Fix sync of secrets (kube lego)

2017-09-30 20:42:42 -03:00 · 2017-09-30 20:42:42 -03:00 · 73bca9f192
commit 73bca9f192
parent cbb703c950
3 changed files with 47 additions and 15 deletions
--- a/core/pkg/ingress/controller/backend_ssl.go
+++ b/core/pkg/ingress/controller/backend_ssl.go
@ -24,9 +24,12 @@ import (
 	"github.com/golang/glog"

 	apiv1 "k8s.io/api/core/v1"
+	extensions "k8s.io/api/extensions/v1beta1"
 	"k8s.io/client-go/tools/cache"

 	"k8s.io/ingress/core/pkg/ingress"
+	"k8s.io/ingress/core/pkg/ingress/annotations/class"
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
 	"k8s.io/ingress/core/pkg/net/ssl"
 )

@ -56,12 +59,15 @@ func (ic *GenericController) syncSecret(key string) {
 		ic.syncSecret(key)
 		// this update must trigger an update
 		// (like an update event from a change in Ingress)
-		ic.syncIngress("secret-update")
+		ic.syncIngress("update-secret")
 		return
 	}

 	glog.Infof("adding secret %v to the local store", key)
 	ic.sslCertTracker.Add(key, cert)
+	// this new secret must trigger an update
+	// (like an update event from a change in Ingress)
+	ic.syncIngress("add-secret")
 }

 // getPemCertificate receives a secret, and creates a ingress.SSLCert as return.
@ -120,6 +126,41 @@ func (ic *GenericController) getPemCertificate(secretName string) (*ingress.SSLC
 	return s, nil
 }

+// checkMissingSecrets verify if one or more ingress rules contains a reference
+// to a secret that is not present in the local secret store.
+// In this case we call syncSecret.
+func (ic *GenericController) checkMissingSecrets() {
+	for _, key := range ic.listers.Ingress.ListKeys() {
+		if obj, exists, _ := ic.listers.Ingress.GetByKey(key); exists {
+			ing := obj.(*extensions.Ingress)
+
+			if !class.IsValid(ing, ic.cfg.IngressClass, ic.cfg.DefaultIngressClass) {
+				continue
+			}
+
+			for _, tls := range ing.Spec.TLS {
+				if tls.SecretName == "" {
+					continue
+				}
+
+				key := fmt.Sprintf("%v/%v", ing.Namespace, tls.SecretName)
+				if _, ok := ic.sslCertTracker.Get(key); !ok {
+					ic.syncSecret(key)
+				}
+			}
+
+			key, _ := parser.GetStringAnnotation("ingress.kubernetes.io/auth-tls-secret", ing)
+			if key == "" {
+				continue
+			}
+
+			if _, ok := ic.sslCertTracker.Get(key); !ok {
+				ic.syncSecret(key)
+			}
+		}
+	}
+}
+
 // sslCertTracker holds a store of referenced Secrets in Ingress rules
 type sslCertTracker struct {
 	cache.ThreadSafeStore