WIP feat: allow cert-manager annotations on ingress based on environment variables PT.2

cluster/client.go

@@ -82,7 +82,7 @@ type Client interface {
 		tsq remotecommand.TerminalSizeQueue) (ctypes.ExecResult, error)
 
 	// ConnectHostnameToDeployment Connect a given hostname to a deployment
-	ConnectHostnameToDeployment(ctx context.Context, directive ctypes.ConnectHostnameToDeploymentDirective) error
+	ConnectHostnameToDeployment(ctx context.Context, directive ctypes.ConnectHostnameToDeploymentDirective, tlsEnabled bool) error
 	// RemoveHostnameFromDeployment Remove a given hostname from a deployment
 	RemoveHostnameFromDeployment(ctx context.Context, hostname string, leaseID mtypes.LeaseID, allowMissing bool) error
 
@@ -415,7 +415,7 @@ func (c *nullClient) GetHostnameDeploymentConnections(_ context.Context) ([]ctyp
 	return nil, errNotImplemented
 }
 
-func (c *nullClient) ConnectHostnameToDeployment(_ context.Context, _ ctypes.ConnectHostnameToDeploymentDirective) error {
+func (c *nullClient) ConnectHostnameToDeployment(_ context.Context, _ ctypes.ConnectHostnameToDeploymentDirective, _ bool) error {
 	return errNotImplemented
 }
 

cluster/kube/client.go

@@ -3,6 +3,7 @@ package kube
 import (
 	"context"
 	"fmt"
+	"github.com/akash-network/provider/cluster/util"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -56,6 +57,7 @@ type client struct {
 	ns                string
 	log               log.Logger
 	kubeContentConfig *restclient.Config
+	env               map[string]string
 }
 
 func (c *client) String() string {
@@ -98,6 +100,7 @@ func NewClient(ctx context.Context, log log.Logger, ns string, configPath string
 		ns:                ns,
 		log:               log.With("client", "kube"),
 		kubeContentConfig: config,
+		env:               util.EnvironmentVariablesToMap(),
 	}, nil
 }
 

cluster/kube/client_ingress.go

@@ -24,12 +24,13 @@ import (
 
 const (
 	akashIngressClassName = "akash-ingress-class"
+	root                  = "nginx.ingress.kubernetes.io"
+	certManager           = "cert-manager.io"
 )
 
-func kubeNginxIngressAnnotations(directive ctypes.ConnectHostnameToDeploymentDirective) map[string]string {
+func (c *client) kubeNginxIngressAnnotations(directive ctypes.ConnectHostnameToDeploymentDirective) map[string]string {
 	// For kubernetes/ingress-nginx
 	// https://github.com/kubernetes/ingress-nginx
-	const root = "nginx.ingress.kubernetes.io"
 
 	readTimeout := math.Ceil(float64(directive.ReadTimeout) / 1000.0)
 	sendTimeout := math.Ceil(float64(directive.SendTimeout) / 1000.0)
@@ -66,11 +67,20 @@ func kubeNginxIngressAnnotations(directive ctypes.ConnectHostnameToDeploymentDir
 		}
 	}
 
+	switch c.env["AKASH_PROVIDER_ISSUER_TYPE"] {
+	case "cluster-issuer":
+		result[fmt.Sprintf("%s/cluster-issuer", certManager)] = c.env["AKASH_PROVIDER_ISSUER_NAME"]
+		break
+	case "issuer":
+		result[fmt.Sprintf("%s/issuer", certManager)] = c.env["AKASH_PROVIDER_ISSUER_NAME"]
+		break
+	}
+
 	result[fmt.Sprintf("%s/proxy-next-upstream", root)] = strBuilder.String()
 	return result
 }
 
-func (c *client) ConnectHostnameToDeployment(ctx context.Context, directive ctypes.ConnectHostnameToDeploymentDirective) error {
+func (c *client) ConnectHostnameToDeployment(ctx context.Context, directive ctypes.ConnectHostnameToDeploymentDirective, tlsEnabled bool) error {
 	ingressName := directive.Hostname
 	ns := builder.LidNS(directive.LeaseID)
 	rules := ingressRules(directive.Hostname, directive.ServiceName, directive.ServicePort)
@@ -82,16 +92,27 @@ func (c *client) ConnectHostnameToDeployment(ctx context.Context, directive ctyp
 	labels[builder.AkashManagedLabelName] = "true"
 	builder.AppendLeaseLabels(directive.LeaseID, labels)
 
+	var tls []netv1.IngressTLS
+	if tlsEnabled {
+		tls = []netv1.IngressTLS{
+			{
+				Hosts:      []string{directive.Hostname},
+				SecretName: fmt.Sprintf("%s-tls", ingressName),
+			},
+		}
+	}
+
 	ingressClassName := akashIngressClassName
 	obj := &netv1.Ingress{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        ingressName,
 			Labels:      labels,
-			Annotations: kubeNginxIngressAnnotations(directive),
+			Annotations: c.kubeNginxIngressAnnotations(directive),
 		},
 		Spec: netv1.IngressSpec{
 			IngressClassName: &ingressClassName,
 			Rules:            rules,
+			TLS:              tls,
 		},
 	}
 

cluster/util/environment.go

@@ -0,0 +1,17 @@
+package util
+
+import (
+	"os"
+	"strings"
+)
+
+func EnvironmentVariablesToMap() map[string]string {
+	m := make(map[string]string, len(os.Environ()))
+	for _, e := range os.Environ() {
+		if i := strings.Index(e, "="); i >= 0 {
+			m[e[:i]] = e[i+1:]
+		}
+	}
+
+	return m
+}

operator/hostnameoperator/hostname_operator.go

@@ -47,6 +47,8 @@ type hostnameOperator struct {
 
 	flagHostnamesData  operatorcommon.PrepareFlagFn
 	flagIgnoreListData operatorcommon.PrepareFlagFn
+
+	env map[string]string
 }
 
 func (op *hostnameOperator) run(parentCtx context.Context) error {
@@ -389,7 +391,7 @@ func (op *hostnameOperator) applyAddOrUpdateEvent(ctx context.Context, ev ctypes
 		if shouldConnect {
 			op.log.Debug("Updating ingress")
 			// Update or create the existing ingress
-			err = op.client.ConnectHostnameToDeployment(ctx, directive)
+			err = op.client.ConnectHostnameToDeployment(ctx, directive, op.env["AKASH_SSL_ENABLED"] != "")
 		}
 	} else {
 		op.log.Debug("Swapping ingress to new deployment")
@@ -398,7 +400,7 @@ func (op *hostnameOperator) applyAddOrUpdateEvent(ctx context.Context, ev ctypes
 		if err == nil {
 			// Remove the current entry, if the next action succeeds then it gets inserted below
 			delete(op.hostnames, ev.GetHostname())
-			err = op.client.ConnectHostnameToDeployment(ctx, directive)
+			err = op.client.ConnectHostnameToDeployment(ctx, directive, op.env["AKASH_SSL_ENABLED"] != "")
 		}
 	}
 
@@ -427,6 +429,7 @@ func newHostnameOperator(logger log.Logger, client cluster.Client, config operat
 		cfg:           config,
 		server:        opHTTP,
 		leasesIgnored: operatorcommon.NewIgnoreList(ilc),
+		env:           clusterutil.EnvironmentVariablesToMap(),
 	}
 
 	op.flagIgnoreListData = op.server.AddPreparedEndpoint("/ignore-list", op.prepareIgnoreListData)

operator/hostnameoperator/hostname_operator_test.go

@@ -424,7 +424,7 @@ func TestHostnameOperatorApplyAdd(t *testing.T) {
 	}
 	s.client.On("GetManifestGroup", mock.Anything, leaseID).Return(true, mg, nil)
 	directive := buildDirective(ev, serviceExpose) // result tested in other unit tests
-	s.client.On("ConnectHostnameToDeployment", mock.Anything, directive).Return(nil)
+	s.client.On("ConnectHostnameToDeployment", mock.Anything, directive, mock.Anything).Return(nil)
 
 	managed := grabManagedHostnames(t, s.op.server.GetRouter().ServeHTTP)
 	require.Empty(t, managed)
@@ -511,7 +511,7 @@ func TestHostnameOperatorApplyAddMultipleServices(t *testing.T) {
 	}
 	s.client.On("GetManifestGroup", mock.Anything, leaseID).Return(true, mg, nil)
 	directive := buildDirective(ev, serviceExpose) // result tested in other unit tests
-	s.client.On("ConnectHostnameToDeployment", mock.Anything, directive).Return(nil)
+	s.client.On("ConnectHostnameToDeployment", mock.Anything, directive, mock.Anything).Return(nil)
 
 	err := s.op.applyEvent(s.ctx, ev)
 	require.NoError(t, err)
@@ -596,9 +596,9 @@ func TestHostnameOperatorApplyUpdate(t *testing.T) {
 	s.client.On("GetManifestGroup", mock.Anything, secondLeaseID).Return(true, mg2, nil)
 
 	directive := buildDirective(ev, serviceExpose) // result tested in other unit tests
-	s.client.On("ConnectHostnameToDeployment", mock.Anything, directive).Return(nil)
+	s.client.On("ConnectHostnameToDeployment", mock.Anything, directive, mock.Anything).Return(nil)
 	secondDirective := buildDirective(secondEv, secondServiceExpose) // result tested in other unit tests
-	s.client.On("ConnectHostnameToDeployment", mock.Anything, secondDirective).Return(nil)
+	s.client.On("ConnectHostnameToDeployment", mock.Anything, secondDirective, mock.Anything).Return(nil)
 
 	s.client.On("RemoveHostnameFromDeployment", mock.Anything, hostname, leaseID, false).Return(nil)