2016-11-10 22:56:29 +00:00
|
|
|
/*
|
|
|
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
package controller
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
2017-03-10 15:34:13 +00:00
|
|
|
"reflect"
|
2016-11-10 22:56:29 +00:00
|
|
|
"strings"
|
|
|
|
|
|
2016-11-16 18:24:26 +00:00
|
|
|
"github.com/golang/glog"
|
|
|
|
|
|
2017-04-01 14:39:42 +00:00
|
|
|
api "k8s.io/client-go/pkg/api/v1"
|
|
|
|
|
"k8s.io/client-go/tools/cache"
|
2016-11-10 22:56:29 +00:00
|
|
|
|
|
|
|
|
"k8s.io/ingress/core/pkg/ingress"
|
2017-03-27 02:18:22 +00:00
|
|
|
"k8s.io/ingress/core/pkg/net/ssl"
|
2016-11-10 22:56:29 +00:00
|
|
|
)
|
|
|
|
|
|
2016-11-11 23:43:35 +00:00
|
|
|
// syncSecret keeps in sync Secrets used by Ingress rules with the files on
|
2017-04-09 16:52:10 +00:00
|
|
|
// disk to allow copy of the content of the secret to disk to be used
|
|
|
|
|
// by external processes.
|
2017-05-12 00:50:43 +00:00
|
|
|
func (ic *GenericController) syncSecret() {
|
2017-04-09 16:52:10 +00:00
|
|
|
glog.V(3).Infof("starting syncing of secrets")
|
|
|
|
|
|
2016-11-10 22:56:29 +00:00
|
|
|
var cert *ingress.SSLCert
|
|
|
|
|
var err error
|
|
|
|
|
|
2017-05-12 00:50:43 +00:00
|
|
|
for _, k := range ic.secretTracker.List() {
|
2017-04-09 16:52:10 +00:00
|
|
|
key := k.(string)
|
|
|
|
|
cert, err = ic.getPemCertificate(key)
|
|
|
|
|
if err != nil {
|
|
|
|
|
glog.Warningf("error obtaining PEM from secret %v: %v", key, err)
|
|
|
|
|
continue
|
|
|
|
|
}
|
2016-11-10 22:56:29 +00:00
|
|
|
|
2017-04-09 16:52:10 +00:00
|
|
|
// create certificates and add or update the item in the store
|
|
|
|
|
cur, exists := ic.sslCertTracker.Get(key)
|
|
|
|
|
if exists {
|
|
|
|
|
s := cur.(*ingress.SSLCert)
|
|
|
|
|
if reflect.DeepEqual(s, cert) {
|
|
|
|
|
// no need to update
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
glog.Infof("updating secret %v in the local store", key)
|
|
|
|
|
ic.sslCertTracker.Update(key, cert)
|
2017-07-12 17:31:15 +00:00
|
|
|
ic.reloadRequired = true
|
2017-04-09 16:52:10 +00:00
|
|
|
continue
|
2017-03-10 15:34:13 +00:00
|
|
|
}
|
2017-04-09 16:52:10 +00:00
|
|
|
|
|
|
|
|
glog.Infof("adding secret %v to the local store", key)
|
|
|
|
|
ic.sslCertTracker.Add(key, cert)
|
2017-07-12 17:31:15 +00:00
|
|
|
ic.reloadRequired = true
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-06 18:16:36 +00:00
|
|
|
// getPemCertificate receives a secret, and creates a ingress.SSLCert as return.
|
|
|
|
|
// It parses the secret and verifies if it's a keypair, or a 'ca.crt' secret only.
|
2016-11-10 22:56:29 +00:00
|
|
|
func (ic *GenericController) getPemCertificate(secretName string) (*ingress.SSLCert, error) {
|
|
|
|
|
secretInterface, exists, err := ic.secrLister.Store.GetByKey(secretName)
|
|
|
|
|
if err != nil {
|
2017-03-14 12:48:20 +00:00
|
|
|
return nil, fmt.Errorf("error retrieving secret %v: %v", secretName, err)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
if !exists {
|
2017-03-14 12:47:34 +00:00
|
|
|
return nil, fmt.Errorf("secret named %v does not exist", secretName)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
secret := secretInterface.(*api.Secret)
|
2017-02-06 18:16:36 +00:00
|
|
|
cert, okcert := secret.Data[api.TLSCertKey]
|
|
|
|
|
key, okkey := secret.Data[api.TLSPrivateKeyKey]
|
2016-11-10 22:56:29 +00:00
|
|
|
|
|
|
|
|
ca := secret.Data["ca.crt"]
|
|
|
|
|
|
|
|
|
|
nsSecName := strings.Replace(secretName, "/", "-", -1)
|
2017-02-06 18:16:36 +00:00
|
|
|
|
|
|
|
|
var s *ingress.SSLCert
|
|
|
|
|
if okcert && okkey {
|
|
|
|
|
s, err = ssl.AddOrUpdateCertAndKey(nsSecName, cert, key, ca)
|
2017-07-12 17:31:15 +00:00
|
|
|
glog.V(3).Infof("found certificate and private key, configuring %v as a TLS Secret (CN: %v)", secretName, s.CN)
|
2017-02-06 18:16:36 +00:00
|
|
|
} else if ca != nil {
|
2017-04-09 16:52:10 +00:00
|
|
|
glog.V(3).Infof("found only ca.crt, configuring %v as an Certificate Authentication secret", secretName)
|
2017-02-06 18:16:36 +00:00
|
|
|
s, err = ssl.AddCertAuth(nsSecName, ca)
|
|
|
|
|
} else {
|
2017-03-30 11:00:31 +00:00
|
|
|
return nil, fmt.Errorf("no keypair or CA cert could be found in %v", secretName)
|
2017-02-06 18:16:36 +00:00
|
|
|
}
|
|
|
|
|
|
2016-11-10 22:56:29 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s.Name = secret.Name
|
|
|
|
|
s.Namespace = secret.Namespace
|
|
|
|
|
return s, nil
|
|
|
|
|
}
|
|
|
|
|
|
2016-11-11 23:43:35 +00:00
|
|
|
// sslCertTracker holds a store of referenced Secrets in Ingress rules
|
2016-11-10 22:56:29 +00:00
|
|
|
type sslCertTracker struct {
|
|
|
|
|
cache.ThreadSafeStore
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newSSLCertTracker() *sslCertTracker {
|
|
|
|
|
return &sslCertTracker{
|
|
|
|
|
cache.NewThreadSafeStore(cache.Indexers{}, cache.Indices{}),
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-04-09 16:52:10 +00:00
|
|
|
|
|
|
|
|
// secretTracker holds a store of Secrets
|
|
|
|
|
type secretTracker struct {
|
|
|
|
|
cache.ThreadSafeStore
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newSecretTracker() *secretTracker {
|
|
|
|
|
return &secretTracker{
|
|
|
|
|
cache.NewThreadSafeStore(cache.Indexers{}, cache.Indices{}),
|
|
|
|
|
}
|
|
|
|
|
}
|
