Configure ingress controller with endpoint publishing strategy as Pri…

…vate. Expose this configuration setting as an annotation on the HostedCluster/HostedControlPlane CRs. And will be generic to be applicable to any providers. Support ingress endpoint publishing strategy scope like we do today. Support for this was recently added to the IBM ROKS Toolkit and our ROKS 4 ansible code
gnufied · Aug 8, 2022 · 3227508 · 3227508
1 parent 460b721
commit 3227508
Show file tree

Hide file tree

Showing 6 changed files with 86 additions and 3 deletions.
diff --git a/api/v1alpha1/hostedcluster_types.go b/api/v1alpha1/hostedcluster_types.go
@@ -52,6 +52,11 @@ const (
 	// PortierisImageAnnotation is an annotation that allows the specification of the portieries component
 	// (performs container image verification).
 	PortierisImageAnnotation = "hypershift.openshift.io/portieris-image"
+	// Configure ingress controller with endpoint publishing strategy as Private.
+	// This overrides any opinionated strategy set by platform in ReconcileDefaultIngressController.
+	// It's used by IBM cloud to support ingress endpoint publishing strategy scope
+	// NOTE: We'll expose this in the API if the use case gets generalised.
+	PrivateIngressControllerAnnotation = "hypershift.openshift.io/private-ingress-controller"
 
 	// ClusterAPIProviderAWSImage overrides the CAPI AWS provider image to use for
 	// a HostedControlPlane.

diff --git a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/ingress/params.go b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/ingress/params.go
@@ -1,6 +1,7 @@
 package ingress
 
 import (
+	configv1 "github.com/openshift/api/config/v1"
 	hyperv1 "github.com/openshift/hypershift/api/v1alpha1"
 	"github.com/openshift/hypershift/support/globalconfig"
 )
@@ -9,16 +10,30 @@ type IngressParams struct {
 	IngressSubdomain string
 	Replicas         int32
 	PlatformType     hyperv1.PlatformType
+	IsPrivate        bool
+	IBMCloudUPI      bool
 }
 
 func NewIngressParams(hcp *hyperv1.HostedControlPlane) *IngressParams {
 	var replicas int32 = 1
+	isPrivate := false
+	ibmCloudUPI := false
+	if hcp.Spec.Platform.IBMCloud != nil && hcp.Spec.Platform.IBMCloud.ProviderType == configv1.IBMCloudProviderTypeUPI {
+		ibmCloudUPI = true
+	}
+	if hcp.Annotations[hyperv1.PrivateIngressControllerAnnotation] == "true" {
+		isPrivate = true
+	}
 	if hcp.Spec.InfrastructureAvailabilityPolicy == hyperv1.HighlyAvailable {
 		replicas = 2
 	}
+
 	return &IngressParams{
 		IngressSubdomain: globalconfig.IngressDomain(hcp),
 		Replicas:         replicas,
 		PlatformType:     hcp.Spec.Platform.Type,
+		IsPrivate:        isPrivate,
+		IBMCloudUPI:      ibmCloudUPI,
 	}
+
 }
diff --git a/...rol-plane-operator/hostedclusterconfigoperator/controllers/resources/ingress/reconcile.go b/...rol-plane-operator/hostedclusterconfigoperator/controllers/resources/ingress/reconcile.go
@@ -10,7 +10,7 @@ import (
 	"github.com/openshift/hypershift/control-plane-operator/hostedclusterconfigoperator/controllers/resources/manifests"
 )
 
-func ReconcileDefaultIngressController(ingressController *operatorv1.IngressController, ingressSubdomain string, platformType hyperv1.PlatformType, replicas int32, isIBMCloudUPI bool) error {
+func ReconcileDefaultIngressController(ingressController *operatorv1.IngressController, ingressSubdomain string, platformType hyperv1.PlatformType, replicas int32, isIBMCloudUPI bool, isPrivate bool) error {
 	ingressController.Spec.Domain = ingressSubdomain
 	ingressController.Spec.EndpointPublishingStrategy = &operatorv1.EndpointPublishingStrategy{
 		Type: operatorv1.LoadBalancerServiceStrategyType,
@@ -65,6 +65,12 @@ func ReconcileDefaultIngressController(ingressController *operatorv1.IngressCont
 			Name: manifests.IngressDefaultIngressControllerCert().Name,
 		}
 	}
+	if isPrivate {
+		ingressController.Spec.EndpointPublishingStrategy = &operatorv1.EndpointPublishingStrategy{
+			Type:    operatorv1.PrivateStrategyType,
+			Private: &operatorv1.PrivateStrategy{},
+		}
+	}
 	return nil
 }
 

diff --git a/...lane-operator/hostedclusterconfigoperator/controllers/resources/ingress/reconcile_test.go b/...lane-operator/hostedclusterconfigoperator/controllers/resources/ingress/reconcile_test.go
@@ -20,6 +20,7 @@ func TestReconcileDefaultIngressController(t *testing.T) {
 		inputPlatformType         hyperv1.PlatformType
 		inputReplicas             int32
 		inputIsIBMCloudUPI        bool
+		inputIsPrivate            bool
 		expectedIngressController *operatorv1.IngressController
 	}{
 		{
@@ -29,6 +30,7 @@ func TestReconcileDefaultIngressController(t *testing.T) {
 			inputPlatformType:      hyperv1.IBMCloudPlatform,
 			inputReplicas:          fakeInputReplicas,
 			inputIsIBMCloudUPI:     true,
+			inputIsPrivate:         false,
 			expectedIngressController: &operatorv1.IngressController{
 				ObjectMeta: manifests.IngressDefaultIngressController().ObjectMeta,
 				Spec: operatorv1.IngressControllerSpec{
@@ -58,6 +60,7 @@ func TestReconcileDefaultIngressController(t *testing.T) {
 			inputPlatformType:      hyperv1.IBMCloudPlatform,
 			inputReplicas:          fakeInputReplicas,
 			inputIsIBMCloudUPI:     false,
+			inputIsPrivate:         false,
 			expectedIngressController: &operatorv1.IngressController{
 				ObjectMeta: manifests.IngressDefaultIngressController().ObjectMeta,
 				Spec: operatorv1.IngressControllerSpec{
@@ -87,6 +90,7 @@ func TestReconcileDefaultIngressController(t *testing.T) {
 			inputPlatformType:      hyperv1.KubevirtPlatform,
 			inputReplicas:          fakeInputReplicas,
 			inputIsIBMCloudUPI:     false,
+			inputIsPrivate:         false,
 			expectedIngressController: &operatorv1.IngressController{
 				ObjectMeta: manifests.IngressDefaultIngressController().ObjectMeta,
 				Spec: operatorv1.IngressControllerSpec{
@@ -108,6 +112,7 @@ func TestReconcileDefaultIngressController(t *testing.T) {
 			inputPlatformType:      hyperv1.NonePlatform,
 			inputReplicas:          fakeInputReplicas,
 			inputIsIBMCloudUPI:     false,
+			inputIsPrivate:         false,
 			expectedIngressController: &operatorv1.IngressController{
 				ObjectMeta: manifests.IngressDefaultIngressController().ObjectMeta,
 				Spec: operatorv1.IngressControllerSpec{
@@ -129,6 +134,7 @@ func TestReconcileDefaultIngressController(t *testing.T) {
 			inputPlatformType:      hyperv1.AWSPlatform,
 			inputReplicas:          fakeInputReplicas,
 			inputIsIBMCloudUPI:     false,
+			inputIsPrivate:         false,
 			expectedIngressController: &operatorv1.IngressController{
 				ObjectMeta: manifests.IngressDefaultIngressController().ObjectMeta,
 				Spec: operatorv1.IngressControllerSpec{
@@ -143,11 +149,61 @@ func TestReconcileDefaultIngressController(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:                   "Private Publishing Strategy on IBM Cloud",
+			inputIngressController: manifests.IngressDefaultIngressController(),
+			inputIngressDomain:     fakeIngressDomain,
+			inputPlatformType:      hyperv1.IBMCloudPlatform,
+			inputReplicas:          fakeInputReplicas,
+			inputIsIBMCloudUPI:     false,
+			inputIsPrivate:         true,
+			expectedIngressController: &operatorv1.IngressController{
+				ObjectMeta: manifests.IngressDefaultIngressController().ObjectMeta,
+				Spec: operatorv1.IngressControllerSpec{
+					Domain:   fakeIngressDomain,
+					Replicas: &fakeInputReplicas,
+					EndpointPublishingStrategy: &operatorv1.EndpointPublishingStrategy{
+						Type:    operatorv1.PrivateStrategyType,
+						Private: &operatorv1.PrivateStrategy{},
+					},
+					NodePlacement: &operatorv1.NodePlacement{
+						Tolerations: []corev1.Toleration{
+							{
+								Key:   "dedicated",
+								Value: "edge",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:                   "Private Publishing Strategy on other Platforms",
+			inputIngressController: manifests.IngressDefaultIngressController(),
+			inputIngressDomain:     fakeIngressDomain,
+			inputReplicas:          fakeInputReplicas,
+			inputIsIBMCloudUPI:     false,
+			inputIsPrivate:         true,
+			expectedIngressController: &operatorv1.IngressController{
+				ObjectMeta: manifests.IngressDefaultIngressController().ObjectMeta,
+				Spec: operatorv1.IngressControllerSpec{
+					Domain:   fakeIngressDomain,
+					Replicas: &fakeInputReplicas,
+					EndpointPublishingStrategy: &operatorv1.EndpointPublishingStrategy{
+						Type:    operatorv1.PrivateStrategyType,
+						Private: &operatorv1.PrivateStrategy{},
+					},
+					DefaultCertificate: &corev1.LocalObjectReference{
+						Name: manifests.IngressDefaultIngressControllerCert().Name,
+					},
+				},
+			},
+		},
 	}
 	for _, tc := range testsCases {
 		t.Run(tc.name, func(t *testing.T) {
 			g := NewGomegaWithT(t)
-			err := ReconcileDefaultIngressController(tc.inputIngressController, tc.inputIngressDomain, tc.inputPlatformType, tc.inputReplicas, tc.inputIsIBMCloudUPI)
+			err := ReconcileDefaultIngressController(tc.inputIngressController, tc.inputIngressDomain, tc.inputPlatformType, tc.inputReplicas, tc.inputIsIBMCloudUPI, tc.inputIsPrivate)
 			g.Expect(err).To(BeNil())
 			g.Expect(tc.inputIngressController).To(BeEquivalentTo(tc.expectedIngressController))
 		})

diff --git a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
@@ -592,7 +592,7 @@ func (r *reconciler) reconcileIngressController(ctx context.Context, hcp *hyperv
 	p := ingress.NewIngressParams(hcp)
 	ingressController := manifests.IngressDefaultIngressController()
 	if _, err := r.CreateOrUpdate(ctx, r.client, ingressController, func() error {
-		return ingress.ReconcileDefaultIngressController(ingressController, p.IngressSubdomain, p.PlatformType, p.Replicas, (hcp.Spec.Platform.IBMCloud != nil && hcp.Spec.Platform.IBMCloud.ProviderType == configv1.IBMCloudProviderTypeUPI))
+		return ingress.ReconcileDefaultIngressController(ingressController, p.IngressSubdomain, p.PlatformType, p.Replicas, p.IBMCloudUPI, p.IsPrivate)
 	}); err != nil {
 		errs = append(errs, fmt.Errorf("failed to reconcile default ingress controller: %w", err))
 	}

diff --git a/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go b/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
@@ -1384,6 +1384,7 @@ func reconcileHostedControlPlane(hcp *hyperv1.HostedControlPlane, hcluster *hype
 		hyperv1.PortierisImageAnnotation,
 		hyperutil.DebugDeploymentsAnnotation,
 		hyperv1.DisableProfilingAnnotation,
+		hyperv1.PrivateIngressControllerAnnotation,
 	}
 	for _, key := range mirroredAnnotations {
 		val, hasVal := hcluster.Annotations[key]