From 50f688fb53c50cf04c0874e792b8aede928a45fa Mon Sep 17 00:00:00 2001
From: Ricardo Pchevuzinske Katz
Date: Mon, 6 Mar 2017 16:29:33 -0300
Subject: [PATCH] Removes wrong secret enqueing and improve the Fake Cert generation
---
 core/pkg/ingress/controller/backend_ssl.go | 21 +--------------------
 core/pkg/ingress/controller/controller.go | 17 +++++++++--------
 core/pkg/net/ssl/ssl.go | 1 +
 3 files changed, 11 insertions(+), 28 deletions(-)
diff --git a/core/pkg/ingress/controller/backend_ssl.go b/core/pkg/ingress/controller/backend_ssl.go
index 35e7dd59f..f67ff4743 100644
--- a/core/pkg/ingress/controller/backend_ssl.go
+++ b/core/pkg/ingress/controller/backend_ssl.go
@@ -43,28 +43,9 @@ func (ic *GenericController) syncSecret(k interface{}) error {
 return fmt.Errorf("deferring sync till endpoints controller has synced")
 }
- // check if the default certificate is configured
- key := fmt.Sprintf("default/%v", defServerName)
- _, exists := ic.sslCertTracker.Get(key)
+ var key string
 var cert *ingress.SSLCert
 var err error
- if !exists {
- if ic.cfg.DefaultSSLCertificate != "" {
- cert, err = ic.getPemCertificate(ic.cfg.DefaultSSLCertificate)
- if err != nil {
- return err
- }
- } else {
- defCert, defKey := ssl.GetFakeSSLCert()
- cert, err = ssl.AddOrUpdateCertAndKey("default-fake-certificate", defCert, defKey, []byte{})
- if err != nil {
- return nil
- }
- }
- cert.Name = defServerName
- cert.Namespace = api.NamespaceDefault
- ic.sslCertTracker.Add(key, cert)
- }
 key = k.(string)
diff --git a/core/pkg/ingress/controller/controller.go b/core/pkg/ingress/controller/controller.go
index e7759803f..207861e98 100644
--- a/core/pkg/ingress/controller/controller.go
+++ b/core/pkg/ingress/controller/controller.go
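Review bot: The new `var key string` only exists to feed the unchecked assertion `key = k.(string)` two lines below, which panics the sync loop if a non-string item ever reaches the queue; now that the declaration and the assignment are adjacent, fold them into a checked form, `key, ok := k.(string)` followed by `if !ok { return fmt.Errorf("unexpected queue key type %T", k) }`. With the default-certificate block gone, `var cert *ingress.SSLCert` and `var err error` are declared well ahead of their first use; if the remainder of syncSecret (outside this hunk) assigns them only once, `:=` at that point would read better. syncSecret continues past the end of the hunk, so I cannot confirm where `cert` and `err` are next used.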
@@ -838,26 +838,27 @@ func (ic *GenericController) createServers(data []interface{},
 CookiePath: bdef.ProxyCookiePath,
 }
- // This adds the Default Certificate to Default Backend and also for vhosts missing the secret
+ // This adds the Default Certificate to Default Backend (or generates a new self signed one)
 var defaultPemFileName, defaultPemSHA string
- defaultCertificate, err := ic.getPemCertificate(ic.cfg.DefaultSSLCertificate)
- // If no default Certificate was supplied, tries to generate a new dumb one
- if err != nil {
- var cert *ingress.SSLCert
+ // Tries to fetch the default Certificate. If it does not exists, generate a new self signed one.
+ defaultCertificate, err := ic.getPemCertificate(ic.cfg.DefaultSSLCertificate)
+ if err != nil {
+ // This means the Default Secret does not exists, so we will create a new one.
 fakeCertificate := "default-fake-certificate"
 fakeCertificatePath := fmt.Sprintf("%v/%v.pem", ingress.DefaultSSLDirectory, fakeCertificate)
 // Only generates a new certificate if it doesn't exists physically
 _, err := os.Stat(fakeCertificatePath)
 if err != nil {
+ glog.V(3).Infof("No Default SSL Certificate found. Generating a new one")
 defCert, defKey := ssl.GetFakeSSLCert()
- cert, err = ssl.AddOrUpdateCertAndKey(fakeCertificate, defCert, defKey, []byte{})
+ defaultCertificate, err = ssl.AddOrUpdateCertAndKey(fakeCertificate, defCert, defKey, []byte{})
 if err != nil {
 glog.Fatalf("Error generating self signed certificate: %v", err)
 }
- defaultPemFileName = cert.PemFileName
- defaultPemSHA = cert.PemSHA
+ defaultPemFileName = defaultCertificate.PemFileName
+ defaultPemSHA = defaultCertificate.PemSHA
 } else {
 defaultPemFileName = fakeCertificatePath
 defaultPemSHA = ssl.PemSHA1(fakeCertificatePath)
diff --git a/core/pkg/net/ssl/ssl.go b/core/pkg/net/ssl/ssl.go
index cd5f57beb..b007d8bba 100644
--- a/core/pkg/net/ssl/ssl.go
+++ b/core/pkg/net/ssl/ssl.go
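Review bot: The added comment "This means the Default Secret does not exists" and the new `glog.V(3).Infof` line both assume the only way `getPemCertificate` fails is a missing secret, but the error is never inspected or logged, so a misconfigured or unparsable `DefaultSSLCertificate` silently degrades to a self-signed fake certificate at a verbosity most operators never enable. Log the cause at the top of the branch, before the inner `_, err := os.Stat(...)` shadows it: `glog.Warningf("default SSL certificate %q is not usable, falling back to a self-signed one: %v", ic.cfg.DefaultSSLCertificate, err)`. The same shadowed `os.Stat` check treats every failure as "file absent"; `os.IsNotExist(err)` would keep a permission or I/O error from being masked as a regeneration. In the `else` branch `defaultCertificate` presumably stays nil from the failed lookup while only the file name and SHA are set; whether later code in createServers dereferences it cannot be seen from here, since the function starts and ends outside this hunk.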
@@ -78,6 +78,7 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
 // If the file does not start with 'BEGIN CERTIFICATE' it's invalid and must not be used.
 if pemBlock.Type != "CERTIFICATE" {
+ _ = os.Remove(tempPemFile.Name())
 return nil, fmt.Errorf("Certificate %v contains invalid data, and must be created with 'kubectl create secret tls'", name)
 }
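Review bot: The temporary PEM file is now unlinked on this one error path only; any other early return between the creation of `tempPemFile` and the success path (all outside this hunk) presumably still leaves a file containing the rejected key material in the SSL directory. A single `defer` installed right after the file is created, guarded by a flag that the success path sets, would cover every exit uniformly instead of one `os.Remove` per branch. The discarded error deserves a one-line justification so the `_ =` is not read as an oversight, e.g. `_ = os.Remove(tempPemFile.Name()) // best effort: the invalid-data error below is what the caller needs`. AddOrUpdateCertAndKey starts and ends outside the hunk, so the other exits cannot be checked from here.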