Add AWS ALB Ingress Controller (#5489)

* Add AWS ALB Ingress Controller Ansible role

* remove trailing spaces

* update owners

* ALB ingress: update rbac clusterrole and remove role

* Move alb-ingress role to roles/kubernetes-apps/ingress_controller folder

docs/ansible.md

@@ -137,6 +137,7 @@ The following tags are defined in playbooks:
 |                  upgrade | Upgrading, f.e. container images/binaries
 |                   upload | Distributing images/binaries across hosts
 |                    weave | Network plugin Weave
+|              ingress_alb | AWS ALB Ingress Controller
 
 Note: Use the ``bash scripts/gen_tags.sh`` command to generate a list of all
 tags found in the codebase. New tags will be listed with the empty "Used for"

inventory/sample/group_vars/k8s-cluster/addons.yml

@@ -101,6 +101,15 @@ ingress_publish_status_address: ""
 # ingress_nginx_extra_args:
 #   - --default-ssl-certificate=default/foo-tls
 
+# ALB ingress controller deployment
+ingress_alb_enabled: false
+# alb_ingress_aws_region: "us-east-1"
+# alb_ingress_restrict_scheme: "false"
+# alb_ingress_log_level: "WARN"
+# Enables logging on all outbound requests sent to the AWS API.
+# If logging is desired, set to true.
+# alb_ingress_aws_debug: "false"
+
 # Cert manager deployment
 cert_manager_enabled: false
 # cert_manager_namespace: "cert-manager"

roles/download/defaults/main.yml

@@ -485,6 +485,8 @@ local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-p
 local_path_provisioner_image_tag: "v0.0.2"
 ingress_nginx_controller_image_repo: "{{ quay_image_repo }}/kubernetes-ingress-controller/nginx-ingress-controller"
 ingress_nginx_controller_image_tag: "0.28.0"
+alb_ingress_image_repo: "docker.io/amazon/aws-alb-ingress-controller"
+alb_ingress_image_tag: "v1.1.4"
 cert_manager_version: "v0.11.0"
 cert_manager_controller_image_repo: "{{ quay_image_repo }}/jetstack/cert-manager-controller"
 cert_manager_controller_image_tag: "{{ cert_manager_version }}"
@@ -991,6 +993,15 @@ downloads:
     groups:
       - kube-node
 
+  ingress_alb_controller:
+    enabled: "{{ ingress_alb_enabled }}"
+    container: true
+    repo: "{{ alb_ingress_image_repo }}"
+    tag: "{{ alb_ingress_image_tag }}"
+    sha256: "{{ ingress_alb_controller_digest_checksum|default(None) }}"
+    groups:
+      - kube-node
+
   cert_manager_controller:
     enabled: "{{ cert_manager_enabled }}"
     container: true

roles/kubernetes-apps/ingress_controller/alb_ingress_controller/OWNERS

@@ -0,0 +1,6 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - kubespray-approvers
+reviewers:
+  - kubespray-reviewers

roles/kubernetes-apps/ingress_controller/alb_ingress_controller/README.md

@@ -0,0 +1,42 @@
+# AWS ALB Ingress Controller
+
+**NOTE:** The current image version is `v1.1.4`. Please file any issues you find and note the version used.
+
+The AWS ALB Ingress Controller satisfies Kubernetes [ingress resources](https://kubernetes.io/docs/user-guide/ingress) by provisioning [Application Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html).
+
+This project was originated by [Ticketmaster](https://github.com/ticketmaster) and [CoreOS](https://github.com/coreos) as part of Ticketmaster's move to AWS and CoreOS Tectonic. Learn more about Ticketmaster's Kubernetes initiative from Justin Dean's video at [Tectonic Summit](https://www.youtube.com/watch?v=wqXVKneP0Hg).
+
+This project was donated to Kubernetes SIG-AWS to allow AWS, CoreOS, Ticketmaster and other SIG-AWS contributors to officially maintain the project. SIG-AWS reached this consensus on June 1, 2018.
+
+## Documentation
+
+Checkout our [Live Docs](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/)!
+
+## Getting started
+
+To get started with the controller, see our [walkthrough](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/walkthrough/echoserver/).
+
+## Setup
+- See [controller setup](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/controller/setup/) on how to install ALB ingress controller
+- See [external-dns setup](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/external-dns/setup/) for how to setup the external-dns to manage route 53 records.
+
+## Building
+
+For details on building this project, see our [building guide](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/BUILDING/).
+
+## Community, discussion, contribution, and support
+
+Learn how to engage with the Kubernetes community on the [community page](http://kubernetes.io/community/).
+
+You can reach the maintainers of this project at:
+
+- [Slack channel](https://kubernetes.slack.com/messages/sig-aws)
+- [Mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-aws)
+
+### Code of conduct
+
+Participation in the Kubernetes community is governed by the [Kubernetes Code of Conduct](code-of-conduct.md).
+
+## License
+
+[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fcoreos%2Falb-ingress-controller.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fcoreos%2Falb-ingress-controller?ref=badge_large)

roles/kubernetes-apps/ingress_controller/alb_ingress_controller/defaults/main.yml

@@ -0,0 +1,9 @@
+---
+alb_ingress_controller_namespace: kube-system
+alb_ingress_aws_region: "us-east-1"
+
+# Enables logging on all outbound requests sent to the AWS API.
+# If logging is desired, set to true.
+alb_ingress_aws_debug: "false"
+
+alb_ingress_log_level: "WARN"

roles/kubernetes-apps/ingress_controller/alb_ingress_controller/tasks/main.yml

@@ -0,0 +1,35 @@
+---
+
+- name: ALB Ingress Controller | Create addon dir
+  file:
+    path: "{{ kube_config_dir }}/addons/alb_ingress"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: ALB Ingress Controller | Create manifests
+  template:
+    src: "{{ item.file }}.j2"
+    dest: "{{ kube_config_dir }}/addons/alb_ingress/{{ item.file }}"
+  with_items:
+    - { name: alb-ingress-clusterrole, file: alb-ingress-clusterrole.yml, type: clusterrole }
+    - { name: alb-ingress-clusterrolebinding, file: alb-ingress-clusterrolebinding.yml, type: clusterrolebinding }
+    - { name: alb-ingress-ns, file: alb-ingress-ns.yml, type: ns }
+    - { name: alb-ingress-sa, file: alb-ingress-sa.yml, type: sa }
+    - { name: alb-ingress-deploy, file: alb-ingress-deploy.yml, type: deploy }
+  register: alb_ingress_manifests
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: ALB Ingress Controller | Apply manifests
+  kube:
+    name: "{{ item.item.name }}"
+    namespace: "{{ alb_ingress_controller_namespace }}"
+    kubectl: "{{ bin_dir }}/kubectl"
+    resource: "{{ item.item.type }}"
+    filename: "{{ kube_config_dir }}/addons/alb_ingress/{{ item.item.file }}"
+    state: "latest"
+  with_items: "{{ alb_ingress_manifests.results }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]

roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrole.yml.j2

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: alb-ingress
+  namespace: {{ alb_ingress_controller_namespace }}
+rules:
+  - apiGroups: ["", "extensions"]
+    resources: ["configmaps", "endpoints", "nodes", "pods", "secrets", "events", "ingresses", "ingresses/status", "services"]
+    verbs: ["list", "create", "get", "update", "watch", "patch"]
+  - apiGroups: ["", "extensions"]
+    resources: ["nodes", "pods", "secrets", "services", "namespaces"]
+    verbs: ["get", "list", "watch"]

roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-clusterrolebinding.yml.j2

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: alb-ingress
+  namespace: {{ alb_ingress_controller_namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: alb-ingress
+    namespace: {{ alb_ingress_controller_namespace }}
+roleRef:
+  kind: ClusterRole
+  name: alb-ingress
+  apiGroup: rbac.authorization.k8s.io

roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-deploy.yml.j2

@@ -0,0 +1,74 @@
+# Application Load Balancer (ALB) Ingress Controller Deployment Manifest.
+# This manifest details sensible defaults for deploying an ALB Ingress Controller.
+# GitHub: https://github.com/coreos/alb-ingress-controller
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: alb-ingress-controller
+  labels:
+    k8s-app: alb-ingress-controller
+  # Namespace the ALB Ingress Controller should run in. Does not impact which
+  # namespaces it's able to resolve ingress resource for. For limiting ingress
+  # namespace scope, see --watch-namespace.
+  namespace: {{ alb_ingress_controller_namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      k8s-app: alb-ingress-controller
+  strategy:
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        k8s-app: alb-ingress-controller
+    spec:
+      containers:
+      - args:
+        # Limit the namespace where this ALB Ingress Controller deployment will
+        # resolve ingress resources. If left commented, all namespaces are used.
+        #- --watch-namespace=your-k8s-namespace
+        
+        # Setting the ingress-class flag below will ensure that only ingress resources with the
+        # annotation kubernetes.io/ingress.class: "alb" are respected by the controller. You may
+        # choose any class you'd like for this controller to respect.
+        - --ingress-class=alb
+        # Name of your cluster. Used when naming resources created
+        # by the ALB Ingress Controller, providing distinction between
+        # clusters.
+        - --cluster-name={{ cluster_name }}
+        
+        # Enables logging on all outbound requests sent to the AWS API.
+        # If logging is desired, set to true.
+        # - ---aws-api-debug
+{% if alb_ingress_aws_debug %}
+        - --aws-api-debug
+{% endif %}
+        # Maximum number of times to retry the aws calls.
+        # defaults to 10.
+        # - --aws-max-retries=10
+
+        # AWS region this ingress controller will operate in.
+        # If unspecified, it will be discovered from ec2metadata.
+        # List of regions: http://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region
+{% if alb_ingress_aws_region is defined %}
+        - --aws-region={{ alb_ingress_aws_region }}
+{% endif %}
+
+        image: "{{ alb_ingress_image_repo }}:{{ alb_ingress_image_tag }}"
+        imagePullPolicy: {{ k8s_image_pull_policy }}
+        name: server
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+{% if rbac_enabled %}
+      serviceAccountName: alb-ingress
+{% endif %}

roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-ns.yml.j2

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ alb_ingress_controller_namespace }}
+  labels:
+    name: {{ alb_ingress_controller_namespace }}

roles/kubernetes-apps/ingress_controller/alb_ingress_controller/templates/alb-ingress-sa.yml.j2

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: alb-ingress
+  namespace: {{ alb_ingress_controller_namespace }}

roles/kubernetes-apps/ingress_controller/meta/main.yml

@@ -13,3 +13,9 @@ dependencies:
       - apps
       - cert-manager
       - ingress-controller
+
+  - role: kubernetes-apps/ingress_controller/alb_ingress_controller
+    when: ingress_alb_enabled
+    tags:
+      - apps
+      - ingress_alb

roles/kubespray-defaults/defaults/main.yaml

@@ -308,6 +308,7 @@ persistent_volumes_enabled: false
 cephfs_provisioner_enabled: false
 rbd_provisioner_enabled: false
 ingress_nginx_enabled: false
+ingress_alb_enabled: false
 cert_manager_enabled: false
 expand_persistent_volumes: false