charm-k8s-ingress

Merge ~cbelu/charm-k8s-ingress:multiple-relations into charm-k8s-ingress:master

Proposed by Claudiu Belu on 2022-02-10

Status:

Merged

Approved by:

Tom Haddon on 2022-02-15

Approved revision:

59f1ca1b4dec1a3fc7cb659b554800ae15b943d3

Merged at revision:

59f1ca1b4dec1a3fc7cb659b554800ae15b943d3

Proposed branch:

~cbelu/charm-k8s-ingress:multiple-relations

Merge into:

charm-k8s-ingress:master

Diff against target:

1544 lines (+888/-131)

4 files modified

lib/charms/nginx_ingress_integrator/v0/ingress.py (+4/-4)
metadata.yaml (+0/-1)
src/charm.py (+328/-67)
tests/unit/test_charm.py (+556/-59)

Medium

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Tom Haddon		2022-02-10	Approve on 2022-02-15
Review via email: mp+415394@code.launchpad.net

Commit message

Refactors charm for adding multiple relations support

Updates IngressBrokenEvent to be based on RelationEvent, and include the relation in the event data, which will help us determine which relation has been broken.

Separates the config / relation data into the _ConfigOrRelation object, which receives the config and a relation in its constructor. This will allow us to get necessary data from a specific relation (which is overriden by the config options).

Adds multiple ingress relations support

Removes the 1 limit from metadata.yaml

Currently, the Ingress Name is based on the service-name. However, that name can be a bit inconsistent when it comes to having multiple relations. Changes the Ingress Name used to app.name-ingress.

The nginx/nginx-ingress Controller typically used in EKS doesn't handle multiple Kubernetes Ingress Resources having the same hostname in the same way as the k8s.gcr.io/ingress-nginx/controller:v1.1.0 Controller used in microk8s. The former doesn't handle them at all, unless you specify certain
annotations, and an additional Kubernetes Ingress Resource [1]. But both Controllers can handle one Kubernetes Ingress Resource containing multiple hosts / routes.

This charm will now group all the Ingress rules by the required hostnames from all the relations (with config option overrides) and create Kubernetes Ingress Resources per required hostname. When a relation is broken, its ingress-related data will be removed from the Ingress Resources. If no relation will require a particular Ingress Resource anymore, it will be removed.

Adds unit tests to validate the cases in which multiple relations are being used.

Adds TLS information for each additional-hostname defined (each new hostname has its own Kubernetes Ingress Resource). Previously, TLS was being set only for the given service hostname, and not any additional-hostnames given.

On multiple relations, if we're required to have different annotations on the same Ingress Resource (same hostname), we cannot satisfy that request. In this case, we enter BlockedStatus.

On multiple relations, if there are multiple matching route paths on the same hostname, we enter BlockedStatus.

On multiple relations, we should use the service-name, service-port, and route-paths from the relation data fist, instead of reading them from the config options first. This will prevent us from having Service name conflicts and route path conflicts.

If there is only one relation, the config option will still override the relation data (to maintain backwards compatibility).

Adds unit tests to verify this behaviour.

[1] https://github.com/nginxinc/kubernetes-ingress/tree/master/examples/mergeable-ingress-types

Revision history for this message

🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote on 2022-02-10:

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Revision history for this message

Tom Haddon (mthaddon) wrote on 2022-02-11:

Thanks very much for working on this!

Have added some comments/questions inline. I haven't reviewed the tests yet, but can do that in a later pass.

Revision history for this message

Jon Seager (jnsgruk) on 2022-02-11:

Revision history for this message

Claudiu Belu (cbelu) on 2022-02-11:

Revision history for this message

Claudiu Belu (cbelu) on 2022-02-11:

Revision history for this message

Jon Seager (jnsgruk) wrote on 2022-02-11:

Latest commit LGTM!

Revision history for this message

Claudiu Belu (cbelu) wrote on 2022-02-14:

Added TLS information for each additional-hostname defined (each new hostname has its own Kubernetes Ingress Resource). Previously, TLS was being set only for the given service hostname, and not any additional-hostnames given.

Revision history for this message

Tom Haddon (mthaddon) wrote on 2022-02-14:

I have a general question about how this will be used, which came out of noticing that if we have annotations that don't match you're logging an error here.

Do we expect that this will be used to generate multiple ingresses for multiple entirely separate hostnames in a model (i.e. not just alternate hostnames on one ingress definition), or more likely it will be used to generate an ingress for multiple applications that should respond on the same hostname within a model? Also, are we expecting that this will be used to combine applications under the same that have been designed to work together, or that it might be used to combine applications that have no knowledge of each other under the same hostname?

The reason I ask is that it seems to me that if we consider it an error that we have annotations that don't match, I think it might be better to put the nginx-ingress-integrator charm into a blocked state with a message in juju status saying something like "incompatible annotations found, please set manually via juju config". This would then allow the user to see that there may be some unforeseen side effects of relating certain applications to this charm and lets them resolve that issue.

The other thing to note here is if we are allowing multiple entirely separate ingress objects pointing to different backend applications, the current approach of having the option to override relation settings via configuration is going to potentially be very confusing. We would end up having to apply these options to all defined ingresses, which may not be what's wanted, or needed. For example, how would you override the service-hostname, which I'd expect you'd always want to be able to do in a production deployment?

One option to resolve this would be to decide to only allow one ingress definition that could be serving content for multiple applications under one hostname, and if applications are related to this charm that would cause it to generate multiple ingress definitions we put the charm into blocked state and show an error in juju status saying that this should only be used to generate one ingress definition.

I hope I'm explaining this clearly, let me know what you think.

I have a general question about how this will be used, which came out of noticing that if we have annotations that don't match you're logging an error here.

I hope I'm explaining this clearly, let me know what you think.

Revision history for this message

Claudiu Belu (cbelu) wrote on 2022-02-14:

The original intent for this was to serve multiple applications under the same hostname. These applications are related to each other, and require each other. Having them under different hostnames would raise some XSS-related issues. Generating different ingresses for different hostnames came as a consequence of allowing multiple relations.

Regarding the annotation mismatch, indeed, we could put the charm into a blocked state until that conflict gets resolved.

Regarding config option overrides: indeed, it's something I've been pondering as well. There are some config options that shouldn't be used in the multiple relations scenario, like path-routes and service-name. Those should come from the relation. But most of the other config options are still fine, and can still be used to override the relation data, including the service-hostname. Overriding the service-hostname will mean that the applications can now be accessed through a different hostname than the one set in the relation data.

Regarding your suggestion for only one ingress definition for only one hostname: We still have the additional-hostnames config option / relation data that would result in multiple ingress resource definition, and blocking in that scenario would be backwards incompatible.

Revision history for this message

Tom Haddon (mthaddon) wrote on 2022-02-14:

In terms of the "additional-hostnames" option, this creates identical ingress resource definitions, and I think could continue to work in the same way (if they're identical it makes sense that any annotations/config options should be applied to them all in the same way). I think the case we need to be concerned about is if someone relates completely different applications that create completely differing resource definitions, as we'd have no way of setting run-time config for each one.

Revision history for this message

Claudiu Belu (cbelu) wrote on 2022-02-15:

Added BlockedStatus for conflicting annotations and routes, which can be resolved with juju config. Added unit test to verify that behaviour.

On multiple relations, we now get the service-name, service-port, and route-paths from the relations themselves rather than the config. This way, we are not defining the same service / same routes for every relation.

Revision history for this message

Tom Haddon (mthaddon) wrote on 2022-02-15:

LGTM, thanks.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Claudiu Belu

ingress-charmers

 diff --git a/lib/charms/nginx_ingress_integrator/v0/ingress.py b/lib/charms/nginx_ingress_integrator/v0/ingress.py
 index c3fac4c..fea2e50 100644
 --- a/lib/charms/nginx_ingress_integrator/v0/ingress.py
 +++ b/lib/charms/nginx_ingress_integrator/v0/ingress.py
@@ -54,7 +54,7 @@ the event was fired).
  import logging
--from ops.charm import CharmEvents
++from ops.charm import CharmEvents, RelationEvent
  from ops.framework import EventBase, EventSource, Object
  from ops.model import BlockedStatus
@@ -96,7 +96,7 @@ class IngressAvailableEvent(EventBase):
      pass
--class IngressBrokenEvent(EventBase):
++class IngressBrokenEvent(RelationEvent):
      pass
@@ -218,10 +218,10 @@ class IngressProvides(Object):
          # configure the ingress.
          self.charm.on.ingress_available.emit()
--    def _on_relation_broken(self, _):
++    def _on_relation_broken(self, event):
          """Handle a relation-broken event in the ingress relation."""
          if not self.model.unit.is_leader():
              return
          # Create an event that our charm can use to remove the ingress resource.
--        self.charm.on.ingress_broken.emit()
++        self.charm.on.ingress_broken.emit(event.relation)
 diff --git a/metadata.yaml b/metadata.yaml
 index ff29738..8f07769 100644
 --- a/metadata.yaml
 +++ b/metadata.yaml
@@ -19,4 +19,3 @@ resources:
  provides:
    ingress:
      interface: ingress
--    limit: 1
 diff --git a/src/charm.py b/src/charm.py
 index 48bc2d7..b3bf263 100755
 --- a/src/charm.py
 +++ b/src/charm.py
@@ -3,6 +3,7 @@
  # See LICENSE file for licensing details.
  import logging
++import re
  import kubernetes.client
@@ -17,6 +18,8 @@ from ops.model import ActiveStatus, BlockedStatus
  logger = logging.getLogger(__name__)
++_INGRESS_SUB_REGEX = re.compile("[^0-9a-zA-Z]")
++
  BOOLEAN_CONFIG_FIELDS = ["rewrite-enabled"]
@@ -30,32 +33,33 @@ def _networking_v1_api():
      return kubernetes.client.NetworkingV1Api()
--class NginxIngressCharm(CharmBase):
--    """Charm the service."""
++class ConflictingAnnotationsException(Exception):
++    pass
--    _authed = False
--    on = IngressCharmEvents()
--    def __init__(self, *args):
--        super().__init__(*args)
--        self.framework.observe(self.on.config_changed, self._on_config_changed)
--        self.framework.observe(self.on.describe_ingresses_action, self._describe_ingresses_action)
++class ConflictingRoutesException(Exception):
++    pass
--        # 'ingress' relation handling.
--        self.ingress = IngressProvides(self)
--        # When the 'ingress' is ready to configure, do so.
--        self.framework.observe(self.on.ingress_available, self._on_config_changed)
--        self.framework.observe(self.on.ingress_broken, self._on_ingress_broken)
--    def _describe_ingresses_action(self, event):
--        """Handle the 'describe-ingresses' action."""
--        self.k8s_auth()
--        api = _networking_v1_api()
--        ingresses = api.list_namespaced_ingress(namespace=self._namespace)
--        event.set_results({"ingresses": ingresses})
++class _ConfigOrRelation(object):
++    """Class containing data from the Charm configuration, or from a relation."""
--    def _get_config_or_relation_data(self, field, fallback):
--        """Helper method to get data from config or the ingress relation."""
++    def __init__(self, model, config, relation, multiple_relations):
++        """Creates a _ConfigOrRelation Object.
++
++        :param model: The charm model.
++        :param config: The charm's configuration.
++        :param relation: One of the charm's relations, if any.
++        :param multiple_relations: If the charm has more than one relation.
++        """
++        super().__init__()
++        self.model = model
++        self.config = config
++        self.relation = relation
++        self.multiple_relations = multiple_relations
++
++    def _get_config(self, field):
++        """Helper method to get data from config."""
          # Config fields with a default of None don't appear in the dict
          config_data = self.config.get(field, None)
          # A value of False is valid in these fields, so check it's not a null-value instead
@@ -63,13 +67,41 @@ class NginxIngressCharm(CharmBase):
              return config_data
          if config_data:
              return config_data
--        relation = self.model.get_relation("ingress")
--        if relation:
++
++        return None
++
++    def _get_relation(self, field):
++        """Helper method to get data from the relation, if any."""
++        if self.relation:
              try:
--                return relation.data[relation.app][field]
++                return self.relation.data[self.relation.app][field]
              except KeyError:
                  # Our relation isn't passing the information we're querying.
--                return fallback
++                return None
++        return None
++
++    def _get_config_or_relation_data(self, field, fallback):
++        """Helper method to get data from config or the ingress relation, in that order."""
++        data = self._get_config(field)
++        if data is not None:
++            return data
++
++        data = self._get_relation(field)
++        if data is not None:
++            return data
++
++        return fallback
++
++    def _get_relation_data_or_config(self, field, fallback):
++        """Helper method to get data from the ingress relation or config, in that order."""
++        data = self._get_relation(field)
++        if data is not None:
++            return data
++
++        data = self._get_config(field)
++        if data is not None:
++            return data
++
          return fallback
      @property
@@ -83,8 +115,14 @@ class NginxIngressCharm(CharmBase):
      @property
      def _ingress_name(self):
          """Return an ingress name for use creating a k8s ingress."""
--        # Follow the same naming convention as Juju.
--        return "{}-ingress".format(self._get_config_or_relation_data("service-name", ""))
++        # If there are 2 or more services configured to use the same service-hostname, the
++        # controller nginx/nginx-ingress requires them to be in the same Kubernetes Ingress object.
++        # Otherwise, Ingress will be served for only one of the services.
++        # Because of this, we'll have to group all ingresses into the same Kubernetes Resource
++        # based on their requested service-hostname.
++        svc_hostname = self._get_config_or_relation_data("service-hostname", "")
++        ingress_name = _INGRESS_SUB_REGEX.sub("-", svc_hostname)
++        return "{}-ingress".format(ingress_name)
      @property
      def _limit_rps(self):
@@ -160,12 +198,28 @@ class NginxIngressCharm(CharmBase):
      @property
      def _service_name(self):
          """Return the name of the service we're connecting to."""
++        # NOTE: If the charm has multiple relations, use the service name given by the relation
++        # in order to avoid service name conflicts.
++        if self.multiple_relations:
++            return self._get_relation_data_or_config("service-name", "")
          return self._get_config_or_relation_data("service-name", "")
      @property
      def _service_port(self):
          """Return the port for the service we're connecting to."""
--        return int(self._get_config_or_relation_data("service-port", 0))
++        # NOTE: If the charm has multiple relations, use the service port given by the relation.
++        if self.multiple_relations:
++            return int(self._get_relation_data_or_config("service-port", 0))
++        return int(self._get_relation_data_or_config("service-port", 0))
++
++    @property
++    def _path_routes(self):
++        """Return the path routes to use for the k8s ingress."""
++        # NOTE: If the charm has multiple relations, use the path routes given by the relation
++        # in order to avoid same route conflicts.
++        if self.multiple_relations:
++            return self._get_relation_data_or_config("path-routes", "/").split(",")
++        return self._get_config_or_relation_data("path-routes", "/").split(",")
      @property
      def _session_cookie_max_age(self):
@@ -181,15 +235,6 @@ class NginxIngressCharm(CharmBase):
          """Return the tls-secret-name to use for k8s ingress (if any)."""
          return self._get_config_or_relation_data("tls-secret-name", "")
--    def k8s_auth(self):
--        """Authenticate to kubernetes."""
--        if self._authed:
--            return
--
--        kubernetes.config.load_incluster_config()
--
--        self._authed = True
--
      def _get_k8s_service(self):
          """Get a K8s service definition."""
          return kubernetes.client.V1Service(
@@ -210,7 +255,6 @@ class NginxIngressCharm(CharmBase):
      def _get_k8s_ingress(self):
          """Get a K8s ingress definition."""
--        paths = self._get_config_or_relation_data("path-routes", "/").split(",")
          ingress_paths = [
              kubernetes.client.V1HTTPIngressPath(
                  path=path,
@@ -224,7 +268,7 @@ class NginxIngressCharm(CharmBase):
                      ),
                  ),
+             )
--            for path in paths
++            for path in self._path_routes
+         ]
          hostnames = [self._service_hostname]
@@ -290,31 +334,89 @@ class NginxIngressCharm(CharmBase):
              spec=spec,
+         )
++
++class NginxIngressCharm(CharmBase):
++    """Charm the service."""
++
++    _authed = False
++    on = IngressCharmEvents()
++
++    def __init__(self, *args):
++        super().__init__(*args)
++        self.framework.observe(self.on.config_changed, self._on_config_changed)
++        self.framework.observe(self.on.describe_ingresses_action, self._describe_ingresses_action)
++
++        # 'ingress' relation handling.
++        self.ingress = IngressProvides(self)
++        # When the 'ingress' is ready to configure, do so.
++        self.framework.observe(self.on.ingress_available, self._on_config_changed)
++        self.framework.observe(self.on.ingress_broken, self._on_ingress_broken)
++
++    @property
++    def _all_config_or_relations(self):
++        all_relations = self.model.relations["ingress"] or [None]
++        multiple_rels = self._multiple_relations
++        return [
++            _ConfigOrRelation(self.model, self.config, relation, multiple_rels)
++            for relation in all_relations
++        ]
++
++    @property
++    def _multiple_relations(self):
++        return len(self.model.relations["ingress"]) > 1
++
++    @property
++    def _namespace(self):
++        return self._all_config_or_relations[0]._namespace
++
++    def _describe_ingresses_action(self, event):
++        """Handle the 'describe-ingresses' action."""
++        self.k8s_auth()
++        api = _networking_v1_api()
++
++        ingresses = api.list_namespaced_ingress(namespace=self._namespace)
++        event.set_results({"ingresses": ingresses})
++
++    def k8s_auth(self):
++        """Authenticate to kubernetes."""
++        if self._authed:
++            return
++
++        kubernetes.config.load_incluster_config()
++
++        self._authed = True
++
      def _report_service_ips(self):
          """Report on service IP(s)."""
          self.k8s_auth()
          api = _core_v1_api()
          services = api.list_namespaced_service(namespace=self._namespace)
++        all_k8s_service_names = [rel._k8s_service_name for rel in self._all_config_or_relations]
          return [
--            x.spec.cluster_ip for x in services.items if x.metadata.name == self._k8s_service_name
++            x.spec.cluster_ip for x in services.items if x.metadata.name in all_k8s_service_names
+         ]
--    def _define_service(self):
++    def _define_services(self):
++        """Create or update the services in Kubernetes from multiple ingress relations."""
++        for conf_or_rel in self._all_config_or_relations:
++            self._define_service(conf_or_rel)
++
++    def _define_service(self, conf_or_rel: _ConfigOrRelation):
          """Create or update a service in kubernetes."""
          self.k8s_auth()
          api = _core_v1_api()
--        body = self._get_k8s_service()
++        body = conf_or_rel._get_k8s_service()
          services = api.list_namespaced_service(namespace=self._namespace)
--        if self._k8s_service_name in [x.metadata.name for x in services.items]:
++        if conf_or_rel._k8s_service_name in [x.metadata.name for x in services.items]:
              api.patch_namespaced_service(
--                name=self._k8s_service_name,
++                name=conf_or_rel._k8s_service_name,
                  namespace=self._namespace,
                  body=body,
+             )
              logger.info(
                  "Service updated in namespace %s with name %s",
                  self._namespace,
--                self._service_name,
++                conf_or_rel._service_name,
+             )
          else:
              api.create_namespaced_service(
@@ -324,23 +426,23 @@ class NginxIngressCharm(CharmBase):
              logger.info(
                  "Service created in namespace %s with name %s",
                  self._namespace,
--                self._service_name,
++                conf_or_rel._service_name,
+             )
--    def _remove_service(self):
++    def _remove_service(self, conf_or_rel: _ConfigOrRelation):
          """Remove the created service in kubernetes."""
          self.k8s_auth()
          api = _core_v1_api()
          services = api.list_namespaced_service(namespace=self._namespace)
--        if self._k8s_service_name in [x.metadata.name for x in services.items]:
++        if conf_or_rel._k8s_service_name in [x.metadata.name for x in services.items]:
              api.delete_namespaced_service(
--                name=self._k8s_service_name,
++                name=conf_or_rel._k8s_service_name,
                  namespace=self._namespace,
+             )
              logger.info(
                  "Service deleted in namespace %s with name %s",
                  self._namespace,
--                self._service_name,
++                conf_or_rel._service_name,
+             )
      def _look_up_and_set_ingress_class(self, api, body):
@@ -372,23 +474,153 @@ class NginxIngressCharm(CharmBase):
          body.spec.ingress_class_name = ingress_class
--    def _define_ingress(self):
++    def _define_ingresses(self, excluded_relation=None):
++        """(Re)Creates the Ingress Resources in Kubernetes from multiple ingress relations.
++
++        Creates the Kubernetes Ingress Resource if it does not exist, or updates it if it does.
++        The Ingress-related data is retrieved from the Charm's configuration and from the ingress
++        relations.
++
++        :param excluded_relation: The relation for which Ingress rules should not be created.
++            For example, when a relation is broken, Ingress rules for it are no longer
++            necessary, hence, it is to be excluded. Additionally, any Ingress objects that it
++            required and that are no longer needed by other relations will be deleted.
++        """
++        config_or_relations = self._all_config_or_relations
++        if excluded_relation:
++            config_or_relations = filter(
++                lambda conf_or_rel: conf_or_rel.relation != excluded_relation, config_or_relations
++            )
++
++        ingresses = [conf_or_rel._get_k8s_ingress() for conf_or_rel in config_or_relations]
++
++        ingresses = self._process_ingresses(ingresses)
++
++        # Check if we need to remove any Ingresses from the excluded relation. If it has hostnames
++        # that are not used by any other relation, we need to remove them.
++        if excluded_relation:
++            conf_or_rel = _ConfigOrRelation(
++                self.model, self.config, excluded_relation, self._multiple_relations
++            )
++            excluded_ingress = conf_or_rel._get_k8s_ingress()
++
++            # The Kubernetes Ingress Resources we're creating only has 1 rule per hostname.
++            used_hostnames = [ingress.spec.rules[0].host for ingress in ingresses]
++            for rule in excluded_ingress.spec.rules:
++                if rule.host not in used_hostnames:
++                    self._remove_ingress(self._ingress_name(rule.host))
++
++        for ingress in ingresses:
++            self._define_ingress(ingress)
++
++    def _process_ingresses(self, ingresses):
++        # If there are Ingress rules for the same service-hostname, we need to squash those
++        # rules together. This will be used to group the rules by their host.
++        ingress_paths = {}
++
++        # Mapping between a hostname and the first ingress defining that hostname. Its metadata
++        # will be used for defining the Kubernetes Ingress Resource for the rules having the
++        # same hostname. The metadata used will be from the first rule that references that
++        # hostname.
++        hostname_ingress = {}
++        for ingress in ingresses:
++            # A relation could have defined additional-hostnames, so there could be more than
++            # one rule. Those hostnames might also be used in other relations.
++            for rule in ingress.spec.rules:
++                if rule.host not in ingress_paths:
++                    ingress_paths[rule.host] = rule.http.paths
++                    hostname_ingress[rule.host] = ingress
++                    continue
++
++                # Ensure that the annotations for this rule match the others in the same group.
++                other_metadata = hostname_ingress[rule.host].metadata
++                if ingress.metadata.annotations != other_metadata.annotations:
++                    logger.error(
++                        "Annotations that will be set do not match for the rule:\n"
++                        "Rule: %s\nAnnotations: %s\nUsed Annotations: %s",
++                        rule,
++                        ingress.metadata.annotations,
++                        other_metadata.annotations,
++                    )
++                    raise ConflictingAnnotationsException()
++
++                # Ensure that the exact same route for this route was not yet defined.
++                defined_paths = ingress_paths[rule.host]
++                for path in rule.http.paths:
++                    duplicate_paths = list(filter(lambda p: p.path == path.path, defined_paths))
++                    if duplicate_paths:
++                        logger.error(
++                            "Duplicate routes found:\nFirst route: %s\nSecond route: %s",
++                            duplicate_paths[0],
++                            path,
++                        )
++                        raise ConflictingRoutesException()
++
++                # Extend the list of routes for this hostname.
++                ingress_paths[rule.host].extend(rule.http.paths)
++
++        # Create the new Kubernetes Ingress Objects that are to be added.
++        ingress_objs = []
++        for hostname, paths in ingress_paths.items():
++            # Use the metadata from the first rule.
++            initial_ingress = hostname_ingress[hostname]
++            add_ingress = self._create_k8s_ingress_obj(hostname, initial_ingress, paths)
++            ingress_objs.append(add_ingress)
++
++        return ingress_objs
++
++    def _ingress_name(self, hostname):
++        """Returns the Kubernetes Ingress Resource name based on the given hostname."""
++        ingress_name = _INGRESS_SUB_REGEX.sub("-", hostname)
++        return "{}-ingress".format(ingress_name)
++
++    def _create_k8s_ingress_obj(self, svc_hostname, initial_ingress, paths):
++        """Creates a Kubernetes Ingress Resources with the given data."""
++
++        # Create a Ingress Object with the new ingress rules and return it.
++        rule = kubernetes.client.V1IngressRule(
++            host=svc_hostname,
++            http=kubernetes.client.V1HTTPIngressRuleValue(paths=paths),
++        )
++        # We're going to use an ingress name based on the desired service hostname.
++        ingress_name = self._ingress_name(svc_hostname)
++        new_spec = kubernetes.client.V1IngressSpec(rules=[rule])
++
++        # The service hostname might be configured to use TLS.
++        if initial_ingress.spec.tls:
++            new_spec.tls = [
++                kubernetes.client.V1IngressTLS(
++                    hosts=[svc_hostname],
++                    secret_name=initial_ingress.spec.tls[0].secret_name,
++                )
++            ]
++        return kubernetes.client.V1Ingress(
++            api_version="networking.k8s.io/v1",
++            kind="Ingress",
++            metadata=kubernetes.client.V1ObjectMeta(
++                name=ingress_name,
++                annotations=initial_ingress.metadata.annotations,
++            ),
++            spec=new_spec,
++        )
++
++    def _define_ingress(self, body):
          """Create or update an ingress in kubernetes."""
          self.k8s_auth()
          api = _networking_v1_api()
--        body = self._get_k8s_ingress()
          self._look_up_and_set_ingress_class(api, body)
++        ingress_name = body.metadata.name
          ingresses = api.list_namespaced_ingress(namespace=self._namespace)
--        if self._ingress_name in [x.metadata.name for x in ingresses.items]:
++        if ingress_name in [x.metadata.name for x in ingresses.items]:
              api.replace_namespaced_ingress(
--                name=self._ingress_name,
++                name=ingress_name,
                  namespace=self._namespace,
                  body=body,
+             )
              logger.info(
                  "Ingress updated in namespace %s with name %s",
                  self._namespace,
--                self._ingress_name,
++                ingress_name,
+             )
          else:
              api.create_namespaced_ingress(
@@ -398,20 +630,20 @@ class NginxIngressCharm(CharmBase):
              logger.info(
                  "Ingress created in namespace %s with name %s",
                  self._namespace,
--                self._ingress_name,
++                ingress_name,
+             )
--    def _remove_ingress(self):
++    def _remove_ingress(self, ingress_name):
          """Remove ingress resource."""
          self.k8s_auth()
          api = _networking_v1_api()
          ingresses = api.list_namespaced_ingress(namespace=self._namespace)
--        if self._ingress_name in [x.metadata.name for x in ingresses.items]:
--            api.delete_namespaced_ingress(self._ingress_name, self._namespace)
++        if ingress_name in [x.metadata.name for x in ingresses.items]:
++            api.delete_namespaced_ingress(ingress_name, self._namespace)
              logger.info(
                  "Ingress deleted in namespace %s with name %s",
                  self._namespace,
--                self._ingress_name,
++                ingress_name,
+             )
      def _on_config_changed(self, _):
@@ -419,10 +651,12 @@ class NginxIngressCharm(CharmBase):
          msg = ""
          # We only want to do anything here if we're the leader to avoid
          # collision if we've scaled out this application.
--        if self.unit.is_leader() and self._service_name:
++        svc_names = [conf_or_rel._service_name for conf_or_rel in self._all_config_or_relations]
++        if self.unit.is_leader() and any(svc_names):
              try:
--                self._define_service()
--                self._define_ingress()
++                self._define_services()
++                self._define_ingresses()
++
                  # It's not recommended to do this via ActiveStatus, but we don't
                  # have another way of reporting status yet.
                  msg = "Ingress with service IP(s): {}".format(
@@ -442,14 +676,29 @@ class NginxIngressCharm(CharmBase):
                      return
                  else:
                      raise
++            except ConflictingAnnotationsException:
++                self.unit.status = BlockedStatus(
++                    "Conflicting annotations from relations. Run juju debug-log for details. "
++                    "Set manually via juju config."
++                )
++                return
++            except ConflictingRoutesException:
++                self.unit.status = BlockedStatus(
++                    "Duplicate route found; cannot add ingress. Run juju debug-log for details."
++                )
++                return
          self.unit.status = ActiveStatus(msg)
--    def _on_ingress_broken(self, _):
++    def _on_ingress_broken(self, event):
          """Handle the ingress broken event."""
--        if self.unit.is_leader() and self._ingress_name:
++        conf_or_rel = _ConfigOrRelation(self.model, {}, event.relation, self._multiple_relations)
++        if self.unit.is_leader() and conf_or_rel._ingress_name:
              try:
--                self._remove_ingress()
--                self._remove_service()
++                # NOTE: _define_ingresses will recreate the Kubernetes Ingress Resources based
++                # on the existing relations, and remove any resources that are no longer needed
++                # (they were needed by the event relation).
++                self._define_ingresses(excluded_relation=event.relation)
++                self._remove_service(conf_or_rel)
              except kubernetes.client.exceptions.ApiException as e:
                  if e.status == 403:
                      logger.error(
@@ -464,6 +713,18 @@ class NginxIngressCharm(CharmBase):
                      return
                  else:
                      raise
++            except ConflictingAnnotationsException:
++                self.unit.status = BlockedStatus(
++                    "Conflicting annotations from relations. Run juju debug-log for details. "
++                    "Set manually via juju config."
++                )
++                return
++            except ConflictingRoutesException:
++                self.unit.status = BlockedStatus(
++                    "Duplicate route found; cannot add ingress. Run juju debug-log for details."
++                )
++                return
++
          self.unit.status = ActiveStatus()
 diff --git a/tests/unit/test_charm.py b/tests/unit/test_charm.py
 index 538322a..d11634d 100644
 --- a/tests/unit/test_charm.py
 +++ b/tests/unit/test_charm.py
@@ -3,6 +3,7 @@
  import unittest
++from unittest import mock
  from unittest.mock import MagicMock, patch
  import kubernetes
@@ -78,9 +79,10 @@ class TestCharm(unittest.TestCase):
      def test_get_ingress_relation_data(self):
          """Test for getting our ingress relation data."""
          # Confirm we don't have any relation data yet in the relevant properties
--        self.assertEqual(self.harness.charm._service_name, "")
--        self.assertEqual(self.harness.charm._service_hostname, "")
--        self.assertEqual(self.harness.charm._service_port, 0)
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._service_name, "")
++        self.assertEqual(conf_or_rel._service_hostname, "")
++        self.assertEqual(conf_or_rel._service_port, 0)
          relation_id = self.harness.add_relation('ingress', 'gunicorn')
          self.harness.add_relation_unit(relation_id, 'gunicorn/0')
          relations_data = {
@@ -90,9 +92,10 @@ class TestCharm(unittest.TestCase):
+         }
          self.harness.update_relation_data(relation_id, 'gunicorn', relations_data)
          # And now confirm we have the expected data in the relevant properties.
--        self.assertEqual(self.harness.charm._service_name, "gunicorn")
--        self.assertEqual(self.harness.charm._service_hostname, "foo.internal")
--        self.assertEqual(self.harness.charm._service_port, 80)
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._service_name, "gunicorn")
++        self.assertEqual(conf_or_rel._service_hostname, "foo.internal")
++        self.assertEqual(conf_or_rel._service_port, 80)
      def test_multiple_routes_with_relation_data(self):
          """Test for getting our ingress relation data."""
@@ -138,14 +141,16 @@ class TestCharm(unittest.TestCase):
                  'path_type': 'Prefix',
              },
+         ]
--        result_dict = self.harness.charm._get_k8s_ingress().to_dict()
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        result_dict = conf_or_rel._get_k8s_ingress().to_dict()
          self.assertEqual(result_dict['spec']['rules'][0]['http']['paths'], expected)
      def test_max_body_size(self):
          """Test for the max-body-size property."""
          # First set via config.
          self.harness.update_config({"max-body-size": 80})
--        self.assertEqual(self.harness.charm._max_body_size, "80m")
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._max_body_size, "80m")
          # Now set via the StoredState. This will be set to a string, as all
          # relation data must be a string.
          relation_id = self.harness.add_relation('ingress', 'gunicorn')
@@ -158,10 +163,11 @@ class TestCharm(unittest.TestCase):
+         }
          self.harness.update_relation_data(relation_id, 'gunicorn', relations_data)
          # Still 80 because it's set via config.
--        self.assertEqual(self.harness.charm._max_body_size, "80m")
++        self.assertEqual(conf_or_rel._max_body_size, "80m")
          self.harness.update_config({"max-body-size": 0})
          # Now it's the value from the relation.
--        self.assertEqual(self.harness.charm._max_body_size, "88m")
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._max_body_size, "88m")
      def test_namespace(self):
          """Test for the namespace property."""
@@ -199,7 +205,8 @@ class TestCharm(unittest.TestCase):
      def test_owasp_modsecurity_crs(self):
          """Test the owasp-modsecurity-crs property."""
          # Test undefined.
--        self.assertEqual(self.harness.charm._owasp_modsecurity_crs, False)
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._owasp_modsecurity_crs, False)
          # Test we have no annotations with this set to False.
          self.harness.disable_hooks()
          self.harness.update_config(
@@ -209,7 +216,8 @@ class TestCharm(unittest.TestCase):
                  "service-port": 80,
+             }
+         )
--        result_dict = self.harness.charm._get_k8s_ingress().to_dict()
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        result_dict = conf_or_rel._get_k8s_ingress().to_dict()
          expected = {
              "nginx.ingress.kubernetes.io/proxy-body-size": "20m",
              "nginx.ingress.kubernetes.io/rewrite-target": "/",
@@ -219,8 +227,8 @@ class TestCharm(unittest.TestCase):
          # Test if we set the value we get the correct annotations and the
          # correct charm property.
          self.harness.update_config({"owasp-modsecurity-crs": True})
--        self.assertEqual(self.harness.charm._owasp_modsecurity_crs, True)
--        result_dict = self.harness.charm._get_k8s_ingress().to_dict()
++        self.assertEqual(conf_or_rel._owasp_modsecurity_crs, True)
++        result_dict = conf_or_rel._get_k8s_ingress().to_dict()
          expected = {
              "nginx.ingress.kubernetes.io/enable-modsecurity": "true",
              "nginx.ingress.kubernetes.io/enable-owasp-modsecurity-crs": "true",
@@ -236,21 +244,23 @@ class TestCharm(unittest.TestCase):
      def test_retry_errors(self):
          """Test the retry-errors property."""
          # Test empty value.
--        self.assertEqual(self.harness.charm._retry_errors, "")
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._retry_errors, "")
          # Test we deal with spaces or not spaces properly.
          self.harness.update_config({"retry-errors": "error, timeout, http_502, http_503"})
--        self.assertEqual(self.harness.charm._retry_errors, "error timeout http_502 http_503")
++        self.assertEqual(conf_or_rel._retry_errors, "error timeout http_502 http_503")
          self.harness.update_config({"retry-errors": "error,timeout,http_502,http_503"})
--        self.assertEqual(self.harness.charm._retry_errors, "error timeout http_502 http_503")
++        self.assertEqual(conf_or_rel._retry_errors, "error timeout http_502 http_503")
          # Test unknown value.
          self.harness.update_config({"retry-errors": "error,timeout,http_502,http_418"})
--        self.assertEqual(self.harness.charm._retry_errors, "error timeout http_502")
++        self.assertEqual(conf_or_rel._retry_errors, "error timeout http_502")
      def test_service_port(self):
          """Test the service-port property."""
          # First set via config.
          self.harness.update_config({"service-port": 80})
--        self.assertEqual(self.harness.charm._service_port, 80)
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._service_port, 80)
          # Now set via the relation.
          relation_id = self.harness.add_relation('ingress', 'gunicorn')
          self.harness.add_relation_unit(relation_id, 'gunicorn/0')
@@ -261,16 +271,18 @@ class TestCharm(unittest.TestCase):
+         }
          self.harness.update_relation_data(relation_id, 'gunicorn', relations_data)
          # Config still overrides the relation value.
--        self.assertEqual(self.harness.charm._service_port, 80)
++        self.assertEqual(conf_or_rel._service_port, 80)
          self.harness.update_config({"service-port": 0})
          # Now it's the value from the relation.
--        self.assertEqual(self.harness.charm._service_port, 88)
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._service_port, 88)
      def test_service_hostname(self):
          """Test the service-hostname property."""
          # First set via config.
          self.harness.update_config({"service-hostname": "foo.internal"})
--        self.assertEqual(self.harness.charm._service_hostname, "foo.internal")
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._service_hostname, "foo.internal")
          # Now set via the relation.
          relation_id = self.harness.add_relation('ingress', 'gunicorn')
          self.harness.add_relation_unit(relation_id, 'gunicorn/0')
@@ -281,20 +293,22 @@ class TestCharm(unittest.TestCase):
+         }
          self.harness.update_relation_data(relation_id, 'gunicorn', relations_data)
          # Config still overrides the relation value.
--        self.assertEqual(self.harness.charm._service_hostname, "foo.internal")
++        self.assertEqual(conf_or_rel._service_hostname, "foo.internal")
          self.harness.update_config({"service-hostname": ""})
          # Now it's the value from the relation.
--        self.assertEqual(self.harness.charm._service_hostname, "foo-bar.internal")
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._service_hostname, "foo-bar.internal")
      def test_session_cookie_max_age(self):
          """Test the session-cookie-max-age property."""
          # First set via config.
          self.harness.update_config({"session-cookie-max-age": 3600})
--        self.assertEqual(self.harness.charm._session_cookie_max_age, "3600")
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._session_cookie_max_age, "3600")
          # Confirm if we set this to 0 we get a False value, e.g. it doesn't
          # return a string of "0" which would be evaluated to True.
          self.harness.update_config({"session-cookie-max-age": 0})
--        self.assertFalse(self.harness.charm._session_cookie_max_age)
++        self.assertFalse(conf_or_rel._session_cookie_max_age)
          # Now set via the relation.
          relation_id = self.harness.add_relation('ingress', 'gunicorn')
          self.harness.add_relation_unit(relation_id, 'gunicorn/0')
@@ -305,12 +319,18 @@ class TestCharm(unittest.TestCase):
              "session-cookie-max-age": "3688",
+         }
          self.harness.update_relation_data(relation_id, 'gunicorn', relations_data)
--        self.assertEqual(self.harness.charm._session_cookie_max_age, "3688")
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._session_cookie_max_age, "3688")
--    def test_tls_secret_name(self):
++    @patch('charm.NginxIngressCharm._report_service_ips')
++    @patch('charm.NginxIngressCharm._define_ingress')
++    @patch('charm.NginxIngressCharm._define_services')
++    def test_tls_secret_name(self, mock_def_svc, mock_def_ingress, mock_report_ips):
          """Test the tls-secret-name property."""
++        mock_report_ips.return_value = ["10.0.1.12"]
          self.harness.update_config({"tls-secret-name": "gunicorn-tls"})
--        self.assertEqual(self.harness.charm._tls_secret_name, "gunicorn-tls")
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._tls_secret_name, "gunicorn-tls")
          # Now set via the relation.
          relation_id = self.harness.add_relation('ingress', 'gunicorn')
          self.harness.add_relation_unit(relation_id, 'gunicorn/0')
@@ -319,19 +339,62 @@ class TestCharm(unittest.TestCase):
              "service-hostname": "foo.internal",
              "service-port": "80",
              "tls-secret-name": "gunicorn-tls-new",
++            "additional-hostnames": "lish.internal",
+         }
          self.harness.update_relation_data(relation_id, 'gunicorn', relations_data)
          # Config still overrides the relation data.
--        self.assertEqual(self.harness.charm._tls_secret_name, "gunicorn-tls")
++        self.assertEqual(conf_or_rel._tls_secret_name, "gunicorn-tls")
++
++        # The charm will not create any resource if it's not the leader.
++        # Check to see if the charm will use the TLS secret name for the additional hostname.
++        self.harness.set_leader(True)
          self.harness.update_config({"tls-secret-name": ""})
          # Now it's the value from the relation.
--        self.assertEqual(self.harness.charm._tls_secret_name, "gunicorn-tls-new")
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._tls_secret_name, "gunicorn-tls-new")
++
++        mock_def_svc.assert_called_once()
++        base_ingress = conf_or_rel._get_k8s_ingress()
++
++        tls_lish = kubernetes.client.V1IngressTLS(
++            hosts=["lish.internal"],
++            secret_name=base_ingress.spec.tls[0].secret_name,
++        )
++        ingress_lish = kubernetes.client.V1Ingress(
++            api_version=base_ingress.api_version,
++            kind=base_ingress.kind,
++            metadata=kubernetes.client.V1ObjectMeta(
++                name="lish-internal-ingress",
++                annotations=base_ingress.metadata.annotations,
++            ),
++            spec=kubernetes.client.V1IngressSpec(
++                tls=[tls_lish],
++                rules=[
++                    kubernetes.client.V1IngressRule(
++                        host="lish.internal",
++                        http=base_ingress.spec.rules[1].http,
++                    )
++                ],
++            ),
++        )
++
++        # Since the hostnames are different, it's expected that 2 different Ingress Resources
++        # are created. base_ingress contains the rules for both.
++        base_ingress.spec.rules = [base_ingress.spec.rules[0]]
++
++        mock_def_ingress.assert_has_calls(
++            [
++                mock.call(base_ingress),
++                mock.call(ingress_lish),
++            ]
++        )
      def test_rewrite_enabled_property(self):
          """Test for enabling request rewrites."""
          # First set via config.
          self.harness.update_config({"rewrite-enabled": True})
--        self.assertEqual(self.harness.charm._rewrite_enabled, True)
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._rewrite_enabled, True)
          relation_id = self.harness.add_relation("ingress", "gunicorn")
          self.harness.add_relation_unit(relation_id, "gunicorn/0")
          relations_data = {
@@ -341,9 +404,10 @@ class TestCharm(unittest.TestCase):
+         }
          self.harness.update_relation_data(relation_id, "gunicorn", relations_data)
          # Still /test-target because it's set via config.
--        self.assertEqual(self.harness.charm._rewrite_enabled, True)
++        self.assertEqual(conf_or_rel._rewrite_enabled, True)
          self.harness.update_config({"rewrite-enabled": ""})
--        self.assertEqual(self.harness.charm._rewrite_enabled, False)
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._rewrite_enabled, False)
      def test_rewrite_annotations(self):
          self.harness.disable_hooks()
@@ -354,7 +418,8 @@ class TestCharm(unittest.TestCase):
                  "service-port": 80,
+             }
+         )
--        result_dict = self.harness.charm._get_k8s_ingress().to_dict()
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        result_dict = conf_or_rel._get_k8s_ingress().to_dict()
          expected = {
              "nginx.ingress.kubernetes.io/proxy-body-size": "20m",
              "nginx.ingress.kubernetes.io/rewrite-target": "/",
@@ -363,7 +428,7 @@ class TestCharm(unittest.TestCase):
          self.assertEqual(result_dict["metadata"]["annotations"], expected)
          self.harness.update_config({"rewrite-enabled": False})
--        result_dict = self.harness.charm._get_k8s_ingress().to_dict()
++        result_dict = conf_or_rel._get_k8s_ingress().to_dict()
          expected = {
              "nginx.ingress.kubernetes.io/proxy-body-size": "20m",
              "nginx.ingress.kubernetes.io/ssl-redirect": "false",
@@ -378,7 +443,7 @@ class TestCharm(unittest.TestCase):
              "nginx.ingress.kubernetes.io/rewrite-target": "/test-target",
              "nginx.ingress.kubernetes.io/ssl-redirect": "false",
+         }
--        result_dict = self.harness.charm._get_k8s_ingress().to_dict()
++        result_dict = conf_or_rel._get_k8s_ingress().to_dict()
          self.assertEqual(result_dict["metadata"]["annotations"], expected)
      @patch('charm.NginxIngressCharm._on_config_changed')
@@ -418,9 +483,10 @@ class TestCharm(unittest.TestCase):
+         }
          self.harness.update_relation_data(relation_id, 'gunicorn', relations_data)
          # Test we get the values we expect:
--        self.assertEqual(self.harness.charm._service_hostname, "foo.internal")
--        self.assertEqual(self.harness.charm._service_name, "gunicorn")
--        self.assertEqual(self.harness.charm._service_port, 80)
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._service_hostname, "foo.internal")
++        self.assertEqual(conf_or_rel._service_name, "gunicorn")
++        self.assertEqual(conf_or_rel._service_port, 80)
      @patch('charm.NginxIngressCharm._remove_ingress')
      @patch('charm.NginxIngressCharm._remove_service')
@@ -430,7 +496,7 @@ class TestCharm(unittest.TestCase):
          # to make sure the relation is created and therefore can be removed.
          self.test_on_ingress_relation_changed()
          relation = self.harness.charm.model.get_relation("ingress")
--        self.harness.charm.on.ingress_relation_broken.emit(relation)
++        self.harness.remove_relation(relation.id)
          self.assertEqual(_remove_ingress.call_count, 1)
          self.assertEqual(_remove_service.call_count, 1)
@@ -440,11 +506,12 @@ class TestCharm(unittest.TestCase):
          self.harness.update_config(
              {"service-hostname": "foo.internal", "service-name": "gunicorn", "service-port": 80}
+         )
++        expected_ingress_name = "foo-internal-ingress"
          expected = kubernetes.client.V1Ingress(
              api_version="networking.k8s.io/v1",
              kind="Ingress",
              metadata=kubernetes.client.V1ObjectMeta(
--                name="gunicorn-ingress",
++                name=expected_ingress_name,
                  annotations={
                      "nginx.ingress.kubernetes.io/proxy-body-size": "20m",
                      "nginx.ingress.kubernetes.io/rewrite-target": "/",
@@ -475,14 +542,15 @@ class TestCharm(unittest.TestCase):
+                 ]
              ),
+         )
--        self.assertEqual(self.harness.charm._get_k8s_ingress(), expected)
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._get_k8s_ingress(), expected)
          # Test additional hostnames
          self.harness.update_config({"additional-hostnames": "bar.internal,foo.external"})
          expected = kubernetes.client.V1Ingress(
              api_version="networking.k8s.io/v1",
              kind="Ingress",
              metadata=kubernetes.client.V1ObjectMeta(
--                name="gunicorn-ingress",
++                name=expected_ingress_name,
                  annotations={
                      "nginx.ingress.kubernetes.io/proxy-body-size": "20m",
                      "nginx.ingress.kubernetes.io/rewrite-target": "/",
@@ -551,14 +619,14 @@ class TestCharm(unittest.TestCase):
+                 ]
              ),
+         )
--        self.assertEqual(self.harness.charm._get_k8s_ingress(), expected)
++        self.assertEqual(conf_or_rel._get_k8s_ingress(), expected)
          self.harness.update_config({"additional-hostnames": ""})
          # Test multiple paths
          expected = kubernetes.client.V1Ingress(
              api_version="networking.k8s.io/v1",
              kind="Ingress",
              metadata=kubernetes.client.V1ObjectMeta(
--                name="gunicorn-ingress",
++                name=expected_ingress_name,
                  annotations={
                      "nginx.ingress.kubernetes.io/proxy-body-size": "20m",
                      "nginx.ingress.kubernetes.io/rewrite-target": "/",
@@ -602,14 +670,14 @@ class TestCharm(unittest.TestCase):
              ),
+         )
          self.harness.update_config({"path-routes": "/admin,/portal"})
--        self.assertEqual(self.harness.charm._get_k8s_ingress(), expected)
++        self.assertEqual(conf_or_rel._get_k8s_ingress(), expected)
          self.harness.update_config({"path-routes": "/"})
          # Test with TLS.
          expected = kubernetes.client.V1Ingress(
              api_version="networking.k8s.io/v1",
              kind="Ingress",
              metadata=kubernetes.client.V1ObjectMeta(
--                name="gunicorn-ingress",
++                name=expected_ingress_name,
                  annotations={
                      "nginx.ingress.kubernetes.io/proxy-body-size": "20m",
                      "nginx.ingress.kubernetes.io/rewrite-target": "/",
@@ -646,7 +714,7 @@ class TestCharm(unittest.TestCase):
              ),
+         )
          self.harness.update_config({"tls-secret-name": "gunicorn_tls"})
--        self.assertEqual(self.harness.charm._get_k8s_ingress(), expected)
++        self.assertEqual(conf_or_rel._get_k8s_ingress(), expected)
          # Test ingress-class, max_body_size, retry_http_errors and
          # session-cookie-max-age config options.
          self.harness.update_config(
@@ -662,7 +730,7 @@ class TestCharm(unittest.TestCase):
              api_version="networking.k8s.io/v1",
              kind="Ingress",
              metadata=kubernetes.client.V1ObjectMeta(
--                name="gunicorn-ingress",
++                name=expected_ingress_name,
                  annotations={
                      "nginx.ingress.kubernetes.io/affinity": "cookie",
                      "nginx.ingress.kubernetes.io/affinity-mode": "balanced",
@@ -702,10 +770,10 @@ class TestCharm(unittest.TestCase):
+                 ]
              ),
+         )
--        self.assertEqual(self.harness.charm._get_k8s_ingress(), expected)
++        self.assertEqual(conf_or_rel._get_k8s_ingress(), expected)
          # Test limit-whitelist on its own makes no change.
          self.harness.update_config({"limit-whitelist": "10.0.0.0/16"})
--        self.assertEqual(self.harness.charm._get_k8s_ingress(), expected)
++        self.assertEqual(conf_or_rel._get_k8s_ingress(), expected)
          # And if we set limit-rps we get both. Unset other options to minimize output.
          self.harness.update_config(
+             {
@@ -720,7 +788,7 @@ class TestCharm(unittest.TestCase):
              api_version="networking.k8s.io/v1",
              kind="Ingress",
              metadata=kubernetes.client.V1ObjectMeta(
--                name="gunicorn-ingress",
++                name=expected_ingress_name,
                  annotations={
                      "nginx.ingress.kubernetes.io/limit-rps": "5",
                      "nginx.ingress.kubernetes.io/limit-whitelist": "10.0.0.0/16",
@@ -753,7 +821,7 @@ class TestCharm(unittest.TestCase):
+                 ]
              ),
+         )
--        self.assertEqual(self.harness.charm._get_k8s_ingress(), expected)
++        self.assertEqual(conf_or_rel._get_k8s_ingress(), expected)
      def test_get_k8s_service(self):
          """Test getting our definition of a k8s service."""
@@ -774,7 +842,8 @@ class TestCharm(unittest.TestCase):
                  ],
              ),
+         )
--        self.assertEqual(self.harness.charm._get_k8s_service(), expected)
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        self.assertEqual(conf_or_rel._get_k8s_service(), expected)
  INGRESS_CLASS_PUBLIC_DEFAULT = kubernetes.client.V1beta1IngressClass(
@@ -853,27 +922,455 @@ class TestCharmLookUpAndSetIngressClass(unittest.TestCase):
      def test_zero_ingress_class(self):
          """If there are no ingress classes, there's nothing to choose from."""
          api = _make_mock_api_list_ingress_class(ZERO_INGRESS_CLASS_LIST)
--        body = self.harness.charm._get_k8s_ingress()
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        body = conf_or_rel._get_k8s_ingress()
          self.harness.charm._look_up_and_set_ingress_class(api, body)
          self.assertIsNone(body.spec.ingress_class_name)
      def test_one_ingress_class(self):
          """If there's one default ingress class, choose that."""
          api = _make_mock_api_list_ingress_class(ONE_INGRESS_CLASS_LIST)
--        body = self.harness.charm._get_k8s_ingress()
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        body = conf_or_rel._get_k8s_ingress()
          self.harness.charm._look_up_and_set_ingress_class(api, body)
          self.assertEqual(body.spec.ingress_class_name, 'public')
      def test_two_ingress_classes(self):
          """If there are two ingress classes, one default, choose that."""
          api = _make_mock_api_list_ingress_class(TWO_INGRESS_CLASSES_LIST)
--        body = self.harness.charm._get_k8s_ingress()
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        body = conf_or_rel._get_k8s_ingress()
          self.harness.charm._look_up_and_set_ingress_class(api, body)
          self.assertEqual(body.spec.ingress_class_name, 'public')
      def test_two_ingress_classes_two_default(self):
          """If there are two ingress classes, both default, choose neither."""
          api = _make_mock_api_list_ingress_class(TWO_INGRESS_CLASSES_LIST_TWO_DEFAULT)
--        body = self.harness.charm._get_k8s_ingress()
++        conf_or_rel = self.harness.charm._all_config_or_relations[0]
++        body = conf_or_rel._get_k8s_ingress()
          self.harness.charm._look_up_and_set_ingress_class(api, body)
          self.assertIsNone(body.spec.ingress_class_name)
++
++
++class TestCharmMultipleRelations(unittest.TestCase):
++    def setUp(self):
++        """Setup the harness object."""
++        self.harness = Harness(NginxIngressCharm)
++        self.addCleanup(self.harness.cleanup)
++        self.harness.begin()
++
++    def _add_ingress_relation(self, relator_name, rel_data):
++        relation_id = self.harness.add_relation('ingress', relator_name)
++        self.harness.add_relation_unit(relation_id, '%s/0' % relator_name)
++
++        self.harness.update_relation_data(relation_id, relator_name, rel_data)
++        return relation_id
++
++    def test_get_multiple_ingress_relation_data(self):
++        """Test for getting our multiple ingress relation data."""
++        # Confirm we don't have any relation data yet in the relevant properties
++        # NOTE(claudiub): _all_config_or_relations will always have at least one element.
++        conf_or_rels = self.harness.charm._all_config_or_relations
++        self.assertEqual(0, len(self.harness.charm.model.relations['ingress']))
++        self.assertEqual(1, len(conf_or_rels))
++
++        self.assertEqual(conf_or_rels[0]._service_name, "")
++        self.assertEqual(conf_or_rels[0]._service_hostname, "")
++        self.assertEqual(conf_or_rels[0]._service_port, 0)
++
++        # Add the first relation.
++        rel_data = {
++            "service-name": "gunicorn",
++            "service-hostname": "foo.in.ternal",
++            "service-port": "80",
++            "path-routes": "/gunicorn",
++        }
++        rel_id1 = self._add_ingress_relation('gunicorn', rel_data)
++
++        # Add another relation with the same hostname.
++        rel_data = {
++            "service-name": "funicorn",
++            "service-hostname": "foo.in.ternal",
++            "service-port": "8080",
++        }
++        rel_id2 = self._add_ingress_relation('funicorn', rel_data)
++
++        # And now, confirm we have 2 relations and their respective data, and that the expected
++        # data is in the relevant properties.
++        conf_or_rels = self.harness.charm._all_config_or_relations
++        self.assertEqual(2, len(self.harness.charm.model.relations['ingress']))
++        self.assertEqual(2, len(conf_or_rels))
++
++        self.assertEqual(conf_or_rels[0]._service_name, "gunicorn")
++        self.assertEqual(conf_or_rels[0]._service_hostname, "foo.in.ternal")
++        self.assertEqual(conf_or_rels[0]._service_port, 80)
++
++        self.assertEqual(conf_or_rels[1]._service_name, "funicorn")
++        self.assertEqual(conf_or_rels[1]._service_hostname, "foo.in.ternal")
++        self.assertEqual(conf_or_rels[1]._service_port, 8080)
++
++        # Update the service hostname config option and expect it to be used instead of the
++        # service hostname set in the relations (config options have precedence over relations)
++        self.harness.update_config({"service-hostname": "lish.internal"})
++        conf_or_rels = self.harness.charm._all_config_or_relations
++        self.assertEqual(conf_or_rels[0]._service_hostname, "lish.internal")
++        self.assertEqual(conf_or_rels[1]._service_hostname, "lish.internal")
++
++        # Reset the service hostname config option and expect that the original service hostnames
++        # are used instead.
++        self.harness.update_config({"service-hostname": ""})
++        conf_or_rels = self.harness.charm._all_config_or_relations
++        self.assertEqual(conf_or_rels[0]._service_hostname, "foo.in.ternal")
++        self.assertEqual(conf_or_rels[1]._service_hostname, "foo.in.ternal")
++
++        # Check that the service name, service port, and path routes come from relation data,
++        # not config options.
++        self.harness.update_config(
++            {
++                "service-name": "foo",
++                "service-port": "1111",
++                "path-routes": "/foo",
++            }
++        )
++
++        conf_or_rels = self.harness.charm._all_config_or_relations
++        self.assertEqual(conf_or_rels[0]._service_name, "gunicorn")
++        self.assertEqual(conf_or_rels[0]._service_port, 80)
++        self.assertEqual(conf_or_rels[0]._path_routes, ["/gunicorn"])
++
++        # Remove the relations and assert that there are no relations to be found.
++        self.harness.remove_relation(rel_id1)
++        self.harness.remove_relation(rel_id2)
++
++        self.assertEqual(0, len(self.harness.charm.model.relations['ingress']))
++
++    @patch('charm.NginxIngressCharm._report_service_ips')
++    @patch('charm.NginxIngressCharm._remove_ingress')
++    @patch('charm.NginxIngressCharm._define_ingress')
++    @patch('charm._core_v1_api')
++    def test_services_for_multiple_relations(
++        self, mock_api, mock_define_ingress, mock_remove_ingress, mock_report_ips
++    ):
++        """Test for checking Service creation / deletion for multiple relations."""
++        # Setting the leader to True will allow us to test the Service creation.
++        self.harness.set_leader(True)
++        self.harness.charm._authed = True
++
++        mock_report_ips.return_value = ["10.0.1.12"]
++        mock_list_services = mock_api.return_value.list_namespaced_service
++        # We'll consider we don't have any service set yet.
++        mock_list_services.return_value.items = []
++
++        # Add the first relation.
++        rel_data = {
++            "service-name": "gunicorn",
++            "service-hostname": "foo.in.ternal",
++            "service-port": "80",
++        }
++        self._add_ingress_relation('gunicorn', rel_data)
++
++        conf_or_rels = self.harness.charm._all_config_or_relations
++        mock_create_service = mock_api.return_value.create_namespaced_service
++        mock_create_service.assert_called_once_with(
++            namespace=self.harness.charm._namespace,
++            body=conf_or_rels[0]._get_k8s_service(),
++        )
++
++        # Reset the create service mock, and add a second relation. Expect the first service to
++        # be updated, and the second one to be created.
++        mock_create_service.reset_mock()
++        mock_service1 = MagicMock()
++        mock_service1.metadata.name = "gunicorn-service"
++        mock_list_services.return_value.items = [mock_service1]
++
++        rel_data = {
++            "service-name": "funicorn",
++            "service-hostname": "foo.in.ternal",
++            "service-port": "8080",
++        }
++        self._add_ingress_relation('funicorn', rel_data)
++
++        conf_or_rels = self.harness.charm._all_config_or_relations
++        mock_patch_service = mock_api.return_value.patch_namespaced_service
++        mock_patch_service.assert_called_once_with(
++            name=conf_or_rels[0]._k8s_service_name,
++            namespace=self.harness.charm._namespace,
++            body=conf_or_rels[0]._get_k8s_service(),
++        )
++        mock_create_service.assert_called_once_with(
++            namespace=self.harness.charm._namespace,
++            body=conf_or_rels[1]._get_k8s_service(),
++        )
++
++        # Remove the first relation and assert that only the first service is removed.
++        mock_service2 = MagicMock()
++        mock_service2.metadata.name = "funicorn-service"
++        mock_list_services.return_value.items = [mock_service1, mock_service2]
++
++        relation = self.harness.charm.model.relations["ingress"][0]
++        self.harness.charm.on.ingress_relation_broken.emit(relation)
++
++        mock_delete_service = mock_api.return_value.delete_namespaced_service
++        mock_delete_service.assert_called_once_with(
++            name=conf_or_rels[0]._k8s_service_name,
++            namespace=self.harness.charm._namespace,
++        )
++
++    @patch('charm.NginxIngressCharm._report_service_ips')
++    @patch('charm.NginxIngressCharm._remove_service')
++    @patch('charm.NginxIngressCharm._define_service')
++    @patch('charm._networking_v1_api')
++    def test_ingresses_for_multiple_relations_same_hostname(
++        self, mock_api, mock_define_service, mock_remove_service, mock_report_ips
++    ):
++        """Test for checking Ingress creation / deletion for multiple relations.
++
++        This test will check that the charm will not create multiple Resources for the same
++        hostname, and that it won't remove the resource if there's still an active relation
++        using it.
++        """
++        # Setting the leader to True will allow us to test the Ingress creation.
++        self.harness.set_leader(True)
++        self.harness.charm._authed = True
++
++        mock_report_ips.return_value = ["10.0.1.12"]
++        mock_list_ingress = mock_api.return_value.list_namespaced_ingress
++        # We'll consider we don't have any ingresses set yet.
++        mock_list_ingress.return_value.items = []
++
++        # Add the first relation.
++        rel_data = {
++            "service-name": "gunicorn",
++            "service-hostname": "foo.in.ternal",
++            "service-port": "80",
++        }
++        rel_id1 = self._add_ingress_relation('gunicorn', rel_data)
++
++        conf_or_rels = self.harness.charm._all_config_or_relations
++        mock_create_ingress = mock_api.return_value.create_namespaced_ingress
++
++        # Since we only have one relation, the merged ingress rule should be the same as before
++        # the merge.
++        mock_create_ingress.assert_called_once_with(
++            namespace=self.harness.charm._namespace,
++            body=conf_or_rels[0]._get_k8s_ingress(),
++        )
++
++        # Reset the create ingress mock, and add a second relation.
++        mock_create_ingress.reset_mock()
++        mock_ingress1 = MagicMock()
++        mock_ingress1.metadata.name = "foo-in-ternal-ingress"
++        mock_list_ingress.return_value.items = [mock_ingress1]
++
++        rel_data = {
++            "service-name": "funicorn",
++            "service-hostname": "foo.in.ternal",
++            "service-port": "8080",
++            # Since it has the same service-hostname as gunicorn, we need a different route.
++            "path-routes": "/funicorn",
++        }
++        rel_id2 = self._add_ingress_relation('funicorn', rel_data)
++
++        # We're expecting that the K8s Ingress Resource will be replaced by one that contains
++        # paths from both relations. A new one should not have been created.
++        mock_create_ingress.assert_not_called()
++
++        conf_or_rels = self.harness.charm._all_config_or_relations
++        expected_body = conf_or_rels[0]._get_k8s_ingress()
++        second_body = conf_or_rels[1]._get_k8s_ingress()
++
++        expected_body.spec.rules[0].http.paths.extend(second_body.spec.rules[0].http.paths)
++        mock_replace_ingress = mock_api.return_value.replace_namespaced_ingress
++        mock_replace_ingress.assert_called_once_with(
++            name=conf_or_rels[0]._ingress_name,
++            namespace=self.harness.charm._namespace,
++            body=expected_body,
++        )
++
++        # Remove the first relation and assert that the Kubernetes Ingress Resource was updated
++        # and not removed.
++        mock_create_ingress.reset_mock()
++        mock_replace_ingress.reset_mock()
++
++        self.harness.remove_relation(rel_id1)
++
++        # Assert that the ingress was replaced, not deleted (we still have a relation).
++        mock_delete_ingress = mock_api.return_value.delete_namespaced_ingress
++        mock_delete_ingress.assert_not_called()
++
++        conf_or_rels = self.harness.charm._all_config_or_relations
++        mock_replace_ingress.assert_called_once_with(
++            name=conf_or_rels[0]._ingress_name,
++            namespace=self.harness.charm._namespace,
++            body=second_body,
++        )
++
++        # Remove the second relation. This should cause the K8s Ingress Resource to be removed,
++        # since we no longer have any relations needing it.
++        mock_replace_ingress.reset_mock()
++        mock_delete_ingress.reset_mock()
++        self.harness.remove_relation(rel_id2)
++
++        mock_create_ingress.assert_not_called()
++        mock_replace_ingress.assert_not_called()
++        mock_delete_ingress.assert_called_once_with(
++            conf_or_rels[0]._ingress_name,
++            self.harness.charm._namespace,
++        )
++
++    @patch('charm.NginxIngressCharm._report_service_ips')
++    @patch('charm.NginxIngressCharm._remove_service')
++    @patch('charm.NginxIngressCharm._define_service')
++    @patch('charm._networking_v1_api')
++    def test_ingresses_for_multiple_relations_different_hostnames(
++        self, mock_api, mock_define_service, mock_remove_service, mock_report_ips
++    ):
++        """Test for checking Ingress creation / deletion for multiple relations.
++
++        This test will check that the charm will create multiple Resources for different hostnames.
++        """
++        # Setting the leader to True will allow us to test the Ingress creation.
++        self.harness.set_leader(True)
++        self.harness.charm._authed = True
++
++        mock_report_ips.return_value = ["10.0.1.12"]
++        mock_list_ingress = mock_api.return_value.list_namespaced_ingress
++        # We'll consider we don't have any ingresses set yet.
++        mock_list_ingress.return_value.items = []
++
++        # Add the first relation.
++        rel_data = {
++            "service-name": "gunicorn",
++            "service-hostname": "foo.in.ternal",
++            "service-port": "80",
++        }
++        rel_id1 = self._add_ingress_relation('gunicorn', rel_data)
++
++        # Since we only have one relation, the merged ingress rule should be the same as before
++        # the merge.
++        conf_or_rels = self.harness.charm._all_config_or_relations
++        mock_create_ingress = mock_api.return_value.create_namespaced_ingress
++        mock_create_ingress.assert_called_once_with(
++            namespace=self.harness.charm._namespace,
++            body=conf_or_rels[0]._get_k8s_ingress(),
++        )
++
++        # Reset the create ingress mock, and add a second relation with a different
++        # service-hostname. A different K8s Ingress Resource should be created.
++        mock_create_ingress.reset_mock()
++        mock_ingress1 = MagicMock()
++        mock_ingress1.metadata.name = "foo-in-ternal-ingress"
++        mock_list_ingress.return_value.items = [mock_ingress1]
++
++        rel_data = {
++            "service-name": "punicorn",
++            "service-hostname": "lish.in.ternal",
++            "service-port": "9090",
++        }
++        rel_id2 = self._add_ingress_relation('punicorn', rel_data)
++
++        # We're expecting that the first K8s Ingress Resource will be updated, but it will not
++        # change, and that a new K8s Ingress Resource will be created for the new relation,
++        # since it has a different service-hostname.
++        conf_or_rels = self.harness.charm._all_config_or_relations
++        mock_create_ingress.assert_called_once_with(
++            namespace=self.harness.charm._namespace,
++            body=conf_or_rels[1]._get_k8s_ingress(),
++        )
++        mock_replace_ingress = mock_api.return_value.replace_namespaced_ingress
++        mock_replace_ingress.assert_called_once_with(
++            name=conf_or_rels[0]._ingress_name,
++            namespace=self.harness.charm._namespace,
++            body=conf_or_rels[0]._get_k8s_ingress(),
++        )
++
++        # Remove the first relation and assert that only the first ingress is removed.
++        mock_ingress2 = MagicMock()
++        mock_ingress2.metadata.name = "lish-in-ternal-ingress"
++        mock_list_ingress.return_value.items = [mock_ingress1, mock_ingress2]
++        mock_create_ingress.reset_mock()
++        mock_replace_ingress.reset_mock()
++        self.harness.remove_relation(rel_id1)
++
++        # Assert that only the ingress for the first relation was removed.
++        mock_delete_ingress = mock_api.return_value.delete_namespaced_ingress
++        mock_delete_ingress.assert_called_once_with(
++            conf_or_rels[0]._ingress_name,
++            self.harness.charm._namespace,
++        )
++        mock_create_ingress.assert_not_called()
++        mock_replace_ingress.assert_called_once_with(
++            name=conf_or_rels[1]._ingress_name,
++            namespace=self.harness.charm._namespace,
++            body=conf_or_rels[1]._get_k8s_ingress(),
++        )
++
++        # Remove the second relation.
++        mock_replace_ingress.reset_mock()
++        mock_delete_ingress.reset_mock()
++        self.harness.remove_relation(rel_id2)
++
++        mock_delete_ingress.assert_called_once_with(
++            conf_or_rels[1]._ingress_name,
++            self.harness.charm._namespace,
++        )
++        mock_create_ingress.assert_not_called()
++        mock_replace_ingress.assert_not_called()
++
++    @patch('charm.NginxIngressCharm._report_service_ips')
++    @patch('charm.NginxIngressCharm._define_ingress')
++    @patch('charm.NginxIngressCharm._define_service')
++    @patch('charm._networking_v1_api')
++    def test_ingresses_for_multiple_relations_blocked(
++        self, mock_api, mock_define_service, mock_define_ingress, mock_report_ips
++    ):
++        """Test for checking the Blocked cases for multiple relations."""
++        # Setting the leader to True will allow us to test the Ingress creation.
++        self.harness.set_leader(True)
++        self.harness.charm._authed = True
++
++        mock_report_ips.return_value = ["10.0.1.12"]
++        mock_list_ingress = mock_api.return_value.list_namespaced_ingress
++        # We'll consider we don't have any ingresses set yet.
++        mock_list_ingress.return_value.items = []
++
++        # Add the first relation.
++        rel_data = {
++            "service-name": "gunicorn",
++            "service-hostname": "foo.in.ternal",
++            "service-port": "80",
++        }
++        self._add_ingress_relation('gunicorn', rel_data)
++
++        # Add the second relation. It will have the same service-hostname as the first relation.
++        # It will also have a conflicting annotation, and conflicting route "/", which will cause
++        # the relation to become Blocked.
++        rel_data = {
++            "service-name": "funicorn",
++            "service-hostname": "foo.in.ternal",
++            "service-port": "9090",
++            "retry-errors": "error,timeout",
++        }
++        rel_id = self._add_ingress_relation('funicorn', rel_data)
++
++        expected_status = BlockedStatus(
++            "Conflicting annotations from relations. Run juju debug-log for details. "
++            "Set manually via juju config."
++        )
++        self.assertEqual(expected_status, self.harness.charm.unit.status)
++
++        # Override the rewrite target through the config option. It should fix the problem.
++        self.harness.update_config({"retry-errors": "error,timeout"})
++
++        # We still have the issue with the duplicate route.
++        expected_status = BlockedStatus(
++            "Duplicate route found; cannot add ingress. Run juju debug-log for details."
++        )
++        self.assertEqual(expected_status, self.harness.charm.unit.status)
++
++        # Update the relation data to have a different route.
++        rel_data["path-routes"] = "/funicorn"
++        self.harness.update_relation_data(rel_id, "funicorn", rel_data)
++
++        expected_status = ActiveStatus("Ingress with service IP(s): 10.0.1.12")
++        self.assertEqual(expected_status, self.harness.charm.unit.status)

charm-k8s-ingress

Merge ~cbelu/charm-k8s-ingress:multiple-relations into charm-k8s-ingress:master

Commit message

Description of the change

Preview Diff

Subscribers