Support for Ambassador OSS as an Ingress (#6135)

Support for Ambassador OSS as an Ingress Controller when
settings `ingress_ambassador_enabled: true`.

Signed-off-by: Alvaro Saurin <alvaro.saurin@gmail.com>

docs/ansible.md

@@ -138,6 +138,7 @@ The following tags are defined in playbooks:
 |                   upload | Distributing images/binaries across hosts
 |                    weave | Network plugin Weave
 |              ingress_alb | AWS ALB Ingress Controller
+|              ambassador  | Ambassador Ingress Controller
 
 Note: Use the ``bash scripts/gen_tags.sh`` command to generate a list of all
 tags found in the codebase. New tags will be listed with the empty "Used for"

inventory/sample/group_vars/k8s-cluster/addons.yml

@@ -103,6 +103,11 @@ ingress_publish_status_address: ""
 # ingress_nginx_extra_args:
 #   - --default-ssl-certificate=default/foo-tls
 
+# ambassador ingress controller deployment
+ingress_ambassador_enabled: false
+# ingress_ambassador_namespace: "ambassador"
+# ingress_ambassador_version: "*"
+
 # ALB ingress controller deployment
 ingress_alb_enabled: false
 # alb_ingress_aws_region: "us-east-1"

roles/download/defaults/main.yml

@@ -482,6 +482,8 @@ local_path_provisioner_image_repo: "{{ docker_image_repo }}/rancher/local-path-p
 local_path_provisioner_image_tag: "v0.0.14"
 ingress_nginx_controller_image_repo: "{{ quay_image_repo }}/kubernetes-ingress-controller/nginx-ingress-controller"
 ingress_nginx_controller_image_tag: "0.32.0"
+ingress_ambassador_image_repo: "{{ quay_image_repo }}/datawire/ambassador-operator"
+ingress_ambassador_image_tag: "v1.2.8"
 alb_ingress_image_repo: "{{ docker_image_repo }}/amazon/aws-alb-ingress-controller"
 alb_ingress_image_tag: "v1.1.8"
 cert_manager_version: "v0.11.1"
@@ -980,6 +982,15 @@ downloads:
     groups:
     - kube-node
 
+  ingress_ambassador_controller:
+    enabled: "{{ ingress_ambassador_enabled }}"
+    container: true
+    repo: "{{ ingress_ambassador_image_repo }}"
+    tag: "{{ ingress_ambassador_image_tag }}"
+    sha256: "{{ ingress_ambassador_digest_checksum|default(None) }}"
+    groups:
+    - kube-node
+
   ingress_alb_controller:
     enabled: "{{ ingress_alb_enabled }}"
     container: true

roles/kubernetes-apps/ingress_controller/ambassador/README.md

@@ -0,0 +1,37 @@
+# Installation Guide
+
+- [Installation Guide](#installation-guide)
+  - [Ambassador](#ambassador)
+  - [Ambassador Operator](#ambassador-operator)
+  - [Configuration](#configuration)
+  - [Ingress annotations](#ingress-annotations)
+
+## Ambassador
+
+The Ambassador API Gateway provides all the functionality of a traditional ingress controller
+(e.g., path-based routing) while exposing many additional capabilities such as authentication,
+URL rewriting, CORS, rate limiting, and automatic metrics collection.
+
+## Ambassador Operator
+
+This addon deploys the Ambassador Operator, which in turn will install Ambassador in
+a kubespray cluster.
+
+The Ambassador Operator is a Kubernetes Operator that controls Ambassador's complete lifecycle
+in your cluster, automating many of the repeatable tasks you would otherwise have to perform
+yourself.  Once installed, the Operator will complete installations and seamlessly upgrade to new
+versions of Ambassador as they become available.
+
+## Configuration
+
+* `ingress_ambassador_namespace` (default `ambassador`): namespace for installing Ambassador.
+* `ingress_ambassador_update_window` (default `0 0 * * SUN`): _crontab_-like expression
+  for specifying when the Operator should try to update the Ambassador API Gateway.
+* `ingress_ambassador_version` (defaulkt: `*`): SemVer rule for versions allowed for
+  installation/updates.
+
+## Ingress annotations
+
+The Ambassador API Gateway will automatically load balance `Ingress` resources
+that include the annotation `kubernetes.io/ingress.class=ambassador`. All the other
+resources will be just ignored.

roles/kubernetes-apps/ingress_controller/ambassador/defaults/main.yml

@@ -0,0 +1,9 @@
+---
+ingress_ambassador_namespace: "ambassador"
+ingress_ambassador_version: "*"
+ingress_ambassador_update_window: "0 0 * * SUN"
+ingress_ambassador_replicas: 1
+ingress_ambassador_insecure_port: 80
+ingress_ambassador_secure_port: 443
+ingress_ambassador_extra_args: []
+ingress_ambassador_host_network: false

roles/kubernetes-apps/ingress_controller/ambassador/tasks/main.yml

@@ -0,0 +1,72 @@
+---
+
+- name: Ambassador | Create addon dir
+  file:
+    path: "{{ kube_config_dir }}/addons/ambassador"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: Ambassador | Templates list
+  set_fact:
+    ingress_ambassador_templates:
+      - { name: 00-namespace, file: 00-namespace.yml, type: ns }
+      - { name: crd-ambassador-installation, file: crd-ambassador-installation.yml, type: customresourcedefinition }
+      - { name: sa-ambassador, file: sa-ambassador.yml, type: sa }
+      - { name: clusterrole-ambassador, file: clusterrole-ambassador.yml, type: clusterrole }
+      - { name: clusterrolebinding-ambassador, file: clusterrolebinding-ambassador.yml, type: clusterrolebinding }
+      - { name: role-ambassador, file: role-ambassador.yml, type: role }
+      - { name: rolebinding-ambassador, file: rolebinding-ambassador.yml, type: rolebinding }
+      - { name: deploy-ambassador, file: deploy-ambassador.yml, type: deploy }
+
+- name: Ambassador | Create manifests
+  template:
+    src: "{{ item.file }}.j2"
+    dest: "{{ kube_config_dir }}/addons/ambassador/{{ item.file }}"
+  loop: "{{ ingress_ambassador_templates }}"
+  register: ingress_ambassador_manifests
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: Ambassador | Apply manifests
+  kube:
+    name: "{{ item.item.name }}"
+    namespace: "{{ ingress_ambassador_namespace }}"
+    kubectl: "{{ bin_dir }}/kubectl"
+    resource: "{{ item.item.type }}"
+    filename: "{{ kube_config_dir }}/addons/ambassador/{{ item.item.file }}"
+    state: "latest"
+  loop: "{{ ingress_ambassador_manifests.results }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+# load the AmbassadorInstallation _after_ the CustomResourceDefinition has been loaded
+
+- name: Ambassador | AmbassadorInstallation template
+  set_fact:
+    ingress_ambassador_cr_templates:
+      - { name: cr-ambassador-installation, file: cr-ambassador-installation.yml, type: cr }
+
+- name: Ambassador | Create installation manifests
+  template:
+    src: "{{ item.file }}.j2"
+    dest: "{{ kube_config_dir }}/addons/ambassador/{{ item.file }}"
+  loop: "{{ ingress_ambassador_cr_templates }}"
+  register: ingress_ambassador_cr_manifests
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+
+- name: Ambassador | Apply AmbassadorInstallation
+  kube:
+    name: "{{ item.item.name }}"
+    namespace: "{{ ingress_ambassador_namespace }}"
+    kubectl: "{{ bin_dir }}/kubectl"
+    resource: "{{ item.item.type }}"
+    filename: "{{ kube_config_dir }}/addons/ambassador/{{ item.item.file }}"
+    state: "latest"
+  loop: "{{ ingress_ambassador_cr_manifests.results }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]

roles/kubernetes-apps/ingress_controller/ambassador/templates/00-namespace.yml.j2

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ ingress_ambassador_namespace }}
+  labels:
+    name: {{ ingress_ambassador_namespace }}

roles/kubernetes-apps/ingress_controller/ambassador/templates/clusterrole-ambassador.yml.j2

@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ambassador-operator-cluster
+  labels:
+    app.kubernetes.io/name: ambassador-operator
+    app.kubernetes.io/part-of: ambassador-operator
+rules:
+  - apiGroups: ['*']
+    resources: ['*']
+    verbs: ['*']
+  - nonResourceURLs: ['*']
+    verbs: ['*']

roles/kubernetes-apps/ingress_controller/ambassador/templates/clusterrolebinding-ambassador.yml.j2

@@ -0,0 +1,16 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ambassador-operator-cluster
+  labels:
+    app.kubernetes.io/name: ambassador-operator
+    app.kubernetes.io/part-of: ambassador-operator
+subjects:
+  - kind: ServiceAccount
+    name: ambassador-operator
+    namespace: {{ ingress_ambassador_namespace }}
+roleRef:
+  kind: ClusterRole
+  name: ambassador-operator-cluster
+  apiGroup: rbac.authorization.k8s.io

roles/kubernetes-apps/ingress_controller/ambassador/templates/cr-ambassador-installation.yml.j2

@@ -0,0 +1,37 @@
+apiVersion: getambassador.io/v2
+kind: AmbassadorInstallation
+metadata:
+  name: ambassador
+  labels:
+    app.kubernetes.io/name: ambassador-operator
+    app.kubernetes.io/part-of: ambassador-operator
+spec:
+  installOSS: true
+{% if ingress_ambassador_update_window %}
+  updateWindow: "{{ ingress_ambassador_update_window }}"
+{% endif %}
+{% if ingress_ambassador_version %}
+  version: "{{ ingress_ambassador_version }}"
+{% endif %}
+  helmValues:
+    tolerations:
+      - key: "node-role.kubernetes.io/master"
+        operator: Equal
+        effect: NoSchedule
+    deploymentTool: amb-oper-kubespray
+{% if ingress_ambassador_host_network %}
+    hostNetwork: true
+{% endif %}
+    replicaCount: {{ ingress_ambassador_replicas }}
+    service:
+      ports:
+        - name: http
+          port: 80
+          hostPort: {{ ingress_ambassador_insecure_port }}
+          targetPort: 8080
+          protocol: TCP
+        - name: https
+          port: 443
+          hostPort: {{ ingress_ambassador_secure_port }}
+          targetPort: 8443
+          protocol: TCP