{"id":19102686,"url":"https://github.com/kayrus/ingress-terraform","last_synced_at":"2025-04-30T16:27:51.452Z","repository":{"id":64304165,"uuid":"212450199","full_name":"kayrus/ingress-terraform","owner":"kayrus","description":"A Kubernetes ingress controller, which allows to manage LBaaS resources using the Terraform","archived":false,"fork":false,"pushed_at":"2019-12-05T17:23:28.000Z","size":151,"stargazers_count":11,"open_issues_count":3,"forks_count":4,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-19T06:57:04.648Z","etag":null,"topics":["cloud","ingress","ingress-controller","kubernetes","lbaas","neutron","octavia","openstack","terraform","terraform-templates"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kayrus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-10-02T22:07:08.000Z","updated_at":"2023-07-07T09:09:03.000Z","dependencies_parsed_at":"2023-01-15T10:15:26.947Z","dependency_job_id":null,"html_url":"https://github.com/kayrus/ingress-terraform","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kayrus%2Fingress-terraform","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kayrus%2Fingress-terraform/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kayrus%2Fingress-terraform/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kayrus%2Fingress-terraform/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/owners/kayrus","download_url":"https://codeload.github.com/kayrus/ingress-terraform/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251741662,"owners_count":21636295,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud","ingress","ingress-controller","kubernetes","lbaas","neutron","octavia","openstack","terraform","terraform-templates"],"created_at":"2024-11-09T03:56:46.948Z","updated_at":"2025-04-30T16:27:51.183Z","avatar_url":"https://github.com/kayrus.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"## ingress-terraform\n\nA Kubernetes ingress controller that manages LBaaS resources using Terraform.\n\n## Overview\n\nThe project is still in early alpha. There can be significant code and behavior changes.\n\nSince the LBaaS resources are not part of the Kubernetes cluster, regular services cannot be accessed. Therefore, if you want to expose the service for the loadbalancer, you have to expose it as a [node port](https://kubernetes.io/docs/concepts/services-networking/service/#nodeport).\n\nConfig [examples](/examples).\n\n## Why\n\nLoadbalancers can be created within the Kubernetes Cloud Providers, but their configuration is not flexible. 
Moreover, ingress-terraform allows creating one loadbalancer for multiple services.\n\n## Supported clouds\n\n* OpenStack ([Barbican](https://wiki.openstack.org/wiki/Barbican) is required for the `TERMINATED_HTTPS` support)\n\n## Features\n\n* TLS certificates (`TERMINATED_HTTPS`)\n* TCP listeners\n* UDP listeners (experimental, available only for Octavia API)\n* PROXY protocol pool members (experimental, available only for Octavia API)\n* Templated terraform script\n\n## Comparison with a regular ingress controller\n\nOn the left side is a regular ingress controller, which resides inside the Kubernetes cluster.\n\nOn the right side is a Terraform ingress controller. It doesn't receive the ingress traffic, but only manages the loadbalancer. If the Terraform ingress controller is down, the loadbalancer will still work.\n\nEach Kubernetes ingress resource represents a loadbalancer.\n\n![ingress-controllers-comparison](ingress-controllers-comparison.png)\n\n## Configuration\n\nThe following OpenStack auth options are supported:\n\n* `auth-url`: The URL of the keystone API used to authenticate. On\n  OpenStack control panels, this can be found at Access and Security \u003e API\n  Access \u003e Credentials.\n* `password`: Refers to the password of a valid user set in keystone.\n* `username`: Refers to the username of a valid user set in keystone.\n* `domain-id`: Used to specify the ID of the domain your user belongs\n  to.\n* `domain-name`: Used to specify the name of the domain your user\n  belongs to.\n* `region`: Used to specify the identifier of the region to use when\n  running on a multi-region OpenStack cloud. A region is a general division of\n  an OpenStack deployment. Although a region does not have a strict geographical\n  connotation, a deployment can use a geographical name for a region identifier\n  such as `us-east`. 
Available regions are found under the `/v3/regions`\n  endpoint of the Keystone API.\n* `project-id`: Used to specify the ID of the project where you want\n  to create your resources.\n* `project-name`: Used to specify the name of the project where you\n  want to create your resources.\n* `project-domain-id`: Used to specify the ID of the domain your project belongs\n  to.\n* `project-domain-name`: Used to specify the name of the domain your project\n  belongs to.\n* `user-domain-id`: Used to specify the ID of the domain your user belongs to.\n* `user-domain-name`: Used to specify the name of the domain your user belongs\n  to.\n* `application-credential-id`: The ID of an application credential to\n  authenticate with. An `application-credential-secret` has to be set along\n  with this parameter.\n* `application-credential-name`: The name of an application credential to\n  authenticate with.\n* `application-credential-secret`: The secret of an application credential to\n  authenticate with.\n\nExample auth config:\n\n```yaml\nkind: ConfigMap\napiVersion: v1\nmetadata:\n  name: terraform-ingress-controller-config\ndata:\n  config: |\n    cluster-name: terraform-ingress-cluster\n    openstack:\n      auth-url: %os_auth_url%\n      username: %os_username%\n      password: %os_password%\n      project-id: %os_project_id%\n      domain-id: %os_domain_id%\n      user-domain-id: %os_domain_id%\n    terraform:\n      subnet-id: 058d9dce-7a62-4d8c-ac82-6b217d697e81\n      floating-network-id: 8f408a7c-4d03-4355-81c1-07713fa0caec\n      floating-subnet-id: 9206c010-882f-4059-914e-f25b33139c40\n      manage-security-groups: true\n      create-monitor: true\n      monitor-delay: \"5\"\n      monitor-timeout: \"3\"\n      monitor-max-retries: 3\n```\n\n### Supported annotations\n\nWhen you specify a configmap name, make sure it exists within the same namespace as an ingress 
resource.\n\n|Name|Type|Default|Description|\n|-|-|-|-|\n|terraform.ingress.kubernetes.io/internal|true\\|false|false|whether to assign a floating IP to the loadbalancer or not|\n|terraform.ingress.kubernetes.io/tcp-configmap|string|N/A|a config map name with a TCP service ports map|\n|terraform.ingress.kubernetes.io/udp-configmap|string|N/A|a config map name with a UDP service ports map (supported only in Octavia API)|\n|terraform.ingress.kubernetes.io/template|string|N/A|a config map name with a custom terraform script template|\n|terraform.ingress.kubernetes.io/skip-http-listener|true\\|false|false|whether to skip the HTTP (80 TCP port) listener creation|\n|terraform.ingress.kubernetes.io/use-octavia|true\\|false|false|whether Terraform provider should use Octavia API instead of Neutron LBaaS v2|\n|terraform.ingress.kubernetes.io/lb-method|string|`ROUND_ROBIN`|a load balancer method, can be `ROUND_ROBIN`, `LEAST_CONNECTIONS` or `SOURCE_IP`|\n|terraform.ingress.kubernetes.io/proxy-protocol|true\\|false|false|whether to use PROXY protocol for pool members (supported only in Octavia API)|\n|terraform.ingress.kubernetes.io/lock-timeout|string|0s|specifies the [`-lock-timeout`](https://www.terraform.io/docs/commands/apply.html#lock-timeout-0s) Terraform CLI argument|\n|kubernetes.io/ingress.class|string|N/A|must have the `terraform` value to be processed by the Terraform Ingress Controller|\n\n## Getting started\n\n* Clone the repo\n* Change the current dir to `examples`\n* Modify the config file\n\n```sh\n$ kubectl -n kube-system apply -f config.yaml\n$ kubectl -n kube-system apply -f serviceaccount.yaml\n$ kubectl -n kube-system apply -f deployment.yaml\n```\n\nExpose the HTTP service as a node port and deploy the ingress resource:\n\n```sh\n$ kubectl run --image=nginx nginx --port=80\n$ kubectl expose deployment nginx --type=NodePort --target-port=80\n$ kubectl apply -f test-terraform-ingress.yaml\n```\n\nRead ingress controller logs:\n\n```sh\n$ kubectl -n 
kube-system logs -f -l k8s-app=terraform-ingress-controller\n```\n\n### Expose UDP\n\nFor example, for the coredns deployment:\n\n```sh\n$ kubectl -n kube-system expose deployment coredns --type=NodePort --port=53 --protocol=UDP --target-port=53\n```\n\nThe configmap should look like:\n\n```yaml\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: ingress-udp-services\ndata:\n  53: \"coredns:53\"\n```\n\nThe ingress resource annotation should look like:\n\n```yaml\nterraform.ingress.kubernetes.io/udp-configmap: ingress-udp-services\n```\n\n## TODO\n\n* Handle signals, e.g. wait for terraform to finish when the ingress controller receives the exit signal\n* Add finalizer to the ingress resource\n* Retry on error\n* Add intermediate CA support (so far they can be concatenated into the certificate)\n* Output terraform script diff\n* Prepend logging loadbalancer UID\n* Put openstack secrets into the secret and watch for its modification\n* Add terraform execution time measurements\n* Add additional annotations into ingress to pass custom resources into the template\n* Remove OpenStack-only requirement\n* Add more watchers and update loadbalancers on tls/node/secret/configmap change events\n* Add parallel workers\n* Add tests\n* Proper logging\n\n## Credits\n\nThe current project is based on the [octavia-ingress-controller](https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/using-octavia-ingress-controller.md) code.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkayrus%2Fingress-terraform","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkayrus%2Fingress-terraform","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkayrus%2Fingress-terraform/lists"}