Enhance Certificate Logging and Clearup Mutual Auth Docs

Adds better logging to errors caused when getting a Certificate. Adds notes and updates documentation for Mutual Authentication.
2017-09-26 22:46:22 -05:00 · 2017-09-26 22:46:22 -05:00 · 1ffeb2cee1
commit 1ffeb2cee1
parent 6e24dc68f7
8 changed files with 49 additions and 29 deletions
--- a/core/pkg/ingress/controller/backend_ssl.go
+++ b/core/pkg/ingress/controller/backend_ssl.go
@ -74,35 +74,47 @@ func (ic *GenericController) getPemCertificate(secretName string) (*ingress.SSLC

 	cert, okcert := secret.Data[apiv1.TLSCertKey]
 	key, okkey := secret.Data[apiv1.TLSPrivateKeyKey]
-
 	ca := secret.Data["ca.crt"]

+	// namespace/secretName -> namespace-secretName
 	nsSecName := strings.Replace(secretName, "/", "-", -1)

 	var s *ingress.SSLCert
 	if okcert && okkey {
-		if cert == nil || key == nil {
-			return nil, fmt.Errorf("error retrieving cert or key from secret %v: %v", secretName, err)
+		if cert == nil {
+			return nil, fmt.Errorf("secret %v has no 'tls.crt'", secretName)
 		}
+		if key == nil {
+			return nil, fmt.Errorf("secret %v has no 'tls.key'", secretName)
+		}
+
+		// If 'ca.crt' is also present, it will allow this secret to be used in the
+		// 'ingress.kubernetes.io/auth-tls-secret' annotation
 		s, err = ssl.AddOrUpdateCertAndKey(nsSecName, cert, key, ca)
 		if err != nil {
-			return nil, fmt.Errorf("unexpected error creating pem file %v", err)
+			return nil, fmt.Errorf("unexpected error creating pem file: %v", err)
 		}
-		glog.V(3).Infof("found certificate and private key, configuring %v as a TLS Secret (CN: %v)", secretName, s.CN)
+
+		glog.V(3).Infof("found 'tls.crt' and 'tls.key', configuring %v as a TLS Secret (CN: %v)", secretName, s.CN)
+		if ca != nil {
+			glog.V(3).Infof("found 'ca.crt', secret %v can also be used for Certificate Authentication", secretName)
+		}
+
 	} else if ca != nil {
-		glog.V(3).Infof("found only ca.crt, configuring %v as an Certificate Authentication secret", secretName)
 		s, err = ssl.AddCertAuth(nsSecName, ca)
+
 		if err != nil {
-			return nil, fmt.Errorf("unexpected error creating pem file %v", err)
+			return nil, fmt.Errorf("unexpected error creating pem file: %v", err)
 		}
+
+		// makes this secret in 'syncSecret' to be used for Certificate Authentication
+		// this does not enable Certificate Authentication
+		glog.V(3).Infof("found only 'ca.crt', configuring %v as an Certificate Authentication Secret", secretName)
+
 	} else {
 		return nil, fmt.Errorf("no keypair or CA cert could be found in %v", secretName)
 	}

-	if err != nil {
-		return nil, err
-	}
-
 	s.Name = secret.Name
 	s.Namespace = secret.Namespace
 	return s, nil