Add sni support #111
Add sni support #111
Conversation
aws/adapter.go
Outdated
| @@ -64,7 +64,7 @@ const ( | |||
|
|
|||
| nameTag = "Name" | |||
|
|
|||
| certificateARNTag = "ingress:certificate-arn" | |||
| certificateARNsTag = "ingress:certificate-arns" | |||
There was a problem hiding this comment.
this will break existing installations, please make it upgradeable and set a deprecated comment and log a warning if used
aws/cf.go
Outdated
| dnsName string | ||
| scheme string | ||
| targetGroupARN string | ||
| CertificateARNs []string |
There was a problem hiding this comment.
please do not change visibility here, better add a method, for example: Add(certarns ...string)
aws/cf.go
Outdated
| CertificateArn string `yaml:"CertificateArn"` | ||
| } | ||
|
|
||
| // cfTemplate is an opauqe structure for unmarshaling a yaml cloudformation |
aws/cf.go
Outdated
|
|
||
| // injectCertificates injects a list of certificates into the cloudformation | ||
| // template. | ||
| func injectCertificates(cfTmpl string, certs []string) (string, error) { |
There was a problem hiding this comment.
I am not happy with the solution parsing string, modify object and return string.
This looks more like a hack to me. We should have a type based object that can render to a cloudformation stack.
| @@ -138,10 +139,18 @@ func doWork(certsProvider certs.CertificatesProvider, awsAdapter *aws.Adapter, k | |||
| return nil | |||
| } | |||
|
|
|||
| func buildManagedModel(certsProvider certs.CertificatesProvider, ingresses []*kubernetes.Ingress, stacks []*aws.Stack) map[string]*managedItem { | |||
| model := make(map[string]*managedItem) | |||
| func buildManagedModel(certsProvider certs.CertificatesProvider, ingresses []*kubernetes.Ingress, stacks []*aws.Stack) []*managedItem { | |||
There was a problem hiding this comment.
the changes in this function look more like we lack of abstraction and power of the abstraction.
|
👎 |
|
Is this PR active? This is a super important feature for us as we use ingress for basically everything, and having one ALB per service is too expensive. If not, I'm interested in finishing it. |
|
@greenboxal I think we have not so much pressure as we provision wildcard certificates and mostly use the same ALB for all ingress already. Feel free to work on that. |
|
@greenboxal I have some half finished work locally, which I will try to push one of the next days. |
mikkeloscar
force-pushed
the
sni-support
branch
from
c801e68 to
4c83b4d
Compare
|
I have now updated this with all the changes I had locally. It now uses the github.com/mweagle/go-cloudformation library to generate a CF stack template instead of doing some weird yaml unmarshal/marshaling like it did before. Note that this currently hasn't been tested and there are at least some issues I'm aware of:
Both of these things has to be done in a backwardcompatible way such that we can automatically migrate the single cert ALBs to multi cert ALBs without affecting applications behind those ingress ALBs. @greenboxal If you want to go on from here, you are welcome to do so just let me know, otherwise I will work on this in CW04. |
mikkeloscar
force-pushed
the
sni-support
branch
from
4c83b4d to
c09c2c7
Compare
mikkeloscar
force-pushed
the
sni-support
branch
from
0e7eb4f to
c469e11
Compare
|
@szuecs I have now updated the description explaining how it works. I have tested the following scenarios:
|
|
@greenboxal This should now be done. You are very welcome to give it a try. Here's an image built from this PR: |
worker.go
Outdated
| if err != kubernetes.ErrUpdateNotNeeded { | ||
| log.Println(err) | ||
| } else { | ||
| log.Printf("updated ingress not needed %v with DNS name %q", ing, dnsName) |
There was a problem hiding this comment.
please switch the error handling and change the message.
if err == kubernetes.ErrUpdateNotNeeded {
log.Printf("Ingress update not needed %v with DNS name %q", ing, dnsName)
} else {
log.Printf("Failed to update ingress: %v", err)
}
|
I discussed offline with @mikkeloscar and checked the code with 4 eyes that it will support more than 2 stacks, too. (I dropped my old comment) Only small refactoring to have it more readable. Thanks! |
|
👍 |
1 similar comment
|
👍 |
This adds SNI support by adding up to 25 certificates to a single ALB. If multiple ALBs exist with less than 25 certificates each then it will aggregate the certificates to as few ALBs as possible.
To support multiple certs this also fixes a bunch of other issues:
cluster-id-<hash-of-cert-arn>-schemebut since we can now have 25 certs per stack the naming no longer makes sense. Instead it just gets the namecluster-id-<uuid>.Migration
This PR also takes care to ensure safe migration from stacks created by the
<=v0.5.0version of the controller. The migration works like this:Each certificate is defined on the stack with a tag
ingress:certificate-arn/<cert-arn>=ttlwhere ttl is a timestamp for when the cert should be removed from the stack. This way it's possible to create multiple stacks in case there are more than 25 certs requested. And it's possible to later merge the stacks back to one when the demand for certs are less than 25 again.Note: with this approach it's not possible to explicitly get an ALB that is unique per ingress/certificate we could add support for this either through a flag or as an annotation added to ingresses which want to have their own ALB, however this PR is already quite big so I would add these features separately.
Fix #94