feat: Upgrade caddy to v2.5.1, k8s client to 0.23 (#94)

2026-01-09 19:48:28 +00:00 · 2022-07-20 21:42:40 +02:00 · 2022-07-20 21:42:40 +02:00 · 1ba3f761ec
commit 1ba3f761ec
parent 45368dc237
10 changed files with 596 additions and 181 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -15,7 +15,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
-          go-version: 1.16
+          go-version: 1.18

      - name: Test
        run: go test -v ./...
@ -34,6 +34,11 @@ jobs:
        with:
          version: v3.8.1

+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.18
+
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
        with:
--- a/.github/workflows/release-controller.yml
+++ b/.github/workflows/release-controller.yml
@ -18,7 +18,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
-          go-version: 1.16
+          go-version: 1.18

      - name: Login to DockerHub
        uses: docker/login-action@v1
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -9,7 +9,7 @@
 - You need a machine with [docker](https://docker.io) up & running
 - You need to install [kind](https://kind.sigs.k8s.io/) on your machine

-Than we can create a two nodes cluster (one master and one worker):
+Then we can create a two nodes cluster (one master and one worker):

 ```bash
 cat <<EOF | kind create cluster --config=-
@ -34,7 +34,7 @@ Create a namespace to host the caddy ingress controller:
 kubectl create ns caddy-system
 ```

-Than we can start skaffold using:
+Then we can start skaffold using:
 ```
 skaffold dev --port-forward
 ```
@ -55,9 +55,9 @@ curl -H 'Host: example2.kubernetes.localhost http://127.0.0.1:80/hello2

 ## Notes

- - You can change local port forwarded by skaffold by changing the port values in the `skaffold.yaml` file on section `portForward` `localPort`. Remind that you can forward only port greather than 1024 if you execute it as non root user
+ - You can change local port forwarded by skaffold by changing the port values in the `skaffold.yaml` file on section `portForward` `localPort`. Remind that you can forward only port greater than 1024 if you execute it as non-root user
 - You can delete your local cluster with the command `kind delete cluster`
- - To use TLS your domain should be publically resolved to your cluster IP in order to allow Let's Encript to validate the domain
+ - To use TLS your domain should be publicly resolved to your cluster IP in order to allow Let's Encrypt to validate the domain

 ## Releasing new helm chart version

--- a/README.md
+++ b/README.md
@ -75,16 +75,23 @@ kubectl logs <pod-name> -n caddy-system

 ## Automatic HTTPS

-To enable automatic https via ingress controller using Let's Encrypt you can set
-the argument `ingressController.autotls=true` and the email to use
-`ingressController.email=your@email.com` on the caddy ingress controller helm
-chart values.
+To have automatic HTTPS (not to be confused with `On-demand TLS`), you simply have
+to specify your email in the config map. When using Helm chart, you can add
+`--set ingressController.config.email=your@email.com` when installing.

-Example:
- - `--set ingressController.autotls=true`
- - `--set ingressController.email=your@email.com`
+## On-Demand TLS
+
+[On-demand TLS](https://caddyserver.com/docs/automatic-https#on-demand-tls) can generate SSL certs on the fly
+and can be enabled in this controller by setting the `onDemandTLS` config to `true`:
+
+```sh
+helm install ...\
+  --set ingressController.config.onDemandTLS=true
+```
+
+> You can also specify options 
+> for the on demand config: `onDemandRateLimitInterval`, `onDemandRateLimitBurst` and `onDemandAsk`

-when you execute the helm-chart installation.

 ## Bringing Your Own Certificates

--- a/go.mod
+++ b/go.mod
@ -1,24 +1,139 @@
 module github.com/caddyserver/ingress

-go 1.16
+go 1.18

 require (
-	github.com/caddyserver/caddy/v2 v2.4.6
-	github.com/caddyserver/certmagic v0.15.2
+	github.com/caddyserver/caddy/v2 v2.5.1
+	github.com/caddyserver/certmagic v0.16.1
 	github.com/google/uuid v1.3.0
-	github.com/mitchellh/mapstructure v1.4.3
-	github.com/pires/go-proxyproto v0.3.1
+	github.com/mitchellh/mapstructure v1.5.0
+	github.com/pires/go-proxyproto v0.6.2
 	github.com/pkg/errors v0.9.1
 	go.uber.org/zap v1.21.0
-	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
 	gopkg.in/go-playground/pool.v3 v3.1.1
-	k8s.io/api v0.19.4
-	k8s.io/apimachinery v0.19.4
-	k8s.io/client-go v0.19.4
+	k8s.io/api v0.23.6
+	k8s.io/apimachinery v0.23.6
+	k8s.io/client-go v0.23.6
 )

-replace (
-	k8s.io/api => k8s.io/api v0.19.4
-	k8s.io/apimachinery => k8s.io/apimachinery v0.19.4
-	k8s.io/client-go => k8s.io/client-go v0.19.4
+require (
+	filippo.io/edwards25519 v1.0.0-rc.1 // indirect
+	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.1.1 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
+	github.com/antlr/antlr4 v0.0.0-20200503195918-621b933c7a7f // indirect
+	github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash v1.1.0 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/cheekybits/genny v1.0.0 // indirect
+	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dgraph-io/badger v1.6.2 // indirect
+	github.com/dgraph-io/badger/v2 v2.2007.4 // indirect
+	github.com/dgraph-io/ristretto v0.0.4-0.20200906165740-41ebdbffecfd // indirect
+	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
+	github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac // indirect
+	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/go-kit/kit v0.10.0 // indirect
+	github.com/go-logfmt/logfmt v0.5.0 // indirect
+	github.com/go-logr/logr v1.2.2 // indirect
+	github.com/go-sql-driver/mysql v1.6.0 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/cel-go v0.7.3 // indirect
+	github.com/google/go-cmp v0.5.7 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/huandu/xstrings v1.3.2 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
+	github.com/jackc/pgconn v1.10.1 // indirect
+	github.com/jackc/pgio v1.0.0 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgproto3/v2 v2.2.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
+	github.com/jackc/pgtype v1.9.0 // indirect
+	github.com/jackc/pgx/v4 v4.14.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.15.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.0.11 // indirect
+	github.com/libdns/libdns v0.2.1 // indirect
+	github.com/lucas-clemente/quic-go v0.26.0 // indirect
+	github.com/manifoldco/promptui v0.9.0 // indirect
+	github.com/marten-seemann/qpack v0.2.1 // indirect
+	github.com/marten-seemann/qtls-go1-16 v0.1.5 // indirect
+	github.com/marten-seemann/qtls-go1-17 v0.1.1 // indirect
+	github.com/marten-seemann/qtls-go1-18 v0.1.1 // indirect
+	github.com/mattn/go-colorable v0.1.8 // indirect
+	github.com/mattn/go-isatty v0.0.13 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
+	github.com/mholt/acmez v1.0.2 // indirect
+	github.com/micromdm/scep/v2 v2.1.0 // indirect
+	github.com/miekg/dns v1.1.46 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-ps v1.0.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/nxadm/tail v1.4.8 // indirect
+	github.com/onsi/ginkgo v1.16.4 // indirect
+	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/rs/xid v1.2.1 // indirect
+	github.com/russross/blackfriday/v2 v2.0.1 // indirect
+	github.com/shopspring/decimal v1.2.0 // indirect
+	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
+	github.com/sirupsen/logrus v1.8.1 // indirect
+	github.com/slackhq/nebula v1.5.2 // indirect
+	github.com/smallstep/certificates v0.19.0 // indirect
+	github.com/smallstep/cli v0.18.0 // indirect
+	github.com/smallstep/nosql v0.4.0 // indirect
+	github.com/smallstep/truststore v0.11.0 // indirect
+	github.com/spf13/cast v1.4.1 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stoewer/go-strcase v1.2.0 // indirect
+	github.com/tailscale/tscert v0.0.0-20220125204807-4509a5fbaf74 // indirect
+	github.com/urfave/cli v1.22.5 // indirect
+	go.etcd.io/bbolt v1.3.6 // indirect
+	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
+	go.step.sm/cli-utils v0.7.0 // indirect
+	go.step.sm/crypto v0.16.1 // indirect
+	go.step.sm/linkedca v0.15.0 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
+	golang.org/x/crypto v0.0.0-20220210151621-f4118a5b28e2 // indirect
+	golang.org/x/mod v0.4.2 // indirect
+	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
+	golang.org/x/sys v0.0.0-20220209214540-3681064d5158 // indirect
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
+	golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b // indirect
+	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
+	golang.org/x/tools v0.1.7 // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf // indirect
+	google.golang.org/grpc v1.44.0 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
+	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	howett.net/plist v1.0.0 // indirect
+	k8s.io/klog/v2 v2.30.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
+	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
+	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
+	sigs.k8s.io/yaml v1.2.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/controller/action_configmap.go
+++ b/internal/controller/action_configmap.go
@ -36,7 +36,7 @@ func (c *CaddyController) onConfigMapUpdated(old *v1.ConfigMap, new *v1.ConfigMa
 	})
 }

-// onConfigMapDeleted is run when an configmap is deleted from the namespace.
+// onConfigMapDeleted is run when a configmap is deleted from the namespace.
 func (c *CaddyController) onConfigMapDeleted(obj *v1.ConfigMap) {
 	c.syncQueue.Add(ConfigMapDeletedAction{
 		resource: obj,
--- a/internal/controller/controller.go
+++ b/internal/controller/controller.go
@ -2,6 +2,7 @@ package controller

 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"github.com/caddyserver/caddy/v2"
@ -163,7 +164,7 @@ func (c *CaddyController) Shutdown() error {
 		c.logger.Error("failed to stop caddy server", zap.Error(err))
 		return err
 	}
-	certmagic.CleanUpOwnLocks(c.logger.Desugar())
+	certmagic.CleanUpOwnLocks(context.TODO(), c.logger.Desugar())
 	return nil
 }

--- a/internal/k8s/pod.go
+++ b/internal/k8s/pod.go
@ -24,7 +24,7 @@ func GetAddresses(p *store.PodInfo, kubeClient *kubernetes.Clientset) ([]string,
 	}

 	for _, svc := range svcs.Items {
-		if labels.AreLabelsInWhiteList(svc.Spec.Selector, p.Labels) {
+		if isSubset(svc.Spec.Selector, p.Labels) {
 			addr := GetAddressFromService(&svc)
 			if addr != "" {
 				addrs = append(addrs, addr)
@ -35,7 +35,25 @@ func GetAddresses(p *store.PodInfo, kubeClient *kubernetes.Clientset) ([]string,
 	return addrs, nil
 }

-// GetNodeIPOrName returns the IP address or the name of a node in the cluster
+// Copied from https://github.com/kubernetes/kubernetes/pull/95179
+func isSubset(subSet, superSet labels.Set) bool {
+	if len(superSet) == 0 {
+		return true
+	}
+
+	for k, v := range subSet {
+		value, ok := superSet[k]
+		if !ok {
+			return false
+		}
+		if value != v {
+			return false
+		}
+	}
+	return true
+}
+
+// GetAddressFromService returns the IP address or the name of a node in the cluster
 func GetAddressFromService(service *apiv1.Service) string {
 	switch service.Spec.Type {
 	case apiv1.ServiceTypeNodePort:
--- a/pkg/storage/storage.go
+++ b/pkg/storage/storage.go
@ -34,7 +34,7 @@ var matchLabels = map[string]string{
 }

 // specialChars is a regex that matches all special characters except '-'.
-var specialChars = regexp.MustCompile("[^0-9a-zA-Z-]+")
+var specialChars = regexp.MustCompile("[^\\da-zA-Z-]+")

 // cleanKey strips all special characters that are not supported by kubernetes names and converts them to a '.'.
 // sequences like '.*.' are also converted to a single '.'.
@ -77,7 +77,7 @@ func (s *SecretStorage) CertMagicStorage() (certmagic.Storage, error) {
 }

 // Exists returns true if key exists in fs.
-func (s *SecretStorage) Exists(key string) bool {
+func (s *SecretStorage) Exists(ctx context.Context, key string) bool {
 	s.logger.Debug("finding secret", zap.String("name", key))
 	secrets, err := s.KubeClient.CoreV1().Secrets(s.Namespace).List(context.TODO(), metav1.ListOptions{
 		FieldSelector: fmt.Sprintf("metadata.name=%v", cleanKey(key, keyPrefix)),
@ -99,7 +99,7 @@ func (s *SecretStorage) Exists(key string) bool {
 }

 // Store saves value at key. More than certs and keys are stored by certmagic in secrets.
-func (s *SecretStorage) Store(key string, value []byte) error {
+func (s *SecretStorage) Store(ctx context.Context, key string, value []byte) error {
 	se := corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:   cleanKey(key, keyPrefix),
@ -111,7 +111,7 @@ func (s *SecretStorage) Store(key string, value []byte) error {
 	}

 	var err error
-	if s.Exists(key) {
+	if s.Exists(ctx, key) {
 		s.logger.Debug("creating secret", zap.String("name", key))
 		_, err = s.KubeClient.CoreV1().Secrets(s.Namespace).Update(context.TODO(), &se, metav1.UpdateOptions{})
 	} else {
@ -127,7 +127,7 @@ func (s *SecretStorage) Store(key string, value []byte) error {
 }

 // Load retrieves the value at the given key.
-func (s *SecretStorage) Load(key string) ([]byte, error) {
+func (s *SecretStorage) Load(ctx context.Context, key string) ([]byte, error) {
 	secret, err := s.KubeClient.CoreV1().Secrets(s.Namespace).Get(context.TODO(), cleanKey(key, keyPrefix), metav1.GetOptions{})
 	if err != nil {
 		return nil, err
@ -138,7 +138,7 @@ func (s *SecretStorage) Load(key string) ([]byte, error) {
 }

 // Delete deletes the value at the given key.
-func (s *SecretStorage) Delete(key string) error {
+func (s *SecretStorage) Delete(ctx context.Context, key string) error {
 	err := s.KubeClient.CoreV1().Secrets(s.Namespace).Delete(context.TODO(), cleanKey(key, keyPrefix), metav1.DeleteOptions{})
 	if err != nil {
 		return err
@ -149,7 +149,7 @@ func (s *SecretStorage) Delete(key string) error {
 }

 // List returns all keys that match prefix.
-func (s *SecretStorage) List(prefix string, recursive bool) ([]string, error) {
+func (s *SecretStorage) List(ctx context.Context, prefix string, recursive bool) ([]string, error) {
 	var keys []string

 	s.logger.Debug("listing secrets", zap.String("name", prefix))
@ -172,7 +172,7 @@ func (s *SecretStorage) List(prefix string, recursive bool) ([]string, error) {
 }

 // Stat returns information about key.
-func (s *SecretStorage) Stat(key string) (certmagic.KeyInfo, error) {
+func (s *SecretStorage) Stat(ctx context.Context, key string) (certmagic.KeyInfo, error) {
 	secret, err := s.KubeClient.CoreV1().Secrets(s.Namespace).Get(context.TODO(), cleanKey(key, keyPrefix), metav1.GetOptions{})
 	if err != nil {
 		return certmagic.KeyInfo{}, err
@ -274,7 +274,7 @@ func (s *SecretStorage) tryAcquireOrRenew(ctx context.Context, key string, shoul
 	return false, nil
 }

-func (s *SecretStorage) Unlock(key string) error {
+func (s *SecretStorage) Unlock(ctx context.Context, key string) error {
 	err := s.KubeClient.CoordinationV1().Leases(s.Namespace).Delete(context.TODO(), cleanKey(key, leasePrefix), metav1.DeleteOptions{})
 	return err
 }