From f626b80d8f1fb6408500d4dcd57c847c4f70c4b2 Mon Sep 17 00:00:00 2001
From: Jon Poler
Date: Thu, 9 May 2024 11:58:43 -0400
Subject: [PATCH] feat: make ClusterIssuer optional to allow certmanager defaults (#299)
Co-authored-by: Jon Poler
---
 api/install/v1alpha1/armadaserver_types.go | 2 +-
 api/install/v1alpha1/binoculars_types.go | 2 +-
 api/install/v1alpha1/lookout_types.go | 2 +-
 api/install/v1alpha1/scheduler_types.go | 2 +-
 .../install.armadaproject.io_armadaservers.yaml | 1 -
 .../install.armadaproject.io_binoculars.yaml | 1 -
 .../bases/install.armadaproject.io_lookouts.yaml | 1 -
 .../install.armadaproject.io_schedulers.yaml | 1 -
 .../controller/install/armadaserver_controller.go | 15 +++++++++++----
 .../controller/install/binoculars_controller.go | 15 +++++++++++----
 internal/controller/install/lookout_controller.go | 7 +++++--
 .../controller/install/scheduler_controller.go | 7 +++++--
 12 files changed, 36 insertions(+), 20 deletions(-)
diff --git a/api/install/v1alpha1/armadaserver_types.go b/api/install/v1alpha1/armadaserver_types.go
index 97a25d0f..4eb32446 100644
--- a/api/install/v1alpha1/armadaserver_types.go
+++ b/api/install/v1alpha1/armadaserver_types.go
@@ -34,7 +34,7 @@ type ArmadaServerSpec struct {
 // An array of host names to build ingress rules for
 HostNames []string `json:"hostNames,omitempty"`
 // Who is issuing certificates for CA
- ClusterIssuer string `json:"clusterIssuer"`
+ ClusterIssuer string `json:"clusterIssuer,omitempty"`
 // Run Pulsar Init Jobs On Startup
 PulsarInit bool `json:"pulsarInit,omitempty"`
 // SecurityContext defines the security options the container should be run with
diff --git a/api/install/v1alpha1/binoculars_types.go b/api/install/v1alpha1/binoculars_types.go
index 2c945199..0f5c1e99 100644
--- a/api/install/v1alpha1/binoculars_types.go
+++ b/api/install/v1alpha1/binoculars_types.go
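Review bot: The field comment `// Who is issuing certificates for CA` on `ClusterIssuer` in ArmadaServerSpec no longer tells the reader what an empty value means now that the tag carries `omitempty`. I would replace it with `// ClusterIssuer names the cert-manager ClusterIssuer for the ingress certificates; when empty, no cluster-issuer annotation is set.` and add a `// +optional` marker above the field so the optionality is stated in the type and not only in the JSON tag. The same comment sits on the field in BinocularsSpec, LookoutSpec and SchedulerSpec in the following hunks. The struct body continues outside the hunk.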
@@ -58,7 +58,7 @@ type BinocularsSpec struct {
 // An array of host names to build ingress rules for
 HostNames []string `json:"hostNames,omitempty"`
 // Who is issuing certificates for CA
- ClusterIssuer string `json:"clusterIssuer"`
+ ClusterIssuer string `json:"clusterIssuer,omitempty"`
 // SecurityContext defines the security options the container should be run with
 SecurityContext *corev1.SecurityContext `json:"securityContext,omitempty"`
 // PodSecurityContext defines the security options the pod should be run with
diff --git a/api/install/v1alpha1/lookout_types.go b/api/install/v1alpha1/lookout_types.go
index 616422b1..586389d7 100644
--- a/api/install/v1alpha1/lookout_types.go
+++ b/api/install/v1alpha1/lookout_types.go
@@ -58,7 +58,7 @@ type LookoutSpec struct {
 // An array of host names to build ingress rules for
 HostNames []string `json:"hostNames,omitempty"`
 // Who is issuing certificates for CA
- ClusterIssuer string `json:"clusterIssuer"`
+ ClusterIssuer string `json:"clusterIssuer,omitempty"`
 // Migrate toggles whether to run migrations when installed
 Migrate *bool `json:"migrate,omitempty"`
 // DbPruningEnabled when true a pruning CronJob is created
diff --git a/api/install/v1alpha1/scheduler_types.go b/api/install/v1alpha1/scheduler_types.go
index 9127d6ec..9a020e82 100644
--- a/api/install/v1alpha1/scheduler_types.go
+++ b/api/install/v1alpha1/scheduler_types.go
@@ -56,7 +56,7 @@ type SchedulerSpec struct {
 // An array of host names to build ingress rules for
 HostNames []string `json:"hostNames,omitempty"`
 // Who is issuing certificates for CA
- ClusterIssuer string `json:"clusterIssuer"`
+ ClusterIssuer string `json:"clusterIssuer,omitempty"`
 // Migrate toggles whether to run migrations when installed
 Migrate *bool `json:"migrate,omitempty"`
 // Pruning config for cron job
diff --git a/config/crd/bases/install.armadaproject.io_armadaservers.yaml b/config/crd/bases/install.armadaproject.io_armadaservers.yaml
index 60eab95d..d9660018 100644
--- a/config/crd/bases/install.armadaproject.io_armadaservers.yaml +++ b/config/crd/bases/install.armadaproject.io_armadaservers.yaml @@ -2368,7 +2368,6 @@ spec: type: array required: - applicationConfig - - clusterIssuer - image type: object status: diff --git a/config/crd/bases/install.armadaproject.io_binoculars.yaml b/config/crd/bases/install.armadaproject.io_binoculars.yaml index 7973e95e..edc1b38d 100644 --- a/config/crd/bases/install.armadaproject.io_binoculars.yaml +++ b/config/crd/bases/install.armadaproject.io_binoculars.yaml @@ -2365,7 +2365,6 @@ spec: type: array required: - applicationConfig - - clusterIssuer - image - replicas type: object diff --git a/config/crd/bases/install.armadaproject.io_lookouts.yaml b/config/crd/bases/install.armadaproject.io_lookouts.yaml index 91c628ea..04cc34e7 100644 --- a/config/crd/bases/install.armadaproject.io_lookouts.yaml +++ b/config/crd/bases/install.armadaproject.io_lookouts.yaml @@ -2374,7 +2374,6 @@ spec: type: array required: - applicationConfig - - clusterIssuer - image type: object status: diff --git a/config/crd/bases/install.armadaproject.io_schedulers.yaml b/config/crd/bases/install.armadaproject.io_schedulers.yaml index 2d37393f..65139f46 100644 --- a/config/crd/bases/install.armadaproject.io_schedulers.yaml +++ b/config/crd/bases/install.armadaproject.io_schedulers.yaml @@ -2434,7 +2434,6 @@ spec: type: array required: - applicationConfig - - clusterIssuer - image type: object status: diff --git a/internal/controller/install/armadaserver_controller.go b/internal/controller/install/armadaserver_controller.go index 3dae78a7..79b73588 100644 --- a/internal/controller/install/armadaserver_controller.go +++ b/internal/controller/install/armadaserver_controller.go 
@@ -593,11 +593,15 @@ func createIngressGrpc(as *installv1alpha1.ArmadaServer) (*networkingv1.Ingress, "kubernetes.io/ingress.class": as.Spec.Ingress.IngressClass, "nginx.ingress.kubernetes.io/ssl-redirect": "true", "nginx.ingress.kubernetes.io/backend-protocol": "GRPC", - "certmanager.k8s.io/cluster-issuer": as.Spec.ClusterIssuer, - "cert-manager.io/cluster-issuer": as.Spec.ClusterIssuer, }, }, } + + if as.Spec.ClusterIssuer != "" { + grpcIngress.ObjectMeta.Annotations["certmanager.k8s.io/cluster-issuer"] = as.Spec.ClusterIssuer + grpcIngress.ObjectMeta.Annotations["cert-manager.io/cluster-issuer"] = as.Spec.ClusterIssuer + } + if as.Spec.Ingress.Annotations != nil { for key, value := range as.Spec.Ingress.Annotations { grpcIngress.ObjectMeta.Annotations[key] = value @@ -643,14 +647,17 @@ func createIngressHttp(as *installv1alpha1.ArmadaServer) (*networkingv1.Ingress, Name: restIngressName, Namespace: as.Namespace, Labels: AllLabels(as.Name, as.Labels), Annotations: map[string]string{ "kubernetes.io/ingress.class": as.Spec.Ingress.IngressClass, - "certmanager.k8s.io/cluster-issuer": as.Spec.ClusterIssuer, - "cert-manager.io/cluster-issuer": as.Spec.ClusterIssuer, "nginx.ingress.kubernetes.io/rewrite-target": "/$2", "nginx.ingress.kubernetes.io/ssl-redirect": "true", }, }, } + if as.Spec.ClusterIssuer != "" { + restIngress.ObjectMeta.Annotations["certmanager.k8s.io/cluster-issuer"] = as.Spec.ClusterIssuer + restIngress.ObjectMeta.Annotations["cert-manager.io/cluster-issuer"] = as.Spec.ClusterIssuer + } + if as.Spec.Ingress.Annotations != nil { for key, value := range as.Spec.Ingress.Annotations { restIngress.ObjectMeta.Annotations[key] = value diff --git a/internal/controller/install/binoculars_controller.go b/internal/controller/install/binoculars_controller.go index 90295475..3c145a5c 100644 --- a/internal/controller/install/binoculars_controller.go +++ b/internal/controller/install/binoculars_controller.go 
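Review bot: With `ClusterIssuer` empty, the new `if as.Spec.ClusterIssuer != ""` branch in createIngressGrpc leaves the ingress with no cert-manager annotation at all, while `nginx.ingress.kubernetes.io/ssl-redirect` stays `"true"`. cert-manager's ingress-shim only acts on an annotated Ingress, so falling back to its default issuer presumably still needs `kubernetes.io/tls-acme: "true"` supplied through `Spec.Ingress.Annotations` and a default issuer configured on cert-manager; otherwise, if the ingress references a TLS secret (not visible in this hunk), nothing creates it and the ingress controller would likely serve its built-in self-signed certificate. I would state that at the branch, e.g. `// Empty ClusterIssuer: no issuer annotation is set; a certificate is issued only if spec.ingress.annotations requests one (e.g. kubernetes.io/tls-acme).` The same applies to createIngressHttp below and to the Binoculars, Lookout and Scheduler hunks. The function body starts and ends outside the hunk.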
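Review bot: The `if as.Spec.ClusterIssuer != ""` block in createIngressHttp is the second of six identical copies added by this commit (createIngressGrpc above, and the Binoculars, Lookout and Scheduler ingress builders), each writing the same two annotation keys. A small helper keeps the older `certmanager.k8s.io/cluster-issuer` key and the current `cert-manager.io/cluster-issuer` key in one place, so a later change to either cannot miss one ingress. The helper name below is only a suggestion, and createIngressHttp itself continues outside the hunk.

```go
// setClusterIssuerAnnotations adds the cert-manager issuer annotations when an
// issuer is configured; an empty issuer leaves the map untouched.
func setClusterIssuerAnnotations(annotations map[string]string, issuer string) {
	if issuer == "" {
		return
	}
	annotations["certmanager.k8s.io/cluster-issuer"] = issuer
	annotations["cert-manager.io/cluster-issuer"] = issuer
}

// … unchanged: restIngress literal in createIngressHttp …
	setClusterIssuerAnnotations(restIngress.ObjectMeta.Annotations, as.Spec.ClusterIssuer)
// … unchanged: Spec.Ingress.Annotations loop …
```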
@@ -396,11 +396,15 @@ func createBinocularsIngressGrpc(binoculars *installv1alpha1.Binoculars) (*netwo "kubernetes.io/ingress.class": binoculars.Spec.Ingress.IngressClass, "nginx.ingress.kubernetes.io/ssl-redirect": "true", "nginx.ingress.kubernetes.io/backend-protocol": "GRPC", - "certmanager.k8s.io/cluster-issuer": binoculars.Spec.ClusterIssuer, - "cert-manager.io/cluster-issuer": binoculars.Spec.ClusterIssuer, }, }, } + + if binoculars.Spec.ClusterIssuer != "" { + grpcIngress.ObjectMeta.Annotations["certmanager.k8s.io/cluster-issuer"] = binoculars.Spec.ClusterIssuer + grpcIngress.ObjectMeta.Annotations["cert-manager.io/cluster-issuer"] = binoculars.Spec.ClusterIssuer + } + if binoculars.Spec.Ingress.Annotations != nil { for key, value := range binoculars.Spec.Ingress.Annotations { grpcIngress.ObjectMeta.Annotations[key] = value @@ -445,14 +449,17 @@ func createBinocularsIngressHttp(binoculars *installv1alpha1.Binoculars) (*netwo ObjectMeta: metav1.ObjectMeta{Name: restIngressName, Namespace: binoculars.Namespace, Labels: AllLabels(binoculars.Name, binoculars.Labels), Annotations: map[string]string{ "kubernetes.io/ingress.class": binoculars.Spec.Ingress.IngressClass, - "certmanager.k8s.io/cluster-issuer": binoculars.Spec.ClusterIssuer, - "cert-manager.io/cluster-issuer": binoculars.Spec.ClusterIssuer, "nginx.ingress.kubernetes.io/rewrite-target": "/$2", "nginx.ingress.kubernetes.io/ssl-redirect": "true", }, }, } + if binoculars.Spec.ClusterIssuer != "" { + restIngress.ObjectMeta.Annotations["certmanager.k8s.io/cluster-issuer"] = binoculars.Spec.ClusterIssuer + restIngress.ObjectMeta.Annotations["cert-manager.io/cluster-issuer"] = binoculars.Spec.ClusterIssuer + } + if binoculars.Spec.Ingress.Annotations != nil { for key, value := range binoculars.Spec.Ingress.Annotations { restIngress.ObjectMeta.Annotations[key] = value 
diff --git a/internal/controller/install/lookout_controller.go b/internal/controller/install/lookout_controller.go index 83cfa5b5..374f0a92 100644 --- a/internal/controller/install/lookout_controller.go +++ b/internal/controller/install/lookout_controller.go @@ -383,13 +383,16 @@ func createLookoutIngressHttp(lookout *installv1alpha1.Lookout) (*networking.Ing Name: ingressName, Namespace: lookout.Namespace, Labels: AllLabels(lookout.Name, lookout.Labels), Annotations: map[string]string{ "kubernetes.io/ingress.class": lookout.Spec.Ingress.IngressClass, - "certmanager.k8s.io/cluster-issuer": lookout.Spec.ClusterIssuer, - "cert-manager.io/cluster-issuer": lookout.Spec.ClusterIssuer, "nginx.ingress.kubernetes.io/ssl-redirect": "true", }, }, } + if lookout.Spec.ClusterIssuer != "" { + ingressHttp.ObjectMeta.Annotations["certmanager.k8s.io/cluster-issuer"] = lookout.Spec.ClusterIssuer + ingressHttp.ObjectMeta.Annotations["cert-manager.io/cluster-issuer"] = lookout.Spec.ClusterIssuer + } + if lookout.Spec.Ingress.Annotations != nil { for key, value := range lookout.Spec.Ingress.Annotations { ingressHttp.ObjectMeta.Annotations[key] = value diff --git a/internal/controller/install/scheduler_controller.go b/internal/controller/install/scheduler_controller.go index f390bef9..8868dbe5 100644 --- a/internal/controller/install/scheduler_controller.go +++ b/internal/controller/install/scheduler_controller.go 
@@ -375,12 +375,15 @@ func createSchedulerIngressGrpc(scheduler *installv1alpha1.Scheduler) (*networki "kubernetes.io/ingress.class": scheduler.Spec.Ingress.IngressClass, "nginx.ingress.kubernetes.io/ssl-redirect": "true", "nginx.ingress.kubernetes.io/backend-protocol": "GRPC", - "certmanager.k8s.io/cluster-issuer": scheduler.Spec.ClusterIssuer, - "cert-manager.io/cluster-issuer": scheduler.Spec.ClusterIssuer, }, }, } + if scheduler.Spec.ClusterIssuer != "" { + ingressHttp.ObjectMeta.Annotations["certmanager.k8s.io/cluster-issuer"] = scheduler.Spec.ClusterIssuer + ingressHttp.ObjectMeta.Annotations["cert-manager.io/cluster-issuer"] = scheduler.Spec.ClusterIssuer + } + if scheduler.Spec.Ingress.Annotations != nil { for key, value := range scheduler.Spec.Ingress.Annotations { ingressHttp.ObjectMeta.Annotations[key] = value
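Review bot: The added lines in createSchedulerIngressGrpc write to a variable called `ingressHttp`, although the annotations just above set `nginx.ingress.kubernetes.io/backend-protocol` to `GRPC`. The name predates this commit (the context line `ingressHttp.ObjectMeta.Annotations[key] = value` uses it too), but the new block is a good moment to rename it, e.g. to `grpcIngress` as createIngressGrpc does, so it is not mistaken for the HTTP ingress. The declaration is outside the hunk, so the rename would have to cover the whole function.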