Merge pull request #2678 from hnrytrn/refactor-cert

Refactor server type to include SSLCert
2018-06-22 12:34:04 -07:00 · 2018-06-22 12:34:04 -07:00 · 700a2275d1
commit 700a2275d1
parent 06df822c2b 86def984a3
5 changed files with 27 additions and 46 deletions
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@ -858,9 +858,11 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,

 	// initialize default server and root location
 	servers[defServerName] = &ingress.Server{
-		Hostname:       defServerName,
-		SSLCertificate: defaultPemFileName,
-		SSLPemChecksum: defaultPemSHA,
+		Hostname: defServerName,
+		SSLCert: ingress.SSLCert{
+			PemFileName: defaultPemFileName,
+			PemSHA:      defaultPemSHA,
+		},
 		Locations: []*ingress.Location{
 			{
 				Path:         rootLocation,
@ -989,7 +991,7 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,
 			}

 			// only add a certificate if the server does not have one previously configured
-			if servers[host].SSLCertificate != "" {
+			if servers[host].SSLCert.PemFileName != "" {
 				continue
 			}

@ -1002,8 +1004,8 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,

 			if tlsSecretName == "" {
 				glog.V(3).Infof("Host %q is listed in the TLS section but secretName is empty. Using default certificate.", host)
-				servers[host].SSLCertificate = defaultPemFileName
-				servers[host].SSLPemChecksum = defaultPemSHA
+				servers[host].SSLCert.PemFileName = defaultPemFileName
+				servers[host].SSLCert.PemSHA = defaultPemSHA
 				continue
 			}

@ -1027,10 +1029,7 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,
 				}
 			}

-			servers[host].SSLCertificate = cert.PemFileName
-			servers[host].SSLFullChainCertificate = cert.FullChainPemFileName
-			servers[host].SSLPemChecksum = cert.PemSHA
-			servers[host].SSLExpireTime = cert.ExpireTime
+			servers[host].SSLCert = *cert

 			if cert.ExpireTime.Before(time.Now().Add(240 * time.Hour)) {
 				glog.Warningf("SSL certificate for server %q is about to expire (%v)", cert.ExpireTime)
--- a/internal/ingress/controller/metrics.go
+++ b/internal/ingress/controller/metrics.go
@ -114,7 +114,7 @@ func ConfigSuccessTime() {
 func setSSLExpireTime(servers []*ingress.Server) {
 	for _, s := range servers {
 		if s.Hostname != defServerName {
-			sslExpireTime.WithLabelValues(s.Hostname).Set(float64(s.SSLExpireTime.Unix()))
+			sslExpireTime.WithLabelValues(s.Hostname).Set(float64(s.SSLCert.ExpireTime.Unix()))
 		}
 	}
 }
--- a/internal/ingress/types.go
+++ b/internal/ingress/types.go
@ -17,8 +17,6 @@ limitations under the License.
 package ingress

 import (
-	"time"
-
 	apiv1 "k8s.io/api/core/v1"
 	extensions "k8s.io/api/extensions/v1beta1"
 	"k8s.io/apimachinery/pkg/util/intstr"
@ -143,18 +141,8 @@ type Server struct {
 	// SSLPassthrough indicates if the TLS termination is realized in
 	// the server or in the remote endpoint
 	SSLPassthrough bool `json:"sslPassthrough"`
-	// SSLCertificate path to the SSL certificate on disk
-	SSLCertificate string `json:"sslCertificate"`
-	// SSLFullChainCertificate path to the SSL certificate on disk
-	// This certificate contains the full chain (ca + intermediates + cert)
-	SSLFullChainCertificate string `json:"sslFullChainCertificate"`
-	// SSLExpireTime has the expire date of this certificate
-	SSLExpireTime time.Time `json:"sslExpireTime"`
-	// SSLPemChecksum returns the checksum of the certificate file on disk.
-	// There is no restriction in the hash generator. This checksum can be
-	// used to  determine if the secret changed without the use of file
-	// system notifications
-	SSLPemChecksum string `json:"sslPemChecksum"`
+	// SSLCert describes the certificate that will be used on the server
+	SSLCert SSLCert `json:"sslCert"`
 	// Locations list of URIs configured in the server.
 	Locations []*Location `json:"locations,omitempty"`
 	// Alias return the alias of the server name
--- a/internal/ingress/types_equals.go
+++ b/internal/ingress/types_equals.go
@ -263,16 +263,7 @@ func (s1 *Server) Equal(s2 *Server) bool {
 	if s1.SSLPassthrough != s2.SSLPassthrough {
 		return false
 	}
-	if s1.SSLCertificate != s2.SSLCertificate {
-		return false
-	}
-	if s1.SSLFullChainCertificate != s2.SSLFullChainCertificate {
-		return false
-	}
-	if !s1.SSLExpireTime.Equal(s2.SSLExpireTime) {
-		return false
-	}
-	if s1.SSLPemChecksum != s2.SSLPemChecksum {
+	if !(&s1.SSLCert).Equal(&s2.SSLCert) {
 		return false
 	}
 	if s1.Alias != s2.Alias {
@ -494,7 +485,7 @@ func (l4b1 *L4Backend) Equal(l4b2 *L4Backend) bool {
 	return true
 }

-// Equal tests for equality between two L4Backend types
+// Equal tests for equality between two SSLCert types
 func (s1 *SSLCert) Equal(s2 *SSLCert) bool {
 	if s1 == s2 {
 		return true
@ -511,6 +502,9 @@ func (s1 *SSLCert) Equal(s2 *SSLCert) bool {
 	if !s1.ExpireTime.Equal(s2.ExpireTime) {
 		return false
 	}
+	if s1.FullChainPemFileName != s2.FullChainPemFileName {
+		return false
+	}

 	for _, cn1 := range s1.CN {
 		found := false