diff --git a/core/pkg/ingress/controller/backend_ssl.go b/core/pkg/ingress/controller/backend_ssl.go index a038b6fd9..ebd997895 100644 --- a/core/pkg/ingress/controller/backend_ssl.go +++ b/core/pkg/ingress/controller/backend_ssl.go 
@@ -33,38 +33,34 @@ import ( // syncSecret keeps in sync Secrets used by Ingress rules with the files on // disk to allow copy of the content of the secret to disk to be used // by external processes. -func (ic *GenericController) syncSecret() { +func (ic *GenericController) syncSecret(s *api.Secret) { glog.V(3).Infof("starting syncing of secrets") var cert *ingress.SSLCert var err error + key := ic.secretKey(s.Namespace, s.Name) + ic.secretTracker.Add(key, key) - for _, k := range ic.secretTracker.List() { - key := k.(string) - cert, err = ic.getPemCertificate(key) - if err != nil { - glog.Warningf("error obtaining PEM from secret %v: %v", key, err) - continue - } - - // create certificates and add or update the item in the store - cur, exists := ic.sslCertTracker.Get(key) - if exists { - s := cur.(*ingress.SSLCert) - if reflect.DeepEqual(s, cert) { - // no need to update - continue - } - glog.Infof("updating secret %v in the local store", key) - ic.sslCertTracker.Update(key, cert) - ic.reloadRequired = true - continue - } - - glog.Infof("adding secret %v to the local store", key) - ic.sslCertTracker.Add(key, cert) - ic.reloadRequired = true + cert, err = ic.getPemCertificate(key) + if err != nil { + glog.Warningf("error obtaining PEM from secret %v: %v", key, err) + return } + + // create certificates and add or update the item in the store + cur, exists := ic.sslCertTracker.Get(key) + if exists { + s := cur.(*ingress.SSLCert) + if reflect.DeepEqual(s, cert) { + // no need to update + return + } + glog.Infof("updating secret %v in the local store", key) + ic.sslCertTracker.Update(key, cert) + } + + glog.Infof("adding secret %v to the local store", key) + ic.sslCertTracker.Add(key, cert) } // getPemCertificate receives a secret, and creates a ingress.SSLCert as return. diff --git a/core/pkg/ingress/controller/backend_ssl_test.go b/core/pkg/ingress/controller/backend_ssl_test.go index e7fb991d5..b1ef0e21a 100644 --- a/core/pkg/ingress/controller/backend_ssl_test.go 
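Review bot: After `ic.sslCertTracker.Update(key, cert)` the `exists` branch falls through to the `adding secret` log line and a second `ic.sslCertTracker.Add(key, cert)`, because the `continue` that ended that branch in the loop version was dropped rather than replaced; add `return` after the `Update` call. `ic.secretTracker.Add(key, key)` now runs for whatever secret the caller passes, and the handlers in controller.go pass every secret of type `api.SecretTypeTLS`, so certificates and private keys that no Ingress references are tracked and handed to `getPemCertificate`, which, going by the function comment, ends with secret content copied to disk. If only referenced secrets should be materialized, that registration belongs with the code that reads the Ingress rules rather than here. The inner `s := cur.(*ingress.SSLCert)` also shadows the new parameter `s`; a name such as `old` avoids that.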
+++ b/core/pkg/ingress/controller/backend_ssl_test.go @@ -167,7 +167,7 @@ func TestSyncSecret(t *testing.T) { ic.secrLister.Add(secret) // for add - ic.syncSecret() + ic.syncSecret(secret) if foo.expectSuccess { // validate _, exist := ic.sslCertTracker.Get(foo.secretName) @@ -175,7 +175,7 @@ func TestSyncSecret(t *testing.T) { t.Errorf("Failed to sync secret: %s", foo.secretName) } else { // for update - ic.syncSecret() + ic.syncSecret(secret) } } }) diff --git a/core/pkg/ingress/controller/controller.go b/core/pkg/ingress/controller/controller.go index 0453325c9..9a4743489 100644 --- a/core/pkg/ingress/controller/controller.go +++ b/core/pkg/ingress/controller/controller.go @@ -32,7 +32,6 @@ import ( "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/runtime" - "k8s.io/apimachinery/pkg/util/wait" clientset "k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes/scheme" unversionedcore "k8s.io/client-go/kubernetes/typed/core/v1" 
@@ -219,16 +218,32 @@ func newIngressController(config *Configuration) *GenericController { } secrEventHandler := cache.ResourceEventHandlerFuncs{ + AddFunc: func(obj interface{}) { + sec := obj.(*api.Secret) + ic.recorder.Eventf(sec, api.EventTypeNormal, "ADD", fmt.Sprintf("Secret %s/%s", sec.Namespace, sec.Name)) + if sec.Type == api.SecretTypeTLS { + ic.syncSecret(sec) + ic.syncQueue.Enqueue(sec) + } + }, UpdateFunc: func(old, cur interface{}) { if !reflect.DeepEqual(old, cur) { - ic.syncSecret() + curlSec := cur.(*api.Secret) + ic.recorder.Eventf(curlSec, api.EventTypeNormal, "UPDATE", fmt.Sprintf("Secret %s/%s", curlSec.Namespace, curlSec.Name)) + if curlSec.Type == api.SecretTypeTLS { + ic.syncSecret(curlSec) + ic.syncQueue.Enqueue(cur) + } } }, DeleteFunc: func(obj interface{}) { sec := obj.(*api.Secret) - key := fmt.Sprintf("%v/%v", sec.Namespace, sec.Name) - ic.sslCertTracker.Delete(key) - ic.secretTracker.Delete(key) + ic.recorder.Eventf(sec, api.EventTypeNormal, "DELETE", fmt.Sprintf("Secret %s/%s", sec.Namespace, sec.Name)) + if sec.Type == api.SecretTypeTLS { + key := ic.secretKey(sec.Namespace, sec.Name) + ic.sslCertTracker.Delete(key) + ic.secretTracker.Delete(key) + } }, } @@ -328,7 +343,7 @@ func newIngressController(config *Configuration) *GenericController { glog.Warning("Update of ingress status is disabled (flag --update-status=false was specified)") } - ic.annotations = newAnnotationExtractor(ic) + ic.annotations = newAnnotationExtractor(&ic) ic.cfg.Backend.SetListers(ingress.StoreLister{ Ingress: ic.ingLister, 
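Review bot: All three handlers call `ic.recorder.Eventf` before the `api.SecretTypeTLS` check, so an event is written for every Secret the informer delivers, including ones the controller never uses; moving the call inside the type check limits the writes to secrets the controller acts on. The message is built with `fmt.Sprintf` and then passed as the format argument, so `Eventf` formats it a second time; pass `"Secret %s/%s", sec.Namespace, sec.Name` directly. In `DeleteFunc` the unchecked `obj.(*api.Secret)` (a context line, now followed by new code that dereferences it) panics if the informer hands over a `cache.DeletedFinalStateUnknown` tombstone after a missed delete; a guarded version is below. `curlSec` reads like a typo for `curSec`, and the handler literal sits inside `newIngressController`, whose body extends beyond this hunk.

```go
DeleteFunc: func(obj interface{}) {
	sec, ok := obj.(*api.Secret)
	if !ok {
		// the informer can deliver a tombstone instead of the object
		tomb, isTomb := obj.(cache.DeletedFinalStateUnknown)
		if !isTomb {
			glog.Errorf("unexpected object in secret delete handler: %T", obj)
			return
		}
		if sec, ok = tomb.Obj.(*api.Secret); !ok {
			glog.Errorf("tombstone contained unexpected object: %T", tomb.Obj)
			return
		}
	}
	if sec.Type != api.SecretTypeTLS {
		return
	}
	// … unchanged: DELETE event, secretKey lookup and the two tracker deletes …
},
```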
@@ -341,24 +356,26 @@ func newIngressController(config *Configuration) *GenericController { return &ic } - +func (ic *GenericController) secretKey(ns, name string) string { + return fmt.Sprintf("%v/%v", ns, name) +} // Info returns information about the backend -func (ic GenericController) Info() *ingress.BackendInfo { +func (ic *GenericController) Info() *ingress.BackendInfo { return ic.cfg.Backend.Info() } // IngressClass returns information about the backend -func (ic GenericController) IngressClass() string { +func (ic *GenericController) IngressClass() string { return ic.cfg.IngressClass } // GetDefaultBackend returns the default backend -func (ic GenericController) GetDefaultBackend() defaults.Backend { +func (ic *GenericController) GetDefaultBackend() defaults.Backend { return ic.cfg.Backend.BackendDefaults() } // GetSecret searches for a secret in the local secrets Store -func (ic GenericController) GetSecret(name string) (*api.Secret, error) { +func (ic *GenericController) GetSecret(name string) (*api.Secret, error) { s, exists, err := ic.secrLister.Store.GetByKey(name) if err != nil { return nil, err @@ -753,7 +770,7 @@ func (ic *GenericController) getBackendServers() ([]*ingress.Backend, []*ingress } // GetAuthCertificate ... -func (ic GenericController) GetAuthCertificate(secretName string) (*resolver.AuthSSLCert, error) { +func (ic *GenericController) GetAuthCertificate(secretName string) (*resolver.AuthSSLCert, error) { if _, exists := ic.secretTracker.Get(secretName); !exists { ic.secretTracker.Add(secretName, secretName) } 
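Review bot: `secretKey` is added without a doc comment and, as far as the collapsed hunk shows, without a blank line separating it from `newIngressController` above or the `// Info` comment below. Suggested comment: `// secretKey returns the "namespace/name" key under which a secret is stored in secretTracker and sslCertTracker.` `GetAuthCertificate` (hunk `@@ -753,7`) still keys `secretTracker` by its raw `secretName` argument, so the comment should also state that callers of that method must pass names in the same form.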
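Review bot: The `ic.secretTracker.Add(secretName, secretName)` in this hunk's context no longer leads to a sync, and the same holds for the registration in `extractSecretNames` (hunk `@@ -1161,13`). The last hunk of this file removes `go wait.Forever(ic.syncSecret, 10*time.Second)`, and the new `syncSecret(s)` handles only the one secret it is given. A secret registered here is therefore loaded into `sslCertTracker` only if an Add/Update event arrives for it and its type is `api.SecretTypeTLS`; a client-auth CA secret of another type would, as far as these hunks show, never be loaded. The rest of `GetAuthCertificate` lies outside the hunk, so this is inferred, but it is worth confirming that the lookup fails closed in that case, or syncing from here after fetching the secret with `ic.GetSecret(secretName)`.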
@@ -1161,13 +1178,13 @@ func (ic *GenericController) getEndpoints( } // extractSecretNames extracts information about secrets inside the Ingress rule -func (ic GenericController) extractSecretNames(ing *extensions.Ingress) { +func (ic *GenericController) extractSecretNames(ing *extensions.Ingress) { for _, tls := range ing.Spec.TLS { if tls.SecretName == "" { continue } - key := fmt.Sprintf("%v/%v", ing.Namespace, tls.SecretName) + key := ic.secretKey(ing.Namespace, tls.SecretName) _, exists := ic.secretTracker.Get(key) if !exists { ic.secretTracker.Add(key, key) @@ -1176,7 +1193,7 @@ func (ic GenericController) extractSecretNames(ing *extensions.Ingress) { } // Stop stops the loadbalancer controller. -func (ic GenericController) Stop() error { +func (ic *GenericController) Stop() error { ic.stopLock.Lock() defer ic.stopLock.Unlock() @@ -1195,7 +1212,7 @@ func (ic GenericController) Stop() error { } // Start starts the Ingress controller. -func (ic GenericController) Start() { +func (ic *GenericController) Start() { glog.Infof("starting Ingress controller") go ic.ingController.Run(ic.stopCh) @@ -1219,8 +1236,6 @@ func (ic GenericController) Start() { go ic.syncQueue.Run(10*time.Second, ic.stopCh) - go wait.Forever(ic.syncSecret, 10*time.Second) - if ic.syncStatus != nil { go ic.syncStatus.Run(ic.stopCh) }