Various fixes for ingress

skateco · Aug 8, 2024 · ebf1edc · ebf1edc
1 parent d53b382
commit ebf1edc
Show file tree

Hide file tree

Showing 9 changed files with 87 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -151,6 +151,7 @@ sudo apt-get install -y gcc make libssl-dev pkg-config
         - [ ] Remove
         - [x] List
         - [ ] Store manifest in store so CNI plugin can get access
+        - [ ] Fix pod naming to avoid collisions
     - Deployments
         - [x] Apply
         - [ ] Remove
@@ -199,6 +200,7 @@ sudo apt-get install -y gcc make libssl-dev pkg-config
     - [x] letsencrypt
         - [ ] Cluster Issuer to set letsencrypt url
     - [ ] Support gateway api
+    - [ ] Fix sihup reload
 - CNI
     - [ ] Get pod config from store and not sqlite
     - [ ] Reload nginx 

diff --git a/images/nginx-ingress/docker_entrypoint.sh b/images/nginx-ingress/docker_entrypoint.sh
@@ -90,6 +90,7 @@ reload_and_wait() {
         # have lock
         pid="$(cat $pidfile 2>/dev/null || echo '')"
         if [ -z "${pid:-}" ]; then
+            echo "no pid found"
             return
         fi
 
@@ -100,6 +101,8 @@ reload_and_wait() {
         rm /tmp/ingressreload.lock
         echo "waiting on $pid"
         wait "$pid"
+    else
+        echo "lock failed"
     fi
 }
 

diff --git a/images/nginx-ingress/nginx.conf.tmpl b/images/nginx-ingress/nginx.conf.tmpl
@@ -60,6 +60,7 @@ http {
      '"http_referrer": "$http_referer", '
      '"http_user_agent": "$http_user_agent", '
      '"http_version": "$server_protocol", '
+     '"server_port": "$server_port", '
      '"nginx_access": true }';
     access_log /dev/stdout vhost;
 

diff --git a/images/nginx-ingress/service.conf.tmpl b/images/nginx-ingress/service.conf.tmpl
@@ -74,11 +74,11 @@ server {
 
     # create the server based on the service
     server_name {{this.host}};
-    listen {{../port}}{{#if port 443}} ssl{{/if}};
+    listen {{../port}}{{#if (eq ../port 443)}} ssl{{/if}};
     access_log "/usr/local/openresty/nginx/logs/access.log" vhost;
 
-    {{#if port 443}}
-        {{> enableTLS }}
+    {{#if (eq ../port 443)}}
+        {{> enableTLS baseDomain=../baseDomain}}
     {{/if}}
 
     {{> enableMaxBody metatdata.annotations["nginx.ingress.kubernetes.io/proxy-body-size"]}}
@@ -120,7 +120,7 @@ server {
 
 
     {{#each this.http.paths as |path|}}
-        {{#if path.pathType "prefix"}}
+        {{#if (eq path.pathType "prefix")}}
         location {{path.path}} {
             {{> proxyPassLocation path}}
 

diff --git a/images/nginx-ingress/test/443.json b/images/nginx-ingress/test/443.json
@@ -0,0 +1,34 @@
+{
+  "port": 443,
+  "baseDomain": "example.com",
+  "apiVersion": "networking.k8s.io/v1",
+  "kind": "Ingress",
+  "metadata": {
+    "name": "foo-external"
+  },
+  "annotations": {
+  },
+  "spec": {
+    "rules": [
+      {
+        "host": "foo.example.com",
+        "http": {
+          "paths": [
+            {
+              "path": "/",
+              "pathType": "Prefix",
+              "backend": {
+                "service": {
+                  "name": "foo",
+                  "port": {
+                    "number": 80
+                  }
+                }
+              }
+            }
+          ]
+        }
+      }
+    ]
+  }
+}
diff --git a/images/nginx-ingress/test/80.json b/images/nginx-ingress/test/80.json
@@ -0,0 +1,33 @@
+{
+  "port": 80,
+  "apiVersion": "networking.k8s.io/v1",
+  "kind": "Ingress",
+  "metadata": {
+    "name": "foo-external"
+  },
+  "annotations": {
+  },
+  "spec": {
+    "rules": [
+      {
+        "host": "foo.example.com",
+        "http": {
+          "paths": [
+            {
+              "path": "/",
+              "pathType": "Prefix",
+              "backend": {
+                "service": {
+                  "name": "foo",
+                  "port": {
+                    "number": 80
+                  }
+                }
+              }
+            }
+          ]
+        }
+      }
+    ]
+  }
+}
diff --git a/images/nginx-ingress/test/test.sh b/images/nginx-ingress/test/test.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -xeuo pipefail
+
+cat 443.json|skatelet template -f ../service.conf.tmpl -
+cat 80.json|skatelet template -f ../service.conf.tmpl -
diff --git a/src/create.rs b/src/create.rs
@@ -166,7 +166,7 @@ async fn create_node(args: CreateNodeArgs) -> Result<(), Box<dyn Error>> {
 
 
     _ = conn.execute("sudo mkdir -p /var/lib/skate/ingress").await?;
-    _ = conn.execute("sudo podman rm -fa").await;
+    // _ = conn.execute("sudo podman rm -fa").await;
 
     setup_networking(&conn, &all_conns, &cluster, &node).await?;
 

diff --git a/src/executor.rs b/src/executor.rs
@@ -208,6 +208,9 @@ impl DefaultExecutor {
             // set "port" key
             let mut json_ingress = serde_json::to_value(&ingress).map_err(|e| anyhow!(e).context("failed to serialize manifest to json"))?;
             json_ingress["port"] = json!(port);
+            // TODO - figure out how best to deal with fallback TLS certificates.
+            // Should we create a self signed every time?
+            json_ingress["baseDomain"] = json!("fallback.com");
 
             let json_ingress_string = json_ingress.to_string();