OliverMKing commented 5 months ago

Description

Adds a tls reconciler that adds the TLS portion to Ingresses that have the keyvault tls cert managed by us. We reconcile the Ingress object to point to the managed secret that contains the cert pulled from keyvault if the Ingress contains a specific annotation.

To use this feature, users will need to add the kubernetes.azure.com/tls-cert-keyvault-managed: true annotation to their Ingress.

Essentially, the reconcile logic is as follows:

Do nothing if the Ingress' IngressClass is not an App Routing IngressClass
Do nothing if the Ingress doesn't contain the kubernetes.azure.com/tls-cert-keyvault-managed: true annotation
If the Ingress has the kubernetes.azure.com/tls-cert-keyvault-managed: true annotation but doesn't contain the kubernetes.azure.com/tls-cert-keyvault-uri: <uri> annotation then we push an Event to the Ingress informing them that we can't manage TLS without that.
If the Ingress contains both required annotations we always set the TLS section of the Ingress to point to the App Routing managed Secret. We also update the TLS hosts to exactly match the hosts section of the rules part of the Ingress spec. We do this regardless of if the TLS section was empty before. This is a truly "managed" experience. If we chose not to reconcile if the TLS section was non-empty then we wouldn't be able to handle the case of a user adding a new Rule and hostname to the spec of the Ingress.

Type of change

Please delete options that are not relevant.

[ ] Bug fix (non-breaking change which fixes an issue)
[x] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
[x] This change requires a documentation update

How Has This Been Tested?

unit

Checklist:

[x] My code follows the style guidelines of this project
[x] I have performed a self-review of my code
[x] I have commented my code, particularly in hard-to-understand areas
[x] I have made corresponding changes to the documentation
[x] My changes generate no new warnings
[x] I have added tests that prove my fix is effective or that my feature works
[x] New and existing unit tests pass locally with my changes
[x] Any dependent changes have been merged and published in downstream modules

coveralls commented 5 months ago

Pull Request Test Coverage Report for Build 8391179182

Details

49 of 78 (62.82%) changed or added relevant lines in 3 files are covered.
No unchanged relevant lines lost coverage.
Overall coverage decreased (-0.4%) to 79.45%

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
pkg/controller/controller.go	0	4	0.0%
pkg/controller/keyvault/ingress_tls.go	44	69	63.77%
<!--	Total:	49	78	62.82%	-->

Totals
Change from base Build 8391177511:	-0.4%
Covered Lines:	2656
Relevant Lines:	3343

💛 - Coveralls

OliverMKing commented 5 months ago

/ok-to-test sha=8177500

OliverMKing commented 5 months ago

/ok-to-test sha=b886254

OliverMKing commented 5 months ago

/ok-to-test sha=0f31414

OliverMKing commented 5 months ago

/ok-to-test sha=cec8cd3

OliverMKing commented 5 months ago

/ok-to-test sha=acfd433

OliverMKing commented 3 months ago

/ok-to-test sha=28adffb

davidgamero commented 3 months ago

in the description,

If the Ingress contains both required Ingresses

this is referring to annotations right?

OliverMKing commented 3 months ago

in the description,

If the Ingress contains both required Ingresses

this is referring to annotations right?

yes

Azure / aks-app-routing-operator

adds tls reconciler #155

Description

Type of change

How Has This Been Tested?

Checklist:

Pull Request Test Coverage Report for Build 8391179182

Details

💛 - Coveralls