Add support for annotation 'certmanager.k8s.io/ingress-class' to toggle the use of ingressClass: <value>

Add annotation to the ingress-shim documentation

Remove debug output.

Update documentation errors.

Implement suggestions of using edit-in-place annotation to control behaviour.

Fix reference to editInPlaceAnnotation

Remove the presence of editInPlaceAnnotation from returning true to shouldSync() and relevant test.

Update comment reference to correct annotation name.

Remove tests that relied on annotation impacting result from shouldSync()

Only edit in-place when explicitly requested to do so.

Don't return error if unable to determine Ingress class, continue without setting either ingress or ingressClass.

Update annotation to certmanager.k8s.io/acme-http01-edit-in-place in order to make use case more obvious and have consistent naming.

Update docs to reflect possible values more accurately
Ben Bettridge 2018-04-12 23:26:40 +12:00 committed by James Munnelly
parent 8485ada4e2
commit 4260fc1336
2 changed files with 20 additions and 1 deletions


@ -20,6 +20,9 @@ const (
// the default configuration provided to ingress-annotation should be
// created.
tlsACMEAnnotation = "kubernetes.io/tls-acme"
// editInPlaceAnnotation is used to toggle the use of ingressClass instead
// of ingress on the created Certificate resource
editInPlaceAnnotation = "certmanager.k8s.io/acme-http01-edit-in-place"
// issuerNameAnnotation can be used to override the issuer specified on the
// created Certificate resource.
issuerNameAnnotation = "certmanager.k8s.io/issuer"
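Review bot: The comment added above editInPlaceAnnotation reads backwards relative to the constant's name: it says the annotation toggles "the use of ingressClass instead of ingress", while the name says edit-in-place. Suggest stating the direction explicitly, for example that a value of "true" makes the created Certificate reference the existing ingress by name, and that otherwise the ingress class is used. The accepted value is worth stating here too, so a reader of the const block does not have to find the comparison in setIssuerSpecificConfig.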
@ -182,7 +185,16 @@ func (c *Controller) setIssuerSpecificConfig(crt *v1alpha1.Certificate, issuer v
}
switch challengeType {
case "http01":
domainCfg.HTTP01 = &v1alpha1.ACMECertificateHTTP01Config{Ingress: ing.Name}
editInPlace, ok := ingAnnotations[editInPlaceAnnotation]
// If annotation isn't present, or it's set to true, edit the existing ingress
if ok && editInPlace == "true" {
domainCfg.HTTP01 = &v1alpha1.ACMECertificateHTTP01Config{Ingress: ing.Name}
} else {
ingressClass, ok := ingAnnotations["kubernetes.io/ingress.class"]
if ok {
domainCfg.HTTP01 = &v1alpha1.ACMECertificateHTTP01Config{IngressClass: &ingressClass}
}
}
case "dns01":
dnsProvider, ok := ingAnnotations[acmeIssuerDNS01ProviderNameAnnotation]
if !ok {
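Review bot: The comment above the new if in the http01 case says the existing ingress is edited when the annotation "isn't present, or it's set to true", but the condition `ok && editInPlace == "true"` requires the annotation to be present and exactly "true"; the comment should be corrected to match the code. In the else branch, when "kubernetes.io/ingress.class" is not set, domainCfg.HTTP01 is never assigned, so an ingress that previously always got `Ingress: ing.Name` now ends up with no http01 config at all. Consider logging that case or handling it explicitly, and call out the changed default for existing users. The "kubernetes.io/ingress.class" literal would also be better as a named constant next to the other annotation names.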


@ -68,5 +68,12 @@ Certificate resources to be automatically created:
configuration of the ingress-shim (see above). Namely, a default issuer must be
specified as arguments to the ingress-shim container.
* ``certmanager.k8s.io/acme-http01-edit-in-place""`` - if the ACME challenge type
has been set to http01, and the ingress has the 'kubernetes.io/tls-acme: true'
annotation, this controls whether the ingress is modified 'in-place', or a new
one created specifically for the http01 challenge. If present, and set to "true"
the existing ingress will be modified. Any other value, or the absence of the
annotation assumes "false".
.. _kube-lego: https://github.com/jetstack/kube-lego
.. _ingress-shim: https://github.com/jetstack/cert-manager/tree/master/cmd/ingress-shim
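Review bot: The annotation name in the new bullet carries a stray `""` inside the literal (``certmanager.k8s.io/acme-http01-edit-in-place""``), which will render as part of the annotation key; drop the extra quotes. The text also says a new ingress is created whenever the value is not "true", without mentioning that the code path reads the kubernetes.io/ingress.class annotation for this; the docs should say what to expect when that annotation is absent.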