @@ func testHTTPProxyReconcile() {
 		Expect(k8sClient.List(context.Background(), crtList, client.InNamespace(ns))).ShouldNot(HaveOccurred())
 		Expect(crtList.Items).Should(BeEmpty())
 	})
+
+	It(`should not create DNSEndpoint and Certificate if the class name is not the target`, func() {
+		ns := testNamespacePrefix + randomString(10)
+		Expect(k8sClient.Create(context.Background(), &corev1.Namespace{
+			ObjectMeta: ctrl.ObjectMeta{Name: ns},
+		})).ShouldNot(HaveOccurred())
+		defer k8sClient.Delete(context.Background(), &corev1.Namespace{
+			ObjectMeta: ctrl.ObjectMeta{Name: ns},
+		})
+
+		scm, mgr := setupManager()
+
+		Expect(SetupReconciler(mgr, scm, ReconcilerOptions{
+			ServiceKey:        testServiceKey,
+			DefaultIssuerName: "test-issuer",
+			DefaultIssuerKind: certmanagerv1alpha2.IssuerKind,
+			CreateDNSEndpoint: true,
+			CreateCertificate: true,
+			IngressClassName:  "class-name",
+		})).ShouldNot(HaveOccurred())
+
+		stopMgr := startTestManager(mgr)
+		defer stopMgr()
+
+		By("creating HTTPProxy having the annotation")
+		hpKey := client.ObjectKey{Name: "foo", Namespace: ns}
+		hp := newDummyHTTPProxy(hpKey)
+		hp.Annotations[ingressClassNameAnnotation] = "wrong"
+		Expect(k8sClient.Create(context.Background(), hp)).ShouldNot(HaveOccurred())
+
+		By("confirming that DNSEndpoint and Certificate do not exist")
+		time.Sleep(time.Second)
+		endpointList := &endpoint.DNSEndpointList{}
+		Expect(k8sClient.List(context.Background(), endpointList, client.InNamespace(ns))).ShouldNot(HaveOccurred())
+		Expect(endpointList.Items).Should(BeEmpty())
+
+		crtList := &certmanagerv1alpha2.CertificateList{}
+		Expect(k8sClient.List(context.Background(), crtList, client.InNamespace(ns))).ShouldNot(HaveOccurred())
+		Expect(crtList.Items).Should(BeEmpty())
+
+		By("creating HTTPProxy without the annotation")
+		hpKey = client.ObjectKey{Name: "bar", Namespace: ns}
+		hp = newDummyHTTPProxy(hpKey)
+		Expect(k8sClient.Create(context.Background(), hp)).ShouldNot(HaveOccurred())
+
+		By("confirming that DNSEndpoint and Certificate do not exist")
+		time.Sleep(time.Second)
+		endpointList = &endpoint.DNSEndpointList{}
+		Expect(k8sClient.List(context.Background(), endpointList, client.InNamespace(ns))).ShouldNot(HaveOccurred())
+		Expect(endpointList.Items).Should(BeEmpty())
+
+		crtList = &certmanagerv1alpha2.CertificateList{}
+		Expect(k8sClient.List(context.Background(), crtList, client.InNamespace(ns))).ShouldNot(HaveOccurred())
+		Expect(crtList.Items).Should(BeEmpty())
+	})
+
+	It(`should create Certificate if the class name equals to the target`, func() {
+		ns := testNamespacePrefix + randomString(10)
+		Expect(k8sClient.Create(context.Background(), &corev1.Namespace{
+			ObjectMeta: ctrl.ObjectMeta{Name: ns},
+		})).ShouldNot(HaveOccurred())
+		defer k8sClient.Delete(context.Background(), &corev1.Namespace{
+			ObjectMeta: ctrl.ObjectMeta{Name: ns},
+		})
+
+		scm, mgr := setupManager()
+
+		Expect(SetupReconciler(mgr, scm, ReconcilerOptions{
+			ServiceKey:        testServiceKey,
+			DefaultIssuerName: "test-issuer",
+			DefaultIssuerKind: certmanagerv1alpha2.IssuerKind,
+			CreateCertificate: true,
+			IngressClassName:  "class-name",
+		})).ShouldNot(HaveOccurred())
+
+		stopMgr := startTestManager(mgr)
+		defer stopMgr()
+
+		By("creating HTTPProxy having the annotation")
+		hpKey := client.ObjectKey{Name: "foo", Namespace: ns}
+		hp := newDummyHTTPProxy(hpKey)
+		hp.Annotations[ingressClassNameAnnotation] = "class-name"
+		Expect(k8sClient.Create(context.Background(), hp)).ShouldNot(HaveOccurred())
+
+		By("getting Certificate")
+		certificate := &certmanagerv1alpha2.Certificate{}
+		objKey := client.ObjectKey{Name: hpKey.Name, Namespace: hpKey.Namespace}
+		Eventually(func() error {
+			return k8sClient.Get(context.Background(), objKey, certificate)
+		}, 5*time.Second).Should(Succeed())
+	})
 }
 
 func newDummyHTTPProxy(hpKey client.ObjectKey) *projectcontourv1.HTTPProxy {
@@ -487,3 +580,107 @@ func newDummyHTTPProxy(hpKey client.ObjectKey) *projectcontourv1.HTTPProxy {
 		},
 	}
 }
+
+func TestIsClassNameMatched(t *testing.T) {
+	tests := []struct {
+		name             string
+		ingressClassName string
+		hp               *projectcontourv1.HTTPProxy
+		want             bool
+	}{
+		{
+			name:             "Annotation is not set",
+			ingressClassName: "class-name",
+			hp: &projectcontourv1.HTTPProxy{
+				ObjectMeta: v1.ObjectMeta{
+					Annotations: map[string]string{},
+				},
+			},
+			want: false,
+		},
+		{
+			name:             "Both annotation are set",
+			ingressClassName: "class-name",
+			hp: &projectcontourv1.HTTPProxy{
+				ObjectMeta: v1.ObjectMeta{
+					Annotations: map[string]string{
+						ingressClassNameAnnotation:        "class-name",
+						contourIngressClassNameAnnotation: "class-name",
+					},
+				},
+			},
+			want: true,
+		},
+		{
+			name:             "Both annotation are set but not matched",
+			ingressClassName: "class-name",
+			hp: &projectcontourv1.HTTPProxy{
+				ObjectMeta: v1.ObjectMeta{
+					Annotations: map[string]string{
+						ingressClassNameAnnotation:        "class-name",
+						contourIngressClassNameAnnotation: "wrong",
+					},
+				},
+			},
+			want: false,
+		},
+		{
+			name:             fmt.Sprintf("Annotation %s is set", ingressClassNameAnnotation),
+			ingressClassName: "class-name",
+			hp: &projectcontourv1.HTTPProxy{
+				ObjectMeta: v1.ObjectMeta{
+					Annotations: map[string]string{
+						ingressClassNameAnnotation: "class-name",
+					},
+				},
+			},
+			want: true,
+		},
+		{
+			name:             fmt.Sprintf("Annotation %s is set but not matched", ingressClassNameAnnotation),
+			ingressClassName: "class-name",
+			hp: &projectcontourv1.HTTPProxy{
+				ObjectMeta: v1.ObjectMeta{
+					Annotations: map[string]string{
+						ingressClassNameAnnotation: "wrong",
+					},
+				},
+			},
+			want: false,
+		},
+		{
+			name:             fmt.Sprintf("Annotation %s is set", contourIngressClassNameAnnotation),
+			ingressClassName: "class-name",
+			hp: &projectcontourv1.HTTPProxy{
+				ObjectMeta: v1.ObjectMeta{
+					Annotations: map[string]string{
+						contourIngressClassNameAnnotation: "class-name",
+					},
+				},
+			},
+			want: true,
+		},
+		{
+			name:             fmt.Sprintf("Annotation %s is set but not matched", contourIngressClassNameAnnotation),
+			ingressClassName: "class-name",
+			hp: &projectcontourv1.HTTPProxy{
+				ObjectMeta: v1.ObjectMeta{
+					Annotations: map[string]string{
+						contourIngressClassNameAnnotation: "wrong",
+					},
+				},
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			r := &HTTPProxyReconciler{
+				IngressClassName: tt.ingressClassName,
+			}
+			if got := r.isClassNameMatched(tt.hp); got != tt.want {
+				t.Errorf("HTTPProxyReconciler.isClassNameMatched() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

controllers/ingressroute_controller.go

@@ -21,10 +21,12 @@ import (
 )
 
 const (
-	excludeAnnotation           = "contour-plus.cybozu.com/exclude"
-	testACMETLSAnnotation       = "kubernetes.io/tls-acme"
-	issuerNameAnnotation        = "cert-manager.io/issuer"
-	clusterIssuerNameAnnotation = "cert-manager.io/cluster-issuer"
+	excludeAnnotation                 = "contour-plus.cybozu.com/exclude"
+	testACMETLSAnnotation             = "kubernetes.io/tls-acme"
+	issuerNameAnnotation              = "cert-manager.io/issuer"
+	clusterIssuerNameAnnotation       = "cert-manager.io/cluster-issuer"
+	ingressClassNameAnnotation        = "kubernetes.io/ingress.class"
+	contourIngressClassNameAnnotation = "projectcontour.io/ingress.class"
 )
 
 // IngressRouteReconciler reconciles a IngressRoute object
@@ -39,6 +41,7 @@ type IngressRouteReconciler struct {
 	DefaultIssuerKind string
 	CreateDNSEndpoint bool
 	CreateCertificate bool
+	IngressClassName  string
 }
 
 // +kubebuilder:rbac:groups=contour.heptio.com,resources=ingressroutes,verbs=get;list;watch
@@ -71,6 +74,12 @@ func (r *IngressRouteReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error
 		return ctrl.Result{}, nil
 	}
 
+	if r.IngressClassName != "" {
+		if !r.isClassNameMatched(ir) {
+			return ctrl.Result{}, nil
+		}
+	}
+
 	err = r.reconcileDNSEndpoint(ctx, ir, log)
 	if err != nil {
 		log.Error(err, "unable to reconcile DNSEndpoint")
@@ -85,6 +94,28 @@ func (r *IngressRouteReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error
 	return ctrl.Result{}, nil
 }
 
+func (r *IngressRouteReconciler) isClassNameMatched(ir *contourv1beta1.IngressRoute) bool {
+	ingressClassName := ir.Annotations[ingressClassNameAnnotation]
+	if ingressClassName != "" {
+		if ingressClassName != r.IngressClassName {
+			return false
+		}
+	}
+
+	contourIngressClassName := ir.Annotations[contourIngressClassNameAnnotation]
+	if contourIngressClassName != "" {
+		if contourIngressClassName != r.IngressClassName {
+			return false
+		}
+	}
+
+	if contourIngressClassName == "" && ingressClassName == "" {
+		return false
+	}
+
+	return true
+}
+
 func (r *IngressRouteReconciler) reconcileDNSEndpoint(ctx context.Context, ir *contourv1beta1.IngressRoute, log logr.Logger) error {
 	if !r.CreateDNSEndpoint {
 		return nil

controllers/setup.go

@@ -22,6 +22,7 @@ type ReconcilerOptions struct {
 	DefaultIssuerKind string
 	CreateDNSEndpoint bool
 	CreateCertificate bool
+	IngressClassName  string
 }
 
 // SetupScheme initializes a schema
@@ -69,6 +70,7 @@ func SetupReconciler(mgr manager.Manager, scheme *runtime.Scheme, opts Reconcile
 		DefaultIssuerKind: opts.DefaultIssuerKind,
 		CreateDNSEndpoint: opts.CreateDNSEndpoint,
 		CreateCertificate: opts.CreateCertificate,
+		IngressClassName:  opts.IngressClassName,
 	}
 	err := ingressRouteReconciler.SetupWithManager(mgr)
 	if err != nil {
@@ -85,6 +87,7 @@ func SetupReconciler(mgr manager.Manager, scheme *runtime.Scheme, opts Reconcile
 		DefaultIssuerKind: opts.DefaultIssuerKind,
 		CreateDNSEndpoint: opts.CreateDNSEndpoint,
 		CreateCertificate: opts.CreateCertificate,
+		IngressClassName:  opts.IngressClassName,
 	}
 	err = httpProxyReconciler.SetupWithManager(mgr)
 	if err != nil {