feat(openbaocluster): add ingress integration readiness (#409)

Signed-off-by: Roel de Cort <roel.decort@adfinis.com>

Author: dc-tec

api/v1alpha1/openbaocluster_types.go

@@ -73,6 +73,9 @@ const (
 	// the referenced Gateway and GatewayClass integration contract for the chosen
 	// Gateway API mode.
 	ConditionGatewayIntegrationReady ConditionType = "GatewayIntegrationReady"
+	// ConditionIngressIntegrationReady indicates whether the operator can verify
+	// the managed Ingress integration contract for the chosen ingress mode.
+	ConditionIngressIntegrationReady ConditionType = "IngressIntegrationReady"
 	// ConditionAPIServerNetworkReady indicates whether the operator can validate
 	// the Kubernetes API egress contract used by the operator-managed NetworkPolicy.
 	// Unknown means the common service-VIP path is configured, but some CNIs may
@@ -352,6 +355,34 @@ type ReadReplicaConfig struct {
 	Storage *ReadReplicaStorageConfig `json:"storage,omitempty"`
 }
 
+// IngressPathType identifies how a Kubernetes Ingress path should match requests.
+// +kubebuilder:validation:Enum=Prefix;Exact;ImplementationSpecific
+type IngressPathType string
+
+const (
+	// IngressPathTypePrefix uses prefix path matching.
+	IngressPathTypePrefix IngressPathType = "Prefix"
+	// IngressPathTypeExact uses exact path matching.
+	IngressPathTypeExact IngressPathType = "Exact"
+	// IngressPathTypeImplementationSpecific defers path matching to the controller.
+	IngressPathTypeImplementationSpecific IngressPathType = "ImplementationSpecific"
+)
+
+// IngressReadinessMode identifies how the operator decides whether ingress
+// integration is ready for endpoint publication.
+// +kubebuilder:validation:Enum=Created;LoadBalancerPublished
+type IngressReadinessMode string
+
+const (
+	// IngressReadinessModeCreated considers ingress integration ready once the
+	// managed Ingress object exists.
+	IngressReadinessModeCreated IngressReadinessMode = "Created"
+	// IngressReadinessModeLoadBalancerPublished considers ingress integration
+	// ready only after the managed Ingress reports a published load balancer
+	// address in status.
+	IngressReadinessModeLoadBalancerPublished IngressReadinessMode = "LoadBalancerPublished"
+)
+
 // IngressConfig controls optional HTTP(S) ingress in front of the OpenBao Service.
 type IngressConfig struct {
 	// Enabled controls whether the Operator manages an Ingress for external access.
@@ -366,12 +397,21 @@ type IngressConfig struct {
 	// Path is the HTTP path to route to OpenBao, defaulting to "/".
 	// +optional
 	Path string `json:"path,omitempty"`
+	// PathType identifies how the ingress controller should interpret Path.
+	// +kubebuilder:default=Prefix
+	// +optional
+	PathType IngressPathType `json:"pathType,omitempty"`
 	// TLSSecretName is an optional TLS Secret name; when empty the cluster TLS Secret is used.
 	// +optional
 	TLSSecretName string `json:"tlsSecretName,omitempty"`
 	// Annotations are additional annotations to apply to the Ingress.
 	// +optional
 	Annotations map[string]string `json:"annotations,omitempty"`
+	// ReadinessMode identifies when the operator should consider ingress
+	// integration ready for endpoint publication.
+	// +kubebuilder:default=LoadBalancerPublished
+	// +optional
+	ReadinessMode IngressReadinessMode `json:"readinessMode,omitempty"`
 }
 
 // MaintenanceConfig defines supported maintenance operations.

charts/openbao-operator/crds/openbao.org_openbaoclusters.yaml

@@ -860,6 +860,24 @@ spec:
                     description: Path is the HTTP path to route to OpenBao, defaulting
                       to "/".
                     type: string
+                  pathType:
+                    default: Prefix
+                    description: PathType identifies how the ingress controller should
+                      interpret Path.
+                    enum:
+                    - Prefix
+                    - Exact
+                    - ImplementationSpecific
+                    type: string
+                  readinessMode:
+                    default: LoadBalancerPublished
+                    description: |-
+                      ReadinessMode identifies when the operator should consider ingress
+                      integration ready for endpoint publication.
+                    enum:
+                    - Created
+                    - LoadBalancerPublished
+                    type: string
                   tlsSecretName:
                     description: TLSSecretName is an optional TLS Secret name; when
                       empty the cluster TLS Secret is used.

config/crd/bases/openbao.org_openbaoclusters.yaml

@@ -859,6 +859,24 @@ spec:
                     description: Path is the HTTP path to route to OpenBao, defaulting
                       to "/".
                     type: string
+                  pathType:
+                    default: Prefix
+                    description: PathType identifies how the ingress controller should
+                      interpret Path.
+                    enum:
+                    - Prefix
+                    - Exact
+                    - ImplementationSpecific
+                    type: string
+                  readinessMode:
+                    default: LoadBalancerPublished
+                    description: |-
+                      ReadinessMode identifies when the operator should consider ingress
+                      integration ready for endpoint publication.
+                    enum:
+                    - Created
+                    - LoadBalancerPublished
+                    type: string
                   tlsSecretName:
                     description: TLSSecretName is an optional TLS Secret name; when
                       empty the cluster TLS Secret is used.

docs/reference/api.md

@@ -687,8 +687,48 @@ _Appears in:_
 | `className` _string_ | ClassName is an optional IngressClassName (for example, "nginx", "traefik"). |  | Optional: \{\} <br /> |
 | `host` _string_ | Host is the primary host for external access, for example "bao.example.com". |  | MinLength: 1 <br /> |
 | `path` _string_ | Path is the HTTP path to route to OpenBao, defaulting to "/". |  | Optional: \{\} <br /> |
+| `pathType` _[IngressPathType](#ingresspathtype)_ | PathType identifies how the ingress controller should interpret Path. | Prefix | Enum: [Prefix Exact ImplementationSpecific] <br />Optional: \{\} <br /> |
 | `tlsSecretName` _string_ | TLSSecretName is an optional TLS Secret name; when empty the cluster TLS Secret is used. |  | Optional: \{\} <br /> |
 | `annotations` _object (keys:string, values:string)_ | Annotations are additional annotations to apply to the Ingress. |  | Optional: \{\} <br /> |
+| `readinessMode` _[IngressReadinessMode](#ingressreadinessmode)_ | ReadinessMode identifies when the operator should consider ingress<br />integration ready for endpoint publication. | LoadBalancerPublished | Enum: [Created LoadBalancerPublished] <br />Optional: \{\} <br /> |
+
+
+#### IngressPathType
+
+_Underlying type:_ _string_
+
+IngressPathType identifies how a Kubernetes Ingress path should match requests.
+
+_Validation:_
+- Enum: [Prefix Exact ImplementationSpecific]
+
+_Appears in:_
+- [IngressConfig](#ingressconfig)
+
+| Field | Description |
+| --- | --- |
+| `Prefix` | IngressPathTypePrefix uses prefix path matching.<br /> |
+| `Exact` | IngressPathTypeExact uses exact path matching.<br /> |
+| `ImplementationSpecific` | IngressPathTypeImplementationSpecific defers path matching to the controller.<br /> |
+
+
+#### IngressReadinessMode
+
+_Underlying type:_ _string_
+
+IngressReadinessMode identifies how the operator decides whether ingress
+integration is ready for endpoint publication.
+
+_Validation:_
+- Enum: [Created LoadBalancerPublished]
+
+_Appears in:_
+- [IngressConfig](#ingressconfig)
+
+| Field | Description |
+| --- | --- |
+| `Created` | IngressReadinessModeCreated considers ingress integration ready once the<br />managed Ingress object exists.<br /> |
+| `LoadBalancerPublished` | IngressReadinessModeLoadBalancerPublished considers ingress integration<br />ready only after the managed Ingress reports a published load balancer<br />address in status.<br /> |
 
 
 #### InitContainerConfig

internal/app/openbaocluster/ingress_integration.go

@@ -0,0 +1,89 @@
+package openbaocluster
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	openbaov1alpha1 "github.com/dc-tec/openbao-operator/api/v1alpha1"
+	"github.com/dc-tec/openbao-operator/internal/platform/constants"
+	networkingmanager "github.com/dc-tec/openbao-operator/internal/service/networking"
+)
+
+// IngressIntegrationDependencies groups infrastructure readers required to
+// evaluate the operator-owned ingress integration contract.
+type IngressIntegrationDependencies struct {
+	Client            client.Client
+	APIReader         client.Reader
+	Scheme            *runtime.Scheme
+	OperatorNamespace string
+	Platform          string
+}
+
+// IngressIntegrationResult is the controller-facing evaluation result for the
+// operator-managed ingress contract.
+type IngressIntegrationResult struct {
+	Status  metav1.ConditionStatus
+	Reason  string
+	Message string
+}
+
+// EvaluateIngressIntegration validates the operator-managed ingress
+// prerequisites and controller support for the selected ingress mode.
+func EvaluateIngressIntegration(
+	ctx context.Context,
+	deps IngressIntegrationDependencies,
+	cluster *openbaov1alpha1.OpenBaoCluster,
+) IngressIntegrationResult {
+	manager := networkingmanager.NewManagerWithReader(
+		deps.Client,
+		deps.APIReader,
+		deps.Scheme,
+		deps.OperatorNamespace,
+		deps.Platform,
+	)
+	err := manager.ValidateIngressIntegration(ctx, cluster)
+
+	switch {
+	case err == nil:
+		return IngressIntegrationResult{
+			Status:  metav1.ConditionTrue,
+			Reason:  constants.ReasonIngressIntegrationReady,
+			Message: "Ingress integration prerequisites are satisfied",
+		}
+	case errors.Is(err, networkingmanager.ErrIngressClassMissing):
+		return IngressIntegrationResult{
+			Status:  metav1.ConditionFalse,
+			Reason:  constants.ReasonIngressClassMissing,
+			Message: err.Error(),
+		}
+	case errors.Is(err, networkingmanager.ErrIngressObjectMissing):
+		return IngressIntegrationResult{
+			Status:  metav1.ConditionUnknown,
+			Reason:  constants.ReasonIngressObjectPending,
+			Message: err.Error(),
+		}
+	case errors.Is(err, networkingmanager.ErrIngressLoadBalancerPending):
+		return IngressIntegrationResult{
+			Status:  metav1.ConditionUnknown,
+			Reason:  constants.ReasonIngressLoadBalancerPending,
+			Message: err.Error(),
+		}
+	case errors.Is(err, networkingmanager.ErrIngressCapabilitiesUnknown):
+		return IngressIntegrationResult{
+			Status:  metav1.ConditionUnknown,
+			Reason:  constants.ReasonIngressCapabilitiesUnknown,
+			Message: err.Error(),
+		}
+	default:
+		return IngressIntegrationResult{
+			Status:  metav1.ConditionUnknown,
+			Reason:  constants.ReasonUnknown,
+			Message: fmt.Sprintf("Failed to evaluate ingress integration prerequisites: %v", err),
+		}
+	}
+}

internal/controller/openbaocluster/constants.go

@@ -48,6 +48,7 @@ const (
 	ReasonACMEIntegrationReady                   = constants.ReasonACMEIntegrationReady
 	ReasonACMECacheReady                         = "ACMECacheReady"
 	ReasonGatewayIntegrationReady                = constants.ReasonGatewayIntegrationReady
+	ReasonIngressIntegrationReady                = constants.ReasonIngressIntegrationReady
 	ReasonAPIServerNetworkReady                  = constants.ReasonAPIServerNetworkReady
 	ReasonAPIServerEndpointIPsRecommended        = constants.ReasonAPIServerEndpointIPsRecommended
 	ReasonGatewayReferenceMissing                = constants.ReasonGatewayReferenceMissing
@@ -60,6 +61,10 @@ const (
 	ReasonGatewayNotProgrammed                   = constants.ReasonGatewayNotProgrammed
 	ReasonGatewayProgrammingPending              = constants.ReasonGatewayProgrammingPending
 	ReasonGatewayListenerIncompatible            = constants.ReasonGatewayListenerIncompatible
+	ReasonIngressClassMissing                    = constants.ReasonIngressClassMissing
+	ReasonIngressCapabilitiesUnknown             = constants.ReasonIngressCapabilitiesUnknown
+	ReasonIngressObjectPending                   = constants.ReasonIngressObjectPending
+	ReasonIngressLoadBalancerPending             = constants.ReasonIngressLoadBalancerPending
 	ReasonACMECacheNotConfigured                 = "ACMECacheNotConfigured"
 	ReasonACMECacheMissing                       = "ACMECacheMissing"
 	ReasonACMECachePending                       = "ACMECachePending"

internal/controller/openbaocluster/dependencies.go

@@ -92,6 +92,16 @@ func (r *OpenBaoClusterReconciler) gatewayIntegrationDependencies() appopenbaocl
 	}
 }
 
+func (r *OpenBaoClusterReconciler) ingressIntegrationDependencies() appopenbaocluster.IngressIntegrationDependencies {
+	return appopenbaocluster.IngressIntegrationDependencies{
+		Client:            r.Client,
+		APIReader:         r.APIReader,
+		Scheme:            r.ControllerRuntime.Scheme,
+		OperatorNamespace: r.OperatorNamespace,
+		Platform:          r.Platform,
+	}
+}
+
 func (r *OpenBaoClusterReconciler) apiServerNetworkDependencies() appopenbaocluster.APIServerNetworkDependencies {
 	return appopenbaocluster.APIServerNetworkDependencies{
 		Client:            r.Client,

internal/controller/openbaocluster/status.go

@@ -34,6 +34,7 @@ func (r *OpenBaoClusterReconciler) updateStatus(ctx context.Context, logger logr
 	r.setACMEIntegrationReadyCondition(ctx, cluster)
 	r.setACMECacheReadyCondition(ctx, cluster)
 	r.setGatewayIntegrationReadyCondition(ctx, cluster)
+	r.setIngressIntegrationReadyCondition(ctx, cluster)
 	r.setBackupConfigurationReadyCondition(ctx, cluster)
 	r.setCloudUnsealIdentityReadyCondition(ctx, cluster)
 

internal/controller/openbaocluster/status_condition_contract.go

@@ -67,6 +67,17 @@ var gatewayIntegrationReadyConditionContract = newConditionContract(
 	conditionContractEntry{reason: reasonUnknown, status: metav1.ConditionUnknown},
 )
 
+var ingressIntegrationReadyConditionContract = newConditionContract(
+	conditionContractEntry{reason: ReasonIngressIntegrationReady, status: metav1.ConditionTrue},
+	conditionContractEntry{reason: ReasonIngressClassMissing, status: metav1.ConditionFalse},
+	conditionContractEntry{reason: ReasonIngressCapabilitiesUnknown, status: metav1.ConditionUnknown},
+	conditionContractEntry{reason: ReasonIngressObjectPending, status: metav1.ConditionUnknown},
+	conditionContractEntry{reason: ReasonIngressLoadBalancerPending, status: metav1.ConditionUnknown},
+	conditionContractEntry{reason: reasonPaused, status: metav1.ConditionUnknown},
+	conditionContractEntry{reason: ReasonProfileNotSet, status: metav1.ConditionUnknown},
+	conditionContractEntry{reason: reasonUnknown, status: metav1.ConditionUnknown},
+)
+
 var apiServerNetworkReadyConditionContract = newConditionContract(
 	conditionContractEntry{reason: ReasonAPIServerNetworkReady, status: metav1.ConditionTrue},
 	conditionContractEntry{reason: ReasonAPIServerEndpointIPsRecommended, status: metav1.ConditionUnknown},
@@ -235,6 +246,19 @@ func setGatewayIntegrationReadyEvaluatedCondition(
 	)
 }
 
+func setIngressIntegrationReadyEvaluatedCondition(
+	cluster *openbaov1alpha1.OpenBaoCluster,
+	result appopenbaocluster.IngressIntegrationResult,
+) {
+	applyConditionContract(
+		&cluster.Status.Conditions,
+		openbaov1alpha1.ConditionIngressIntegrationReady,
+		cluster.Generation,
+		statusConditionResult{Status: result.Status, Reason: result.Reason, Message: result.Message},
+		ingressIntegrationReadyConditionContract,
+	)
+}
+
 func setAPIServerNetworkReadyEvaluatedCondition(
 	cluster *openbaov1alpha1.OpenBaoCluster,
 	result appopenbaocluster.APIServerNetworkResult,