adds tls reconciler

[OliverMKing]

Description

Adds a tls reconciler that adds the TLS portion to Ingresses that have the keyvault tls cert managed by us. We reconcile the Ingress object to point to the managed secret that contains the cert pulled from keyvault if the Ingress contains a specific annotation.

To use this feature, users will need to add the kubernetes.azure.com/tls-cert-keyvault-managed: true annotation to their Ingress.

Essentially, the reconcile logic is as follows:

• Do nothing if the Ingress' IngressClass is not an App Routing IngressClass
• Do nothing if the Ingress doesn't contain the kubernetes.azure.com/tls-cert-keyvault-managed: true annotation
• If the Ingress has the kubernetes.azure.com/tls-cert-keyvault-managed: true annotation but doesn't contain the kubernetes.azure.com/tls-cert-keyvault-uri: <uri> annotation then we push an Event to the Ingress informing them that we can't manage TLS without that.
• If the Ingress contains both required annotations we always set the TLS section of the Ingress to point to the App Routing managed Secret. We also update the TLS hosts to exactly match the hosts section of the rules part of the Ingress spec. We do this regardless of if the TLS section was empty before. This is a truly "managed" experience. If we chose not to reconcile if the TLS section was non-empty then we wouldn't be able to handle the case of a user adding a new Rule and hostname to the spec of the Ingress.

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

unit

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

[coveralls]

Pull Request Test Coverage Report for Build 8391179182

Details

• 49 of 78 (62.82%) changed or added relevant lines in 3 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage decreased (-0.4%) to 79.45%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
pkg/controller/controller.go	0	4	0.0%
pkg/controller/keyvault/ingress_tls.go	44	69	63.77%

Totals
Change from base Build 8391177511:	-0.4%
Covered Lines:	2656
Relevant Lines:	3343

---

💛 - Coveralls

[OliverMKing]

/ok-to-test sha=8177500

[sabbour]

Approving the logic. Looks good, thank you.

[OliverMKing]

/ok-to-test sha=b886254

[OliverMKing]

/ok-to-test sha=0f31414

[OliverMKing]

/ok-to-test sha=cec8cd3

[OliverMKing]

/ok-to-test sha=acfd433

[aamgayle]

LGTM

[OliverMKing]

/ok-to-test sha=28adffb

[davidgamero]

in the description,

If the Ingress contains both required Ingresses

this is referring to annotations right?

[OliverMKing]

in the description,

If the Ingress contains both required Ingresses

this is referring to annotations right?

yes

[davidgamero]

lgtm