Allow multiple ingress hosts to be defined when using ingress (#1377)

* Replace api version for deployment kind to apps/v1

* Add new multiple ingress spec and deprecate hostname and ingress_tls_secret

* Manage new ingress_hosts.tls_secret backup separately

* Fix ci molecule lint warnings and error

* Fix documentation

* Fix ingress_hosts tls_secret key being optional

* Remove fieldDependency:ingress_type:Ingress for Ingress Hosts

* Fix scenario when neither hostname or ingress_hosts is defined

---------

Co-authored-by: Guillaume Lefevre <guillaume.lefevre@agoda.com>
Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>
Co-authored-by: Christian Adams <chadams@redhat.com>

roles/backup/tasks/dump_ingress_tls_secrets.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Get secret
+  k8s_info:
+    version: v1
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: "{{ item }}"
+  register: _secret
+  no_log: "{{ no_log }}"
+
+- name: Backup secret if exists
+  block:
+    - name: Set secret key
+      set_fact:
+        _data: "{{ _secret['resources'][0]['data'] }}"
+        _type: "{{ _secret['resources'][0]['type'] }}"
+      no_log: "{{ no_log }}"
+
+    - name: Create and Add secret names and data to dictionary
+      set_fact:
+        secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': item, 'data': _data, 'type': _type }}) }}"
+      no_log: "{{ no_log }}"
+  when: _secret | length

roles/backup/tasks/secrets.yml

@@ -12,11 +12,18 @@
   include_tasks: dump_secret.yml
   loop:
     - route_tls_secret
+    # ingress_tls_secret is deprecated in favor of ingress_hosts.tls_secret
     - ingress_tls_secret
     - ldap_cacert_secret
     - bundle_cacert_secret
     - ee_pull_credentials_secret
 
+- name: Dump ingress tls secret names from awx spec and data into file
+  include_tasks: dump_ingress_tls_secrets.yml
+  with_items:
+    - "{{ awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list }}"
+  when: "{{ awx_spec.spec['ingress_hosts'] | default('') | map(attribute='tls_secret', default='') | select() | list | length }}"
+
 - name: Dump receptor secret names and data into file
   include_tasks: dump_receptor_secrets.yml
   loop:

roles/installer/defaults/main.yml

@@ -40,6 +40,16 @@ ingress_tls_secret: ''
 # ingress_controller: contour
 ingress_controller: ''
 
+# One or multiple FQDN with optional Secret that contains the TLS information.
+# The TLS secret either has to exist before hand with
+# the corresponding cert and key or just be an indicator for where an automated
+# process like cert-manager (enabled via annotations) will store the TLS
+# certificate and key.
+# ingress_hosts:
+#   - hostname: awx-demo.example.com
+#     tls_secret: example-com-tls
+ingress_hosts: ''
+
 loadbalancer_protocol: 'http'
 loadbalancer_port: '80'
 service_annotations: ''

roles/installer/tasks/install.yml

@@ -2,7 +2,7 @@
 - name: Delete old deployment for before installing during upgrade
   k8s:
     kind: Deployment
-    api_version: v1
+    api_version: apps/v1
     namespace: "{{ ansible_operator_meta.namespace }}"
     name: "{{ ansible_operator_meta.name }}"
     state: absent

roles/installer/tasks/main.yml

@@ -9,7 +9,7 @@
 
 - name: Check for presence of awx-task Deployment
   k8s_info:
-    api_version: v1
+    api_version: apps/v1
     kind: Deployment
     name: "{{ ansible_operator_meta.name }}-task"
     namespace: "{{ ansible_operator_meta.namespace }}"
@@ -17,7 +17,7 @@
 
 - name: Check for presence of awx-web Deployment
   k8s_info:
-    api_version: v1
+    api_version: apps/v1
     kind: Deployment
     name: "{{ ansible_operator_meta.name }}-web"
     namespace: "{{ ansible_operator_meta.namespace }}"

roles/installer/templates/networking/ingress.yaml.j2

@@ -13,7 +13,7 @@ metadata:
   annotations:
 {% if ingress_annotations %}
     {{ ingress_annotations | indent(width=4) }}
-{% endif %}
+{%- endif %}
 {% if ingress_controller|lower == "contour" %}
     projectcontour.io/websocket-routes: "/websocket"
     kubernetes.io/ingress.class: contour
@@ -24,6 +24,7 @@ spec:
   ingressClassName: '{{ ingress_class_name }}'
 {% endif %}
   rules:
+{% if not ingress_hosts %}
     - http:
         paths:
           - path: '{{ ingress_path }}'
@@ -33,6 +34,37 @@ spec:
                 name: '{{ ansible_operator_meta.name }}-service'
                 port:
                   number: 80
+{% if hostname %}
+      host: {{ hostname }}
+{% endif %}
+{% if ingress_controller|lower == "contour" %}
+          - path: '{{ ingress_path.rstrip("/") }}/websocket'
+            pathType: '{{ ingress_path_type }}'
+            backend:
+              service:
+                name: '{{ ansible_operator_meta.name }}-service'
+                port:
+                  number: 80
+{% endif %}
+{% if ingress_tls_secret %}
+  tls:
+    - hosts:
+      - {{ hostname }}
+      secretName: {{ ingress_tls_secret }}
+{% endif %}
+{% endif %}
+{% if ingress_hosts %}
+{% for item in ingress_hosts %}
+    - host: {{ item.hostname }}
+      http:
+        paths:
+          - path: '{{ ingress_path }}'
+            pathType: '{{ ingress_path_type }}'
+            backend:
+              service:
+                name: '{{ ansible_operator_meta.name }}-service'
+                port:
+                  number: 80
 {% if ingress_controller|lower == "contour" %}
           - path: '{{ ingress_path.rstrip("/") }}/websocket'
             pathType: '{{ ingress_path_type }}'
@@ -42,14 +74,15 @@ spec:
                 port:
                   number: 80
 {% endif %}
-{% if hostname %}      
-      host: {{ hostname }}
-{% endif %}      
-{% if ingress_tls_secret %}
+{% endfor %}
   tls:
+{% for item in ingress_hosts %}
+{% if 'tls_secret' in item %}
     - hosts:
-        - {{ hostname }}
-      secretName: {{ ingress_tls_secret }}
+      - {{ item.hostname }}
+      secretName: {{ item.tls_secret }}
+{% endif %}
+{% endfor %}
 {% endif %}
 {% endif %}