Remove secrets from ingress after a Delete event

2017-05-11 21:50:43 -03:00 · 2017-05-11 21:50:43 -03:00 · a537d2d0fa
commit a537d2d0fa
parent 4bd4bf3be6
6 changed files with 24 additions and 26 deletions
--- a/controllers/nginx/pkg/cmd/controller/nginx.go
+++ b/controllers/nginx/pkg/cmd/controller/nginx.go
@ -85,9 +85,9 @@ func newNGINXController() ingress.Controller {
 		resolver:      h,
 		proxy: &proxy{
 			Default: &server{
-				Hostname: "localhost",
-				IP:       "127.0.0.1",
-				Port:     442,
+				Hostname:      "localhost",
+				IP:            "127.0.0.1",
+				Port:          442,
 				ProxyProtocol: true,
 			},
 		},
@ -534,9 +534,9 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) ([]byte, er

 		//TODO: Allow PassthroughBackends to specify they support proxy-protocol
 		servers = append(servers, &server{
-			Hostname: pb.Hostname,
-			IP:       svc.Spec.ClusterIP,
-			Port:     port,
+			Hostname:      pb.Hostname,
+			IP:            svc.Spec.ClusterIP,
+			Port:          port,
 			ProxyProtocol: false,
 		})
 	}
--- a/controllers/nginx/pkg/config/config_test.go
+++ b/controllers/nginx/pkg/config/config_test.go
@ -28,8 +28,8 @@ func TestBuildLogFormatUpstream(t *testing.T) {
 		curLogFormat     string
 		expected         string
 	}{
-		{true, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$proxy_protocol_addr")},
-		{false, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$remote_addr")},
+		{true, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$the_x_forwarded_for")},
+		{false, logFormatUpstream, fmt.Sprintf(logFormatUpstream, "$the_x_forwarded_for")},
 		{true, "my-log-format", "my-log-format"},
 		{false, "john-log-format", "john-log-format"},
 	}
--- a/controllers/nginx/pkg/template/configmap_test.go
+++ b/controllers/nginx/pkg/template/configmap_test.go
@ -76,8 +76,7 @@ func TestMergeConfigMapToStruct(t *testing.T) {
 }

 func TestDefaultLoadBalance(t *testing.T) {
-	conf := map[string]string{
-	}
+	conf := map[string]string{}
 	to := ReadConfig(conf)
 	if to.LoadBalanceAlgorithm != "least_conn" {
 		t.Errorf("default load balance algorithm wrong")
--- a/core/pkg/ingress/controller/backend_ssl.go
+++ b/core/pkg/ingress/controller/backend_ssl.go
@ -34,7 +34,7 @@ import (
 // syncSecret keeps in sync Secrets used by Ingress rules with the files on
 // disk to allow copy of the content of the secret to disk to be used
 // by external processes.
-func (ic *GenericController) syncSecret(key string) {
+func (ic *GenericController) syncSecret() {
 	glog.V(3).Infof("starting syncing of secrets")

 	if !ic.controllersInSync() {
@ -46,14 +46,7 @@ func (ic *GenericController) syncSecret(key string) {
 	var cert *ingress.SSLCert
 	var err error

-	// by default we sync just one secret
-	keys := []interface{}{key}
-	// if the key is empty we check all the secrets
-	if key == "" {
-		keys = ic.secretTracker.List()
-	}
-
-	for _, k := range keys {
+	for _, k := range ic.secretTracker.List() {
 		key := k.(string)
 		cert, err = ic.getPemCertificate(key)
 		if err != nil {
--- a/core/pkg/ingress/controller/backend_ssl_test.go
+++ b/core/pkg/ingress/controller/backend_ssl_test.go
@ -167,7 +167,7 @@ func TestSyncSecret(t *testing.T) {
 			ic.secrLister.Add(secret)

 			// for add
-			ic.syncSecret("")
+			ic.syncSecret()
 			if foo.expectSuccess {
 				// validate
 				_, exist := ic.sslCertTracker.Get(foo.secretName)
@ -175,7 +175,7 @@ func TestSyncSecret(t *testing.T) {
 					t.Errorf("Failed to sync secret: %s", foo.secretName)
 				} else {
 					// for update
-					ic.syncSecret("")
+					ic.syncSecret()
 				}
 			}
 		})
--- a/core/pkg/ingress/controller/controller.go
+++ b/core/pkg/ingress/controller/controller.go
@ -30,6 +30,7 @@ import (

 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
 	unversionedcore "k8s.io/client-go/kubernetes/typed/core/v1"
 	def_api "k8s.io/client-go/pkg/api"
@ -204,13 +205,14 @@ func newIngressController(config *Configuration) *GenericController {
 	secrEventHandler := cache.ResourceEventHandlerFuncs{
 		UpdateFunc: func(old, cur interface{}) {
 			if !reflect.DeepEqual(old, cur) {
-				sec := cur.(*api.Secret)
-				ic.syncSecret(fmt.Sprintf("%v/%v", sec.Namespace, sec.Name))
+				ic.syncSecret()
 			}
 		},
 		DeleteFunc: func(obj interface{}) {
 			sec := obj.(*api.Secret)
-			ic.sslCertTracker.Delete(fmt.Sprintf("%v/%v", sec.Namespace, sec.Name))
+			key := fmt.Sprintf("%v/%v", sec.Namespace, sec.Name)
+			ic.sslCertTracker.Delete(key)
+			ic.secretTracker.Delete(key)
 		},
 	}

@ -1012,9 +1014,11 @@ func (ic *GenericController) createServers(data []interface{},
 					} else {
 						glog.Warningf("ssl certificate %v does not contain a common name for host %v", key, host)
 					}
-				} else {
-					glog.Warningf("ssl certificate \"%v\" does not exist in local store", key)
+
+					continue
 				}
+
+				glog.Infof("ssl certificate \"%v\" does not exist in local store", key)
 			}
 		}
 	}
@ -1200,6 +1204,8 @@ func (ic GenericController) Start() {

 	go ic.syncQueue.Run(10*time.Second, ic.stopCh)

+	go wait.Forever(ic.syncSecret, 10*time.Second)
+
 	if ic.syncStatus != nil {
 		go ic.syncStatus.Run(ic.stopCh)
 	}