IAP and CDN plumbing

kubernetes · Jun 11, 2018 · e0372ab · e0372ab
1 parent 96bd52f
commit e0372ab
Show file tree

Hide file tree

Showing 16 changed files with 604 additions and 39 deletions.
diff --git a/cmd/glbc/main.go b/cmd/glbc/main.go
@@ -165,7 +165,7 @@ func runControllers(ctx *context.ControllerContext) {
 	}
 
 	defaultBackendServicePortID := app.DefaultBackendServicePortID(ctx.KubeClient)
-	clusterManager, err := controller.NewClusterManager(ctx.Cloud, namer, defaultBackendServicePortID, flags.F.HealthCheckPath, flags.F.DefaultSvcHealthCheckPath)
+	clusterManager, err := controller.NewClusterManager(ctx, namer, defaultBackendServicePortID, flags.F.HealthCheckPath, flags.F.DefaultSvcHealthCheckPath)
 	if err != nil {
 		glog.Fatalf("controller.NewClusterManager(cloud, namer, %+v, %q, %q) = %v", defaultBackendServicePortID, flags.F.HealthCheckPath, flags.F.DefaultSvcHealthCheckPath, err)
 	}

diff --git a/pkg/apis/backendconfig/v1beta1/types.go b/pkg/apis/backendconfig/v1beta1/types.go
@@ -30,7 +30,7 @@ type BackendConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec   BackendConfigSpec   `json:"spec,omitempty"`
+	Spec   BackendConfigSpec   `json:"spec"`
 	Status BackendConfigStatus `json:"status,omitempty"`
 }
 
@@ -60,14 +60,14 @@ type BackendConfigList struct {
 // +k8s:openapi-gen=true
 type IAPConfig struct {
 	Enabled                bool                    `json:"enabled"`
-	OAuthClientCredentials *OAuthClientCredentials `json:"clientCredentials"`
+	OAuthClientCredentials *OAuthClientCredentials `json:"oauthclientCredentials"`
 }
 
 // OAuthClientCredentials contains credentials for a single IAP-enabled backend.
 // +k8s:openapi-gen=true
 type OAuthClientCredentials struct {
 	// The name of a k8s secret which stores the OAuth client id & secret.
-	SecretName string `json:"secret"`
+	SecretName string `json:"secretName"`
 	// Direct reference to OAuth client id.
 	ClientID string `json:"clientID,omitempty"`
 	// Direct reference to OAuth client secret.

diff --git a/pkg/apis/backendconfig/v1beta1/zz_generated.openapi.go b/pkg/apis/backendconfig/v1beta1/zz_generated.openapi.go
diff --git a/pkg/backendconfig/backendconfig_test.go b/pkg/backendconfig/backendconfig_test.go
@@ -297,8 +297,9 @@ func TestGetBackendConfigForServicePort(t *testing.T) {
 			expectedConfig: testBackendConfig,
 		},
 		{
-			desc: "service with no backend config",
-			svc:  svcWithoutConfig,
+			desc:           "service with no backend config",
+			svc:            svcWithoutConfig,
+			expectedConfig: nil,
 		},
 		{
 			desc:        "service with backend config but port doesn't match",

diff --git a/pkg/backends/backends.go b/pkg/backends/backends.go
@@ -32,6 +32,7 @@ import (
 	"k8s.io/kubernetes/pkg/cloudprovider/providers/gce"
 	"k8s.io/kubernetes/pkg/cloudprovider/providers/gce/cloud/meta"
 
+	"k8s.io/ingress-gce/pkg/backends/features"
 	"k8s.io/ingress-gce/pkg/composite"
 	"k8s.io/ingress-gce/pkg/healthchecks"
 	"k8s.io/ingress-gce/pkg/instances"
@@ -76,13 +77,14 @@ const maxRPS = 1
 
 // Backends implements BackendPool.
 type Backends struct {
-	cloud         *gce.GCECloud
-	negGetter     NEGGetter
-	nodePool      instances.NodePool
-	healthChecker healthchecks.HealthChecker
-	snapshotter   storage.Snapshotter
-	prober        ProbeProvider
-	namer         *utils.Namer
+	cloud                *gce.GCECloud
+	negGetter            NEGGetter
+	nodePool             instances.NodePool
+	healthChecker        healthchecks.HealthChecker
+	snapshotter          storage.Snapshotter
+	prober               ProbeProvider
+	namer                *utils.Namer
+	backendConfigEnabled bool
 }
 
 // Backends is a BackendPool.
@@ -101,14 +103,16 @@ func NewBackendPool(
 	healthChecker healthchecks.HealthChecker,
 	nodePool instances.NodePool,
 	namer *utils.Namer,
+	backendConfigEnabled,
 	resyncWithCloud bool) *Backends {
 
 	backendPool := &Backends{
-		cloud:         cloud,
-		negGetter:     negGetter,
-		nodePool:      nodePool,
-		healthChecker: healthChecker,
-		namer:         namer,
+		cloud:                cloud,
+		negGetter:            negGetter,
+		nodePool:             nodePool,
+		healthChecker:        healthChecker,
+		namer:                namer,
+		backendConfigEnabled: backendConfigEnabled,
 	}
 	if !resyncWithCloud {
 		backendPool.snapshotter = storage.NewInMemoryPool()
@@ -289,6 +293,11 @@ func (b *Backends) ensureBackendService(sp utils.ServicePort, igLinks []string)
 	needUpdate := ensureProtocol(be, sp)
 	needUpdate = ensureHealthCheckLink(be, hcLink) || needUpdate
 	needUpdate = ensureDescription(be, sp.Description()) || needUpdate
+	if b.backendConfigEnabled && sp.BackendConfig != nil {
+		needUpdate = features.EnsureCDN(sp, be) || needUpdate
+		needUpdate = features.EnsureIAP(sp, be) || needUpdate
+	}
+
 	if needUpdate {
 		if err = composite.UpdateBackendService(be, b.cloud); err != nil {
 			return err

diff --git a/pkg/backends/backends_test.go b/pkg/backends/backends_test.go
@@ -69,7 +69,7 @@ func newTestJig(gce *gce.GCECloud, fakeIGs instances.InstanceGroups, syncWithClo
 	nodePool.Init(&instances.FakeZoneLister{Zones: []string{defaultZone}})
 	healthCheckProvider := healthchecks.NewFakeHealthCheckProvider()
 	healthChecks := healthchecks.NewHealthChecker(healthCheckProvider, "/", "/healthz", defaultNamer, defaultBackendSvc)
-	bp := NewBackendPool(gce, negGetter, healthChecks, nodePool, defaultNamer, syncWithCloud)
+	bp := NewBackendPool(gce, negGetter, healthChecks, nodePool, defaultNamer, false, syncWithCloud)
 	probes := map[utils.ServicePort]*api_v1.Probe{{NodePort: 443, Protocol: annotations.ProtocolHTTPS}: existingProbe}
 	bp.Init(NewFakeProbeProvider(probes))
 
@@ -642,7 +642,7 @@ func TestBackendPoolDeleteLegacyHealthChecks(t *testing.T) {
 	nodePool.Init(&instances.FakeZoneLister{Zones: []string{defaultZone}})
 	hcp := healthchecks.NewFakeHealthCheckProvider()
 	healthChecks := healthchecks.NewHealthChecker(hcp, "/", "/healthz", defaultNamer, defaultBackendSvc)
-	bp := NewBackendPool(fakeGCE, negGetter, healthChecks, nodePool, defaultNamer, false)
+	bp := NewBackendPool(fakeGCE, negGetter, healthChecks, nodePool, defaultNamer, false, false)
 	probes := map[utils.ServicePort]*api_v1.Probe{}
 	bp.Init(NewFakeProbeProvider(probes))
 
@@ -832,7 +832,7 @@ func TestLinkBackendServiceToNEG(t *testing.T) {
 	nodePool.Init(&instances.FakeZoneLister{Zones: []string{defaultZone}})
 	hcp := healthchecks.NewFakeHealthCheckProvider()
 	healthChecks := healthchecks.NewHealthChecker(hcp, "/", "/healthz", defaultNamer, defaultBackendSvc)
-	bp := NewBackendPool(fakeGCE, fakeNEG, healthChecks, nodePool, defaultNamer, false)
+	bp := NewBackendPool(fakeGCE, fakeNEG, healthChecks, nodePool, defaultNamer, false, false)
 
 	// Add standard hooks for mocking update calls. Each test can set a update different hook if it chooses to.
 	(fakeGCE.Compute().(*cloud.MockGCE)).MockAlphaBackendServices.UpdateHook = mock.UpdateAlphaBackendServiceHook

diff --git a/pkg/backends/features/cdn.go b/pkg/backends/features/cdn.go
@@ -0,0 +1,68 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package features
+
+import (
+	"reflect"
+
+	"github.com/golang/glog"
+	backendconfigv1beta1 "k8s.io/ingress-gce/pkg/apis/backendconfig/v1beta1"
+	"k8s.io/ingress-gce/pkg/composite"
+	"k8s.io/ingress-gce/pkg/utils"
+)
+
+// EnsureCDN reads the CDN configuration specified in the ServicePort.BackendConfig
+// and applies it to the BackendService. It returns true if there were existing
+// settings on the BackendService that were overwritten.
+func EnsureCDN(sp utils.ServicePort, be *composite.BackendService) bool {
+	beTemp := &composite.BackendService{}
+	applyCDNSettings(sp, beTemp)
+	if !reflect.DeepEqual(beTemp.CdnPolicy, be.CdnPolicy) || beTemp.EnableCDN != be.EnableCDN {
+		applyCDNSettings(sp, be)
+		glog.V(2).Infof("Updated CDN settings for service %v/%v.", sp.ID.Service.Namespace, sp.ID.Service.Name)
+		return true
+	}
+	return false
+}
+
+// applyCDNSettings applies the CDN settings specified in the BackendConfig
+// to the passed in compute.BackendService. A GCE API call still needs to be
+// made to actually persist the changes.
+func applyCDNSettings(sp utils.ServicePort, be *composite.BackendService) {
+	beConfig := sp.BackendConfig
+	setCDNDefaults(beConfig)
+	// Apply the boolean switch
+	be.EnableCDN = beConfig.Spec.Cdn.Enabled
+	// Apply the cache key policies
+	cacheKeyPolicy := beConfig.Spec.Cdn.CachePolicy
+	be.CdnPolicy = &composite.BackendServiceCdnPolicy{CacheKeyPolicy: &composite.CacheKeyPolicy{}}
+	be.CdnPolicy.CacheKeyPolicy.IncludeHost = cacheKeyPolicy.IncludeHost
+	be.CdnPolicy.CacheKeyPolicy.IncludeProtocol = cacheKeyPolicy.IncludeProtocol
+	be.CdnPolicy.CacheKeyPolicy.IncludeQueryString = cacheKeyPolicy.IncludeQueryString
+	be.CdnPolicy.CacheKeyPolicy.QueryStringBlacklist = cacheKeyPolicy.QueryStringBlacklist
+	be.CdnPolicy.CacheKeyPolicy.QueryStringWhitelist = cacheKeyPolicy.QueryStringWhitelist
+}
+
+// setCDNDefaults initializes any nil pointers in CDN configuration which ensures that there are defaults for missing sub-types.
+func setCDNDefaults(beConfig *backendconfigv1beta1.BackendConfig) {
+	if beConfig.Spec.Cdn == nil {
+		beConfig.Spec.Cdn = &backendconfigv1beta1.CDNConfig{}
+	}
+	if beConfig.Spec.Cdn.CachePolicy == nil {
+		beConfig.Spec.Cdn.CachePolicy = &backendconfigv1beta1.CacheKeyPolicy{}
+	}
+}