From 1e2a83c6b488a0eef2874846f1d1f48c8d508824 Mon Sep 17 00:00:00 2001
From: Luis Garnica Guilarte
Date: Tue, 16 Jun 2020 17:04:04 +0200
Subject: [PATCH] [stable/nginx-ingress] Add support for an internal load balancer along with an external one (#22758)
* [stable/nginx-ingress] Add support for an internal load balancer along with an external one
Signed-off-by: Luis Garnica Guilarte
* [stable/nginx-ingress] Add support for an internal load balancer along with an external one
Signed-off-by: Luis Garnica Guilarte
---
 stable/nginx-ingress/Chart.yaml | 2 +-
 stable/nginx-ingress/README.md | 43 ++++++++++++++++++
 .../ci/daemonset-internal-lb-values.yaml | 7 +++
 .../ci/deployment-internal-lb-values.yaml | 6 +++
 .../controller-service-internal.yaml | 45 +++++++++++++++++++
 stable/nginx-ingress/values.yaml | 6 +++
 6 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 stable/nginx-ingress/ci/daemonset-internal-lb-values.yaml
 create mode 100644 stable/nginx-ingress/ci/deployment-internal-lb-values.yaml
 create mode 100644 stable/nginx-ingress/templates/controller-service-internal.yaml
diff --git a/stable/nginx-ingress/Chart.yaml b/stable/nginx-ingress/Chart.yaml
index cb7a44cdf9e4..094b14adda81 100644
--- a/stable/nginx-ingress/Chart.yaml
+++ b/stable/nginx-ingress/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: nginx-ingress
-version: 1.39.1
+version: 1.40.0
 appVersion: 0.32.0
 home: https://github.com/kubernetes/ingress-nginx
 description: An nginx Ingress controller that uses ConfigMap to store the nginx configuration.
diff --git a/stable/nginx-ingress/README.md b/stable/nginx-ingress/README.md
index 0879e208e13d..10405b478493 100644
--- a/stable/nginx-ingress/README.md
+++ b/stable/nginx-ingress/README.md
@@ -120,6 +120,8 @@ Parameter | Description | Default
 `controller.service.nodePorts.https` | If `controller.service.type` is either `NodePort` or `LoadBalancer` and this is non-empty, it sets the nodePort that maps to the Ingress' port 443 | `""`
 `controller.service.nodePorts.tcp` | Sets the nodePort for an entry referenced by its key from `tcp` | `{}`
 `controller.service.nodePorts.udp` | Sets the nodePort for an entry referenced by its key from `udp` | `{}`
+`controller.service.internal.enabled` | Enables an (additional) internal load balancer | false
+`controller.service.internal.annotations` | Annotations for configuring the additional internal load balancer | `{}`
 `controller.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 10
 `controller.livenessProbe.periodSeconds` | How often to perform the probe | 10
 `controller.livenessProbe.timeoutSeconds` | When the probe times out | 5
@@ -346,6 +348,47 @@ controller: domainName: "kubernetes-example.com" ``` +## Additional internal load balancer + +This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application. + +By default, the ingress object will point to the external load balancer address, but if correctly configured, you can make use of the internal one if the URL you are looking up resolves to the internal load balancer's URL. + +You'll need to set both the following values: + +`controller.service.internal.enabled` +`controller.service.internal.annotations` + +If one of them is missing the internal load balancer will not be deployed. Example you may have `controller.service.internal.enabled=true` but no annotations set, in this case no action will be taken. + +`controller.service.internal.annotations` varies with the cloud service you're using. + +Example for AWS +``` +controller: + service: + internal: + enabled: true + annotations: + # Create internal ELB + service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0 + # Any other annotation can be declared here. +``` + +Example for GCE +``` +controller: + service: + internal: + enabled: true + annotations: + # Create internal LB + cloud.google.com/load-balancer-type: "Internal" + # Any other annotation can be declared here. +``` + +An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. + ## Ingress Admission Webhooks With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. 
diff --git a/stable/nginx-ingress/ci/daemonset-internal-lb-values.yaml b/stable/nginx-ingress/ci/daemonset-internal-lb-values.yaml
new file mode 100644
index 000000000000..58ef116a9044
--- /dev/null
+++ b/stable/nginx-ingress/ci/daemonset-internal-lb-values.yaml
@@ -0,0 +1,7 @@
+controller:
+ kind: DaemonSet
+ service:
+ internal:
+ enabled: true
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
diff --git a/stable/nginx-ingress/ci/deployment-internal-lb-values.yaml b/stable/nginx-ingress/ci/deployment-internal-lb-values.yaml
new file mode 100644
index 000000000000..342910f7d949
--- /dev/null
+++ b/stable/nginx-ingress/ci/deployment-internal-lb-values.yaml
@@ -0,0 +1,6 @@
+controller:
+ service:
+ internal:
+ enabled: true
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
diff --git a/stable/nginx-ingress/templates/controller-service-internal.yaml b/stable/nginx-ingress/templates/controller-service-internal.yaml
new file mode 100644
index 000000000000..04cb171c1eda
--- /dev/null
+++ b/stable/nginx-ingress/templates/controller-service-internal.yaml
@@ -0,0 +1,45 @@
+{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations}}
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ {{- range $key, $value := .Values.controller.service.internal.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ labels:
+{{- if .Values.controller.service.labels }}
+{{ toYaml .Values.controller.service.labels | indent 4 }}
+{{- end }}
+ app: {{ template "nginx-ingress.name" . }}
+ chart: {{ template "nginx-ingress.chart" . }}
+ component: "{{ .Values.controller.name }}"
+ heritage: {{ .Release.Service }}
+ release: {{ template "nginx-ingress.releaseLabel" . }}
+ name: {{ template "nginx-ingress.controller.fullname" . }}-internal
+spec:
+ ports:
+ {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }}
+ {{- if .Values.controller.service.enableHttp }}
+ - name: http
+ port: {{ .Values.controller.service.ports.http }}
+ protocol: TCP
+ targetPort: {{ .Values.controller.service.targetPorts.http }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }}
+ nodePort: {{ .Values.controller.service.nodePorts.http }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.controller.service.enableHttps }}
+ - name: https
+ port: {{ .Values.controller.service.ports.https }}
+ protocol: TCP
+ targetPort: {{ .Values.controller.service.targetPorts.https }}
+ {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }}
+ nodePort: {{ .Values.controller.service.nodePorts.https }}
+ {{- end }}
+ {{- end }}
+ selector:
+ app: {{ template "nginx-ingress.name" . }}
+ release: {{ template "nginx-ingress.releaseLabel" . }}
+ app.kubernetes.io/component: controller
+ type: "{{ .Values.controller.service.type }}"
+{{- end }}
diff --git a/stable/nginx-ingress/values.yaml b/stable/nginx-ingress/values.yaml
index 13c51c29c6d7..0b146f1d0b37 100644
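Review bot: The internal Service copies `nodePort: {{ .Values.controller.service.nodePorts.http }}` (and the https counterpart) from the external service, so whenever `controller.service.nodePorts.http` or `.https` is set both Services request the same node port; node ports are allocated cluster-wide, so the second Service is rejected by the API server as already allocated and the internal load balancer never appears. The simplest fix is to drop the two `nodePort:` blocks together with the `$setNodePorts` helper from this template and let the internal Service take auto-allocated node ports, or, if fixed ports are needed, introduce separate `controller.service.internal.nodePorts.*` values. The same copying applies to `type: "{{ .Values.controller.service.type }}"`: with `controller.service.type: NodePort` this renders a second NodePort Service rather than the internal load balancer the README describes, which is worth either stating in values.yaml or pinning to `LoadBalancer`. If the external service template exposes `loadBalancerSourceRanges` or `externalTrafficPolicy`, the internal Service should accept the same fields so that source-CIDR restrictions and client-IP preservation can be applied to the internal endpoint as well.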
--- a/stable/nginx-ingress/values.yaml
+++ b/stable/nginx-ingress/values.yaml
@@ -294,6 +294,12 @@ controller:
 tcp: {}
 udp: {}
+ ## Enables an additional internal load balancer (besides the external one).
+ ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service.
+ internal:
+ enabled: false
+ annotations: {}
+
 extraContainers: []
 ## Additional containers to be added to the controller pod.
 ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example.
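Review bot: The comment above `internal:` says annotations are "mandatory for the load balancer to come up", but the template condition in controller-service-internal.yaml means the internal Service is not rendered at all when `annotations` is empty, so `enabled: true` alone silently does nothing; the comment should say so to spare users a confusing debugging session. Suggested wording: `## The internal Service is only rendered when enabled is true AND annotations is non-empty.` followed by `## The annotation that marks a load balancer as internal depends on the cloud provider; see README.`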