Allow multiple ingress hosts to be defined when using ingress (ansible#1377)

guillaumelfv · Guillaume Lefevre · fosterseth · web-flow · commit 07427be0b794 · 2024-01-05T10:15:04.000-05:00
* Replace api version for deployment kind to apps/v1

* Add new multiple ingress spec and deprecate hostname and ingress_tls_secret

* Manage new ingress_hosts.tls_secret backup separately

* Fix ci molecule lint warnings and error

* Fix documentation

* Fix ingress_hosts tls_secret key being optional

* Remove fieldDependency:ingress_type:Ingress for Ingress Hosts

* Fix scenario when neither hostname or ingress_hosts is defined

---------

Co-authored-by: Guillaume Lefevre &lt;guillaume.lefevre@agoda.com&gt;
Co-authored-by: Seth Foster &lt;fosterseth@users.noreply.github.com&gt;
Co-authored-by: Christian Adams &lt;chadams@redhat.com&gt;
diff --git a/config/crd/bases/awx.ansible.com_awxs.yaml b/config/crd/bases/awx.ansible.com_awxs.yaml
@@ -54,8 +54,8 @@ spec:
                 description: Username to use for the admin account
                 type: string
                 default: admin
-              hostname:
-                description: The hostname of the instance
+              hostname:  # deprecated
+                description: (Deprecated) The hostname of the instance
                 type: string
               admin_email:
                 description: The admin user email
@@ -123,12 +123,24 @@ spec:
               ingress_annotations:
                 description: Annotations to add to the Ingress Controller
                 type: string
-              ingress_tls_secret:
-                description: Secret where the Ingress TLS secret can be found
+              ingress_tls_secret:  # deprecated
+                description: (Deprecated) Secret where the Ingress TLS secret can be found
                 type: string
               ingress_class_name:
                 description: The name of ingress class to use instead of the cluster default.
                 type: string
+              ingress_hosts:
+                description: Ingress hostnames of the instance
+                type: array
+                items:
+                  type: object
+                  properties:
+                    hostname:
+                      description: Hostname of the instance
+                      type: string
+                    tls_secret:
+                      description: Secret where the Ingress TLS secret can be found
+                      type: string
               ingress_controller:
                 description: Special configuration for specific Ingress Controllers
                 type: string
diff --git a/config/manifests/bases/awx-operator.clusterserviceversion.yaml b/config/manifests/bases/awx-operator.clusterserviceversion.yaml
@@ -212,7 +212,7 @@ spec:
       kind: AWX
       name: awxs.awx.ansible.com
       specDescriptors:
-      - displayName: Hostname
+      - displayName: Hostname (Deprecated)
         path: hostname
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -302,12 +302,17 @@ spec:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:com.tectonic.ui:text
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
-      - displayName: Ingress TLS Secret
+      - displayName: Ingress TLS Secret (Deprecated)
         path: ingress_tls_secret
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:advanced
         - urn:alm:descriptor:io.kubernetes:Secret
         - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
+      - displayName: Ingress Hosts
+        path: ingress_hosts
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:text
       - displayName: Ingress Controller
         path: ingress_controller
         x-descriptors:
diff --git a/docs/user-guide/network-and-tls-configuration.md b/docs/user-guide/network-and-tls-configuration.md
@@ -32,7 +32,7 @@ The following variables are customizable only when `service_type=LoadBalancer`
 | --------------------- | ---------------------------------------- | ------- |
 | loadbalancer_protocol | Protocol to use for Loadbalancer ingress | http    |
 | loadbalancer_port     | Port used for Loadbalancer ingress       | 80      |
-| loadbalancer_ip        | Assign Loadbalancer IP                   | ''      |  
+| loadbalancer_ip       | Assign Loadbalancer IP                   | ''      |
 
 ```yaml
 ---
@@ -86,22 +86,26 @@ spec:
 
 The following variables are customizable when `ingress_type=ingress`. The `ingress` type creates an Ingress resource as [documented](https://kubernetes.io/docs/concepts/services-networking/ingress/) which can be shared with many other Ingress Controllers as [listed](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/).
 
-| Name                | Description                              | Default                     |
-| ------------------- | ---------------------------------------- | --------------------------- |
-| ingress_annotations | Ingress annotations                      | Empty string                |
-| ingress_tls_secret  | Secret that contains the TLS information | Empty string                |
-| ingress_class_name  | Define the ingress class name            | Cluster default             |
-| hostname            | Define the FQDN                          | {{ meta.name }}.example.com |
-| ingress_path        | Define the ingress path to the service   | /                           |
-| ingress_path_type   | Define the type of the path (for LBs)    | Prefix                      |
-| ingress_api_version | Define the Ingress resource apiVersion   | 'networking.k8s.io/v1'      |
+| Name                               | Description                                                                        | Default                     |
+| ---------------------------------- | ---------------------------------------------------------------------------------- | --------------------------- |
+| ingress_annotations                | Ingress annotations                                                                | Empty string                |
+| ingress_tls_secret _(deprecated)_  | Secret that contains the TLS information                                           | Empty string                |
+| ingress_class_name                 | Define the ingress class name                                                      | Cluster default             |
+| hostname _(deprecated)_            | Define the FQDN                                                                    | {{ meta.name }}.example.com |
+| ingress_hosts                      | Define one or multiple FQDN with optional Secret that contains the TLS information | Empty string                |
+| ingress_path                       | Define the ingress path to the service                                             | /                           |
+| ingress_path_type                  | Define the type of the path (for LBs)                                              | Prefix                      |
+| ingress_api_version                | Define the Ingress resource apiVersion                                             | 'networking.k8s.io/v1'      |
 
 ```yaml
 ---
 spec:
   ...
   ingress_type: ingress
-  hostname: awx-demo.example.com
+  ingress_hosts:
+    - hostname: awx-demo.example.com
+    - hostname: awx-demo.sample.com
+      tls_secret: sample-tls-secret
   ingress_annotations: |
     environment: testing
 ```
@@ -119,7 +123,10 @@ Some Ingress Controllers need a special configuration to fully support AWX, add
 spec:
   ...
   ingress_type: ingress
-  hostname: awx-demo.example.com
+  ingress_hosts:
+    - hostname: awx-demo.example.com
+    - hostname: awx-demo.sample.com
+      tls_secret: sample-tls-secret
   ingress_controller: contour
 ```
 
diff --git a/roles/backup/tasks/dump_ingress_tls_secrets.yml b/roles/backup/tasks/dump_ingress_tls_secrets.yml
@@ -0,0 +1,24 @@
+---
+
+- name: Get secret
+  k8s_info:
+    version: v1
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: "{{ item }}"
+  register: _secret
+  no_log: "{{ no_log }}"
+
+- name: Backup secret if exists
+  block:
+    - name: Set secret key
+      set_fact:
+        _data: "{{ _secret['resources'][0]['data'] }}"
+        _type: "{{ _secret['resources'][0]['type'] }}"
+      no_log: "{{ no_log }}"
+
+    - name: Create and Add secret names and data to dictionary
+      set_fact:
+        secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': item, 'data': _data, 'type': _type }}) }}"
+      no_log: "{{ no_log }}"
+  when: _secret | length
diff --git a/roles/backup/tasks/secrets.yml b/roles/backup/tasks/secrets.yml
@@ -12,11 +12,18 @@
   include_tasks: dump_secret.yml
   loop:
     - route_tls_secret
+    # ingress_tls_secret is deprecated in favor of ingress_hosts.tls_secret
     - ingress_tls_secret
     - ldap_cacert_secret
     - bundle_cacert_secret
     - ee_pull_credentials_secret
 
+- name: Dump ingress tls secret names from awx spec and data into file
+  include_tasks: dump_ingress_tls_secrets.yml
+  with_items:
+    - "{{ awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list }}"
+  when: "{{ awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list | length }}"
+
 - name: Dump receptor secret names and data into file
   include_tasks: dump_receptor_secrets.yml
   loop:
diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml
@@ -40,6 +40,16 @@ ingress_tls_secret: ''
 # ingress_controller: contour
 ingress_controller: ''
 
+# One or multiple FQDN with optional Secret that contains the TLS information.
+# The TLS secret either has to exist before hand with
+# the corresponding cert and key or just be an indicator for where an automated
+# process like cert-manager (enabled via annotations) will store the TLS
+# certificate and key.
+# ingress_hosts:
+#   - hostname: awx-demo.example.com
+#     tls_secret: example-com-tls
+ingress_hosts: ''
+
 loadbalancer_protocol: 'http'
 loadbalancer_port: '80'
 service_annotations: ''
diff --git a/roles/installer/tasks/install.yml b/roles/installer/tasks/install.yml
@@ -2,7 +2,7 @@
 - name: Delete old deployment for before installing during upgrade
   k8s:
     kind: Deployment
-    api_version: v1
+    api_version: apps/v1
     namespace: "{{ ansible_operator_meta.namespace }}"
     name: "{{ ansible_operator_meta.name }}"
     state: absent
diff --git a/roles/installer/tasks/main.yml b/roles/installer/tasks/main.yml
@@ -9,15 +9,15 @@
 
 - name: Check for presence of awx-task Deployment
   k8s_info:
-    api_version: v1
+    api_version: apps/v1
     kind: Deployment
     name: "{{ ansible_operator_meta.name }}-task"
     namespace: "{{ ansible_operator_meta.namespace }}"
   register: awx_task_deployment
 
 - name: Check for presence of awx-web Deployment
   k8s_info:
-    api_version: v1
+    api_version: apps/v1
     kind: Deployment
     name: "{{ ansible_operator_meta.name }}-web"
     namespace: "{{ ansible_operator_meta.namespace }}"
diff --git a/roles/installer/templates/networking/ingress.yaml.j2 b/roles/installer/templates/networking/ingress.yaml.j2
@@ -13,7 +13,7 @@ metadata:
   annotations:
 {% if ingress_annotations %}
     {{ ingress_annotations | indent(width=4) }}
-{% endif %}
+{%- endif %}
 {% if ingress_controller|lower == "contour" %}
     projectcontour.io/websocket-routes: "/websocket"
     kubernetes.io/ingress.class: contour
@@ -24,6 +24,7 @@ spec:
   ingressClassName: '{{ ingress_class_name }}'
 {% endif %}
   rules:
+{% if not ingress_hosts %}
     - http:
         paths:
           - path: '{{ ingress_path }}'
@@ -33,6 +34,9 @@ spec:
                 name: '{{ ansible_operator_meta.name }}-service'
                 port:
                   number: 80
+{% if hostname %}
+      host: {{ hostname }}
+{% endif %}
 {% if ingress_controller|lower == "contour" %}
           - path: '{{ ingress_path.rstrip("/") }}/websocket'
             pathType: '{{ ingress_path_type }}'
@@ -42,16 +46,45 @@ spec:
                 port:
                   number: 80
 {% endif %}
-{% if hostname %}      
-      host: {{ hostname }}
-{% endif %}      
 {% if ingress_tls_secret %}
   tls:
     - hosts:
-        - {{ hostname }}
+      - {{ hostname }}
       secretName: {{ ingress_tls_secret }}
 {% endif %}
 {% endif %}
+{% if ingress_hosts %}
+{% for item in ingress_hosts %}
+    - host: {{ item.hostname }}
+      http:
+        paths:
+          - path: '{{ ingress_path }}'
+            pathType: '{{ ingress_path_type }}'
+            backend:
+              service:
+                name: '{{ ansible_operator_meta.name }}-service'
+                port:
+                  number: 80
+{% if ingress_controller|lower == "contour" %}
+          - path: '{{ ingress_path.rstrip("/") }}/websocket'
+            pathType: '{{ ingress_path_type }}'
+            backend:
+              service:
+                name: '{{ ansible_operator_meta.name }}-service'
+                port:
+                  number: 80
+{% endif %}
+{% endfor %}
+  tls:
+{% for item in ingress_hosts %}
+{% if 'tls_secret' in item %}
+    - hosts:
+      - {{ item.hostname }}
+      secretName: {{ item.tls_secret }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endif %}
 
 {% if ingress_type|lower == "route" %}
 ---
