cleanup unused certificates

2019-09-24 09:53:22 -04:00 · 2019-09-24 09:53:22 -04:00 · e392c8a8af
commit e392c8a8af
parent 1dc4d184a0
4 changed files with 96 additions and 56 deletions
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
@ -67,6 +67,7 @@ import (

 const (
 	tempNginxPattern = "nginx-cfg"
+	emptyUID         = "-1"
 )

 // NewNGINXController creates a new NGINX Ingress controller.
@ -1004,39 +1005,35 @@ func configureCertificates(rawServers []*ingress.Server) error {
 		Servers:      map[string]string{},
 	}

+	configure := func(hostname string, sslCert *ingress.SSLCert) {
+		uid := emptyUID
+
+		if sslCert != nil {
+			uid = sslCert.UID
+
+			if _, ok := configuration.Certificates[uid]; !ok {
+				configuration.Certificates[uid] = sslCert.PemCertKey
+			}
+		}
+
+		configuration.Servers[hostname] = uid
+	}
+
 	for _, rawServer := range rawServers {
-		if rawServer.SSLCert == nil {
-			continue
-		}
-
-		uid := rawServer.SSLCert.UID
-
-		if _, ok := configuration.Certificates[uid]; !ok {
-			configuration.Certificates[uid] = rawServer.SSLCert.PemCertKey
-		}
-
-		configuration.Servers[rawServer.Hostname] = uid
+		configure(rawServer.Hostname, rawServer.SSLCert)

 		for _, alias := range rawServer.Aliases {
-			if !ssl.IsValidHostname(alias, rawServer.SSLCert.CN) {
-				continue
+			if rawServer.SSLCert != nil && ssl.IsValidHostname(alias, rawServer.SSLCert.CN) {
+				configuration.Servers[alias] = rawServer.SSLCert.UID
+			} else {
+				configuration.Servers[alias] = emptyUID
 			}
-
-			configuration.Servers[alias] = uid
 		}
 	}

 	redirects := buildRedirects(rawServers)
 	for _, redirect := range redirects {
-		if redirect.SSLCert == nil {
-			continue
-		}
-
-		configuration.Servers[redirect.From] = redirect.SSLCert.UID
-
-		if _, ok := configuration.Certificates[redirect.SSLCert.UID]; !ok {
-			configuration.Certificates[redirect.SSLCert.UID] = redirect.SSLCert.PemCertKey
-		}
+		configure(redirect.From, redirect.SSLCert)
 	}

 	statusCode, _, err := nginx.NewPostStatusRequest("/configuration/servers", "application/json", configuration)
--- a/internal/ingress/controller/nginx_test.go
+++ b/internal/ingress/controller/nginx_test.go
@ -205,7 +205,7 @@ func TestConfigureDynamically(t *testing.T) {
 					}
 				case "/configuration/servers":
 					{
-						if !strings.Contains(body, `{"certificates":{},"servers":{}}`) {
+						if !strings.Contains(body, `{"certificates":{},"servers":{"myapp.fake":"-1"}}`) {
 							t.Errorf("controllerPodsCount should be present in JSON content: %v", body)
 						}
 					}
@ -330,13 +330,18 @@ func TestConfigureCertificates(t *testing.T) {
 	}
 	defer streamListener.Close()

-	servers := []*ingress.Server{{
-		Hostname: "myapp.fake",
-		SSLCert: &ingress.SSLCert{
-			PemCertKey: "fake-cert",
-			UID:        "c89a5111-b2e9-4af8-be19-c2a4a924c256",
+	servers := []*ingress.Server{
+		{
+			Hostname: "myapp.fake",
+			SSLCert: &ingress.SSLCert{
+				PemCertKey: "fake-cert",
+				UID:        "c89a5111-b2e9-4af8-be19-c2a4a924c256",
+			},
 		},
-	}}
+		{
+			Hostname: "myapp.nossl",
+		},
+	}

 	server := &httptest.Server{
 		Listener: listener,
@ -363,8 +368,14 @@ func TestConfigureCertificates(t *testing.T) {
 				}

 				for _, server := range servers {
-					if server.SSLCert.UID != conf.Servers[server.Hostname] {
-						t.Errorf("Expected servers and posted servers to be equal")
+					if server.SSLCert == nil {
+						if conf.Servers[server.Hostname] != emptyUID {
+							t.Errorf("Expected server %s to have UID of %s but got %s", server.Hostname, emptyUID, conf.Servers[server.Hostname])
+						}
+					} else {
+						if server.SSLCert.UID != conf.Servers[server.Hostname] {
+							t.Errorf("Expected server %s to have UID of %s but got %s", server.Hostname, server.SSLCert.UID, conf.Servers[server.Hostname])
+						}
 					}
 				}
 			}),