We have several options for configuring ingress objects in Kubernetes. We can namespace the ingress objects and allow users to manage them via the API (mostly via the webservice command), or maintain the config in a daemon under our control.
Open question: how do we prevent the tool2 maintainer from adding this config?
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: tool2-ingress
  namespace: tool2
spec:
  rules:
  - host: tool1.toolsbeta.wmflabs.org  # <---- wrong!
    http:
      paths:
      - backend:
          serviceName: tool2-svc
          servicePort: 8081
```
It seems we have 3 options:
- a daemon detecting which tools are online and generating the ingress config automagically. The webservice command does not generate the ingress config. Management of ingress objects in the API is forbidden for end users.
- a custom admission controller to enforce correct ingress config, and have the webservice command generate it. The API allows users to manage ingress objects, because we are enforcing a valid config in the API.
- some mixed thing using a CRD.
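The host check that the admission controller in the second option would have to perform, as an added example (not code from this page or from the project). It assumes the policy that a namespace may only claim the host `<namespace>.<domain>`; `validateIngress`, `admissionReview` and the sample request are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Only the AdmissionReview fields this check needs (v1beta1 Ingress payload).
type admissionReview struct {
	Request struct {
		Namespace string `json:"namespace"`
		Object    struct {
			Spec struct {
				Rules []struct{ Host string `json:"host"` } `json:"rules"`
			} `json:"spec"`
		} `json:"object"`
	} `json:"request"`
}

// validateIngress allows the object only if every rule's host is "<namespace>.<domain>" (assumed policy).
func validateIngress(review []byte, domain string) (bool, string) {
	var ar admissionReview
	if err := json.Unmarshal(review, &ar); err != nil {
		return false, "cannot parse AdmissionReview: " + err.Error()
	}
	ns, rules := ar.Request.Namespace, ar.Request.Object.Spec.Rules
	if ns == "" || len(rules) == 0 {
		return false, "missing namespace or rules (a rule-less ingress is a catch-all)"
	}
	want := ns + "." + domain
	for i, r := range rules {
		// An empty host matches every hostname, so it fails this comparison too.
		if strings.ToLower(r.Host) != want {
			return false, fmt.Sprintf("rule %d: host %q not allowed in namespace %q, want %q", i, r.Host, ns, want)
		}
	}
	return true, ""
}

// Constructed sample: the request the API server would send for the tool2 object above.
const sampleReview = `{"request":{"namespace":"tool2","object":{"spec":{"rules":[{"host":"%s"}]}}}}`

func main() {
	for _, host := range []string{"tool1.toolsbeta.wmflabs.org", "tool2.toolsbeta.wmflabs.org", ""} {
		ok, why := validateIngress([]byte(fmt.Sprintf(sampleReview, host)), "toolsbeta.wmflabs.org")
		fmt.Printf("host=%q allowed=%v %s\n", host, ok, why)
	}
}
```

The check covers `spec.rules[].host` only; `spec.tls[].hosts` and the backend service name would need the same namespace binding before users are allowed to manage ingress objects through the API.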