Allow running outside a cluster

cmd/caddy/main.go

@@ -73,7 +73,7 @@
 // createApiserverClient creates a new Kubernetes REST client. We assume the
 // controller runs inside Kubernetes and use the in-cluster config.
 func createApiserverClient(logger *zap.SugaredLogger) (*kubernetes.Clientset, *version.Info, error) {
-	cfg, err := clientcmd.BuildConfigFromFlags("", "")
+	cfg, err := clientcmd.BuildConfigFromFlags("", os.Getenv("KUBECONFIG"))
 	if err != nil {
 		return nil, nil, err
 	}

internal/caddy/convert_test.go

@@ -21,7 +21,7 @@ func TestConvertToCaddyConfig(t *testing.T) {
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			cfg, err := Converter{}.ConvertToCaddyConfig(store.NewStore(store.Options{}, &store.PodInfo{}))
+			cfg, err := Converter{}.ConvertToCaddyConfig(store.NewStore(store.Options{}, "", &store.PodInfo{}))
 			require.NoError(t, err)
 
 			cfgJSON, err := json.Marshal(cfg)

internal/caddy/global/secrets_store.go

@@ -22,7 +22,7 @@
 	config.Storage = converter.Storage{
 		System: "secret_store",
 		StorageValues: converter.StorageValues{
-			Namespace: store.CurrentPod.Namespace,
+			Namespace: store.ConfigNamespace,
 			LeaseID:   store.Options.LeaseID,
 		},
 	}

internal/caddy/global/tls.go

@@ -40,7 +40,7 @@ func (p TLSPlugin) GlobalHandler(config *converter.Config, store *store.Store) e
 	}
 
 	if len(hosts) > 0 {
-		tlsApp.CertificatesRaw["load_folders"] = json.RawMessage(`["` + controller.CertFolder + `"]`)
+		tlsApp.CertificatesRaw["load_folders"] = json.RawMessage(`["` + controller.GetCertFolder() + `"]`)
 		// do not manage certificates for those hosts
 		httpServer.AutoHTTPS.SkipCerts = hosts
 	}

internal/caddy/global/tls_test.go

@@ -196,7 +196,7 @@ func TestIngressTlsSkipCertificates(t *testing.T) {
 		t.Run(tC.desc, func(t *testing.T) {
 			tp := TLSPlugin{}
 			c := converter.NewConfig()
-			s := store.NewStore(store.Options{}, &store.PodInfo{})
+			s := store.NewStore(store.Options{}, "", &store.PodInfo{})
 
 			for _, ing := range tC.ingresses {
 				s.AddIngress(ing)

internal/controller/action_tls.go

@@ -8,7 +8,21 @@
 	apiv1 "k8s.io/api/core/v1"
 )
 
-var CertFolder = filepath.FromSlash("/etc/caddy/certs")
+var certFolder = ""
+
+// GetCertFolder returns the staging path for storing certificates as files.
+func GetCertFolder() string {
+	if certFolder == "" {
+		// Use the systemd cache directory if possible.
+		runtimeDir := os.Getenv("RUNTIME_DIRECTORY")
+		if runtimeDir != "" {
+			certFolder = filepath.Join(runtimeDir, "certs")
+		} else {
+			certFolder = filepath.FromSlash("/etc/caddy/certs")
+		}
+	}
+	return certFolder
+}
 
 // SecretAddedAction provides an implementation of the action interface.
 type SecretAddedAction struct {
@@ -60,7 +74,7 @@
 		content = append(content, cert...)
 	}
 
-	err := os.WriteFile(filepath.Join(CertFolder, s.Name+".pem"), content, 0644)
+	err := os.WriteFile(filepath.Join(GetCertFolder(), s.Name+".pem"), content, 0644)
 	if err != nil {
 		return err
 	}
@@ -80,13 +94,17 @@
 
 func (r SecretDeletedAction) handle(c *CaddyController) error {
 	c.logger.Infof("TLS secret deleted (%s/%s)", r.resource.Namespace, r.resource.Name)
-	return os.Remove(filepath.Join(CertFolder, r.resource.Name+".pem"))
+	return os.Remove(filepath.Join(GetCertFolder(), r.resource.Name+".pem"))
 }
 
 // watchTLSSecrets Start listening to TLS secrets if at least one ingress needs it.
 // It will sync the CertFolder with TLS secrets
 func (c *CaddyController) watchTLSSecrets() error {
 	if c.informers.TLSSecret == nil && c.resourceStore.HasManagedTLS() {
+		if err := os.MkdirAll(GetCertFolder(), 0755); err != nil && !os.IsExist(err) {
+			return err
+		}
+
 		// Init informers
 		params := k8s.TLSSecretParams{
 			InformerFactory: c.factories.WatchedNamespace,
@@ -106,13 +124,6 @@
 			return err
 		}
 
-		if _, err := os.Stat(CertFolder); os.IsNotExist(err) {
-			err = os.MkdirAll(CertFolder, 0755)
-			if err != nil {
-				return err
-			}
-		}
-
 		for _, secret := range secrets {
 			if err := writeFile(secret); err != nil {
 				return err

internal/controller/controller.go

@@ -6,6 +6,7 @@
 	"encoding/json"
 	"fmt"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/caddyserver/caddy/v2"
@@ -52,10 +53,10 @@
 
 // InformerFactory contains shared informer factory
 // We need to type of factory:
-// - One used to watch resources in the Pod namespaces (caddy config, secrets...)
+// - One used to watch ConfigMap and Secret resources
 // - Another one for Ingress resources in the selected namespace
 type InformerFactory struct {
-	PodNamespace     informers.SharedInformerFactory
+	ConfigNamespace  informers.SharedInformerFactory
 	WatchedNamespace informers.SharedInformerFactory
 }
 
@@ -105,16 +106,25 @@
 		factories:  &InformerFactory{},
 	}
 
-	podInfo, err := k8s.GetPodDetails(kubeClient)
+	podInfo, err := k8s.GetPodDetails(logger, kubeClient)
 	if err != nil {
 		logger.Fatalf("Unexpected error obtaining pod information: %v", err)
 	}
 
+	var configNamespace, configMapName string
+	if parts := strings.SplitN(opts.ConfigMapName, "/", 2); len(parts) == 2 {
+		configNamespace, configMapName = parts[0], parts[1]
+	} else if podInfo != nil {
+		configNamespace, configMapName = podInfo.Namespace, opts.ConfigMapName
+	} else {
+		logger.Fatalf("Must set a namespace for -config-map when running outside a cluster: %s", opts.ConfigMapName)
+	}
+
 	// Create informer factories
-	controller.factories.PodNamespace = informers.NewSharedInformerFactoryWithOptions(
+	controller.factories.ConfigNamespace = informers.NewSharedInformerFactoryWithOptions(
 		kubeClient,
 		resourcesSyncInterval,
-		informers.WithNamespace(podInfo.Namespace),
+		informers.WithNamespace(configNamespace),
 	)
 	controller.factories.WatchedNamespace = informers.NewSharedInformerFactoryWithOptions(
 		kubeClient,
@@ -136,9 +146,9 @@
 
 	// Watch Configmap in the pod's namespace for global options
 	cmOptionsParams := k8s.ConfigMapParams{
-		Namespace:       podInfo.Namespace,
-		InformerFactory: controller.factories.PodNamespace,
-		ConfigMapName:   opts.ConfigMapName,
+		Namespace:       configNamespace,
+		InformerFactory: controller.factories.ConfigNamespace,
+		ConfigMapName:   configMapName,
 	}
 	controller.informers.ConfigMap = k8s.WatchConfigMaps(cmOptionsParams, k8s.ConfigMapHandlers{
 		AddFunc:    controller.onConfigMapAdded,
@@ -147,7 +157,7 @@
 	})
 
 	// Create resource store
-	controller.resourceStore = store.NewStore(opts, podInfo)
+	controller.resourceStore = store.NewStore(opts, configNamespace, podInfo)
 
 	return controller
 }

internal/k8s/pod.go

@@ -6,6 +6,7 @@
 	"os"
 
 	"github.com/caddyserver/ingress/pkg/store"
+	"go.uber.org/zap"
 
 	apiv1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -18,6 +19,11 @@
 func GetAddresses(p *store.PodInfo, kubeClient *kubernetes.Clientset) ([]string, error) {
 	var addrs []string
 
+	// If not running inside a cluster, we currently don't report any addresses
+	if p == nil {
+		return addrs, nil
+	}
+
 	// Get services that may select this pod
 	svcs, err := kubeClient.CoreV1().Services(p.Namespace).List(context.TODO(), metav1.ListOptions{})
 	if err != nil {
@@ -78,10 +84,15 @@
 
 // GetPodDetails returns runtime information about the pod:
 // name, namespace and IP of the node where it is running
-func GetPodDetails(kubeClient *kubernetes.Clientset) (*store.PodInfo, error) {
+func GetPodDetails(logger *zap.SugaredLogger, kubeClient *kubernetes.Clientset) (*store.PodInfo, error) {
 	podName := os.Getenv("POD_NAME")
 	podNs := os.Getenv("POD_NAMESPACE")
 
+	if podName == "" && podNs == "" {
+		logger.Warn("POD_NAME and POD_NAMESPACE are not set, assuming the controller is running outside a cluster")
+		return nil, nil
+	}
+
 	if podName == "" || podNs == "" {
 		return nil, fmt.Errorf("unable to get POD information (missing POD_NAME or POD_NAMESPACE environment variable")
 	}

pkg/storage/storage.go

@@ -4,6 +4,7 @@
 	"context"
 	"fmt"
 	"io/fs"
+	"os"
 	"regexp"
 	"strings"
 	"time"
@@ -66,7 +67,7 @@
 
 // Provisions the SecretStorage instance.
 func (s *SecretStorage) Provision(ctx caddy.Context) error {
-	config, _ := clientcmd.BuildConfigFromFlags("", "")
+	config, _ := clientcmd.BuildConfigFromFlags("", os.Getenv("KUBECONFIG"))
 	// creates the clientset
 	clientset, _ := kubernetes.NewForConfig(config)
 

pkg/store/store.go

@@ -6,19 +6,21 @@ import (
 
 // Store contains resources used to generate Caddy config
 type Store struct {
-	Options    *Options
-	ConfigMap  *ConfigMapOptions
-	Ingresses  []*v1.Ingress
-	CurrentPod *PodInfo
+	Options         *Options
+	Ingresses       []*v1.Ingress
+	ConfigMap       *ConfigMapOptions
+	ConfigNamespace string
+	CurrentPod      *PodInfo
 }
 
 // NewStore returns a new store that keeps track of K8S resources needed by the controller.
-func NewStore(opts Options, podInfo *PodInfo) *Store {
+func NewStore(opts Options, configNamespace string, podInfo *PodInfo) *Store {
 	s := &Store{
-		Options:    &opts,
-		Ingresses:  []*v1.Ingress{},
-		ConfigMap:  &ConfigMapOptions{},
-		CurrentPod: podInfo,
+		Options:         &opts,
+		Ingresses:       []*v1.Ingress{},
+		ConfigMap:       &ConfigMapOptions{},
+		ConfigNamespace: configNamespace,
+		CurrentPod:      podInfo,
 	}
 	return s
 }

pkg/store/store_test.go

@@ -84,7 +84,7 @@ func TestStoreIngresses(t *testing.T) {
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			s := NewStore(Options{}, &PodInfo{})
+			s := NewStore(Options{}, "", &PodInfo{})
 			for _, uid := range test.addIngresses {
 				i := createIngress(uid)
 				s.AddIngress(&i)
@@ -164,7 +164,7 @@ func TestStoreReturnIfHasManagedTLS(t *testing.T) {
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			s := NewStore(Options{}, &PodInfo{})
+			s := NewStore(Options{}, "", &PodInfo{})
 			for _, i := range test.ingresses {
 				s.AddIngress(&i)
 			}