Merge pull request #1046 from aledbf/auth-sha

Add field FileSHA in BasicDigest struct

core/pkg/file/file.go

@@ -0,0 +1,19 @@
+package file
+
+import (
+	"crypto/sha1"
+	"encoding/hex"
+	"io/ioutil"
+)
+
+// SHA1 returns the SHA1 of a file.
+func SHA1(filename string) string {
+	hasher := sha1.New()
+	s, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return ""
+	}
+
+	hasher.Write(s)
+	return hex.EncodeToString(hasher.Sum(nil))
+}

core/pkg/ingress/annotations/auth/main.go

@@ -27,6 +27,7 @@ import (
 	api "k8s.io/api/core/v1"
 	extensions "k8s.io/api/extensions/v1beta1"
 
+	"k8s.io/ingress/core/pkg/file"
 	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
 	ing_errors "k8s.io/ingress/core/pkg/ingress/errors"
 	"k8s.io/ingress/core/pkg/ingress/resolver"
@@ -51,6 +52,7 @@ type BasicDigest struct {
 	Realm   string `json:"realm"`
 	File    string `json:"file"`
 	Secured bool   `json:"secured"`
+	FileSHA string `json:"fileSha"`
 }
 
 // Equal tests for equality between two BasicDigest types
@@ -73,6 +75,9 @@ func (bd1 *BasicDigest) Equal(bd2 *BasicDigest) bool {
 	if bd1.Secured != bd2.Secured {
 		return false
 	}
+	if bd1.FileSHA != bd2.FileSHA {
+		return false
+	}
 
 	return true
 }
@@ -140,6 +145,7 @@ func (a auth) Parse(ing *extensions.Ingress) (interface{}, error) {
 		Realm:   realm,
 		File:    passFile,
 		Secured: true,
+		FileSHA: file.SHA1(passFile),
 	}, nil
 }
 

core/pkg/ingress/controller/controller.go

@@ -42,6 +42,7 @@ import (
 	"k8s.io/client-go/util/flowcontrol"
 
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/ingress/core/pkg/file"
 	"k8s.io/ingress/core/pkg/ingress"
 	"k8s.io/ingress/core/pkg/ingress/annotations/class"
 	"k8s.io/ingress/core/pkg/ingress/annotations/healthcheck"
@@ -982,7 +983,7 @@ func (ic *GenericController) createServers(data []interface{},
 			defaultPemSHA = defaultCertificate.PemSHA
 		} else {
 			defaultPemFileName = fakeCertificatePath
-			defaultPemSHA = ssl.PemSHA1(fakeCertificatePath)
+			defaultPemSHA = file.SHA1(fakeCertificatePath)
 		}
 	} else {
 		defaultPemFileName = defaultCertificate.PemFileName

core/pkg/net/ssl/ssl.go

@@ -19,12 +19,10 @@ package ssl
 import (
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha1"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
-	"encoding/hex"
 	"encoding/pem"
 	"errors"
 	"fmt"
@@ -38,6 +36,7 @@ import (
 	"github.com/golang/glog"
 
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/ingress/core/pkg/file"
 	"k8s.io/ingress/core/pkg/ingress"
 )
 
@@ -163,7 +162,7 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
 		return &ingress.SSLCert{
 			CAFileName:  pemFileName,
 			PemFileName: pemFileName,
-			PemSHA:      PemSHA1(pemFileName),
+			PemSHA:      file.SHA1(pemFileName),
 			CN:          cn.List(),
 			ExpireTime:  pemCert.NotAfter,
 		}, nil
@@ -171,7 +170,7 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
 
 	return &ingress.SSLCert{
 		PemFileName: pemFileName,
-		PemSHA:      PemSHA1(pemFileName),
+		PemSHA:      file.SHA1(pemFileName),
 		CN:          cn.List(),
 		ExpireTime:  pemCert.NotAfter,
 	}, nil
@@ -273,7 +272,7 @@ func AddCertAuth(name string, ca []byte) (*ingress.SSLCert, error) {
 	return &ingress.SSLCert{
 		CAFileName:  caFileName,
 		PemFileName: caFileName,
-		PemSHA:      PemSHA1(caFileName),
+		PemSHA:      file.SHA1(caFileName),
 	}, nil
 }
 
@@ -325,19 +324,6 @@ func AddOrUpdateDHParam(name string, dh []byte) (string, error) {
 	return pemFileName, nil
 }
 
-// PemSHA1 returns the SHA1 of a pem file. This is used to
-// reload NGINX in case a secret with a SSL certificate changed.
-func PemSHA1(filename string) string {
-	hasher := sha1.New()
-	s, err := ioutil.ReadFile(filename)
-	if err != nil {
-		return ""
-	}
-
-	hasher.Write(s)
-	return hex.EncodeToString(hasher.Sum(nil))
-}
-
 // GetFakeSSLCert creates a Self Signed Certificate
 // Based in the code https://golang.org/src/crypto/tls/generate_cert.go
 func GetFakeSSLCert() ([]byte, []byte) {