Remove secrets from ingress after a Delete event
This commit is contained in:
Manuel de Brito Fontes
parent
4bd4bf3be6
commit
a537d2d0fa
6 changed files with 24 additions and 26 deletions
|
|
@ -85,9 +85,9 @@ func newNGINXController() ingress.Controller {
|
||||||
resolver: h,
|
resolver: h,
|
||||||
proxy: &proxy{
|
proxy: &proxy{
|
||||||
Default: &server{
|
Default: &server{
|
||||||
Hostname: "localhost",
|
Hostname: "localhost",
|
||||||
IP: "127.0.0.1",
|
IP: "127.0.0.1",
|
||||||
Port: 442,
|
Port: 442,
|
||||||
ProxyProtocol: true,
|
ProxyProtocol: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
@ -534,9 +534,9 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) ([]byte, er
|
||||||
|
|
||||||
//TODO: Allow PassthroughBackends to specify they support proxy-protocol
|
//TODO: Allow PassthroughBackends to specify they support proxy-protocol
|
||||||
servers = append(servers, &server{
|
servers = append(servers, &server{
|
||||||
Hostname: pb.Hostname,
|
Hostname: pb.Hostname,
|
||||||
IP: svc.Spec.ClusterIP,
|
IP: svc.Spec.ClusterIP,
|
||||||
Port: port,
|
Port: port,
|
||||||
ProxyProtocol: false,
|
ProxyProtocol: false,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -28,8 +28,8 @@ func TestBuildLogFormatUpstream(t *testing.T) {
|
||||||
curLogFormat string
|
curLogFormat string
|
||||||
expected string
|
expected string
|
||||||
}{
|
}{
|
||||||
{true, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$proxy_protocol_addr")},
|
{true, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$the_x_forwarded_for")},
|
||||||
{false, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$remote_addr")},
|
{false, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$the_x_forwarded_for")},
|
||||||
{true, "my-log-format", "my-log-format"},
|
{true, "my-log-format", "my-log-format"},
|
||||||
{false, "john-log-format", "john-log-format"},
|
{false, "john-log-format", "john-log-format"},
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -76,8 +76,7 @@ func TestMergeConfigMapToStruct(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestDefaultLoadBalance(t *testing.T) {
|
func TestDefaultLoadBalance(t *testing.T) {
|
||||||
conf := map[string]string{
|
conf := map[string]string{}
|
||||||
}
|
|
||||||
to := ReadConfig(conf)
|
to := ReadConfig(conf)
|
||||||
if to.LoadBalanceAlgorithm != "least_conn" {
|
if to.LoadBalanceAlgorithm != "least_conn" {
|
||||||
t.Errorf("default load balance algorithm wrong")
|
t.Errorf("default load balance algorithm wrong")
|
||||||
|
|
|
||||||
|
|
@ -34,7 +34,7 @@ import (
|
||||||
// syncSecret keeps in sync Secrets used by Ingress rules with the files on
|
// syncSecret keeps in sync Secrets used by Ingress rules with the files on
|
||||||
// disk to allow copy of the content of the secret to disk to be used
|
// disk to allow copy of the content of the secret to disk to be used
|
||||||
// by external processes.
|
// by external processes.
|
||||||
func (ic *GenericController) syncSecret(key string) {
|
func (ic *GenericController) syncSecret() {
|
||||||
glog.V(3).Infof("starting syncing of secrets")
|
glog.V(3).Infof("starting syncing of secrets")
|
||||||
|
|
||||||
if !ic.controllersInSync() {
|
if !ic.controllersInSync() {
|
||||||
|
|
@ -46,14 +46,7 @@ func (ic *GenericController) syncSecret(key string) {
|
||||||
var cert *ingress.SSLCert
|
var cert *ingress.SSLCert
|
||||||
var err error
|
var err error
|
||||||
|
|
||||||
// by default we sync just one secret
|
for _, k := range ic.secretTracker.List() {
|
||||||
keys := []interface{}{key}
|
|
||||||
// if the key is empty we check all the secrets
|
|
||||||
if key == "" {
|
|
||||||
keys = ic.secretTracker.List()
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, k := range keys {
|
|
||||||
key := k.(string)
|
key := k.(string)
|
||||||
cert, err = ic.getPemCertificate(key)
|
cert, err = ic.getPemCertificate(key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
||||||
|
|
@ -167,7 +167,7 @@ func TestSyncSecret(t *testing.T) {
|
||||||
ic.secrLister.Add(secret)
|
ic.secrLister.Add(secret)
|
||||||
|
|
||||||
// for add
|
// for add
|
||||||
ic.syncSecret("")
|
ic.syncSecret()
|
||||||
if foo.expectSuccess {
|
if foo.expectSuccess {
|
||||||
// validate
|
// validate
|
||||||
_, exist := ic.sslCertTracker.Get(foo.secretName)
|
_, exist := ic.sslCertTracker.Get(foo.secretName)
|
||||||
|
|
@ -175,7 +175,7 @@ func TestSyncSecret(t *testing.T) {
|
||||||
t.Errorf("Failed to sync secret: %s", foo.secretName)
|
t.Errorf("Failed to sync secret: %s", foo.secretName)
|
||||||
} else {
|
} else {
|
||||||
// for update
|
// for update
|
||||||
ic.syncSecret("")
|
ic.syncSecret()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
|
||||||
|
|
@ -30,6 +30,7 @@ import (
|
||||||
|
|
||||||
"k8s.io/apimachinery/pkg/fields"
|
"k8s.io/apimachinery/pkg/fields"
|
||||||
"k8s.io/apimachinery/pkg/util/intstr"
|
"k8s.io/apimachinery/pkg/util/intstr"
|
||||||
|
"k8s.io/apimachinery/pkg/util/wait"
|
||||||
clientset "k8s.io/client-go/kubernetes"
|
clientset "k8s.io/client-go/kubernetes"
|
||||||
unversionedcore "k8s.io/client-go/kubernetes/typed/core/v1"
|
unversionedcore "k8s.io/client-go/kubernetes/typed/core/v1"
|
||||||
def_api "k8s.io/client-go/pkg/api"
|
def_api "k8s.io/client-go/pkg/api"
|
||||||
|
|
@ -204,13 +205,14 @@ func newIngressController(config *Configuration) *GenericController {
|
||||||
secrEventHandler := cache.ResourceEventHandlerFuncs{
|
secrEventHandler := cache.ResourceEventHandlerFuncs{
|
||||||
UpdateFunc: func(old, cur interface{}) {
|
UpdateFunc: func(old, cur interface{}) {
|
||||||
if !reflect.DeepEqual(old, cur) {
|
if !reflect.DeepEqual(old, cur) {
|
||||||
sec := cur.(*api.Secret)
|
ic.syncSecret()
|
||||||
ic.syncSecret(fmt.Sprintf("%v/%v", sec.Namespace, sec.Name))
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
DeleteFunc: func(obj interface{}) {
|
DeleteFunc: func(obj interface{}) {
|
||||||
sec := obj.(*api.Secret)
|
sec := obj.(*api.Secret)
|
||||||
ic.sslCertTracker.Delete(fmt.Sprintf("%v/%v", sec.Namespace, sec.Name))
|
key := fmt.Sprintf("%v/%v", sec.Namespace, sec.Name)
|
||||||
|
ic.sslCertTracker.Delete(key)
|
||||||
|
ic.secretTracker.Delete(key)
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -1012,9 +1014,11 @@ func (ic *GenericController) createServers(data []interface{},
|
||||||
} else {
|
} else {
|
||||||
glog.Warningf("ssl certificate %v does not contain a common name for host %v", key, host)
|
glog.Warningf("ssl certificate %v does not contain a common name for host %v", key, host)
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
glog.Warningf("ssl certificate \"%v\" does not exist in local store", key)
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
glog.Infof("ssl certificate \"%v\" does not exist in local store", key)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -1200,6 +1204,8 @@ func (ic GenericController) Start() {
|
||||||
|
|
||||||
go ic.syncQueue.Run(10*time.Second, ic.stopCh)
|
go ic.syncQueue.Run(10*time.Second, ic.stopCh)
|
||||||
|
|
||||||
|
go wait.Forever(ic.syncSecret, 10*time.Second)
|
||||||
|
|
||||||
if ic.syncStatus != nil {
|
if ic.syncStatus != nil {
|
||||||
go ic.syncStatus.Run(ic.stopCh)
|
go ic.syncStatus.Run(ic.stopCh)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue