add support for ingressv1.Spec.IngressClassName

[stevesloka]

Fixes #2146 by adding support for ingressv1.Spec.IngressClassName.

Signed-off-by: Steve Sloka [email protected]

[stevesloka]

I'm not in love with the package name annotations, but couldn't think up a better name. Up for discussion of ideas on that. =)

[codecov]

Codecov Report

Merging #2548 into master will decrease coverage by 0.09%.
The diff coverage is 79.03%.

@@            Coverage Diff             @@
##           master    #2548      +/-   ##
==========================================
- Coverage   77.04%   76.94%   -0.10%     
==========================================
  Files          72       72              
  Lines        5723     5757      +34     
==========================================
+ Hits         4409     4430      +21     
- Misses       1226     1238      +12     
- Partials       88       89       +1     

Impacted Files	Coverage Δ
cmd/contour/serve.go	2.55% <0.00%> (-0.04%)	⬇️
internal/k8s/clients.go	11.62% <ø> (ø)
internal/k8s/informers.go	0.00% <0.00%> (ø)
internal/dag/cache.go	95.93% <84.61%> (-2.24%)	⬇️
internal/annotation/annotations.go	100.00% <100.00%> (ø)
internal/dag/builder.go	91.93% <100.00%> (ø)
internal/k8s/statusaddress.go	86.95% <100.00%> (+0.14%)	⬆️

[stevesloka]

I took off the 1.15 milestone since this is not critical to land in that release.

[jpeach]

If I' reading this correctly, this change looks for an Ingress class string in the spec.ingressclassname field. However, in the v1 API, this string is the name of an object of type IngressClass which represents a deployed Contour control plane.

[stevesloka]

ha you're right @jpeach, I misread that spec. I'll get this fixed up. =)

[github-actions]

Marking this PR stale since there has been no activity for 14 days. It will be closed if there is no activity for another 90 days.

[stevesloka]

I'm not happy with the version check logic, going to look at implementing: #2219

[stevesloka]

#2668 adds a dynamic lookup for resources. Once that merges, I'll rebase this PR to include that portion.

[stevesloka]

The current implementation checks if the IngressClass api type exists, but doesn't set an error on the status of an object if used. The only feedback is a warning emitted when Contour starts.

This is for the use-case where a cluster doesn't have ingressClasses but a user tries to use them, which I think is an edge case but still valid.

[jpeach]

I made a first pass over this. I think it would really help to sketch out how we think about IngressClass deployments and how we want them to evolve over time. That larger context would help illuminate the decisions in this PR.

[jpeach]

The purpose of this function is to capture the complexity around matching resources to ingress classes. Now, that is distributed across here, (*KubernetesCache) matchesIngressClass() and (*StatusAddressUpdater) OnAdd(). Can we bring is all back so that there is exactly one place that does the ingress class match?

[jpeach]

This is what annotation.IngressClass() should do - given a generic resource, figure out and return the ingress class that it belongs to.

[stevesloka]

The problem is that we need to know if the annotation is defined at all, if it is then check if it matches. If it's not defined, then we can look at ingress class. That's why it's changed.

[skriss]

I agree that having one function that returns an object's ingress class would be really helpful since the logic is spread around a bunch now. It may need to also return a bool indicating if the class came from Spec.IngressClassName or not.

[jpeach]

The problem is that we need to know if the annotation is defined at all, if it is then check if it matches. If it's not defined, then we can look at ingress class. That's why it's changed.

I think that we can still have it in one place though. The logic for IngressClass would be:

func IngressClass(o runtime.Object) string {
	a := o.GetObjectMeta().GetAnnotations()
	if class, ok := a["projectcontour.io/ingress.class"]; ok {
		return class
	}
	if class, ok := a["contour.heptio.com/ingress.class"]; ok {
		return class
	}
	if class, ok := a["kubernetes.io/ingress.class"]; ok {
		return class
	}

        switch obj := obj.(type) {
        case *v1beta1.Ingress:
                return obj.Spec.IngressClassName
        }

        return ""
}

This treats the ingress class the same no matter how it is specified. Then we can treat the issue of whether the ingress class matches our configuration separately. We may not want to propagate the default Contour matching behaviour across the the IngressClass resource.

[jpeach]

Since you are working in the area, suggest adopting the v1beta1.AnnotationIngressClass constant.

[jpeach]

IMHO the Spec.IngressClassName should take precedence since it's not deprecated.

[stevesloka]

The docs used to say that annotations were to take precedence over the ingressclass, but now I can't find that reference. I know @youngnick mentioned the same on a previous call.

[skriss]

https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/20190125-ingress-api-group.md#interoperability-with-previous-annotation

[jpeach]

Yup you are right. From the spec:

// IngressClassName is the name of the IngressClass cluster resource. The
// associated IngressClass defines which controller will implement the
// resource. This replaces the deprecated kubernetes.io/ingress.class
// annotation. For backwards compatibility, when that annotation is set, it
// must be given precedence over this field. The controller may emit a
// warning if the field and annotation have different values.
// Implementations of this API should ignore Ingresses without a class
// specified.

Can we add a comment with the rationale and background?

[jpeach]

"projectcontour.io/ingress-controller" should be a named constant somewhere.

[jpeach]

Maybe this should be "projectcontour.io/contour" 🤷

[stevesloka]

The docs show it as ingress-controller and I've seen other folks do the same: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class

[skriss]

👀

[skriss]

this should probably be info-level since it's not required / the user hasn't explicitly opted into using it (unlike the service API types just above)

[skriss]

https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/20190125-ingress-api-group.md#interoperability-with-previous-annotation

[skriss]

This doesn't seem like it'll correctly handle Ingresses with Spec.IngressClassName specified -- for example, if s.IngressClass != "" then won't all Ingresses that only have Spec.IngressClassName (no annotation) be filtered out here?

[skriss]

Not directly related to your PR, but I think this block of code would be easier to understand if we sort of inverted the logic, something like:

// if ic is specified, then the object's ingress class must match it
if ic != "" {
    return objectClass == ic
}

// if ic is empty, then the object's ingress class can either be empty
// or DEFAULT_INGRESS_CLASS
return objectClass == "" || objectClass == DEFAULT_INGRESS_CLASS

May be a matter of personal preference though, so take it or leave it.

[skriss]

I think you want ic() here

[skriss]

I agree that having one function that returns an object's ingress class would be really helpful since the logic is spread around a bunch now. It may need to also return a bool indicating if the class came from Spec.IngressClassName or not.

[jpeach]

I thought I left a comment before, but I can't find it now :-/

IIUC, Contour will cache all IngressClass resources that match the controller name. Here, we will match any ingress class whose name matches the Spec.IngressClassName. So the result of this is that Contour will accept all resources which map to a Contour IngressClass regardless of the class name.

Did I get that right?

[github-actions]

Marking this PR stale since there has been no activity for 14 days. It will be closed if there is no activity for another 90 days.

[youngnick]

I think this one won't be implementable until we've settled on a decision in #2809.