feat: add Contour ingress controller support (PSCLOUD-414)

examples/ansible-vars-iac.yaml

@@ -20,7 +20,7 @@ V4_CFG_CR_USER: <container_registry_user>
 V4_CFG_CR_PASSWORD: <container_registry_password>
 
 ## Ingress
-V4_CFG_INGRESS_TYPE: ingress
+V4_CFG_INGRESS_TYPE: contour
 V4_CFG_INGRESS_FQDN: <desired_fqdn>
 V4_CFG_TLS_MODE: full-stack # [full-stack|front-door|ingress-only|disabled]
 

examples/ansible-vars.yaml

@@ -31,7 +31,7 @@ V4_CFG_CR_USER: <container_registry_user>
 V4_CFG_CR_PASSWORD: <container_registry_password>
 
 ## Ingress
-V4_CFG_INGRESS_TYPE: ingress
+V4_CFG_INGRESS_TYPE: contour
 V4_CFG_INGRESS_FQDN: <desired_fqdn>
 V4_CFG_TLS_MODE: full-stack # [full-stack|front-door|ingress-only|disabled]
 

roles/baseline/defaults/main.yml

@@ -4,7 +4,7 @@
 ---
 V4_CFG_TLS_MODE: full-stack # other valid values are front-door, ingress-only, and disabled
 V4_CFG_RWX_FILESTORE_PATH: /export
-V4_CFG_INGRESS_TYPE: ingress
+V4_CFG_INGRESS_TYPE: contour
 V4_CFG_INGRESS_MODE: public
 V4_CFG_MANAGE_STORAGE: true
 V4_CFG_AWS_LB_SUBNETS: ""
@@ -190,15 +190,36 @@ CSI_DRIVER_NFS_PG_EFS_CONFIG:
 
 ## Contour - Ingress
 CONTOUR_NAME: contour
-CONTOUR_NAMESPACE: contour
+CONTOUR_NAMESPACE: projectcontour
 CONTOUR_CHART_NAME: contour
-CONTOUR_CHART_URL: https://charts.bitnami.com/bitnami
-CONTOUR_CHART_VERSION: 4.3.8
+CONTOUR_CHART_URL: https://projectcontour.github.io/helm-charts/
+CONTOUR_CHART_VERSION: 0.2.1
 CONTOUR_CONFIG:
   envoy:
     service:
       loadBalancerSourceRanges: "{{ LOADBALANCER_SOURCE_RANGES | default(['0.0.0.0/0'], -1) }}"
 
+# Add annotation to include Azure load-balancer health probe request path for Contour
+CONTOUR_AZURE_LB_HEALTH_PROBE_CONFIG:
+  envoy:
+    service:
+      annotations:
+        service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /healthz
+
+# Update default load-balancer for AWS to be NLB for Contour
+CONTOUR_AWS_NLB_CONFIG:
+  envoy:
+    service:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-type: nlb
+
+# Update LB for AWS, specify subnets to allocate internal IPs from for Contour
+CONTOUR_AWS_LB_SUBNETS:
+  envoy:
+    service:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-subnets: "{{ V4_CFG_AWS_LB_SUBNETS }}"
+
 ## Cluster Autoscaler
 CLUSTER_AUTOSCALER_ENABLED: true
 CLUSTER_AUTOSCALER_NAME: cluster-autoscaler
@@ -274,16 +295,29 @@ private_ingress:
         annotations:
           service.beta.kubernetes.io/aws-load-balancer-internal: "true"
           service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    envoy:
+      service:
+        annotations:
+          service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+          service.beta.kubernetes.io/aws-load-balancer-type: nlb
   azure:
     controller:
       service:
         annotations:
           service.beta.kubernetes.io/azure-load-balancer-internal: "true"
+    envoy:
+      service:
+        annotations:
+          service.beta.kubernetes.io/azure-load-balancer-internal: "true"
   gcp:
     controller:
       service:
         annotations:
           networking.gke.io/load-balancer-type: Internal
+    envoy:
+      service:
+        annotations:
+          networking.gke.io/load-balancer-type: Internal
 
 ## NIST Features
 V4_CFG_NIST_FEATURES_ENABLED: false

roles/baseline/tasks/contour.yaml

@@ -13,6 +13,47 @@
 # Chart URL: https://projectcontour.io/
 # Container registry: docker.io
 # Purpose: Alternative ingress controller (if selected).
+# Update CONTOUR_CONFIG with private ingress settings if running in private mode and provider is supported
+- name: Update CONTOUR_CONFIG to add private_ingress
+  set_fact:
+    CONTOUR_CONFIG: "{{ CONTOUR_CONFIG | combine(private_ingress[PROVIDER], recursive=True) }}"
+  when:
+    - V4_CFG_INGRESS_MODE == "private"
+    - PROVIDER in private_ingress
+  tags:
+    - install
+    - update
+
+# Update CONTOUR_CONFIG to use NLB for AWS
+- name: Update CONTOUR_CONFIG to use NLB for AWS
+  set_fact:
+    CONTOUR_CONFIG: "{{ CONTOUR_CONFIG | combine(CONTOUR_AWS_NLB_CONFIG, recursive=True) }}"
+  when:
+    - PROVIDER == "aws"
+  tags:
+    - install
+    - update
+
+# Add AWS load balancer subnets to the configuration if specified
+- name: Update CONTOUR_CONFIG annotations to include CONTOUR_AWS_LB_SUBNETS
+  set_fact:
+    CONTOUR_CONFIG: "{{ CONTOUR_CONFIG | combine(CONTOUR_AWS_LB_SUBNETS, recursive=True) }}"
+  when:
+    - PROVIDER == "aws"
+    - V4_CFG_AWS_LB_SUBNETS|length != 0
+  tags:
+    - install
+    - update
+
+# Add Azure load-balancer health probe request path to the configuration if provider is Azure
+- name: Update CONTOUR_CONFIG to add Azure load-balancer health probe request path
+  set_fact:
+    CONTOUR_CONFIG: "{{ CONTOUR_CONFIG | combine(CONTOUR_AZURE_LB_HEALTH_PROBE_CONFIG, recursive=True) }}"
+  when:
+    - PROVIDER == "azure"
+  tags:
+    - install
+    - update
 
 # Deploy the Contour ingress controller using Helm
 - name: Deploy contour

roles/vdm/defaults/main.yaml

@@ -39,7 +39,7 @@ V4_CFG_MANAGE_STORAGE: true
 V4_CFG_DEPLOYMENT_URL_PREFIX: null
 V4_CFG_DEPLOYMENT_URL_PORT: null
 V4_CFG_INGRESS_FQDN: null
-V4_CFG_INGRESS_TYPE: ingress
+V4_CFG_INGRESS_TYPE: contour
 
 V4_CFG_TLS_MODE: front-door # other valid values are full-stack, ingress-only, and disabled
 V4_CFG_TLS_CERT: null

roles/vdm/tasks/tls.yaml

@@ -92,7 +92,7 @@
       - { transformers: overlays/network/ingress/security/transformers/product-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
       - { transformers: overlays/network/ingress/security/transformers/backend-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
       - { components: components/security/core/base/full-stack-tls, min: 2021.1.3, priority: 51 }
-      - { components: components/security/network/networking.k8s.io/ingress/nginx.ingress.kubernetes.io/full-stack-tls, min: 2021.1.3, priority: 51 }
+      - { components: "components/security/network/{{ 'projectcontour.io/httpproxy' if V4_CFG_INGRESS_TYPE == 'contour' else 'networking.k8s.io/ingress/nginx.ingress.kubernetes.io' }}/full-stack-tls", min: 2021.1.3, priority: 51 }
   when:
     # Only run if full-stack TLS is enabled
     - V4_CFG_TLS_MODE == "full-stack"
@@ -111,7 +111,7 @@
       - { transformers: overlays/network/ingress/security/transformers/cas-connect-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
       - { transformers: overlays/network/ingress/security/transformers/ingress-tls-transformers.yaml, max: 2021.1.2, priority: 51 }
       - { components: components/security/core/base/front-door-tls, min: 2021.1.3, priority: 51 }
-      - { components: components/security/network/networking.k8s.io/ingress/nginx.ingress.kubernetes.io/front-door-tls, min: 2021.1.3, priority: 51 }
+      - { components: "components/security/network/{{ 'projectcontour.io/httpproxy' if V4_CFG_INGRESS_TYPE == 'contour' else 'networking.k8s.io/ingress/nginx.ingress.kubernetes.io' }}/front-door-tls", min: 2021.1.3, priority: 51 }
   when:
     # Only run if front-door TLS is enabled
     - V4_CFG_TLS_MODE == "front-door"
@@ -141,7 +141,7 @@
     existing: "{{ vdm_overlays }}"
     add:
       - { components: components/security/core/ingress-only-tls, min: 2021.2.4, priority: 51 }
-      - { components: components/security/network/networking.k8s.io/ingress/nginx.ingress.kubernetes.io/front-door-tls, min: 2021.2.4, priority: 51 }
+      - { components: "components/security/network/{{ 'projectcontour.io/httpproxy' if V4_CFG_INGRESS_TYPE == 'contour' else 'networking.k8s.io/ingress/nginx.ingress.kubernetes.io' }}/front-door-tls", min: 2021.2.4, priority: 51 }
   when:
     # Only run if ingress-only TLS is enabled
     - V4_CFG_TLS_MODE == "ingress-only"