Support namespaced upstream service reference in VirtualServer (#8453)

* support namespaced upstream service
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* add example and fix comments
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* update readme
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

* handle exception
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

* Remove the commented-out code

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

* typo

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

* update docs
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

* update readme to add reminder about -watch-namespace flag
Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>

---------

Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Venktesh Shivam Patel <ve.patel@f5.com>
Co-authored-by: AlexFenlon <a.fenlon@f5.com>

Author: 5 people

config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml

@@ -1095,12 +1095,13 @@ spec:
                         ConfigMap key.
                       type: string
                     service:
-                      description: The name of a service. The service must belong
-                        to the same namespace as the resource. If the service doesn’t
-                        exist, NGINX will assume the service has zero endpoints and
-                        return a 502 response for requests for this upstream. For
-                        NGINX Plus only, services of type ExternalName are also supported
-                        .
+                      description: The name of a service. If the Service belongs to
+                        a different namespace than the VirtualServer or VirtualServerRoute,
+                        you need to include the namespace. For example, tea-namespace/tea.
+                        If the service doesn’t exist, NGINX will assume the service
+                        has zero endpoints and return a 502 response for requests
+                        for this upstream. For NGINX Plus only, services of type ExternalName
+                        are also supported in the same namespace.
                       type: string
                     sessionCookie:
                       description: The SessionCookie field configures session persistence

config/crd/bases/k8s.nginx.org_virtualservers.yaml

@@ -1284,12 +1284,13 @@ spec:
                         ConfigMap key.
                       type: string
                     service:
-                      description: The name of a service. The service must belong
-                        to the same namespace as the resource. If the service doesn’t
-                        exist, NGINX will assume the service has zero endpoints and
-                        return a 502 response for requests for this upstream. For
-                        NGINX Plus only, services of type ExternalName are also supported
-                        .
+                      description: The name of a service. If the Service belongs to
+                        a different namespace than the VirtualServer or VirtualServerRoute,
+                        you need to include the namespace. For example, tea-namespace/tea.
+                        If the service doesn’t exist, NGINX will assume the service
+                        has zero endpoints and return a 502 response for requests
+                        for this upstream. For NGINX Plus only, services of type ExternalName
+                        are also supported in the same namespace.
                       type: string
                     sessionCookie:
                       description: The SessionCookie field configures session persistence

deploy/crds.yaml

@@ -2133,12 +2133,13 @@ spec:
                         ConfigMap key.
                       type: string
                     service:
-                      description: The name of a service. The service must belong
-                        to the same namespace as the resource. If the service doesn’t
-                        exist, NGINX will assume the service has zero endpoints and
-                        return a 502 response for requests for this upstream. For
-                        NGINX Plus only, services of type ExternalName are also supported
-                        .
+                      description: The name of a service. If the Service belongs to
+                        a different namespace than the VirtualServer or VirtualServerRoute,
+                        you need to include the namespace. For example, tea-namespace/tea.
+                        If the service doesn’t exist, NGINX will assume the service
+                        has zero endpoints and return a 502 response for requests
+                        for this upstream. For NGINX Plus only, services of type ExternalName
+                        are also supported in the same namespace.
                       type: string
                     sessionCookie:
                       description: The SessionCookie field configures session persistence
@@ -3551,12 +3552,13 @@ spec:
                         ConfigMap key.
                       type: string
                     service:
-                      description: The name of a service. The service must belong
-                        to the same namespace as the resource. If the service doesn’t
-                        exist, NGINX will assume the service has zero endpoints and
-                        return a 502 response for requests for this upstream. For
-                        NGINX Plus only, services of type ExternalName are also supported
-                        .
+                      description: The name of a service. If the Service belongs to
+                        a different namespace than the VirtualServer or VirtualServerRoute,
+                        you need to include the namespace. For example, tea-namespace/tea.
+                        If the service doesn’t exist, NGINX will assume the service
+                        has zero endpoints and return a 502 response for requests
+                        for this upstream. For NGINX Plus only, services of type ExternalName
+                        are also supported in the same namespace.
                       type: string
                     sessionCookie:
                       description: The SessionCookie field configures session persistence

docs/crd/k8s.nginx.org_virtualserverroutes.md

@@ -209,7 +209,7 @@ The `.spec` object supports the following fields:
 | `upstreams[].queue.timeout` | `string` | The timeout of the queue. A request cannot be queued for a period longer than the timeout. The default is 60s. |
 | `upstreams[].read-timeout` | `string` | The timeout for reading a response from an upstream server. The default is specified in the proxy-read-timeout ConfigMap key. |
 | `upstreams[].send-timeout` | `string` | The timeout for transmitting a request to an upstream server. The default is specified in the proxy-send-timeout ConfigMap key. |
-| `upstreams[].service` | `string` | The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported . |
+| `upstreams[].service` | `string` | The name of a service. If the Service belongs to a different namespace than the VirtualServer or VirtualServerRoute, you need to include the namespace. For example, tea-namespace/tea. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported in the same namespace. |
 | `upstreams[].sessionCookie` | `object` | The SessionCookie field configures session persistence which allows requests from the same client to be passed to the same upstream server. The information about the designated upstream server is passed in a session cookie generated by NGINX Plus. |
 | `upstreams[].sessionCookie.domain` | `string` | The domain for which the cookie is set. |
 | `upstreams[].sessionCookie.enable` | `boolean` | Enables session persistence with a session cookie for an upstream server. The default is false. |

docs/crd/k8s.nginx.org_virtualservers.md

@@ -244,7 +244,7 @@ The `.spec` object supports the following fields:
 | `upstreams[].queue.timeout` | `string` | The timeout of the queue. A request cannot be queued for a period longer than the timeout. The default is 60s. |
 | `upstreams[].read-timeout` | `string` | The timeout for reading a response from an upstream server. The default is specified in the proxy-read-timeout ConfigMap key. |
 | `upstreams[].send-timeout` | `string` | The timeout for transmitting a request to an upstream server. The default is specified in the proxy-send-timeout ConfigMap key. |
-| `upstreams[].service` | `string` | The name of a service. The service must belong to the same namespace as the resource. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported . |
+| `upstreams[].service` | `string` | The name of a service. If the Service belongs to a different namespace than the VirtualServer or VirtualServerRoute, you need to include the namespace. For example, tea-namespace/tea. If the service doesn’t exist, NGINX will assume the service has zero endpoints and return a 502 response for requests for this upstream. For NGINX Plus only, services of type ExternalName are also supported in the same namespace. |
 | `upstreams[].sessionCookie` | `object` | The SessionCookie field configures session persistence which allows requests from the same client to be passed to the same upstream server. The information about the designated upstream server is passed in a session cookie generated by NGINX Plus. |
 | `upstreams[].sessionCookie.domain` | `string` | The domain for which the cookie is set. |
 | `upstreams[].sessionCookie.enable` | `boolean` | Enables session persistence with a session cookie for an upstream server. The default is false. |

examples/custom-resources/foreign-namespace-upstreams/README.md

@@ -0,0 +1,109 @@
+# Upstreams in foreign namespaces
+
+In this example we use the [VirtualServer and
+VirtualServerRoute](https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/)
+resources to configure load balancing for the modified cafe application from the [Basic
+Configuration](../basic-configuration/) example. We have put the load balancing configuration as well as the deployments
+and services into multiple namespaces. Instead of one namespace, we now use three: `tea`, `coffee`, and `cafe`.
+
+- In the tea namespace, we create the tea deployment and service.
+- In the coffee namespace, we create the coffee deployment and service.
+- In the cafe namespace, we create the cafe secret with the TLS certificate and key and the load-balancing configuration
+  for the cafe application. That configuration references the coffee and tea configurations.
+
+**Note:** When using upstreams in foreign namespaces, ensure that the NGINX Ingress Controller is configured to watch all the relevant namespaces. If you are using the `-watch-namespace` flag, make sure to include all namespaces that contain services referenced by your VirtualServer resources (in this case: `tea`, `coffee`, and `cafe`).
+
+## Prerequisites
+
+1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/)
+   instructions to deploy the Ingress Controller with custom resources enabled.
+1. Save the public IP address of the Ingress Controller into a shell variable:
+
+    ```console
+    IC_IP=XXX.YYY.ZZZ.III
+    ```
+
+1. Save the HTTPS port of the Ingress Controller into a shell variable:
+
+    ```console
+    IC_HTTPS_PORT=<port number>
+    ```
+
+## Step 1 - Create Namespaces
+
+Create the required tea, coffee, and cafe namespaces:
+
+```console
+kubectl create -f namespaces.yaml
+```
+
+## Step 2 - Deploy the Cafe Application
+
+1. Create the tea deployment and service in the tea namespace:
+
+    ```console
+    kubectl create -f tea.yaml
+    ```
+
+1. Create the coffee deployment and service in the coffee namespace:
+
+    ```console
+    kubectl create -f coffee.yaml
+    ```
+
+## Step 3 - Configure Load Balancing and TLS Termination
+
+1. Create the secret with the TLS certificate and key in the cafe namespace:
+
+    ```console
+    kubectl create -f cafe-secret.yaml
+    ```
+
+1. Create the VirtualServer resource for the cafe app in the cafe namespace:
+
+    ```console
+    kubectl create -f cafe-virtual-server.yaml
+    ```
+
+## Step 4 - Test the Configuration
+
+1. Check that the configuration has been successfully applied by inspecting the events of the VirtualServer:
+
+    ```console
+    kubectl describe virtualserver cafe -n cafe
+    ```
+
+    ```text
+    . . .
+    Events:
+      Type    Reason          Age   From                      Message
+      ----    ------          ----  ----                      -------
+      Normal  AddedOrUpdated  1m    nginx-ingress-controller  Configuration for cafe/cafe was added or updated
+    ```
+
+1. Access the application using curl. We'll use curl's `--insecure` option to turn off certificate verification of our
+   self-signed certificate and `--resolve` option to set the IP address and HTTPS port of the Ingress Controller to the
+   domain name of the cafe application:
+
+    To get coffee:
+
+    ```console
+    curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure
+    ```
+
+    ```text
+    Server address: 10.16.1.193:80
+    Server name: coffee-7dbb5795f6-mltpf
+    ...
+    ```
+
+    If you prefer tea:
+
+    ```console
+    curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/tea --insecure
+    ```
+
+    ```text
+    Server address: 10.16.0.157:80
+    Server name: tea-7d57856c44-674b8
+    ...

examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml

@@ -0,0 +1 @@
+../../common-secrets/cafe-secret-cafe-ns.example.com.yaml

examples/custom-resources/foreign-namespace-upstreams/cafe-virtual-server.yaml

@@ -0,0 +1,23 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+  name: cafe
+  namespace: cafe
+spec:
+  host: cafe.example.com
+  tls:
+    secret: cafe-secret
+  routes:
+  - path: /coffee
+    action:
+      pass: coffee
+  - path: /tea
+    action:
+      pass: tea
+  upstreams:
+  - name: coffee
+    service: coffee/coffee-svc
+    port: 80
+  - name: tea
+    service: tea/tea-svc
+    port: 80

examples/custom-resources/foreign-namespace-upstreams/coffee.yaml

@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coffee
+  namespace: coffee
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: coffee
+  template:
+    metadata:
+      labels:
+        app: coffee
+    spec:
+      containers:
+      - name: coffee
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coffee-svc
+  namespace: coffee
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: coffee
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coffee
+  namespace: coffee2
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: coffee
+  template:
+    metadata:
+      labels:
+        app: coffee
+    spec:
+      containers:
+      - name: coffee
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coffee-svc
+  namespace: coffee2
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: coffee

examples/custom-resources/foreign-namespace-upstreams/namespaces.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cafe
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tea
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: coffee