From a537d2d0faf68b477883c15a2ae23f6e40cb7bdd Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Thu, 11 May 2017 21:50:43 -0300
Subject: [PATCH] Remove secrets from ingress after a Delete event

---
 controllers/nginx/pkg/cmd/controller/nginx.go | 12 ++++++------
 controllers/nginx/pkg/config/config_test.go | 4 ++--
 controllers/nginx/pkg/template/configmap_test.go | 3 +--
 core/pkg/ingress/controller/backend_ssl.go | 11 ++---------
 core/pkg/ingress/controller/backend_ssl_test.go | 4 ++--
 core/pkg/ingress/controller/controller.go | 16 +++++++++++-----
 6 files changed, 24 insertions(+), 26 deletions(-)

diff --git a/controllers/nginx/pkg/cmd/controller/nginx.go b/controllers/nginx/pkg/cmd/controller/nginx.go
index 5d9d9c547..6f4981700 100644
--- a/controllers/nginx/pkg/cmd/controller/nginx.go
+++ b/controllers/nginx/pkg/cmd/controller/nginx.go
@@ -85,9 +85,9 @@ func newNGINXController() ingress.Controller {
 resolver: h,
 proxy: &proxy{
 Default: &server{
- Hostname: "localhost",
- IP: "127.0.0.1",
- Port: 442,
+ Hostname: "localhost",
+ IP: "127.0.0.1",
+ Port: 442,
 ProxyProtocol: true,
 },
 },
@@ -534,9 +534,9 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) ([]byte, er

 //TODO: Allow PassthroughBackends to specify they support proxy-protocol
 servers = append(servers, &server{
- Hostname: pb.Hostname,
- IP: svc.Spec.ClusterIP,
- Port: port,
+ Hostname: pb.Hostname,
+ IP: svc.Spec.ClusterIP,
+ Port: port,
 ProxyProtocol: false,
 })
 }
diff --git a/controllers/nginx/pkg/config/config_test.go b/controllers/nginx/pkg/config/config_test.go
index 359cb1306..f0a511c8e 100644
--- a/controllers/nginx/pkg/config/config_test.go
+++ b/controllers/nginx/pkg/config/config_test.go
@@ -28,8 +28,8 @@ func TestBuildLogFormatUpstream(t *testing.T) {
 curLogFormat string
 expected string
 }{
- {true, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$proxy_protocol_addr")},
- {false, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$remote_addr")},
+ {true, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$the_x_forwarded_for")},
+ {false, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$the_x_forwarded_for")},
 {true, "my-log-format", "my-log-format"},
 {false, "john-log-format", "john-log-format"},
 }
diff --git a/controllers/nginx/pkg/template/configmap_test.go b/controllers/nginx/pkg/template/configmap_test.go
index 9eb658070..130a452a6 100644
--- a/controllers/nginx/pkg/template/configmap_test.go
+++ b/controllers/nginx/pkg/template/configmap_test.go
@@ -76,8 +76,7 @@ func TestMergeConfigMapToStruct(t *testing.T) {
 }

 func TestDefaultLoadBalance(t *testing.T) {
- conf := map[string]string{
- }
+ conf := map[string]string{}
 to := ReadConfig(conf)
 if to.LoadBalanceAlgorithm != "least_conn" {
 t.Errorf("default load balance algorithm wrong")
diff --git a/core/pkg/ingress/controller/backend_ssl.go b/core/pkg/ingress/controller/backend_ssl.go
index c8bd334a0..aadebd836 100644
--- a/core/pkg/ingress/controller/backend_ssl.go
+++ b/core/pkg/ingress/controller/backend_ssl.go
@@ -34,7 +34,7 @@ import (
 // syncSecret keeps in sync Secrets used by Ingress rules with the files on
 // disk to allow copy of the content of the secret to disk to be used
 // by external processes.
-func (ic *GenericController) syncSecret(key string) {
+func (ic *GenericController) syncSecret() {
 glog.V(3).Infof("starting syncing of secrets")

 if !ic.controllersInSync() {
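Review bot: The two rewritten table rows expect `$the_x_forwarded_for` for both the `true` and the `false` proxy-protocol case, so the flag no longer changes the expected string and this test cannot tell whether the log-format builder still honours it. The builder itself is not in this patch (config.go is absent from the diffstat), so the behaviour being asserted presumably landed separately, and the change is unrelated to the commit's subject. If the upstream log format now always records X-Forwarded-For, that value is client-supplied unless the forwarded-header handling restricts it to trusted proxies, which is worth stating on the rows, e.g. `// both modes log $the_x_forwarded_for; how trustworthy it is depends on the forwarded-header configuration — TODO confirm`. The table literal begins before the hunk.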
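Review bot: The doc comment above the new `syncSecret()` signature still reads as if a single secret were synced, while the function now re-reads every key in `ic.secretTracker` on each call and, elsewhere in this commit, is also started on a periodic timer from `Start` in addition to the Secret update handler. I'd say so in the comment, e.g. `// syncSecret re-reads every Secret tracked in secretTracker and refreshes its on-disk copy; it runs periodically from Start and on every Secret update.` The function body continues past the hunk.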
@@ -46,14 +46,7 @@ func (ic *GenericController) syncSecret(key string) {
 var cert *ingress.SSLCert
 var err error

- // by default we sync just one secret
- keys := []interface{}{key}
- // if the key is empty we check all the secrets
- if key == "" {
- keys = ic.secretTracker.List()
- }
-
- for _, k := range keys {
+ for _, k := range ic.secretTracker.List() {
 key := k.(string)
 cert, err = ic.getPemCertificate(key)
 if err != nil {
diff --git a/core/pkg/ingress/controller/backend_ssl_test.go b/core/pkg/ingress/controller/backend_ssl_test.go
index 248bb20b2..e7fb991d5 100644
--- a/core/pkg/ingress/controller/backend_ssl_test.go
+++ b/core/pkg/ingress/controller/backend_ssl_test.go
@@ -167,7 +167,7 @@ func TestSyncSecret(t *testing.T) {
 ic.secrLister.Add(secret)

 // for add
- ic.syncSecret("")
+ ic.syncSecret()
 if foo.expectSuccess {
 // validate
 _, exist := ic.sslCertTracker.Get(foo.secretName)
@@ -175,7 +175,7 @@ func TestSyncSecret(t *testing.T) {
 t.Errorf("Failed to sync secret: %s", foo.secretName)
 } else {
 // for update
- ic.syncSecret("")
+ ic.syncSecret()
 }
 }
 })
diff --git a/core/pkg/ingress/controller/controller.go b/core/pkg/ingress/controller/controller.go
index 1985d44f6..5f65ddc55 100644
--- a/core/pkg/ingress/controller/controller.go
+++ b/core/pkg/ingress/controller/controller.go
@@ -30,6 +30,7 @@ import (

 "k8s.io/apimachinery/pkg/fields"
 "k8s.io/apimachinery/pkg/util/intstr"
+ "k8s.io/apimachinery/pkg/util/wait"
 clientset "k8s.io/client-go/kubernetes"
 unversionedcore "k8s.io/client-go/kubernetes/typed/core/v1"
 def_api "k8s.io/client-go/pkg/api"
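Review bot: Nothing serialises the two callers this commit gives `syncSecret` — the `wait.Forever` loop started in `Start` and the Secret `UpdateFunc` — so two executions of the `for _, k := range ic.secretTracker.List()` loop can overlap, and if `getPemCertificate` writes the PEM to disk as the doc comment says, they can rewrite the same file at the same time. Every call now also walks all tracked secrets, so a burst of Secret updates multiplies that work and a persistently broken secret is retried on every pass. A mutex on the controller around the loop, `ic.syncSecretMu.Lock()` / `defer ic.syncSecretMu.Unlock()` at the top of the function, or routing the periodic call through `syncQueue` so it runs on the existing worker, would close the race. `cert` and `err` are shared across iterations; the loop body continues past the hunk, so I cannot see whether a stale `cert` from a failed iteration is ever used.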
@@ -204,13 +205,14 @@ func newIngressController(config *Configuration) *GenericController {
 secrEventHandler := cache.ResourceEventHandlerFuncs{
 UpdateFunc: func(old, cur interface{}) {
 if !reflect.DeepEqual(old, cur) {
- sec := cur.(*api.Secret)
- ic.syncSecret(fmt.Sprintf("%v/%v", sec.Namespace, sec.Name))
+ ic.syncSecret()
 }
 },
 DeleteFunc: func(obj interface{}) {
 sec := obj.(*api.Secret)
- ic.sslCertTracker.Delete(fmt.Sprintf("%v/%v", sec.Namespace, sec.Name))
+ key := fmt.Sprintf("%v/%v", sec.Namespace, sec.Name)
+ ic.sslCertTracker.Delete(key)
+ ic.secretTracker.Delete(key)
 },
 }

@@ -1012,9 +1014,11 @@ func (ic *GenericController) createServers(data []interface{},
 } else {
 glog.Warningf("ssl certificate %v does not contain a common name for host %v", key, host)
 }
- } else {
- glog.Warningf("ssl certificate \"%v\" does not exist in local store", key)
+
+ continue
 }
+
+ glog.Infof("ssl certificate \"%v\" does not exist in local store", key)
 }
 }
 }
@@ -1200,6 +1204,8 @@ func (ic GenericController) Start() {

 go ic.syncQueue.Run(10*time.Second, ic.stopCh)

+ go wait.Forever(ic.syncSecret, 10*time.Second)
+
 if ic.syncStatus != nil {
 go ic.syncStatus.Run(ic.stopCh)
 }
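Review bot: The new `DeleteFunc` body drops the key from `sslCertTracker` and `secretTracker`, but if `syncSecret` copies each Secret's certificate and private key to disk (its doc comment says it copies secret content to disk for external processes), that file is left in place, so the key material outlives the Secret — the very thing the commit subject is about. In addition, `sec := obj.(*api.Secret)` on the line feeding the new code panics when the informer delivers a `cache.DeletedFinalStateUnknown` tombstone, which it does after a missed watch event, and that takes the whole controller down on a routine relist. I'd make the handler tolerate the tombstone and leave a marker for the on-disk cleanup, which I cannot write here because the file-removal helper is not visible. `newIngressController` continues past the hunk.

```go
DeleteFunc: func(obj interface{}) {
	sec, ok := obj.(*api.Secret)
	if !ok {
		// a missed watch event is delivered as a tombstone wrapping the last known object
		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
		if !ok {
			return
		}
		if sec, ok = tombstone.Obj.(*api.Secret); !ok {
			return
		}
	}
	key := fmt.Sprintf("%v/%v", sec.Namespace, sec.Name)
	ic.sslCertTracker.Delete(key)
	ic.secretTracker.Delete(key)
	// TODO: also remove the PEM file syncSecret wrote for this key, if any
},
```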
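Review bot: The message for a referenced TLS secret that is missing from the local store is downgraded from `glog.Warningf` to `glog.Infof`, so a host whose certificate could not be loaded — and which is therefore served under whatever fallback the surrounding code applies, not visible here — no longer shows up to anyone watching warnings. Presumably the downgrade is because the periodic `syncSecret` pass can make this transient at startup; if so, say that in a comment rather than hiding the condition, e.g. `// the secret may not have been synced yet; the periodic syncSecret pass picks it up`, and otherwise keep `glog.Warningf("ssl certificate \"%v\" does not exist in local store", key)`. `createServers` starts and ends outside the hunk.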
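Review bot: `go wait.Forever(ic.syncSecret, 10*time.Second)` takes no stop channel, unlike the neighbouring `ic.syncQueue.Run(10*time.Second, ic.stopCh)` and `ic.syncStatus.Run(ic.stopCh)`, so the secret-sync goroutine keeps running after `stopCh` closes and keeps touching `secretTracker` and the on-disk copies for the process lifetime. `go wait.Until(ic.syncSecret, 10*time.Second, ic.stopCh)` from the same package keeps the cadence and honours shutdown. The tail of `Start` is outside the hunk.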