Merge pull request #991 from aledbf/ssl-refactoring

Remove secret sync loop
2017-07-19 12:19:36 -04:00 · 2017-07-19 12:19:36 -04:00 · e59ac13eba
commit e59ac13eba
parent bc6e5840b6 5a1f845593
3 changed files with 67 additions and 66 deletions
--- a/core/pkg/ingress/controller/backend_ssl.go
+++ b/core/pkg/ingress/controller/backend_ssl.go
@ -24,47 +24,46 @@ import (
 	"github.com/golang/glog"

 	api "k8s.io/client-go/pkg/api/v1"
+	extensions "k8s.io/client-go/pkg/apis/extensions/v1beta1"
 	"k8s.io/client-go/tools/cache"

 	"k8s.io/ingress/core/pkg/ingress"
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
 	"k8s.io/ingress/core/pkg/net/ssl"
 )

 // syncSecret keeps in sync Secrets used by Ingress rules with the files on
 // disk to allow copy of the content of the secret to disk to be used
 // by external processes.
-func (ic *GenericController) syncSecret() {
-	glog.V(3).Infof("starting syncing of secrets")
+func (ic *GenericController) syncSecret(key string) {
+	glog.V(3).Infof("starting syncing of secret %v", key)

 	var cert *ingress.SSLCert
 	var err error

-	for _, k := range ic.secretTracker.List() {
-		key := k.(string)
-		cert, err = ic.getPemCertificate(key)
-		if err != nil {
-			glog.Warningf("error obtaining PEM from secret %v: %v", key, err)
-			continue
-		}
-
-		// create certificates and add or update the item in the store
-		cur, exists := ic.sslCertTracker.Get(key)
-		if exists {
-			s := cur.(*ingress.SSLCert)
-			if reflect.DeepEqual(s, cert) {
-				// no need to update
-				continue
-			}
-			glog.Infof("updating secret %v in the local store", key)
-			ic.sslCertTracker.Update(key, cert)
-			ic.reloadRequired = true
-			continue
-		}
-
-		glog.Infof("adding secret %v to the local store", key)
-		ic.sslCertTracker.Add(key, cert)
-		ic.reloadRequired = true
+	cert, err = ic.getPemCertificate(key)
+	if err != nil {
+		glog.Warningf("error obtaining PEM from secret %v: %v", key, err)
+		return
 	}
+
+	// create certificates and add or update the item in the store
+	cur, exists := ic.sslCertTracker.Get(key)
+	if exists {
+		s := cur.(*ingress.SSLCert)
+		if reflect.DeepEqual(s, cert) {
+			// no need to update
+			return
+		}
+		glog.Infof("updating secret %v in the local store", key)
+		ic.sslCertTracker.Update(key, cert)
+		ic.reloadRequired = true
+		return
+	}
+
+	glog.Infof("adding secret %v to the local store", key)
+	ic.sslCertTracker.Add(key, cert)
+	ic.reloadRequired = true
 }

 // getPemCertificate receives a secret, and creates a ingress.SSLCert as return.
@ -112,6 +111,26 @@ func (ic *GenericController) getPemCertificate(secretName string) (*ingress.SSLC
 	return s, nil
 }

+// secrReferenced checks if a secret is referenced or not by one or more Ingress rules
+func (ic *GenericController) secrReferenced(name, namespace string) bool {
+	for _, ingIf := range ic.ingLister.Store.List() {
+		ing := ingIf.(*extensions.Ingress)
+		str, err := parser.GetStringAnnotation("ingress.kubernetes.io/auth-tls-secret", ing)
+		if err == nil && str == fmt.Sprintf("%v/%v", namespace, name) {
+			return true
+		}
+		if ing.Namespace != namespace {
+			continue
+		}
+		for _, tls := range ing.Spec.TLS {
+			if tls.SecretName == name {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // sslCertTracker holds a store of referenced Secrets in Ingress rules
 type sslCertTracker struct {
 	cache.ThreadSafeStore
@ -123,13 +142,6 @@ func newSSLCertTracker() *sslCertTracker {
 	}
 }

-// secretTracker holds a store of Secrets
-type secretTracker struct {
-	cache.ThreadSafeStore
-}
-
-func newSecretTracker() *secretTracker {
-	return &secretTracker{
-		cache.NewThreadSafeStore(cache.Indexers{}, cache.Indices{}),
-	}
+func (s *sslCertTracker) DeleteAll(key string) {
+	s.Delete(key)
 }