Improve TLS secret configuration
parent
f5211458ce
commit
567041ea0d
1 changed files with 31 additions and 15 deletions
|
@ -200,19 +200,25 @@ func newIngressController(config *Configuration) *GenericController {
|
||||||
// the referenced secret is different?
|
// the referenced secret is different?
|
||||||
if diff := pretty.Compare(curIng.Spec.TLS, oldIng.Spec.TLS); diff != "" {
|
if diff := pretty.Compare(curIng.Spec.TLS, oldIng.Spec.TLS); diff != "" {
|
||||||
for _, secretName := range curIng.Spec.TLS {
|
for _, secretName := range curIng.Spec.TLS {
|
||||||
secKey := fmt.Sprintf("%v/%v", curIng.Namespace, secretName.SecretName)
|
secKey := ""
|
||||||
go func() {
|
if secretName.SecretName != "" {
|
||||||
glog.Infof("TLS section in ingress %v/%v changed (secret is now %v)", upIng.Namespace, upIng.Name, secKey)
|
secKey = fmt.Sprintf("%v/%v", curIng.Namespace, secretName.SecretName)
|
||||||
// we need to wait until the ingress store is updated
|
}
|
||||||
time.Sleep(10 * time.Second)
|
glog.Infof("TLS section in ingress %v/%v changed (secret is now \"%v\")", upIng.Namespace, upIng.Name, secKey)
|
||||||
key, err := ic.GetSecret(secKey)
|
// default cert is already queued
|
||||||
if err != nil {
|
if secKey != "" {
|
||||||
glog.Errorf("unexpected error: %v", err)
|
go func() {
|
||||||
}
|
// we need to wait until the ingress store is updated
|
||||||
if key != nil {
|
time.Sleep(10 * time.Second)
|
||||||
ic.secretQueue.Enqueue(key)
|
key, err := ic.GetSecret(secKey)
|
||||||
}
|
if err != nil {
|
||||||
}()
|
glog.Errorf("unexpected error: %v", err)
|
||||||
|
}
|
||||||
|
if key != nil {
|
||||||
|
ic.secretQueue.Enqueue(key)
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if ic.annotations.ContainsCertificateAuth(upIng) {
|
if ic.annotations.ContainsCertificateAuth(upIng) {
|
||||||
|
@ -951,18 +957,28 @@ func (ic *GenericController) createServers(data []interface{},
|
||||||
// TODO: TLS without secret?
|
// TODO: TLS without secret?
|
||||||
if len(ing.Spec.TLS) > 0 && servers[host].SSLCertificate == "" {
|
if len(ing.Spec.TLS) > 0 && servers[host].SSLCertificate == "" {
|
||||||
tlsSecretName := ""
|
tlsSecretName := ""
|
||||||
|
found := false
|
||||||
for _, tls := range ing.Spec.TLS {
|
for _, tls := range ing.Spec.TLS {
|
||||||
for _, tlsHost := range tls.Hosts {
|
for _, tlsHost := range tls.Hosts {
|
||||||
if tlsHost == host {
|
if tlsHost == host {
|
||||||
tlsSecretName = tls.SecretName
|
tlsSecretName = tls.SecretName
|
||||||
|
found = true
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// the current ing.Spec.Rules[].Host doesn't have an entry at
|
||||||
|
// ing.Spec.TLS[].Hosts[], skipping to the next Rule
|
||||||
|
if !found {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
// Current Host listed on ing.Spec.TLS[].Hosts[]
|
||||||
|
// but TLS[].SecretName is empty; using default cert
|
||||||
if tlsSecretName == "" {
|
if tlsSecretName == "" {
|
||||||
glog.Warningf("ingress rule %v/%v for host %v does not contains a matching tls host", ing.Namespace, ing.Name, host)
|
servers[host].SSLCertificate = defaultPemFileName
|
||||||
glog.V(2).Infof("%v", ing.Spec.TLS)
|
servers[host].SSLPemChecksum = defaultPemSHA
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
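Review bot: The new `if tlsSecretName == ""` branch in createServers assigns `defaultPemFileName` and `defaultPemSHA` without logging anything, and the new `if !found` branch skips the host silently as well, while the warning the old code emitted at this point was removed. A host listed under `ing.Spec.TLS[].Hosts[]` with an empty `SecretName` is therefore served with the controller's default certificate and nothing in the logs tells the operator that the ingress is misconfigured. I would add `glog.Warningf("ingress %v/%v: host %v has a TLS entry without a secret name, using the default certificate", ing.Namespace, ing.Name, host)` before the assignment, and a `glog.V(2).Infof` line in the `!found` branch. createServers starts and ends outside the hunk, so whether the fallback is reported elsewhere is not visible here.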