Avoid periodic check for secret changes

core/pkg/ingress/controller/backend_ssl.go

@@ -34,7 +34,7 @@ import (
 // syncSecret keeps in sync Secrets used by Ingress rules with the files on
 // disk to allow copy of the content of the secret to disk to be used
 // by external processes.
-func (ic *GenericController) syncSecret() {
+func (ic *GenericController) syncSecret(key string) {
 	glog.V(3).Infof("starting syncing of secrets")
 
 	if !ic.controllersInSync() {
@@ -46,7 +46,13 @@ func (ic *GenericController) syncSecret() {
 	var cert *ingress.SSLCert
 	var err error
 
-	keys := ic.secretTracker.List()
+	// by default we sync just one secret
+	keys := []interface{}{key}
+	// if the key is empty we check all the secrets
+	if key == "" {
+		keys = ic.secretTracker.List()
+	}
+
 	for _, k := range keys {
 		key := k.(string)
 		cert, err = ic.getPemCertificate(key)

core/pkg/ingress/controller/backend_ssl_test.go

@@ -22,6 +22,7 @@ import (
 	"testing"
 
 	"fmt"
+
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	testclient "k8s.io/client-go/kubernetes/fake"
 	api_v1 "k8s.io/client-go/pkg/api/v1"
@@ -166,7 +167,7 @@ func TestSyncSecret(t *testing.T) {
 			ic.secrLister.Add(secret)
 
 			// for add
-			ic.syncSecret()
+			ic.syncSecret("")
 			if foo.expectSuccess {
 				// validate
 				_, exist := ic.sslCertTracker.Get(foo.secretName)
@@ -174,7 +175,7 @@ func TestSyncSecret(t *testing.T) {
 					t.Errorf("Failed to sync secret: %s", foo.secretName)
 				} else {
 					// for update
-					ic.syncSecret()
+					ic.syncSecret("")
 				}
 			}
 		})

core/pkg/ingress/controller/controller.go

@@ -30,7 +30,6 @@ import (
 
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
 	unversionedcore "k8s.io/client-go/kubernetes/typed/core/v1"
 	def_api "k8s.io/client-go/pkg/api"
@@ -203,6 +202,12 @@ func newIngressController(config *Configuration) *GenericController {
 	}
 
 	secrEventHandler := cache.ResourceEventHandlerFuncs{
+		UpdateFunc: func(old, cur interface{}) {
+			if !reflect.DeepEqual(old, cur) {
+				sec := cur.(*api.Secret)
+				ic.syncSecret(fmt.Sprintf("%v/%v", sec.Namespace, sec.Name))
+			}
+		},
 		DeleteFunc: func(obj interface{}) {
 			sec := obj.(*api.Secret)
 			ic.sslCertTracker.Delete(fmt.Sprintf("%v/%v", sec.Namespace, sec.Name))
@@ -1151,6 +1156,10 @@ func (ic GenericController) extractSecretNames(ing *extensions.Ingress) {
 	}
 
 	for _, tls := range ing.Spec.TLS {
+		if tls.SecretName == "" {
+			continue
+		}
+
 		key := fmt.Sprintf("%v/%v", ing.Namespace, tls.SecretName)
 		_, exists := ic.secretTracker.Get(key)
 		if !exists {
@@ -1191,8 +1200,6 @@ func (ic GenericController) Start() {
 
 	go ic.syncQueue.Run(10*time.Second, ic.stopCh)
 
-	go wait.Forever(ic.syncSecret, 10*time.Second)
-
 	if ic.syncStatus != nil {
 		go ic.syncStatus.Run(ic.stopCh)
 	}