2016-11-10 22:56:29 +00:00
|
|
|
/*
|
|
|
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
package controller
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
2017-03-10 15:34:13 +00:00
|
|
|
"reflect"
|
2016-11-10 22:56:29 +00:00
|
|
|
"strings"
|
|
|
|
|
|
2016-11-16 18:24:26 +00:00
|
|
|
"github.com/golang/glog"
|
|
|
|
|
|
2017-09-17 18:42:31 +00:00
|
|
|
apiv1 "k8s.io/api/core/v1"
|
2017-04-01 14:39:42 +00:00
|
|
|
"k8s.io/client-go/tools/cache"
|
2016-11-10 22:56:29 +00:00
|
|
|
|
|
|
|
|
"k8s.io/ingress/core/pkg/ingress"
|
2017-03-27 02:18:22 +00:00
|
|
|
"k8s.io/ingress/core/pkg/net/ssl"
|
2016-11-10 22:56:29 +00:00
|
|
|
)
|
|
|
|
|
|
2016-11-11 23:43:35 +00:00
|
|
|
// syncSecret keeps in sync Secrets used by Ingress rules with the files on
|
2017-04-09 16:52:10 +00:00
|
|
|
// disk to allow copy of the content of the secret to disk to be used
|
|
|
|
|
// by external processes.
|
2017-07-18 18:21:38 +00:00
|
|
|
func (ic *GenericController) syncSecret(key string) {
|
|
|
|
|
glog.V(3).Infof("starting syncing of secret %v", key)
|
2017-04-09 16:52:10 +00:00
|
|
|
|
2017-07-27 17:46:33 +00:00
|
|
|
cert, err := ic.getPemCertificate(key)
|
2017-07-18 18:21:38 +00:00
|
|
|
if err != nil {
|
|
|
|
|
glog.Warningf("error obtaining PEM from secret %v: %v", key, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
2016-11-10 22:56:29 +00:00
|
|
|
|
2017-07-18 18:21:38 +00:00
|
|
|
// create certificates and add or update the item in the store
|
|
|
|
|
cur, exists := ic.sslCertTracker.Get(key)
|
|
|
|
|
if exists {
|
|
|
|
|
s := cur.(*ingress.SSLCert)
|
|
|
|
|
if reflect.DeepEqual(s, cert) {
|
|
|
|
|
// no need to update
|
|
|
|
|
return
|
2017-03-10 15:34:13 +00:00
|
|
|
}
|
2017-07-18 18:21:38 +00:00
|
|
|
glog.Infof("updating secret %v in the local store", key)
|
|
|
|
|
ic.sslCertTracker.Update(key, cert)
|
2017-09-13 14:14:24 +00:00
|
|
|
// we need to force the sync of the secret to disk
|
|
|
|
|
ic.syncSecret(key)
|
|
|
|
|
// this update must trigger an update
|
|
|
|
|
// (like an update event from a change in Ingress)
|
|
|
|
|
ic.syncIngress("secret-update")
|
2017-07-18 18:21:38 +00:00
|
|
|
return
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
2017-07-18 18:21:38 +00:00
|
|
|
|
|
|
|
|
glog.Infof("adding secret %v to the local store", key)
|
|
|
|
|
ic.sslCertTracker.Add(key, cert)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2017-02-06 18:16:36 +00:00
|
|
|
// getPemCertificate receives a secret, and creates a ingress.SSLCert as return.
|
|
|
|
|
// It parses the secret and verifies if it's a keypair, or a 'ca.crt' secret only.
|
2016-11-10 22:56:29 +00:00
|
|
|
func (ic *GenericController) getPemCertificate(secretName string) (*ingress.SSLCert, error) {
|
2017-09-18 23:53:26 +00:00
|
|
|
secret, err := ic.listers.Secret.GetByName(secretName)
|
2016-11-10 22:56:29 +00:00
|
|
|
if err != nil {
|
2017-03-14 12:48:20 +00:00
|
|
|
return nil, fmt.Errorf("error retrieving secret %v: %v", secretName, err)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2017-09-17 18:42:31 +00:00
|
|
|
cert, okcert := secret.Data[apiv1.TLSCertKey]
|
|
|
|
|
key, okkey := secret.Data[apiv1.TLSPrivateKeyKey]
|
2016-11-10 22:56:29 +00:00
|
|
|
ca := secret.Data["ca.crt"]
|
|
|
|
|
|
2017-09-27 03:46:22 +00:00
|
|
|
// namespace/secretName -> namespace-secretName
|
2016-11-10 22:56:29 +00:00
|
|
|
nsSecName := strings.Replace(secretName, "/", "-", -1)
|
2017-02-06 18:16:36 +00:00
|
|
|
|
|
|
|
|
var s *ingress.SSLCert
|
|
|
|
|
if okcert && okkey {
|
2017-09-27 03:46:22 +00:00
|
|
|
if cert == nil {
|
|
|
|
|
return nil, fmt.Errorf("secret %v has no 'tls.crt'", secretName)
|
|
|
|
|
}
|
|
|
|
|
if key == nil {
|
|
|
|
|
return nil, fmt.Errorf("secret %v has no 'tls.key'", secretName)
|
2017-09-18 14:38:23 +00:00
|
|
|
}
|
2017-09-27 03:46:22 +00:00
|
|
|
|
|
|
|
|
// If 'ca.crt' is also present, it will allow this secret to be used in the
|
|
|
|
|
// 'ingress.kubernetes.io/auth-tls-secret' annotation
|
2017-02-06 18:16:36 +00:00
|
|
|
s, err = ssl.AddOrUpdateCertAndKey(nsSecName, cert, key, ca)
|
2017-07-18 20:26:28 +00:00
|
|
|
if err != nil {
|
2017-09-27 03:46:22 +00:00
|
|
|
return nil, fmt.Errorf("unexpected error creating pem file: %v", err)
|
2017-07-18 20:26:28 +00:00
|
|
|
}
|
2017-09-27 03:46:22 +00:00
|
|
|
|
|
|
|
|
glog.V(3).Infof("found 'tls.crt' and 'tls.key', configuring %v as a TLS Secret (CN: %v)", secretName, s.CN)
|
|
|
|
|
if ca != nil {
|
|
|
|
|
glog.V(3).Infof("found 'ca.crt', secret %v can also be used for Certificate Authentication", secretName)
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-06 18:16:36 +00:00
|
|
|
} else if ca != nil {
|
|
|
|
|
s, err = ssl.AddCertAuth(nsSecName, ca)
|
2017-09-27 03:46:22 +00:00
|
|
|
|
2017-07-18 20:26:28 +00:00
|
|
|
if err != nil {
|
2017-09-27 03:46:22 +00:00
|
|
|
return nil, fmt.Errorf("unexpected error creating pem file: %v", err)
|
2017-07-18 20:26:28 +00:00
|
|
|
}
|
2017-09-27 03:46:22 +00:00
|
|
|
|
|
|
|
|
// makes this secret in 'syncSecret' to be used for Certificate Authentication
|
|
|
|
|
// this does not enable Certificate Authentication
|
|
|
|
|
glog.V(3).Infof("found only 'ca.crt', configuring %v as an Certificate Authentication Secret", secretName)
|
|
|
|
|
|
2017-02-06 18:16:36 +00:00
|
|
|
} else {
|
2017-03-30 11:00:31 +00:00
|
|
|
return nil, fmt.Errorf("no keypair or CA cert could be found in %v", secretName)
|
2017-02-06 18:16:36 +00:00
|
|
|
}
|
|
|
|
|
|
2016-11-10 22:56:29 +00:00
|
|
|
s.Name = secret.Name
|
|
|
|
|
s.Namespace = secret.Namespace
|
|
|
|
|
return s, nil
|
|
|
|
|
}
|
|
|
|
|
|
2016-11-11 23:43:35 +00:00
|
|
|
// sslCertTracker holds a store of referenced Secrets in Ingress rules
|
2016-11-10 22:56:29 +00:00
|
|
|
type sslCertTracker struct {
|
|
|
|
|
cache.ThreadSafeStore
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newSSLCertTracker() *sslCertTracker {
|
|
|
|
|
return &sslCertTracker{
|
|
|
|
|
cache.NewThreadSafeStore(cache.Indexers{}, cache.Indices{}),
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-04-09 16:52:10 +00:00
|
|
|
|
2017-07-18 18:21:38 +00:00
|
|
|
func (s *sslCertTracker) DeleteAll(key string) {
|
|
|
|
|
s.Delete(key)
|
2017-04-09 16:52:10 +00:00
|
|
|
}
|
