Merge pull request jetstack#14 from jetstack/feature-ingress-classes

Support for different ingress classes

Author: simonswine

CHANGELOG.md

@@ -2,6 +2,21 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [0.1.0] - *not released yet*
+
+### Added
+
+- Support for GCE load balancer ingress controller
+- E2E automation scripts for GCE/NGINX ingress controllers on GKE
+- Support for ingress-class annotations to distinguish between GCE/NGINX ingress
+- Abstracted the ingress controller specific code into separate packages
+- Deployment of kube-lego uses readiness checks
+
+### Fixed
+
+- Handle failed certificate request without exiting kube-lego
+
+
 ## [0.0.4] - 2016-07-11
 ### Added
 - Check for expired certificates periodically (default config every 8 hours)

Godeps/Godeps.json

@@ -13,6 +13,10 @@ CONTAINER_DIR=/go/src/${PACKAGE_NAME}
 
 .PHONY: version
 
+codegen:
+	which mockgen
+	mockgen -imports .=github.com/jetstack/kube-lego/pkg/kubelego_const -package=mocks -source=pkg/kubelego_const/interfaces.go > pkg/mocks/mocks.go
+
 depend:
 	rm -rf $(TEST_DIR)/
 	rm -rf ${BUILD_DIR}/
@@ -25,7 +29,7 @@ version:
 	$(eval GIT_COMMIT := $(shell git rev-parse HEAD))
 	$(eval APP_VERSION := $(shell cat VERSION))
 
-test: test_root test_pkg_acme test_pkg_ingress test_pkg_kubelego test_pkg_secret test_pkg_utils
+test: test_root test_pkg_acme test_pkg_ingress test_pkg_kubelego test_pkg_secret test_pkg_utils test_pkg_provider_gce test_pkg_provider_nginx
 
 test_prepare: depend
 	which gocover-cobertura || go get github.com/t-yuki/gocover-cobertura
@@ -37,11 +41,17 @@ test_root: test_prepare
 	gocover-cobertura < $(TEST_DIR)/coverage.txt > $(TEST_DIR)/coverage.xml
 	sed -i "s#filename=\"$(PACKAGE_NAME)/#filename=\"#g" $(TEST_DIR)/coverage.xml
 
+test_pkg_provider_%: test_prepare
+	godep go test -v -coverprofile=$(TEST_DIR)/coverage.$*.txt -covermode count ./pkg/provider/$* | go2xunit > $(TEST_DIR)/test.$*.xml
+	gocover-cobertura < $(TEST_DIR)/coverage.$*.txt > $(TEST_DIR)/coverage.$*.xml
+	sed -i "s#filename=\"$(PACKAGE_NAME)/#filename=\"#g" $(TEST_DIR)/coverage.$*.xml
+
 test_pkg_%: test_prepare
 	godep go test -v -coverprofile=$(TEST_DIR)/coverage.$*.txt -covermode count ./pkg/$* | go2xunit > $(TEST_DIR)/test.$*.xml
 	gocover-cobertura < $(TEST_DIR)/coverage.$*.txt > $(TEST_DIR)/coverage.$*.xml
 	sed -i "s#filename=\"$(PACKAGE_NAME)/#filename=\"#g" $(TEST_DIR)/coverage.$*.xml
 
+
 build: depend version
 	CGO_ENABLED=0 GOOS=linux godep go build \
 		-a -tags netgo \

Makefile

@@ -11,29 +11,30 @@
 
 ## Features
 
-- Recognizes the need of new certificates for this cases
-  - domain name missing
-  - certificate expired
-  - certificate unparseable
-- Obtains certificates per TLS object in ingress resources and stores it in Kubernetes secrets using `HTTP-01` challenge
+- Recognizes the need of a new certificate for this cases:
+  - No certificate existing
+  - Existing certificate is not containing all domain names
+  - Existing certificate is expired or near to it's expiry date (cf. option `LEGO_MINIMUM_VALIDITY`)
+  - Existing certificate is unparseable, invalid or not matching the secret key
 - Creates a user account (incl. private key) for Let's Encrypt and stores it in Kubernetes secrets (secret name is configurable via `LEGO_SECRET_NAME`)
-- Watches changes of ingress resources and reevaluate certificates
-- Configures endpoints for `HTTP-01` challenge in a separate ingress resource (ingress name is configurable in `LEGO_INGRESS_NAME`)
+- Obtains the missing certificates from Let's Encrypt and authorizes the request with the `HTTP-01` challenge
+- Makes sure that the specific Kubernetes objects (Services, Ingress) contain the rights configuration for the `HTTP-01` challenge to succeed
 
 ## Requirements
 
 - Kubernetes 1.2+
-- Compatible ingress controller (cf. [here](#ingress))
+- Compatible ingress controller (nginx or GCE see [here](#ingress))
 - Non-production use case :laughing:
 
 ## Usage
 
 ### run kube-lego
 
-- [deployment](examples/kube-lego-deployment.yaml) for *kube-lego*
-  - don't forget to configure `LEGO_EMAIL` with your mail address
-  - the default value of `LEGO_URL` is the Let's Encrypt staging environment. If you want to get "real" certificates you have to configure their production env.
-- [service](examples/kube-lego-svc.yaml) pointing to *kube-lego* pods
+- [deployment](examples/gce/50-kube-lego-deployment.yaml) for *kube-lego*
+  - don't forget to configure
+     - `LEGO_EMAIL` with your mail address
+     - `LEGO_POD_IP` with the pod IP address using the downward API
+  - the default value of `LEGO_URL` is the Let's Encrypt **staging environment**. If you want to get "real" certificates you have to configure their production env.
 
 ### how kube-lego works
 
@@ -47,7 +48,7 @@ metadata:
 
 Every ingress resource that has this annotations will be monitored by *kube-lego* (cluster-wide in all namespaces). The only part that is watched is the list `spec.tls`. Every element will get their own certificate through Let's encrypt.
 
-Let's take a look at this ingress controller:
+Let's take a look at this ingress resource:
 
 ```yaml
 spec:
@@ -66,33 +67,42 @@ spec:
 - The `secretName` statements have to be unique per namespace
 - `secretName` is required (even if no secret exists with that name, as it will be created by *kube-lego*)
 
-###
 
 ##<a name="ingress"></a>Ingress controllers
 
 ### [Nginx Ingress Controller](https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx)
 
 - available through image `gcr.io/google_containers/nginx-ingress-controller`
-- fully supports kube-lego from version 0.8
+- fully supports kube-lego from version 0.8 onwards
+
+### [GCE Loadbalancers](https://github.com/kubernetes/contrib/tree/master/ingress/controllers/gce)
+
+- you don't have to maintain the ingress controller yourself, you pay GCE to do that for you
+- every ingress resource creates one GCE load balancer
+- all service that you want to expose, have to be `Type=NodePort`
 
 ## Environment variables
 
 | Name | Required | Default | Description |
 |------|----------|---------|-------------|
 | `LEGO_EMAIL` | y | `-` | E-Mail address for the ACME account, used to recover from lost secrets |
+| `LEGO_POD_IP` | y | `-` | Pod IP address (use the [downward API](http://kubernetes.io/docs/user-guide/downward-api/))|
 | `LEGO_NAMESPACE` | n | `default` | Namespace where kube-lego is running in |
 | `LEGO_URL` | n | `https://acme-staging.api.letsencrypt.org/directory` | URL for the ACME server |
 | `LEGO_SECRET_NAME` | n | `kube-lego-account` | Name of the secret in the same namespace that contains ACME account secret |
-| `LEGO_SERVICE_NAME` | n | `kube-lego` | Service name that connects to this pod |
-| `LEGO_INGRESS_NAME` | n | `kube-lego` | Ingress name which contains the routing for HTTP verification |
+| `LEGO_SERVICE_NAME_NGINX` | n | `kube-lego-nginx` | Service name for NGINX ingress |
+| `LEGO_SERVICE_NAME_GCE` | n | `kube-lego-gce` | Service name for GCE ingress |
+| `LEGO_INGRESS_NAME_NGINX` | n | `kube-lego-nginx` | Ingress name which contains the routing for HTTP verification for nginx ingress |
 | `LEGO_PORT` | n | `8080` | Port where this daemon is listening for verifcation calls (HTTP method)|
 | `LEGO_CHECK_INTERVAL` | n | `8h` | Interval for periodically certificate checks (to find expired certs)|
 | `LEGO_MINIMUM_VALIDITY` | n | `720h` (30 days) | Request a renewal when the remaining certificate validitiy falls below that value|
+| `LEGO_DEFAULT_INGRESS_CLASS` | n | `nginx` | Default ingress class for resources without specification|
 
 
-## Full example
+## Full deployment examples
 
-See the [examples](examples/README.md) directory.
+- [Nginx Ingress Controller](examples/nginx/README.md)
+- [GCE Load Balancers](examples/gce/README.md)
 
 ## Authors
 

README.md

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: echoserver

examples/gce/05-echoserver-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-lego

examples/gce/05-kube-lego-namespace.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: echoserver
+  namespace: echoserver
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+  type: NodePort
+  selector:
+    app: echoserver

examples/gce/20-echoserver-svc.yaml

@@ -1,6 +1,7 @@
 apiVersion: v1
 metadata:
   name: kube-lego
+  namespace: kube-lego
 data:
   # modify this to specify your address
   lego.email: "[email protected]"

examples/kube-lego-configmap.yaml renamed to examples/gce/20-kube-lego-configmap.yaml

@@ -2,6 +2,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: echoserver
+  namespace: echoserver
 spec:
   replicas: 1
   template:

examples/echoserver-deployment.yaml renamed to examples/gce/50-echoserver-deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: kube-lego
+  namespace: kube-lego
 spec:
   replicas: 1
   template:
@@ -30,3 +31,13 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: LEGO_POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 1

examples/kube-lego-deployment.yaml renamed to examples/gce/50-kube-lego-deployment.yaml

@@ -2,12 +2,20 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: echoserver
+  namespace: echoserver
+  annotations:
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.class: "gce"
 spec:
+  tls:
+  - hosts:
+    - echo.example.com
+    secretName: echoserver-tls
   rules:
   - host: echo.example.com
     http:
       paths:
-      - path: /
+      - path: /*
         backend:
           serviceName: echoserver
           servicePort: 80