github.com/cilium/cilium@v1.16.2/operator/pkg/ingress/annotations/annotations.go (about) 1 // SPDX-License-Identifier: Apache-2.0 2 // Copyright Authors of Cilium 3 4 package annotations 5 6 import ( 7 "fmt" 8 "strconv" 9 "time" 10 11 corev1 "k8s.io/api/core/v1" 12 networkingv1 "k8s.io/api/networking/v1" 13 14 "github.com/cilium/cilium/operator/pkg/model" 15 "github.com/cilium/cilium/pkg/annotation" 16 ) 17 18 const ( 19 LBModeAnnotation = annotation.IngressPrefix + "/loadbalancer-mode" 20 LBClassAnnotation = annotation.IngressPrefix + "/loadbalancer-class" 21 ServiceTypeAnnotation = annotation.IngressPrefix + "/service-type" 22 ServiceExternalTrafficPolicyAnnotation = annotation.IngressPrefix + "/service-external-traffic-policy" 23 InsecureNodePortAnnotation = annotation.IngressPrefix + "/insecure-node-port" 24 SecureNodePortAnnotation = annotation.IngressPrefix + "/secure-node-port" 25 HostListenerPortAnnotation = annotation.IngressPrefix + "/host-listener-port" 26 TLSPassthroughAnnotation = annotation.IngressPrefix + "/tls-passthrough" 27 ForceHTTPSAnnotation = annotation.IngressPrefix + "/force-https" 28 RequestTimeoutAnnotation = annotation.IngressPrefix + "/request-timeout" 29 30 LBModeAnnotationAlias = annotation.Prefix + ".ingress" + "/loadbalancer-mode" 31 ServiceTypeAnnotationAlias = annotation.Prefix + ".ingress" + "/service-type" 32 InsecureNodePortAnnotationAlias = annotation.Prefix + ".ingress" + "/insecure-node-port" 33 SecureNodePortAnnotationAlias = annotation.Prefix + ".ingress" + "/secure-node-port" 34 TLSPassthroughAnnotationAlias = annotation.Prefix + ".ingress" + "/tls-passthrough" 35 ) 36 37 const ( 38 enabled = "enabled" 39 disabled = "disabled" 40 defaultTCPKeepAliveEnabled = 1 // 1 - Enabled, 0 - Disabled 41 defaultTCPKeepAliveInitialIdle = 10 // in seconds 42 defaultTCPKeepAliveProbeInterval = 5 // in seconds 43 defaultTCPKeepAliveMaxProbeCount = 10 44 defaultWebsocketEnabled = 0 // 1 - Enabled, 0 - Disabled 45 ) 46 47 const ( 48 LoadbalancerModeDedicated = "dedicated" 49 LoadbalancerModeShared = "shared" 50 ) 51 52 // GetAnnotationIngressLoadbalancerMode returns the loadbalancer mode for the ingress if possible. 53 func GetAnnotationIngressLoadbalancerMode(ingress *networkingv1.Ingress) string { 54 value, _ := annotation.Get(ingress, LBModeAnnotation, LBModeAnnotationAlias) 55 return value 56 } 57 58 // GetAnnotationLoadBalancerClass returns the loadbalancer class from the ingress if possible. 59 // Defaults to nil 60 func GetAnnotationLoadBalancerClass(ingress *networkingv1.Ingress) *string { 61 val, exists := annotation.Get(ingress, LBClassAnnotation) 62 if !exists { 63 return nil 64 } 65 return &val 66 } 67 68 // GetAnnotationServiceType returns the service type for the ingress if possible. 69 // Defaults to LoadBalancer 70 func GetAnnotationServiceType(ingress *networkingv1.Ingress) string { 71 val, exists := annotation.Get(ingress, ServiceTypeAnnotation, ServiceTypeAnnotationAlias) 72 if !exists { 73 return string(corev1.ServiceTypeLoadBalancer) 74 } 75 return val 76 } 77 78 // GetAnnotationServiceExternalTrafficPolicy returns the service externalTrafficPolicy for the ingress. 79 func GetAnnotationServiceExternalTrafficPolicy(ingress *networkingv1.Ingress) (string, error) { 80 val, exists := annotation.Get(ingress, ServiceExternalTrafficPolicyAnnotation) 81 if !exists { 82 return string(corev1.ServiceExternalTrafficPolicyCluster), nil 83 } 84 85 switch val { 86 case string(corev1.ServiceExternalTrafficPolicyCluster), string(corev1.ServiceExternalTrafficPolicyLocal): 87 return val, nil 88 default: 89 return string(corev1.ServiceExternalTrafficPolicyCluster), fmt.Errorf("invalid value for externalTrafficPolicy %q", val) 90 } 91 } 92 93 // GetAnnotationRequestTimeout retrieves the RequestTimeout annotation's value. 94 func GetAnnotationRequestTimeout(ingress *networkingv1.Ingress) (*time.Duration, error) { 95 val, exists := annotation.Get(ingress, RequestTimeoutAnnotation) 96 if !exists { 97 return nil, nil 98 } 99 100 d, err := time.ParseDuration(val) 101 if err != nil { 102 return nil, fmt.Errorf("failed to parse duration %q: %w", val, err) 103 } 104 105 return &d, nil 106 } 107 108 // GetAnnotationSecureNodePort returns the secure node port for the ingress if possible. 109 func GetAnnotationSecureNodePort(ingress *networkingv1.Ingress) (*uint32, error) { 110 val, exists := annotation.Get(ingress, SecureNodePortAnnotation, SecureNodePortAnnotationAlias) 111 if !exists { 112 return nil, nil 113 } 114 intVal, err := strconv.ParseInt(val, 10, 32) 115 if err != nil { 116 return nil, err 117 } 118 res := uint32(intVal) 119 return &res, nil 120 } 121 122 // GetAnnotationInsecureNodePort returns the insecure node port for the ingress if possible. 123 func GetAnnotationInsecureNodePort(ingress *networkingv1.Ingress) (*uint32, error) { 124 val, exists := annotation.Get(ingress, InsecureNodePortAnnotation, InsecureNodePortAnnotationAlias) 125 if !exists { 126 return nil, nil 127 } 128 intVal, err := strconv.ParseInt(val, 10, 32) 129 if err != nil { 130 return nil, err 131 } 132 res := uint32(intVal) 133 return &res, nil 134 } 135 136 // GetAnnotationHostListenerPort returns the host listener port for the ingress if possible. 137 func GetAnnotationHostListenerPort(ingress *networkingv1.Ingress) (*uint32, error) { 138 val, exists := annotation.Get(ingress, HostListenerPortAnnotation) 139 if !exists { 140 return nil, nil 141 } 142 intVal, err := strconv.ParseInt(val, 10, 32) 143 if err != nil { 144 return nil, err 145 } 146 res := uint32(intVal) 147 return &res, nil 148 } 149 150 func GetAnnotationTLSPassthroughEnabled(ingress *networkingv1.Ingress) bool { 151 val, exists := annotation.Get(ingress, TLSPassthroughAnnotation, TLSPassthroughAnnotationAlias) 152 if !exists { 153 return false 154 } 155 156 if val == enabled { 157 return true 158 } 159 160 boolVal, err := strconv.ParseBool(val) 161 if err != nil { 162 return false 163 } 164 165 return boolVal 166 } 167 168 // GetAnnotationEnforceHTTPSEnabled retrieves the EnforceHTTPS annotation's value. 169 // This uses a string rather than a bool because the empty string means "unset". 170 // In this case this matters because if the value is unset, it can be overridden 171 // by the global config option `--enforce-ingress-https`. 172 // 173 // If the annotation is set, will override the global config option in all cases. 174 // 175 // Note that `enabled`, `disabled` and `true` or `false` style values (as understood by 176 // strconv.ParseBool() ) will work. The annotation being present but set to any 177 // other value will result in returning the empty string (as in, the same as if 178 // unset). 179 // 180 // If the annotation is unset, this returns `nil`. 181 // 182 // The only valid values are: 183 // - &true - the annotation is present and set to a truthy value 184 // - &false - the annovation is present and set to a false value 185 // - nil - the annotatation is not present 186 func GetAnnotationForceHTTPSEnabled(ingress *networkingv1.Ingress) *bool { 187 val, exists := annotation.Get(ingress, ForceHTTPSAnnotation) 188 if !exists { 189 return nil 190 } 191 192 if val == enabled { 193 return model.AddressOf(true) 194 } 195 196 if val == disabled { 197 return model.AddressOf(false) 198 } 199 200 boolVal, err := strconv.ParseBool(val) 201 if err != nil { 202 return nil 203 } 204 205 if boolVal { 206 return model.AddressOf(true) 207 } 208 209 return model.AddressOf(false) 210 }