k8s - init work on custom CA and ingress class

docs/integrations.md

@@ -747,7 +747,7 @@ Given the presence of multiple BunkerWeb instances, it is necessary to establish
 Please ensure that the autoconf services have access to the Kubernetes API. It is recommended to utilize [RBAC authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for this purpose.
 
 !!! warn "Custom CA for Kubernetes API"
-    At the moment, using a custom CA for the Kubernetes API is not supported by the autoconf. The only workaround available is to disable certificate verification by setting the `KUBERNETES_SSL_VERIFY` environment variable of the autoconf to `no` (default is `yes`).
+    If you use a custom CA for your Kubernetes API, you can mount a bundle file containing your intermediate(s) and root certificates on the ingress controller and set the `KUBERNETES_SSL_CA_FILE` environment value to the path of the bundle inside the container. Alternatively, even if it's not recommended, you can disable certificate verification by setting the `KUBERNETES_SSL_VERIFY` environment variable of the ingress controller to `no` (default is `yes`).
 
 Additionally, **it is crucial to set the `KUBERNETES_MODE` environment variable to `yes` when utilizing the Kubernetes integration**. This variable is mandatory for proper functionality.
 
@@ -786,6 +786,13 @@ roleRef:
   name: cr-bunkerweb
   apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: bunkerweb
+spec:
+  controller: bunkerweb.io/ingress-controller
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -1056,7 +1063,7 @@ spec:
 
 ### Namespaces
 
-Starting from version `1.6.0-beta`, BunkerWeb's Autoconf stacks now support namespaces. This feature enables you to manage multiple clusters of BunkerWeb instances and services on the same Kubernetes cluster. To take advantage of namespaces, simply set the `namespace` metadata field on your BunkerWeb instances and services. Here's an example:
+Starting from version `1.6.0-beta`, BunkerWeb's autoconf stacks now support namespaces. This feature enables you to manage multiple clusters of BunkerWeb instances and services on the same Kubernetes cluster. To take advantage of namespaces, simply set the `namespace` metadata field on your BunkerWeb instances and services. Here's an example:
 
 ```yaml
 apiVersion: apps/v1
@@ -1110,6 +1117,44 @@ metadata:
 
     The Scheduler doesn't need the `NAMESPACE` annotation to work properly. It will only need the `DATABASE_URI` setting properly configured so that it can access the same database as the autoconf service.
 
+### Ingress class
+
+When installed using the official methods in the documentation, BunkerWeb comes with the following `IngressClass` definition :
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: bunkerweb
+spec:
+  controller: bunkerweb.io/ingress-controller
+```
+
+In order to restrict the `Ingress` resources monitored by the ingress controller, you can set the `KUBERNETES_INGRESS_CLASS` environment variable with the value `bunkerweb`. Then, you can leverage the `ingressClassName` directive in your `Ingress` definitions :
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: my-ingress
+  annotations:
+    bunkerweb.io/MY_SETTING: "value"
+    bunkerweb.io/www.example.com_MY_SETTING: "value"
+spec:
+  ingressClassName: bunkerweb
+  rules:
+    - host: www.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: svc-my-app
+                port:
+                  number: 8000
+```
+
 ### Minikube specificities
 
 We are aware of issues with Minikube and internal hostname resolution. To work around this, there is a specific setting that you can use in the `bunkerweb-controller` deployment :

misc/integrations/k8s.mariadb.ui.yml

@@ -29,6 +29,13 @@ roleRef:
   name: cr-bunkerweb
   apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: bunkerweb
+spec:
+  controller: bunkerweb.io/ingress-controller
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:

misc/integrations/k8s.mariadb.yml

@@ -40,6 +40,13 @@ roleRef:
   name: cr-bunkerweb
   apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: bunkerweb
+spec:
+  controller: bunkerweb.io/ingress-controller
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:

misc/integrations/k8s.mysql.ui.yml

@@ -29,6 +29,13 @@ roleRef:
   name: cr-bunkerweb
   apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: bunkerweb
+spec:
+  controller: bunkerweb.io/ingress-controller
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:

misc/integrations/k8s.mysql.yml

@@ -40,6 +40,13 @@ roleRef:
   name: cr-bunkerweb
   apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: bunkerweb
+spec:
+  controller: bunkerweb.io/ingress-controller
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:

misc/integrations/k8s.postgres.ui.yml

@@ -29,6 +29,13 @@ roleRef:
   name: cr-bunkerweb
   apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: bunkerweb
+spec:
+  controller: bunkerweb.io/ingress-controller
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:

misc/integrations/k8s.postgres.yml

@@ -40,6 +40,13 @@ roleRef:
   name: cr-bunkerweb
   apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+  name: bunkerweb
+spec:
+  controller: bunkerweb.io/ingress-controller
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:

src/autoconf/IngressController.py

@@ -6,6 +6,7 @@ from time import sleep
 from traceback import format_exc
 from typing import List
 from kubernetes import client, config, watch
+from kubernetes.client import Configuration
 from kubernetes.client.exceptions import ApiException
 from threading import Thread, Lock
 
@@ -17,10 +18,14 @@ class IngressController(Controller):
         self.__internal_lock = Lock()
         super().__init__("kubernetes")
         config.load_incluster_config()
-        config.verify_ssl = getenv("KUBERNETES_VERIFY_SSL", "yes") == "yes"
+        Configuration._default.verify_ssl = getenv("KUBERNETES_VERIFY_SSL", "yes") == "yes"
+        ssl_ca_cert = getenv("KUBERNETES_SSL_CA_CERT", "")
+        if ssl_ca_cert:
+            Configuration._default.ssl_ca_cert = ssl_ca_cert
         self.__corev1 = client.CoreV1Api()
         self.__networkingv1 = client.NetworkingV1Api()
         self.__use_fqdn = getenv("USE_KUBERNETES_FQDN", "yes").lower() == "yes"
+        self.__ingress_class = getenv("KUBERNETES_INGRESS_CLASS", "")
         self._logger.info(f"Using Pod {'FQDN' if self.__use_fqdn else 'IP'} as hostname")
 
     def _get_controller_instances(self) -> list:
@@ -219,6 +224,10 @@ class IngressController(Controller):
         if obj.kind == "Pod":
             return annotations and "bunkerweb.io/INSTANCE" in annotations
         if obj.kind == "Ingress":
+            if self.__ingress_class:
+                ingress_class_name = getattr(obj.spec, "ingressClassName", None)
+                if not ingress_class_name or ingress_class_name != self.__ingress_class:
+                    return False
             return True
         if obj.kind == "ConfigMap":
             return annotations and "bunkerweb.io/CONFIG_TYPE" in annotations