Populating AWS Alb Ingress Annotations from ConfigMap

梦想与她 submitted on 2020-12-15 00:44:13

Question


I am creating an 'alb.ingress' resource as part of my Helm chart.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: $cert_arn
    alb.ingress.kubernetes.io/security-groups: $sg
    ...

The values required in the 'alb.ingress' resource annotation sections are available in my ConfigMap.

 env:
   - name: cert_arn
     valueFrom: 
       configMapKeyRef: 
         name: environmental-variables
         key: certification_arn
   - name: sg
     valueFrom: 
       configMapKeyRef: 
         name: environmental-variables
         key: security-groups
    ...

Is there a way to populate the annotations using the config-map?


Answer 1:


The way I solved this challenge was to create the ingress resource using Helm and the variables I had prior to creating the resource, such as name of the application, namespaces etc.

# Ingress rendered by Helm from values known at install time (no ALB annotations yet)
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "{{ .Values.application.name }}-ingress"
  namespace: "{{ .Values.env.name }}"
  labels:
    app: "{{ .Values.application.name }}"
spec:
  rules:
    - host: "{{ .Values.environment.name }}.{{ .Values.application.name }}.{{ .Values.domain.name }}"
      http:
        ....

I used a pod (a job is also an option) to annotate the newly created ingress resource using the environmental values from the configmap.

# Pod that annotates the Ingress created above with values read from the ConfigMap
apiVersion: v1
kind: Pod
metadata:
  name: annotate-ingress-alb
spec:
  serviceAccountName: internal-kubectl
  containers:
    - name: modify-alb-ingress-controller
      image: "{{ .Values.images.varion }}"
      command: ["sh", "-c"]
      args:
        - '...
           kubectl annotate ingress -n {{ .Values.env.name }} {{ .Values.application.name }}-ingress alb.ingress.kubernetes.io/certificate-arn=$CERT_ARN;'
      env:
        # Name must match $CERT_ARN in the command; shell variables are case-sensitive
        - name: CERT_ARN
          valueFrom:
            configMapKeyRef:
              name: environmental-variables
              key: certification_arn

Note that the pod should have the right service account with the right permission roles attached to it. For instance, in this case for the pod to be able to annotate the ALB, it had to have the extensions apiGroup and the ingress resources in the list of permissions (I have not restricted the verbiage yet).

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: service-account-role
rules:
  - apiGroups:
      - ""
      - extensions
    resources:
      - ingresses
    verbs: ["*"]

Hope this helps someone in the future.
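
The answer leaves the Role at verbs ["*"]. The following is an added example, not part of the original answer, showing the same Role narrowed to what `kubectl annotate` needs on the one Ingress the chart creates, together with the ServiceAccount and RoleBinding that attach it to the pod. The RoleBinding name is hypothetical; the other names reuse the values shown in the answer.

```yaml
# Added example: least-privilege RBAC for the annotate pod.
# Helm values and the service account / role names come from the answer above.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: internal-kubectl
  namespace: "{{ .Values.env.name }}"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: service-account-role
  namespace: "{{ .Values.env.name }}"
rules:
  - apiGroups:
      - extensions          # API group of the Ingress in the answer
      - networking.k8s.io   # group that serves Ingress on newer clusters
    resources:
      - ingresses
    # Restrict access to the single Ingress created by this chart
    resourceNames:
      - "{{ .Values.application.name }}-ingress"
    # kubectl annotate reads the object, then patches it
    verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: annotate-ingress-alb-binding   # hypothetical name
  namespace: "{{ .Values.env.name }}"
subjects:
  - kind: ServiceAccount
    name: internal-kubectl
    namespace: "{{ .Values.env.name }}"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: service-account-role
```

After installing, `kubectl auth can-i patch ingress/<ingress-name> -n <namespace> --as=system:serviceaccount:<namespace>:internal-kubectl` should answer yes, and the same check with `delete` should answer no.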



Source: https://stackoverflow.com/questions/65211284/populating-aws-alb-ingress-annotations-from-configmap
