From 4260fc1336f0cc69fef20bf50bdd5db74721f4c2 Mon Sep 17 00:00:00 2001
From: Ben Bettridge
Date: Thu, 12 Apr 2018 23:26:40 +1200
Subject: [PATCH] Add support for annotation 'certmanager.k8s.io/ingress-class' to toggle the use of ingressClass: Add annotation to the ingress-shim documentation Remove debug output. Update documentation errors. Implement suggestions of using edit-in-place annotation to control behaviour. Fix reference to editInPlaceAnnotation Remove the presence of editInPlaceAnnotation from returning true to shouldSync() and relevant test. Update comment reference to correct annotation name. Remove tests that relied on annotation impacting result from shouldSync() Only edit in-place when explicitly requested to do so. Don't return error if unable to determine Ingress class, continue without setting either ingress or ingressClass. Update annotation to certmanager.k8s.io/acme-http01-edit-in-place in order to make use case more obvious and have consistent naming. Update docs to reflect possible values more accurately
---
 cmd/ingress-shim/controller/sync.go | 14 +++++++++++++-
 docs/reference/ingress-shim.rst | 7 +++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/cmd/ingress-shim/controller/sync.go b/cmd/ingress-shim/controller/sync.go
index 4cd4e0cc7..15b43ff48 100644
--- a/cmd/ingress-shim/controller/sync.go
+++ b/cmd/ingress-shim/controller/sync.go
@@ -20,6 +20,9 @@ const (
 // the default configuration provided to ingress-annotation should be
 // created.
 tlsACMEAnnotation = "kubernetes.io/tls-acme"
+ // editInPlaceAnnotation is used to toggle the use of ingressClass instead
+ // of ingress on the created Certificate resource
+ editInPlaceAnnotation = "certmanager.k8s.io/acme-http01-edit-in-place"
 // issuerNameAnnotation can be used to override the issuer specified on the
 // created Certificate resource.
 issuerNameAnnotation = "certmanager.k8s.io/issuer"
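Review bot: The comment on `editInPlaceAnnotation` reads as if the annotation selects ingressClass, while the code in the second hunk does the opposite: the value `"true"` makes the Certificate reference the existing Ingress (`HTTP01.Ingress`), and any other value or its absence falls back to `HTTP01.IngressClass` taken from `kubernetes.io/ingress.class`. Suggest `// editInPlaceAnnotation, when set to "true", makes the created Certificate solve http01 by editing the existing Ingress; any other value or its absence uses the Ingress's kubernetes.io/ingress.class instead.` The `"kubernetes.io/ingress.class"` key is spelled out as a string literal in the second hunk while every other annotation key in this file is a named constant; adding `ingressClassAnnotation = "kubernetes.io/ingress.class"` to this const block and using it there would keep the two consistent.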
@@ -182,7 +185,16 @@ func (c *Controller) setIssuerSpecificConfig(crt *v1alpha1.Certificate, issuer v
 }
 switch challengeType {
 case "http01":
- domainCfg.HTTP01 = &v1alpha1.ACMECertificateHTTP01Config{Ingress: ing.Name}
+ editInPlace, ok := ingAnnotations[editInPlaceAnnotation]
+ // If annotation isn't present, or it's set to true, edit the existing ingress
+ if ok && editInPlace == "true" {
+ domainCfg.HTTP01 = &v1alpha1.ACMECertificateHTTP01Config{Ingress: ing.Name}
+ } else {
+ ingressClass, ok := ingAnnotations["kubernetes.io/ingress.class"]
+ if ok {
+ domainCfg.HTTP01 = &v1alpha1.ACMECertificateHTTP01Config{IngressClass: &ingressClass}
+ }
+ }
 case "dns01":
 dnsProvider, ok := ingAnnotations[acmeIssuerDNS01ProviderNameAnnotation]
 if !ok {
diff --git a/docs/reference/ingress-shim.rst b/docs/reference/ingress-shim.rst
index ce1f928a0..a9358d38c 100644
--- a/docs/reference/ingress-shim.rst
+++ b/docs/reference/ingress-shim.rst
@@ -68,5 +68,12 @@ Certificate resources to be automatically created: configuration of the ingress-shim (see above). Namely, a default issuer must be specified as arguments to the ingress-shim container.
+* ``certmanager.k8s.io/acme-http01-edit-in-place""`` - if the ACME challenge type
+ has been set to http01, and the ingress has the 'kubernetes.io/tls-acme: true'
+ annotation, this controls whether the ingress is modified 'in-place', or a new
+ one created specifically for the http01 challenge. If present, and set to "true"
+ the existing ingress will be modified. Any other value, or the absence of the
+ annotation assumes "false".
+
 .. _kube-lego: https://github.com/jetstack/kube-lego
 .. _ingress-shim: https://github.com/jetstack/cert-manager/tree/master/cmd/ingress-shim
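Review bot: The comment `// If annotation isn't present, or it's set to true, edit the existing ingress` no longer matches the condition under it, which edits in place only when the annotation is present and equal to `"true"`; absence falls through to the ingress-class branch, as the commit message itself says. Suggest `// Edit the existing Ingress only when explicitly requested; otherwise reference its ingress class.` When neither annotation is present, `domainCfg.HTTP01` is left nil for an http01 challenge, so the Certificate is emitted without any HTTP01 configuration and nothing records why; a log line or Kubernetes event at that point would make the misconfiguration visible to the operator instead of presumably surfacing later as a failure on the Certificate. The inner `ingressClass, ok :=` shadows the outer `ok`, which is legal but trips the shadow vet check; `ingressClass, hasClass :=` reads clearer. The enclosing setIssuerSpecificConfig starts and ends outside the hunk.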