Remove secrets from ingress after a Delete event

controllers/nginx/pkg/config/config_test.go

@@ -28,8 +28,8 @@ func TestBuildLogFormatUpstream(t *testing.T) {
 		curLogFormat     string
 		expected         string
 	}{
-		{true, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$proxy_protocol_addr")},
+		{true, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$the_x_forwarded_for")},
-		{false, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$remote_addr")},
+		{false, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$the_x_forwarded_for")},
 		{true, "my-log-format", "my-log-format"},
 		{false, "john-log-format", "john-log-format"},
 	}

controllers/nginx/pkg/template/configmap_test.go

@@ -76,8 +76,7 @@ func TestMergeConfigMapToStruct(t *testing.T) {
 }
 
 func TestDefaultLoadBalance(t *testing.T) {
-	conf := map[string]string{
+	conf := map[string]string{}
-	}
 	to := ReadConfig(conf)
 	if to.LoadBalanceAlgorithm != "least_conn" {
 		t.Errorf("default load balance algorithm wrong")

core/pkg/ingress/controller/backend_ssl.go

@@ -34,7 +34,7 @@ import (
 // syncSecret keeps in sync Secrets used by Ingress rules with the files on
 // disk to allow copy of the content of the secret to disk to be used
 // by external processes.
-func (ic *GenericController) syncSecret(key string) {
+func (ic *GenericController) syncSecret() {
 	glog.V(3).Infof("starting syncing of secrets")
 
 	if !ic.controllersInSync() {
@@ -46,14 +46,7 @@ func (ic *GenericController) syncSecret(key string) {
 	var cert *ingress.SSLCert
 	var err error
 
-	// by default we sync just one secret
+	for _, k := range ic.secretTracker.List() {
-	keys := []interface{}{key}
-	// if the key is empty we check all the secrets
-	if key == "" {
-		keys = ic.secretTracker.List()
-	}
-
-	for _, k := range keys {
 		key := k.(string)
 		cert, err = ic.getPemCertificate(key)
 		if err != nil {

core/pkg/ingress/controller/backend_ssl_test.go

@@ -167,7 +167,7 @@ func TestSyncSecret(t *testing.T) {
 			ic.secrLister.Add(secret)
 
 			// for add
-			ic.syncSecret("")
+			ic.syncSecret()
 			if foo.expectSuccess {
 				// validate
 				_, exist := ic.sslCertTracker.Get(foo.secretName)
@@ -175,7 +175,7 @@ func TestSyncSecret(t *testing.T) {
 					t.Errorf("Failed to sync secret: %s", foo.secretName)
 				} else {
 					// for update
-					ic.syncSecret("")
+					ic.syncSecret()
 				}
 			}
 		})

core/pkg/ingress/controller/controller.go

@@ -30,6 +30,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
 	unversionedcore "k8s.io/client-go/kubernetes/typed/core/v1"
 	def_api "k8s.io/client-go/pkg/api"
@@ -204,13 +205,14 @@ func newIngressController(config *Configuration) *GenericController {
 	secrEventHandler := cache.ResourceEventHandlerFuncs{
 		UpdateFunc: func(old, cur interface{}) {
 			if !reflect.DeepEqual(old, cur) {
-				sec := cur.(*api.Secret)
+				ic.syncSecret()
-				ic.syncSecret(fmt.Sprintf("%v/%v", sec.Namespace, sec.Name))
 			}
 		},
 		DeleteFunc: func(obj interface{}) {
 			sec := obj.(*api.Secret)
-			ic.sslCertTracker.Delete(fmt.Sprintf("%v/%v", sec.Namespace, sec.Name))
+			key := fmt.Sprintf("%v/%v", sec.Namespace, sec.Name)
+			ic.sslCertTracker.Delete(key)
+			ic.secretTracker.Delete(key)
 		},
 	}
 
@@ -1012,9 +1014,11 @@ func (ic *GenericController) createServers(data []interface{},
 					} else {
 						glog.Warningf("ssl certificate %v does not contain a common name for host %v", key, host)
 					}
-				} else {
+
-					glog.Warningf("ssl certificate \"%v\" does not exist in local store", key)
+					continue
 				}
+
+				glog.Infof("ssl certificate \"%v\" does not exist in local store", key)
 			}
 		}
 	}
@@ -1200,6 +1204,8 @@ func (ic GenericController) Start() {
 
 	go ic.syncQueue.Run(10*time.Second, ic.stopCh)
 
+	go wait.Forever(ic.syncSecret, 10*time.Second)
+
 	if ic.syncStatus != nil {
 		go ic.syncStatus.Run(ic.stopCh)
 	}