Merge pull request #113 from mjudeikis/mjudeikis/deprecate.fp.url.setting

Deprecate ExternalHostname string in favor of External structure

Author: kcp-ci-bot

config/crd/bases/operator.kcp.io_frontproxies.yaml

@@ -1486,10 +1486,43 @@ spec:
                         type: object
                     type: object
                 type: object
+              external:
+                description: 'Optional: External configures how this front-proxy should
+                  be exposed to the outside world.  If empty, the RootShard''s external
+                  hostname will be used only.'
+                properties:
+                  hostname:
+                    description: |-
+                      Hostname is the external name of the kcp instance. This should be matched by a DNS
+                      record pointing to the kcp-front-proxy Service's external IP address.
+                    type: string
+                  port:
+                    format: int32
+                    type: integer
+                  privateHostname:
+                    description: |-
+                      Optional: PrivateHostname is an optional hostname that should be used to
+                      access internal front-proxy services, e.g. by other kcp components. This is helpful
+                      if you don't want to use the public hostname for internal communication, e.g.
+                      You have a DNS configuration, where DNS is re-encrypted for external access, but
+                      internal components can access the front-proxy directly. If not set, the value of `hostname` is used.
+                    type: string
+                  privatePort:
+                    description: |-
+                      Optional: PrivatePort is an optional port that should be used to
+                      access internal front-proxy services, e.g. by other kcp components. This is helpful
+                      if you don't want to use the public port for internal communication, e.g.
+                      because it is firewalled. If not set, the value of `port` is used.
+                    format: int32
+                    type: integer
+                required:
+                - hostname
+                - port
+                type: object
               externalHostname:
-                description: 'Optional: ExternalHostname under which the FrontProxy
-                  can be reached. If empty, the RootShard''s external hostname will
-                  be used only.'
+                description: |-
+                  Optional: ExternalHostname under which the FrontProxy can be reached. If empty, the RootShard's external hostname will be used only.
+                  Deprecated: use spec.External for configuration of external access instead.
                 type: string
               image:
                 description: 'Optional: Image defines the image to use. Defaults to
@@ -1644,6 +1677,10 @@ spec:
             required:
             - rootShard
             type: object
+            x-kubernetes-validations:
+            - message: Cannot set both ExternalHostname (deprecated) and External.hostname.
+                Use External.hostname only.
+              rule: '!(has(self.externalHostname) && has(self.external.hostname))'
           status:
             description: FrontProxyStatus defines the observed state of FrontProxy
             properties:

config/crd/bases/operator.kcp.io_rootshards.yaml

@@ -1662,6 +1662,22 @@ spec:
                   port:
                     format: int32
                     type: integer
+                  privateHostname:
+                    description: |-
+                      Optional: PrivateHostname is an optional hostname that should be used to
+                      access internal front-proxy services, e.g. by other kcp components. This is helpful
+                      if you don't want to use the public hostname for internal communication, e.g.
+                      You have a DNS configuration, where DNS is re-encrypted for external access, but
+                      internal components can access the front-proxy directly. If not set, the value of `hostname` is used.
+                    type: string
+                  privatePort:
+                    description: |-
+                      Optional: PrivatePort is an optional port that should be used to
+                      access internal front-proxy services, e.g. by other kcp components. This is helpful
+                      if you don't want to use the public port for internal communication, e.g.
+                      because it is firewalled. If not set, the value of `port` is used.
+                    format: int32
+                    type: integer
                 required:
                 - hostname
                 - port

hack/run-e2e-tests.sh

@@ -92,6 +92,7 @@ _build/manager \
   -zap-log-level debug \
   -zap-encoder console \
   -zap-time-encoding iso8601 \
+  -health-probe-bind-address="" \
   >"$DATA_DIR/kcp-operator.log" 2>&1 &
 OPERATOR_PID=$!
 echo "Running as process $OPERATOR_PID."

internal/controller/kubeconfig/controller.go

@@ -83,6 +83,7 @@ func (r *KubeconfigReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 	rootShard := &operatorv1alpha1.RootShard{}
 	shard := &operatorv1alpha1.Shard{}
+	var frontProxy operatorv1alpha1.FrontProxy
 	var caBundle *corev1.Secret
 
 	var (
@@ -117,7 +118,6 @@ func (r *KubeconfigReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		serverCA = resources.GetRootShardCAName(rootShard, operatorv1alpha1.ServerCA)
 
 	case kc.Spec.Target.FrontProxyRef != nil:
-		var frontProxy operatorv1alpha1.FrontProxy
 		if err := r.Get(ctx, types.NamespacedName{Name: kc.Spec.Target.FrontProxyRef.Name, Namespace: req.Namespace}, &frontProxy); err != nil {
 			return ctrl.Result{}, fmt.Errorf("referenced FrontProxy '%s' does not exist", kc.Spec.Target.FrontProxyRef.Name)
 		}
@@ -166,7 +166,7 @@ func (r *KubeconfigReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrl.Result{RequeueAfter: time.Second * 5}, nil
 	}
 
-	reconciler, err := kubeconfig.KubeconfigSecretReconciler(&kc, rootShard, shard, serverCASecret, clientCertSecret, caBundle)
+	reconciler, err := kubeconfig.KubeconfigSecretReconciler(&kc, rootShard, shard, frontProxy, serverCASecret, clientCertSecret, caBundle)
 	if err != nil {
 		return ctrl.Result{}, err
 	}

internal/resources/frontproxy/certificates.go

@@ -83,9 +83,16 @@ func (r *reconciler) serverCertificateReconciler() reconciling.NamedCertificateR
 	if r.frontProxy != nil {
 		// only add the external hostname if this is not reconciling the rootshard-internal-only proxy
 		dnsNames = append(dnsNames, r.rootShard.Spec.External.Hostname)
+		if r.rootShard.Spec.External.PrivateHostname != "" {
+			dnsNames = append(dnsNames, r.rootShard.Spec.External.PrivateHostname)
+		}
 
+		// DEPRECATED: keep support for the deprecated ExternalHostname field for now
+		// to not break existing front-proxy installations.
 		if r.frontProxy.Spec.ExternalHostname != "" {
 			dnsNames = append(dnsNames, r.frontProxy.Spec.ExternalHostname)
+		} else {
+			dnsNames = append(dnsNames, r.frontProxy.Spec.External.Hostname)
 		}
 	}
 

internal/resources/kubeconfig/secret.go

@@ -41,6 +41,7 @@ func KubeconfigSecretReconciler(
 	kubeconfig *operatorv1alpha1.Kubeconfig,
 	rootShard *operatorv1alpha1.RootShard,
 	shard *operatorv1alpha1.Shard,
+	frontProxy operatorv1alpha1.FrontProxy,
 	caSecret *corev1.Secret,
 	certSecret *corev1.Secret,
 	caBundle *corev1.Secret, // can be nil
@@ -120,7 +121,15 @@ func KubeconfigSecretReconciler(
 			panic("RootShard must be provided when kubeconfig targets a FrontProxy.")
 		}
 
-		serverURL := fmt.Sprintf("https://%s:6443", rootShard.Spec.External.Hostname)
+		var serverURL string
+		// New flow:
+		if frontProxy.Spec.External.Hostname != "" {
+			serverURL = fmt.Sprintf("https://%s:%d", frontProxy.Spec.External.Hostname, frontProxy.Spec.External.Port)
+		} else {
+			// Old flow:
+			serverURL = fmt.Sprintf("https://%s:%d", rootShard.Spec.External.Hostname, rootShard.Spec.External.Port)
+		}
+
 		defaultURL, err := url.JoinPath(serverURL, "clusters", "root")
 		if err != nil {
 			return nil, err

internal/resources/rootshard/kubeconfigs.go

@@ -101,7 +101,7 @@ func ExternalLogicalClusterAdminKubeconfigReconciler(rootShard *operatorv1alpha1
 				Clusters: map[string]*clientcmdapi.Cluster{
 					serverName: {
 						// This has to point to a front-proxy, not the root shard itself.
-						Server: fmt.Sprintf("https://%s:%d", rootShard.Spec.External.Hostname, rootShard.Spec.External.Port),
+						// Server is populated from the external hostname and port below.
 						// CertificateAuthority will be populated below, depending on whether CABundle is specified or not.
 					},
 				},
@@ -120,6 +120,16 @@ func ExternalLogicalClusterAdminKubeconfigReconciler(rootShard *operatorv1alpha1
 				CurrentContext: contextName,
 			}
 
+			if rootShard.Spec.External.PrivateHostname != "" {
+				port := rootShard.Spec.External.Port
+				if rootShard.Spec.External.PrivatePort != nil {
+					port = *rootShard.Spec.External.PrivatePort
+				}
+				config.Clusters[serverName].Server = fmt.Sprintf("https://%s:%d", rootShard.Spec.External.PrivateHostname, port)
+			} else {
+				config.Clusters[serverName].Server = fmt.Sprintf("https://%s:%d", rootShard.Spec.External.Hostname, rootShard.Spec.External.Port)
+			}
+
 			if rootShard.Spec.CABundleSecretRef == nil {
 				config.Clusters[serverName].CertificateAuthority = getCAMountPath(operatorv1alpha1.ServerCA) + "/tls.crt"
 			} else {

sdk/apis/operator/v1alpha1/frontproxy_types.go

@@ -22,6 +22,7 @@ import (
 )
 
 // FrontProxySpec defines the desired state of FrontProxy.
+// +kubebuilder:validation:XValidation:rule="!(has(self.externalHostname) && has(self.external.hostname))",message="Cannot set both ExternalHostname (deprecated) and External.hostname. Use External.hostname only."
 type FrontProxySpec struct {
 	// RootShard configures the kcp root shard that this front-proxy instance should connect to.
 	RootShard RootShardConfig `json:"rootShard"`
@@ -38,8 +39,12 @@ type FrontProxySpec struct {
 	// Optional: Image defines the image to use. Defaults to the latest versioned image during the release of kcp-operator.
 	Image *ImageSpec `json:"image,omitempty"`
 	// Optional: ExternalHostname under which the FrontProxy can be reached. If empty, the RootShard's external hostname will be used only.
+	// Deprecated: use spec.External for configuration of external access instead.
 	ExternalHostname string `json:"externalHostname,omitempty"`
 
+	// Optional: External configures how this front-proxy should be exposed to the outside world.  If empty, the RootShard's external hostname will be used only.
+	External ExternalConfig `json:"external,omitempty"`
+
 	// Optional: ServiceTemplate configures the Kubernetes Service created for this front-proxy instance.
 	ServiceTemplate *ServiceTemplate `json:"serviceTemplate,omitempty"`
 

sdk/apis/operator/v1alpha1/rootshard_types.go

@@ -66,6 +66,21 @@ type ExternalConfig struct {
 	// record pointing to the kcp-front-proxy Service's external IP address.
 	Hostname string `json:"hostname"`
 	Port     uint32 `json:"port"`
+
+	// Optional: PrivateHostname is an optional hostname that should be used to
+	// access internal front-proxy services, e.g. by other kcp components. This is helpful
+	// if you don't want to use the public hostname for internal communication, e.g.
+	// You have a DNS configuration, where DNS is re-encrypted for external access, but
+	// internal components can access the front-proxy directly. If not set, the value of `hostname` is used.
+	// +optional
+	PrivateHostname string `json:"privateHostname,omitempty"`
+
+	// Optional: PrivatePort is an optional port that should be used to
+	// access internal front-proxy services, e.g. by other kcp components. This is helpful
+	// if you don't want to use the public port for internal communication, e.g.
+	// because it is firewalled. If not set, the value of `port` is used.
+	// +optional
+	PrivatePort *uint32 `json:"privatePort,omitempty"`
 }
 
 // Certificates configures how certificates for kcp should be created.