Allow multiple ingress hosts to be defined when using ingress (#1377)

* Replace api version for deployment kind to apps/v1 * Add new multiple ingress spec and deprecate hostname and ingress_tls_secret * Manage new ingress_hosts.tls_secret backup separately * Fix ci molecule lint warnings and error * Fix documentation * Fix ingress_hosts tls_secret key being optional * Remove fieldDependency:ingress_type:Ingress for Ingress Hosts * Fix scenario when neither hostname or ingress_hosts is defined --------- Co-authored-by: Guillaume Lefevre <guillaume.lefevre@agoda.com> Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com> Co-authored-by: Christian Adams <chadams@redhat.com>
2026-03-26 21:33:14 +00:00 · 2024-01-05 22:15:04 +07:00
parent c23bc68900
commit 07427be0b7
9 changed files with 126 additions and 28 deletions
--- a/config/crd/bases/awx.ansible.com_awxs.yaml
+++ b/config/crd/bases/awx.ansible.com_awxs.yaml
@@ -54,8 +54,8 @@ spec:
                description: Username to use for the admin account
                type: string
                default: admin
-              hostname:
-                description: The hostname of the instance
+              hostname:  # deprecated
+                description: (Deprecated) The hostname of the instance
                type: string
              admin_email:
                description: The admin user email
@@ -123,12 +123,24 @@ spec:
              ingress_annotations:
                description: Annotations to add to the Ingress Controller
                type: string
-              ingress_tls_secret:
-                description: Secret where the Ingress TLS secret can be found
+              ingress_tls_secret:  # deprecated
+                description: (Deprecated) Secret where the Ingress TLS secret can be found
                type: string
              ingress_class_name:
                description: The name of ingress class to use instead of the cluster default.
                type: string
+              ingress_hosts:
+                description: Ingress hostnames of the instance
+                type: array
+                items:
+                  type: object
+                  properties:
+                    hostname:
+                      description: Hostname of the instance
+                      type: string
+                    tls_secret:
+                      description: Secret where the Ingress TLS secret can be found
+                      type: string
              ingress_controller:
                description: Special configuration for specific Ingress Controllers
                type: string
--- a/config/manifests/bases/awx-operator.clusterserviceversion.yaml
+++ b/config/manifests/bases/awx-operator.clusterserviceversion.yaml
@@ -212,7 +212,7 @@ spec:
      kind: AWX
      name: awxs.awx.ansible.com
      specDescriptors:
-      - displayName: Hostname
+      - displayName: Hostname (Deprecated)
        path: hostname
        x-descriptors:
        - urn:alm:descriptor:com.tectonic.ui:advanced
@@ -302,12 +302,17 @@ spec:
        - urn:alm:descriptor:com.tectonic.ui:advanced
        - urn:alm:descriptor:com.tectonic.ui:text
        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
-      - displayName: Ingress TLS Secret
+      - displayName: Ingress TLS Secret (Deprecated)
        path: ingress_tls_secret
        x-descriptors:
        - urn:alm:descriptor:com.tectonic.ui:advanced
        - urn:alm:descriptor:io.kubernetes:Secret
        - urn:alm:descriptor:com.tectonic.ui:fieldDependency:ingress_type:Ingress
+      - displayName: Ingress Hosts
+        path: ingress_hosts
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:advanced
+        - urn:alm:descriptor:com.tectonic.ui:text
      - displayName: Ingress Controller
        path: ingress_controller
        x-descriptors:
--- a/docs/user-guide/network-and-tls-configuration.md
+++ b/docs/user-guide/network-and-tls-configuration.md
@@ -32,7 +32,7 @@ The following variables are customizable only when `service_type=LoadBalancer`
 | --------------------- | ---------------------------------------- | ------- |
 | loadbalancer_protocol | Protocol to use for Loadbalancer ingress | http    |
 | loadbalancer_port     | Port used for Loadbalancer ingress       | 80      |
-| loadbalancer_ip        | Assign Loadbalancer IP                   | ''      |  
+| loadbalancer_ip       | Assign Loadbalancer IP                   | ''      |

 ```yaml
 ---
@@ -86,22 +86,26 @@ spec:

 The following variables are customizable when `ingress_type=ingress`. The `ingress` type creates an Ingress resource as [documented](https://kubernetes.io/docs/concepts/services-networking/ingress/) which can be shared with many other Ingress Controllers as [listed](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/).

-| Name                | Description                              | Default                     |
-| ------------------- | ---------------------------------------- | --------------------------- |
-| ingress_annotations | Ingress annotations                      | Empty string                |
-| ingress_tls_secret  | Secret that contains the TLS information | Empty string                |
-| ingress_class_name  | Define the ingress class name            | Cluster default             |
-| hostname            | Define the FQDN                          | {{ meta.name }}.example.com |
-| ingress_path        | Define the ingress path to the service   | /                           |
-| ingress_path_type   | Define the type of the path (for LBs)    | Prefix                      |
-| ingress_api_version | Define the Ingress resource apiVersion   | 'networking.k8s.io/v1'      |
+| Name                               | Description                                                                        | Default                     |
+| ---------------------------------- | ---------------------------------------------------------------------------------- | --------------------------- |
+| ingress_annotations                | Ingress annotations                                                                | Empty string                |
+| ingress_tls_secret _(deprecated)_  | Secret that contains the TLS information                                           | Empty string                |
+| ingress_class_name                 | Define the ingress class name                                                      | Cluster default             |
+| hostname _(deprecated)_            | Define the FQDN                                                                    | {{ meta.name }}.example.com |
+| ingress_hosts                      | Define one or multiple FQDN with optional Secret that contains the TLS information | Empty string                |
+| ingress_path                       | Define the ingress path to the service                                             | /                           |
+| ingress_path_type                  | Define the type of the path (for LBs)                                              | Prefix                      |
+| ingress_api_version                | Define the Ingress resource apiVersion                                             | 'networking.k8s.io/v1'      |

 ```yaml
 ---
 spec:
  ...
  ingress_type: ingress
-  hostname: awx-demo.example.com
+  ingress_hosts:
+    - hostname: awx-demo.example.com
+    - hostname: awx-demo.sample.com
+      tls_secret: sample-tls-secret
  ingress_annotations: |
    environment: testing
 ```
@@ -119,7 +123,10 @@ Some Ingress Controllers need a special configuration to fully support AWX, add
 spec:
  ...
  ingress_type: ingress
-  hostname: awx-demo.example.com
+  ingress_hosts:
+    - hostname: awx-demo.example.com
+    - hostname: awx-demo.sample.com
+      tls_secret: sample-tls-secret
  ingress_controller: contour
 ```

--- a/roles/backup/tasks/dump_ingress_tls_secrets.yml
+++ b/roles/backup/tasks/dump_ingress_tls_secrets.yml
@@ -0,0 +1,24 @@
+---
+
+- name: Get secret
+  k8s_info:
+    version: v1
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: "{{ item }}"
+  register: _secret
+  no_log: "{{ no_log }}"
+
+- name: Backup secret if exists
+  block:
+    - name: Set secret key
+      set_fact:
+        _data: "{{ _secret['resources'][0]['data'] }}"
+        _type: "{{ _secret['resources'][0]['type'] }}"
+      no_log: "{{ no_log }}"
+
+    - name: Create and Add secret names and data to dictionary
+      set_fact:
+        secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': item, 'data': _data, 'type': _type }}) }}"
+      no_log: "{{ no_log }}"
+  when: _secret | length
--- a/roles/backup/tasks/secrets.yml
+++ b/roles/backup/tasks/secrets.yml
@@ -12,11 +12,18 @@
  include_tasks: dump_secret.yml
  loop:
    - route_tls_secret
+    # ingress_tls_secret is deprecated in favor of ingress_hosts.tls_secret
    - ingress_tls_secret
    - ldap_cacert_secret
    - bundle_cacert_secret
    - ee_pull_credentials_secret

+- name: Dump ingress tls secret names from awx spec and data into file
+  include_tasks: dump_ingress_tls_secrets.yml
+  with_items:
+    - "{{ awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list }}"
+  when: "{{ awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list | length }}"
+
 - name: Dump receptor secret names and data into file
  include_tasks: dump_receptor_secrets.yml
  loop:
--- a/roles/installer/defaults/main.yml
+++ b/roles/installer/defaults/main.yml
@@ -40,6 +40,16 @@ ingress_tls_secret: ''
 # ingress_controller: contour
 ingress_controller: ''

+# One or multiple FQDN with optional Secret that contains the TLS information.
+# The TLS secret either has to exist before hand with
+# the corresponding cert and key or just be an indicator for where an automated
+# process like cert-manager (enabled via annotations) will store the TLS
+# certificate and key.
+# ingress_hosts:
+#   - hostname: awx-demo.example.com
+#     tls_secret: example-com-tls
+ingress_hosts: ''
+
 loadbalancer_protocol: 'http'
 loadbalancer_port: '80'
 service_annotations: ''
--- a/roles/installer/tasks/install.yml
+++ b/roles/installer/tasks/install.yml
@@ -2,7 +2,7 @@
 - name: Delete old deployment for before installing during upgrade
  k8s:
    kind: Deployment
-    api_version: v1
+    api_version: apps/v1
    namespace: "{{ ansible_operator_meta.namespace }}"
    name: "{{ ansible_operator_meta.name }}"
    state: absent
--- a/roles/installer/tasks/main.yml
+++ b/roles/installer/tasks/main.yml
@@ -9,7 +9,7 @@

 - name: Check for presence of awx-task Deployment
  k8s_info:
-    api_version: v1
+    api_version: apps/v1
    kind: Deployment
    name: "{{ ansible_operator_meta.name }}-task"
    namespace: "{{ ansible_operator_meta.namespace }}"
@@ -17,7 +17,7 @@

 - name: Check for presence of awx-web Deployment
  k8s_info:
-    api_version: v1
+    api_version: apps/v1
    kind: Deployment
    name: "{{ ansible_operator_meta.name }}-web"
    namespace: "{{ ansible_operator_meta.namespace }}"
--- a/roles/installer/templates/networking/ingress.yaml.j2
+++ b/roles/installer/templates/networking/ingress.yaml.j2
@@ -13,7 +13,7 @@ metadata:
  annotations:
 {% if ingress_annotations %}
    {{ ingress_annotations | indent(width=4) }}
-{% endif %}
+{%- endif %}
 {% if ingress_controller|lower == "contour" %}
    projectcontour.io/websocket-routes: "/websocket"
    kubernetes.io/ingress.class: contour
@@ -24,6 +24,7 @@ spec:
  ingressClassName: '{{ ingress_class_name }}'
 {% endif %}
  rules:
+{% if not ingress_hosts %}
    - http:
        paths:
          - path: '{{ ingress_path }}'
@@ -33,6 +34,37 @@ spec:
                name: '{{ ansible_operator_meta.name }}-service'
                port:
                  number: 80
+{% if hostname %}
+      host: {{ hostname }}
+{% endif %}
+{% if ingress_controller|lower == "contour" %}
+          - path: '{{ ingress_path.rstrip("/") }}/websocket'
+            pathType: '{{ ingress_path_type }}'
+            backend:
+              service:
+                name: '{{ ansible_operator_meta.name }}-service'
+                port:
+                  number: 80
+{% endif %}
+{% if ingress_tls_secret %}
+  tls:
+    - hosts:
+      - {{ hostname }}
+      secretName: {{ ingress_tls_secret }}
+{% endif %}
+{% endif %}
+{% if ingress_hosts %}
+{% for item in ingress_hosts %}
+    - host: {{ item.hostname }}
+      http:
+        paths:
+          - path: '{{ ingress_path }}'
+            pathType: '{{ ingress_path_type }}'
+            backend:
+              service:
+                name: '{{ ansible_operator_meta.name }}-service'
+                port:
+                  number: 80
 {% if ingress_controller|lower == "contour" %}
          - path: '{{ ingress_path.rstrip("/") }}/websocket'
            pathType: '{{ ingress_path_type }}'
@@ -42,14 +74,15 @@ spec:
                port:
                  number: 80
 {% endif %}
-{% if hostname %}      
-      host: {{ hostname }}
-{% endif %}      
-{% if ingress_tls_secret %}
+{% endfor %}
  tls:
+{% for item in ingress_hosts %}
+{% if 'tls_secret' in item %}
    - hosts:
-        - {{ hostname }}
-      secretName: {{ ingress_tls_secret }}
+      - {{ item.hostname }}
+      secretName: {{ item.tls_secret }}
+{% endif %}
+{% endfor %}
 {% endif %}
 {% endif %}