Adding an ingress tls secret with a non matching certificate and private key break at least the nginx-controller permanently until the offending secret is deleted.
In that case nginx refuses to start/reload with an error like this:
```
Error: exit status 1
2017/06/13 12:16:53 [emerg] 51#51: SSL_CTX_use_PrivateKey_file("/ingress-controller/ssl/monsoon3-tls-baremetal-3-eu-de-1-cloud-sap.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/ingress-controller/ssl/tls-baremetal-3-example-com.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /tmp/nginx-cfg728491545 test failed
```
This will allow json logging in nginx ingress controllers which greatly
improves ease of log indexing and searching via elasticsearch.
After this change is made, users could set the following property in the
ingress configmap to enable json logging:
log-format-upstream: '{"proxy_protocol_addr": "$proxy_protocol_addr", "proxy_add_x_forwarded_for": "$proxy_add_x_forwarded_for", "remote_user": "$remote_user", "time_iso8601": "$time_iso8601", "request": "$request", "status": "$status", "body_bytes_sent": "$body_bytes_sent", "http_referer": "$http_referer", "http_user_agent": "$http_user_agent", "request_length": "$request_length", "request_time": "$request_time", "proxy_upstream_name": "$proxy_upstream_name", "upstream_addr": "$upstream_addr", "upstream_response_length": "$upstream_response_length", "upstream_response_time": "$upstream_response_time", "upstream_status": "$upstream_status"}'
Using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.7
the nginx-controller needs to handle leader-election via configmaps.
To perform the leader-election the nginx-controller needs to have the
appropiate RBAC permissions.
Previously to this fix, the following errors occured:
- cannot get configmaps in the namespace "NAMESPACE_PLACEHOLDER". (get configmaps ingress-controller-leader-nginx)
- initially creating leader election record: User "system:serviceaccount:NAMESPACE_PLACEHOLDER" cannot create configmaps in the namespace "NAMESPACE_PLACEHOLDER". (post configmaps)
fix ingress rbac roles
There was 2 things that the current IC (0.9 beta7) needs.
The ClusterRole was missing `get nodes`:
```
RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "get" resource "nodes" named "xxx" cluster-wide
```
The Role was missing `update configmaps`:
```RBAC DENY: user "system:serviceaccount:kube-system:nginx-ingress-controller" groups [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] cannot "update" resource "configmaps" named "ingress-controller-leader-nginx" in namespace "kube-system"```
removed update configmap because of #798
rebased on master, moved get nodes to own rule
added get nodes to cluster permissions
