digitalocean
diff --git a/‎cloud-controller-manager/do/loadbalancers.go‎
Lines changed: 35 additions & 14 deletions b/‎cloud-controller-manager/do/loadbalancers.go‎
Lines changed: 35 additions & 14 deletions
diff --git a/‎cloud-controller-manager/do/loadbalancers_test.go‎
Lines changed: 179 additions & 0 deletions b/‎cloud-controller-manager/do/loadbalancers_test.go‎
Lines changed: 179 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 1 addition & 1 deletion b/‎go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.sum‎
Lines changed: 2 additions & 2 deletions b/‎go.sum‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎vendor/github.com/digitalocean/godo/CHANGELOG.md‎
Lines changed: 8 additions & 0 deletions b/‎vendor/github.com/digitalocean/godo/CHANGELOG.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎vendor/github.com/digitalocean/godo/godo.go‎
Lines changed: 1 addition & 1 deletion b/‎vendor/github.com/digitalocean/godo/godo.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎vendor/github.com/digitalocean/godo/kubernetes.go‎
Lines changed: 9 additions & 0 deletions b/‎vendor/github.com/digitalocean/godo/kubernetes.go‎
Lines changed: 9 additions & 0 deletions
@@ -146,6 +146,10 @@ const (
 	// should be redirected to Https. Defaults to false
 	annDORedirectHTTPToHTTPS = "service.beta.kubernetes.io/do-loadbalancer-redirect-http-to-https"
 
+	// annDODisableLetsEncryptDNSRecords is the annotation specifying whether automatic DNS record creation should
+	// be disabled when a Let's Encrypt cert is added to a load balancer
+	annDODisableLetsEncryptDNSRecords = "service.beta.kubernetes.io/do-loadbalancer-disable-lets-encrypt-dns-records"
+
 	// annDOEnableProxyProtocol is the annotation specifying whether PROXY protocol should
 	// be enabled. Defaults to false.
 	annDOEnableProxyProtocol = "service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol"
@@ -693,26 +697,32 @@ func (l *loadBalancers) buildLoadBalancerRequest(ctx context.Context, service *v
 		return nil, err
 	}
 
+	disableLetsEncryptDNSRecords, err := getDisableLetsEncryptDNSRecords(service)
+	if err != nil {
+		return nil, err
+	}
+
 	var tags []string
 	if l.resources.clusterID != "" {
 		tags = []string{buildK8sTag(l.resources.clusterID)}
 	}
 
 	return &godo.LoadBalancerRequest{
-		Name:                   lbName,
-		DropletIDs:             dropletIDs,
-		Region:                 l.region,
-		SizeSlug:               sizeSlug,
-		SizeUnit:               sizeUnit,
-		ForwardingRules:        forwardingRules,
-		HealthCheck:            healthCheck,
-		StickySessions:         stickySessions,
-		Tags:                   tags,
-		Algorithm:              algorithm,
-		RedirectHttpToHttps:    redirectHTTPToHTTPS,
-		EnableProxyProtocol:    enableProxyProtocol,
-		EnableBackendKeepalive: enableBackendKeepalive,
-		VPCUUID:                l.resources.clusterVPCID,
+		Name:                         lbName,
+		DropletIDs:                   dropletIDs,
+		Region:                       l.region,
+		SizeSlug:                     sizeSlug,
+		SizeUnit:                     sizeUnit,
+		ForwardingRules:              forwardingRules,
+		HealthCheck:                  healthCheck,
+		StickySessions:               stickySessions,
+		Tags:                         tags,
+		Algorithm:                    algorithm,
+		RedirectHttpToHttps:          redirectHTTPToHTTPS,
+		EnableProxyProtocol:          enableProxyProtocol,
+		EnableBackendKeepalive:       enableBackendKeepalive,
+		VPCUUID:                      l.resources.clusterVPCID,
+		DisableLetsEncryptDNSRecords: &disableLetsEncryptDNSRecords,
 	}, nil
 }
 
@@ -1199,6 +1209,17 @@ func getEnableProxyProtocol(service *v1.Service) (bool, error) {
 	return enableProxyProtocol, nil
 }
 
+// getDisableLetsEncryptDNSRecords returns whether DNS records should be automatically created
+// for Let's Encrypt certs added to the LB
+func getDisableLetsEncryptDNSRecords(service *v1.Service) (bool, error) {
+	disableLetsEncryptDNSRecords, _, err := getBool(service.Annotations, annDODisableLetsEncryptDNSRecords)
+	if err != nil {
+		return false, fmt.Errorf("failed to get disable lets encrypt dns records configuration setting: %s", err)
+	}
+
+	return disableLetsEncryptDNSRecords, nil
+}
+
 // getEnableBackendKeepalive returns whether HTTP keepalive to target droplets should be enabled.
 // False is returned if not specified.
 func getEnableBackendKeepalive(service *v1.Service) (bool, error) {
 
@@ -3067,6 +3067,7 @@ func Test_buildLoadBalancerRequest(t *testing.T) {
 				StickySessions: &godo.StickySessions{
 					Type: "none",
 				},
+				DisableLetsEncryptDNSRecords: godo.Bool(false),
 			},
 			nil,
 		},
@@ -3143,6 +3144,7 @@ func Test_buildLoadBalancerRequest(t *testing.T) {
 				StickySessions: &godo.StickySessions{
 					Type: "none",
 				},
+				DisableLetsEncryptDNSRecords: godo.Bool(false),
 			},
 			nil,
 		},
@@ -3219,6 +3221,7 @@ func Test_buildLoadBalancerRequest(t *testing.T) {
 				StickySessions: &godo.StickySessions{
 					Type: "none",
 				},
+				DisableLetsEncryptDNSRecords: godo.Bool(false),
 			},
 			nil,
 		},
@@ -3294,6 +3297,7 @@ func Test_buildLoadBalancerRequest(t *testing.T) {
 				StickySessions: &godo.StickySessions{
 					Type: "none",
 				},
+				DisableLetsEncryptDNSRecords: godo.Bool(false),
 			},
 			nil,
 		},
@@ -3370,6 +3374,7 @@ func Test_buildLoadBalancerRequest(t *testing.T) {
 				StickySessions: &godo.StickySessions{
 					Type: "none",
 				},
+				DisableLetsEncryptDNSRecords: godo.Bool(false),
 			},
 			nil,
 		},
@@ -3446,6 +3451,7 @@ func Test_buildLoadBalancerRequest(t *testing.T) {
 				StickySessions: &godo.StickySessions{
 					Type: "none",
 				},
+				DisableLetsEncryptDNSRecords: godo.Bool(false),
 			},
 			nil,
 		},
@@ -3582,6 +3588,7 @@ func Test_buildLoadBalancerRequest(t *testing.T) {
 					CookieName:       "DO-CCM",
 					CookieTtlSeconds: 300,
 				},
+				DisableLetsEncryptDNSRecords: godo.Bool(false),
 			},
 			nil,
 		},
@@ -3663,6 +3670,7 @@ func Test_buildLoadBalancerRequest(t *testing.T) {
 					CookieName:       "DO-CCM",
 					CookieTtlSeconds: 300,
 				},
+				DisableLetsEncryptDNSRecords: godo.Bool(false),
 			},
 			nil,
 		},
@@ -3753,6 +3761,99 @@ func Test_buildLoadBalancerRequest(t *testing.T) {
 				StickySessions: &godo.StickySessions{
 					Type: "none",
 				},
+				DisableLetsEncryptDNSRecords: godo.Bool(false),
+			},
+			nil,
+		},
+		{
+			"successful load balancer request with disable_lets_encrypt_dns_records",
+			[]godo.Droplet{
+				{
+					ID:   100,
+					Name: "node-1",
+				},
+				{
+					ID:   101,
+					Name: "node-2",
+				},
+				{
+					ID:   102,
+					Name: "node-3",
+				},
+			},
+			&v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+					UID:  "foobar123",
+					Annotations: map[string]string{
+						annDOProtocol:                     "http",
+						annDOAlgorithm:                    "round_robin",
+						annDORedirectHTTPToHTTPS:          "true",
+						annDOTLSPorts:                     "443",
+						annDOCertificateID:                "test-certificate",
+						annDODisableLetsEncryptDNSRecords: "true",
+					},
+				},
+				Spec: v1.ServiceSpec{
+					Ports: []v1.ServicePort{
+						{
+							Name:     "test",
+							Protocol: "TCP",
+							Port:     int32(80),
+							NodePort: int32(30000),
+						},
+						{
+							Name:     "test",
+							Protocol: "TCP",
+							Port:     int32(443),
+							NodePort: int32(30000),
+						},
+					},
+				},
+			},
+			[]*v1.Node{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "node-1",
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "node-2",
+					},
+				},
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "node-3",
+					},
+				},
+			},
+			&godo.LoadBalancerRequest{
+				Name:       "afoobar123",
+				DropletIDs: []int{100, 101, 102},
+				Region:     "nyc3",
+				ForwardingRules: []godo.ForwardingRule{
+					{
+						EntryProtocol:  "http",
+						EntryPort:      80,
+						TargetProtocol: "http",
+						TargetPort:     30000,
+					},
+					{
+						EntryProtocol:  "https",
+						EntryPort:      443,
+						TargetProtocol: "http",
+						TargetPort:     30000,
+						CertificateID:  "test-certificate",
+					},
+				},
+				HealthCheck:         defaultHealthCheck("tcp", 30000, ""),
+				Algorithm:           "round_robin",
+				RedirectHttpToHttps: true,
+				StickySessions: &godo.StickySessions{
+					Type: "none",
+				},
+				DisableLetsEncryptDNSRecords: godo.Bool(true),
 			},
 			nil,
 		},
@@ -5064,3 +5165,81 @@ func TestEnsureLoadBalancerIDAnnotation(t *testing.T) {
 		})
 	}
 }
+
+func Test_getDisableLetsEncryptDNSRecords(t *testing.T) {
+
+	testcases := []struct {
+		name                          string
+		service                       *v1.Service
+		wantErr                       bool
+		wantDisableLetsEncryptRecords bool
+	}{
+		{
+			name: "enabled",
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+					UID:  "abc123",
+					Annotations: map[string]string{
+						annDODisableLetsEncryptDNSRecords: "true",
+					},
+				},
+			},
+			wantErr:                       false,
+			wantDisableLetsEncryptRecords: true,
+		},
+		{
+			name: "disabled",
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+					UID:  "abc123",
+					Annotations: map[string]string{
+						annDODisableLetsEncryptDNSRecords: "false",
+					},
+				},
+			},
+			wantErr:                       false,
+			wantDisableLetsEncryptRecords: false,
+		},
+		{
+			name: "annotation missing",
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+					UID:  "abc123",
+				},
+			},
+			wantErr:                       false,
+			wantDisableLetsEncryptRecords: false,
+		},
+		{
+			name: "illegal value",
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+					UID:  "abc123",
+					Annotations: map[string]string{
+						annDODisableLetsEncryptDNSRecords: "42",
+					},
+				},
+			},
+			wantErr:                       true,
+			wantDisableLetsEncryptRecords: false,
+		},
+	}
+
+	for _, test := range testcases {
+		t.Run(test.name, func(t *testing.T) {
+			gotDisableLetsEncryptDNSRecords, err := getDisableLetsEncryptDNSRecords(test.service)
+			if test.wantErr != (err != nil) {
+				t.Errorf("got error %q, want error: %t", err, test.wantErr)
+			}
+
+			// check for enable, disable
+			if gotDisableLetsEncryptDNSRecords != test.wantDisableLetsEncryptRecords {
+				t.Fatalf("got disable let's encrypt DNS records %t, want %t", gotDisableLetsEncryptDNSRecords, test.wantDisableLetsEncryptRecords)
+			}
+		})
+	}
+}
@@ -4,7 +4,7 @@ go 1.15
 
 require (
 	github.com/davecgh/go-spew v1.1.1
-	github.com/digitalocean/godo v1.67.0
+	github.com/digitalocean/godo v1.69.0
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/go-ini/ini v1.39.0 // indirect
 	github.com/google/go-cmp v0.5.4
 
@@ -92,8 +92,8 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/digitalocean/godo v1.67.0 h1:MksZlZl7i3nzrczgNXhzky8FODerHKL76JmpencjEyM=
-github.com/digitalocean/godo v1.67.0/go.mod h1:epPuOzTOOJujNo0nduDj2D5O1zu8cSpp9R+DdN0W9I0=
+github.com/digitalocean/godo v1.69.0 h1:d+CXI7s3g7zAbCYqscRrq46XPMrlv+A5doOdPYn7Pss=
+github.com/digitalocean/godo v1.69.0/go.mod h1:epPuOzTOOJujNo0nduDj2D5O1zu8cSpp9R+DdN0W9I0=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=