Refactoring of kubernetes informers and local caches

internal/ingress/controller/store/backend_ssl.go

@@ -0,0 +1,223 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/golang/glog"
+	"github.com/imdario/mergo"
+
+	apiv1 "k8s.io/api/core/v1"
+	extensions "k8s.io/api/extensions/v1beta1"
+
+	"k8s.io/ingress-nginx/internal/file"
+	"k8s.io/ingress-nginx/internal/ingress"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	"k8s.io/ingress-nginx/internal/k8s"
+	"k8s.io/ingress-nginx/internal/net/ssl"
+)
+
+// syncSecret keeps in sync Secrets used by Ingress rules with the files on
+// disk to allow copy of the content of the secret to disk to be used
+// by external processes.
+func (s k8sStore) syncSecret(key string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	glog.V(3).Infof("starting syncing of secret %v", key)
+
+	// TODO: getPemCertificate should not write to disk to avoid unnecessary overhead
+	cert, err := s.getPemCertificate(key)
+	if err != nil {
+		glog.Warningf("error obtaining PEM from secret %v: %v", key, err)
+		return
+	}
+
+	// create certificates and add or update the item in the store
+	cur, err := s.GetLocalSecret(key)
+	if err == nil {
+		if cur.Equal(cert) {
+			// no need to update
+			return
+		}
+		glog.Infof("updating secret %v in the local store", key)
+		s.sslStore.Update(key, cert)
+		// this update must trigger an update
+		// (like an update event from a change in Ingress)
+		s.sendDummyEvent()
+		return
+	}
+
+	glog.Infof("adding secret %v to the local store", key)
+	s.sslStore.Add(key, cert)
+	// this update must trigger an update
+	// (like an update event from a change in Ingress)
+	s.sendDummyEvent()
+}
+
+// getPemCertificate receives a secret, and creates a ingress.SSLCert as return.
+// It parses the secret and verifies if it's a keypair, or a 'ca.crt' secret only.
+func (s k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error) {
+	secret, err := s.listers.Secret.ByKey(secretName)
+	if err != nil {
+		return nil, fmt.Errorf("error retrieving secret %v: %v", secretName, err)
+	}
+
+	cert, okcert := secret.Data[apiv1.TLSCertKey]
+	key, okkey := secret.Data[apiv1.TLSPrivateKeyKey]
+	ca := secret.Data["ca.crt"]
+
+	// namespace/secretName -> namespace-secretName
+	nsSecName := strings.Replace(secretName, "/", "-", -1)
+
+	var sslCert *ingress.SSLCert
+	if okcert && okkey {
+		if cert == nil {
+			return nil, fmt.Errorf("secret %v has no 'tls.crt'", secretName)
+		}
+		if key == nil {
+			return nil, fmt.Errorf("secret %v has no 'tls.key'", secretName)
+		}
+
+		// If 'ca.crt' is also present, it will allow this secret to be used in the
+		// 'nginx.ingress.kubernetes.io/auth-tls-secret' annotation
+		sslCert, err = ssl.AddOrUpdateCertAndKey(nsSecName, cert, key, ca, s.filesystem)
+		if err != nil {
+			return nil, fmt.Errorf("unexpected error creating pem file: %v", err)
+		}
+
+		glog.V(3).Infof("found 'tls.crt' and 'tls.key', configuring %v as a TLS Secret (CN: %v)", secretName, sslCert.CN)
+		if ca != nil {
+			glog.V(3).Infof("found 'ca.crt', secret %v can also be used for Certificate Authentication", secretName)
+		}
+	} else if ca != nil {
+		sslCert, err = ssl.AddCertAuth(nsSecName, ca, s.filesystem)
+
+		if err != nil {
+			return nil, fmt.Errorf("unexpected error creating pem file: %v", err)
+		}
+
+		// makes this secret in 'syncSecret' to be used for Certificate Authentication
+		// this does not enable Certificate Authentication
+		glog.V(3).Infof("found only 'ca.crt', configuring %v as an Certificate Authentication Secret", secretName)
+
+	} else {
+		return nil, fmt.Errorf("no keypair or CA cert could be found in %v", secretName)
+	}
+
+	sslCert.Name = secret.Name
+	sslCert.Namespace = secret.Namespace
+
+	return sslCert, nil
+}
+
+func (s k8sStore) checkSSLChainIssues() {
+	for _, item := range s.ListLocalSecrets() {
+		secretName := k8s.MetaNamespaceKey(item)
+		secret, err := s.GetLocalSecret(secretName)
+		if err != nil {
+			continue
+		}
+
+		if secret.FullChainPemFileName != "" {
+			// chain already checked
+			continue
+		}
+
+		data, err := ssl.FullChainCert(secret.PemFileName, s.filesystem)
+		if err != nil {
+			glog.Errorf("unexpected error generating SSL certificate with full intermediate chain CA certs: %v", err)
+			continue
+		}
+
+		fullChainPemFileName := fmt.Sprintf("%v/%v-%v-full-chain.pem", file.DefaultSSLDirectory, secret.Namespace, secret.Name)
+
+		file, err := s.filesystem.Create(fullChainPemFileName)
+		if err != nil {
+			glog.Errorf("unexpected error creating SSL certificate file %v: %v", fullChainPemFileName, err)
+			continue
+		}
+
+		_, err = file.Write(data)
+		if err != nil {
+			glog.Errorf("unexpected error creating SSL certificate: %v", err)
+			continue
+		}
+
+		dst := &ingress.SSLCert{}
+
+		err = mergo.MergeWithOverwrite(dst, secret)
+		if err != nil {
+			glog.Errorf("unexpected error creating SSL certificate: %v", err)
+			continue
+		}
+
+		dst.FullChainPemFileName = fullChainPemFileName
+
+		glog.Infof("updating local copy of ssl certificate %v with missing intermediate CA certs", secretName)
+		s.sslStore.Update(secretName, dst)
+		// this update must trigger an update
+		// (like an update event from a change in Ingress)
+		s.sendDummyEvent()
+	}
+}
+
+// checkMissingSecrets verifies if one or more ingress rules contains
+// a reference to a secret that is not present in the local secret store.
+func (s k8sStore) checkMissingSecrets() {
+	for _, ing := range s.ListIngresses() {
+		for _, tls := range ing.Spec.TLS {
+			if tls.SecretName == "" {
+				continue
+			}
+
+			key := fmt.Sprintf("%v/%v", ing.Namespace, tls.SecretName)
+			if _, ok := s.sslStore.Get(key); !ok {
+				s.syncSecret(key)
+			}
+		}
+
+		key, _ := parser.GetStringAnnotation("auth-tls-secret", ing)
+		if key == "" {
+			return
+		}
+
+		if _, ok := s.sslStore.Get(key); !ok {
+			s.syncSecret(key)
+		}
+	}
+}
+
+// ReadSecrets extracts information about secrets from an Ingress rule
+func (s k8sStore) ReadSecrets(ing *extensions.Ingress) {
+	for _, tls := range ing.Spec.TLS {
+		if tls.SecretName == "" {
+			continue
+		}
+
+		key := fmt.Sprintf("%v/%v", ing.Namespace, tls.SecretName)
+		s.syncSecret(key)
+	}
+
+	key, _ := parser.GetStringAnnotation("auth-tls-secret", ing)
+	if key == "" {
+		return
+	}
+	s.syncSecret(key)
+}

internal/ingress/controller/store/backend_ssl_test.go

@@ -0,0 +1,223 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	"encoding/base64"
+
+	apiv1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	testclient "k8s.io/client-go/kubernetes/fake"
+	cache_client "k8s.io/client-go/tools/cache"
+)
+
+const (
+	// openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
+	tlsCrt    = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURIekNDQWdlZ0F3SUJBZ0lKQU1KZld6Mm81cWVnTUEwR0NTcUdTSWIzRFFFQkN3VUFNQ1l4RVRBUEJnTlYKQkFNTUNHNW5hVzU0YzNaak1SRXdEd1lEVlFRS0RBaHVaMmx1ZUhOMll6QWVGdzB4TnpBME1URXdNakF3TlRCYQpGdzB5TnpBME1Ea3dNakF3TlRCYU1DWXhFVEFQQmdOVkJBTU1DRzVuYVc1NGMzWmpNUkV3RHdZRFZRUUtEQWh1CloybHVlSE4yWXpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTUgzVTYvY3ArODAKU3hJRjltSnlUcGI5RzBodnhsM0JMaGdQWDBTWjZ3d1lISGJXeTh2dmlCZjVwWTdvVHd0b2FPaTN1VFNsL2RtVwpvUi9XNm9GVWM5a2l6NlNXc3p6YWRXL2l2Q21LMmxOZUFVc2gvaXY0aTAvNXlreDJRNXZUT2tVL1dra2JPOW1OCjdSVTF0QW1KT3M0T1BVc3hZZkw2cnJJUzZPYktHS2UvYUVkek9QS2NPMDJ5NUxDeHM0TFhhWDIzU1l6TG1XYVAKYVZBallrN1NRZm1xUm5mYlF4RWlpaDFQWTFRRXgxWWs0RzA0VmtHUitrSVVMaWF0L291ZjQxY0dXRTZHMTF4NQpkV1BHeS9XcGtqRGlaM0UwekdNZnJBVUZibnErN1dhRTJCRzVoUVV3ZG9SQUtWTnMzaVhLRlRkT3hoRll5bnBwCjA3cDJVNS96ZHRrQ0F3RUFBYU5RTUU0d0hRWURWUjBPQkJZRUZCL2U5UnVna0Mwc0VNTTZ6enRCSjI1U1JxalMKTUI4R0ExVWRJd1FZTUJhQUZCL2U5UnVna0Mwc0VNTTZ6enRCSjI1U1JxalNNQXdHQTFVZEV3UUZNQU1CQWY4dwpEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBRys4MXdaSXRuMmFWSlFnejNkNmJvZW1nUXhSSHpaZDhNc1IrdFRvCnpJLy9ac1Nwc2FDR3F0TkdTaHVGKzB3TVZ4NjlpQ3lJTnJJb2J4K29NTHBsQzFQSk9uektSUUdvZEhYNFZaSUwKVlhxSFd2VStjK3ZtT0QxUEt3UjcwRi9rTXk2Yk4xMVI2amhIZ3RPZGdLKzdRczhRMVlUSC9RS2dMd3RJTFRHRwpTZlYxWFlmbnF1TXlZKzFzck00U3ZRSmRzdmFUQmJkZHE2RllpdjhXZFpIaG51ZGlSODdZcFgzOUlTSlFkOXF2CnR6OGthZTVqQVFEUWFiZnFsVWZNT1hmUnhyei96S2NvN3dMeWFMWTh1eVhEWUVIZmlHRWdablV0RjgxVlhDZUIKeU80UERBR0FuVmlXTndFM0NZcGI4RkNGelMyaVVVMDJaQWJRajlvUnYyUWNON1E9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+	tlsKey    = "LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRREI5MU92M0tmdk5Fc1MKQmZaaWNrNlcvUnRJYjhaZHdTNFlEMTlFbWVzTUdCeDIxc3ZMNzRnWCthV082RThMYUdqb3Q3azBwZjNabHFFZgoxdXFCVkhQWklzK2tsck04Mm5WdjRyd3BpdHBUWGdGTElmNHIrSXRQK2NwTWRrT2IwenBGUDFwSkd6dlpqZTBWCk5iUUppVHJPRGoxTE1XSHkrcTZ5RXVqbXloaW52MmhIY3pqeW5EdE5zdVN3c2JPQzEybDl0MG1NeTVsbWoybFEKSTJKTzBrSDVxa1ozMjBNUklvb2RUMk5VQk1kV0pPQnRPRlpCa2ZwQ0ZDNG1yZjZMbitOWEJsaE9odGRjZVhWagp4c3YxcVpJdzRtZHhOTXhqSDZ3RkJXNTZ2dTFtaE5nUnVZVUZNSGFFUUNsVGJONGx5aFUzVHNZUldNcDZhZE82CmRsT2Y4M2JaQWdNQkFBRUNnZ0VBRGU1WW1XSHN3ZFpzcWQrNXdYcGFRS2Z2SkxXNmRwTmdYeVFEZ0tiWlplWDUKYldPaUFZU3pycDBra2U0SGQxZEphYVdBYk5LYk45eUV1QWUwa2hOaHVxK3dZQzdlc3JreUJCWXgwMzRBamtwTApKMzFLaHhmejBZdXNSdStialg2UFNkZnlBUnd1b1VKN1M3R3V1NXlhbDZBWU1PVmNGcHFBbjVPU0hMbFpLZnNLClN3NXZyM3NKUjNyOENNWVZoUmQ0citGam9lMXlaczJhUHl2bno5c0U3T0ZCSVRGSVBKcE4veG53VUNpWW5vSEMKV2F2TzB5RCtPeTUyN2hBQ1FwaFVMVjRaZXV2bEZwd2ZlWkZveUhnc2YrM1FxeGhpdGtJb3NGakx2Y0xlL2xjZwpSVHNRUnU5OGJNUTdSakJpYU5kaURadjBaWEMvUUMvS054SEw0bXgxTFFLQmdRRHVDY0pUM2JBZmJRY2YvSGh3CjNxRzliNE9QTXpwOTl2ajUzWU1hZHo5Vlk1dm9RR3RGeFlwbTBRVm9MR1lkQ3BHK0lXaDdVVHBMV0JUeGtMSkYKd3EwcEFmRVhmdHB0anhmcyt0OExWVUFtSXJiM2hwUjZDUjJmYjFJWVZRWUJ4dUdzN0hWMmY3NnRZMVAzSEFnNwpGTDJNTnF3ZDd5VmlsVXdSTVptcmJKV3Qwd0tCZ1FEUW1qZlgzc1NWSWZtN1FQaVQvclhSOGJMM1B3V0lNa3NOCldJTVRYeDJmaG0vd0hOL0pNdCtEK2VWbGxjSXhLMmxSYlNTQ1NwU2hzRUVsMHNxWHZUa1FFQnJxN3RFZndRWU0KbGxNbDJQb0ovV2E5c2VYSTAzWWRNeC94Vm5sbzNaUG9MUGg4UmtKekJTWkhnMlB6cCs0VmlnUklBcGdYMXo3TwpMbHg0SEVtaEl3S0JnUURES1RVdVZYL2xCQnJuV3JQVXRuT2RRU1IzNytSeENtQXZYREgxTFBlOEpxTFkxSmdlCjZFc0U2VEtwcWwwK1NrQWJ4b0JIT3QyMGtFNzdqMHJhYnpaUmZNb1NIV3N3a0RWcGtuWDBjTHpiaDNMRGxvOTkKVHFQKzUrSkRHTktIK210a3Y2bStzaFcvU3NTNHdUN3VVWjdtcXB5TEhsdGtiRXVsZlNra3B5NUJDUUtCZ0RmUwpyVk1GZUZINGI1NGV1dWJQNk5Rdi9CYVNOT2JIbnJJSmw3b2RZQTRLcWZYMXBDVnhpY01Gb3MvV2pjc2V0T1puCmNMZTFRYVVyUjZQWmp3R2dUNTd1MEdWQ1Y1QkoxVmFVKzlkTEEwNmRFMXQ4T2VQT1F2TjVkUGplalVyMDBObjIKL3VBeTVTRm1wV0hKMVh1azJ0L0V1WFNUelNQRUpEaUV5NVlRNjl0RkFvR0JBT2tDcW1jVGZGYlpPTjJRK2JqdgpvVmQvSFpLR3YrbEhqcm5maVlhODVxcUszdWJmb0FSNGppR3V3TThqc3hZZW8vb0hQdHJDTkxINndsYlZNTUFGCmlRZG80ZUF3S0xxRHo1MUx4U2hMckwzUUtNQ1FuZVhkT0VjaEdqSW9zRG5Zekd5RTBpSzJGbWNvWHVSQU1QOHgKWDFreUlkazdENDFxSjQ5WlM1OEdBbXlLCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K"
+	tlscaName = "ca.crt"
+)
+
+type MockQueue struct {
+	cache_client.Store
+	Synced bool
+}
+
+func (f *MockQueue) HasSynced() bool {
+	return f.Synced
+}
+
+func (f *MockQueue) AddIfNotPresent(obj interface{}) error {
+	return nil
+}
+
+func (f *MockQueue) Pop(process cache_client.PopProcessFunc) (interface{}, error) {
+	return nil, nil
+}
+
+func (f *MockQueue) Close() {
+	// just mock
+}
+
+func buildSimpleClientSetForBackendSSL() *testclient.Clientset {
+	return testclient.NewSimpleClientset()
+}
+
+func buildIngListenerForBackendSSL() IngressLister {
+	ingLister := IngressLister{}
+	ingLister.Store = cache_client.NewStore(cache_client.DeletionHandlingMetaNamespaceKeyFunc)
+	return ingLister
+}
+
+func buildSecretForBackendSSL() *apiv1.Secret {
+	return &apiv1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foo_secret",
+			Namespace: metav1.NamespaceDefault,
+		},
+	}
+}
+
+func buildSecrListerForBackendSSL() SecretLister {
+	secrLister := SecretLister{}
+	secrLister.Store = cache_client.NewStore(cache_client.DeletionHandlingMetaNamespaceKeyFunc)
+
+	return secrLister
+}
+
+/*
+func buildListers() *ingress.StoreLister {
+	sl := &ingress.StoreLister{}
+	sl.Ingress.Store = buildIngListenerForBackendSSL()
+	sl.Secret.Store = buildSecrListerForBackendSSL()
+	return sl
+}
+*/
+func buildControllerForBackendSSL() cache_client.Controller {
+	cfg := &cache_client.Config{
+		Queue: &MockQueue{Synced: true},
+	}
+
+	return cache_client.New(cfg)
+}
+
+/*
+func buildGenericControllerForBackendSSL() *NGINXController {
+	gc := &NGINXController{
+		syncRateLimiter: flowcontrol.NewTokenBucketRateLimiter(0.3, 1),
+		cfg: &Configuration{
+			Client: buildSimpleClientSetForBackendSSL(),
+		},
+		listers:        buildListers(),
+		sslCertTracker: NewSSLCertTracker(),
+	}
+
+	gc.syncQueue = task.NewTaskQueue(gc.syncIngress)
+	return gc
+}
+*/
+
+func buildCrtKeyAndCA() ([]byte, []byte, []byte, error) {
+	dCrt, err := base64.StdEncoding.DecodeString(tlsCrt)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	dKey, err := base64.StdEncoding.DecodeString(tlsKey)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	dCa := dCrt
+
+	return dCrt, dKey, dCa, nil
+}
+
+/*
+func TestSyncSecret(t *testing.T) {
+	// prepare for test
+	dCrt, dKey, dCa, err := buildCrtKeyAndCA()
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	foos := []struct {
+		tn            string
+		secretName    string
+		Data          map[string][]byte
+		expectSuccess bool
+	}{
+		{"getPemCertificate_error", "default/foo_secret", map[string][]byte{api.TLSPrivateKeyKey: dKey}, false},
+		{"normal_test", "default/foo_secret", map[string][]byte{api.TLSCertKey: dCrt, api.TLSPrivateKeyKey: dKey, tlscaName: dCa}, true},
+	}
+
+	for _, foo := range foos {
+		t.Run(foo.tn, func(t *testing.T) {
+			ic := buildGenericControllerForBackendSSL()
+
+			// init secret for getPemCertificate
+			secret := buildSecretForBackendSSL()
+			secret.SetNamespace("default")
+			secret.SetName("foo_secret")
+			secret.Data = foo.Data
+			ic.listers.Secret.Add(secret)
+
+			key := "default/foo_secret"
+			// for add
+			ic.syncSecret(key)
+			if foo.expectSuccess {
+				// validate
+				_, exist := ic.sslCertTracker.Get(key)
+				if !exist {
+					t.Errorf("Failed to sync secret: %s", foo.secretName)
+				} else {
+					// for update
+					ic.syncSecret(key)
+				}
+			}
+		})
+	}
+}
+
+func TestGetPemCertificate(t *testing.T) {
+	// prepare
+	dCrt, dKey, dCa, err := buildCrtKeyAndCA()
+	if err != nil {
+		t.Fatalf("Unexpected error: %v", err)
+	}
+
+	foos := []struct {
+		tn         string
+		secretName string
+		Data       map[string][]byte
+		eErr       bool
+	}{
+		{"sceret_not_exist", "default/foo_secret_not_exist", nil, true},
+		{"data_not_complete_all_not_exist", "default/foo_secret", map[string][]byte{}, true},
+		{"data_not_complete_TLSCertKey_not_exist", "default/foo_secret", map[string][]byte{api.TLSPrivateKeyKey: dKey, tlscaName: dCa}, false},
+		{"data_not_complete_TLSCertKeyAndCA_not_exist", "default/foo_secret", map[string][]byte{api.TLSPrivateKeyKey: dKey}, true},
+		{"data_not_complete_TLSPrivateKeyKey_not_exist", "default/foo_secret", map[string][]byte{api.TLSCertKey: dCrt, tlscaName: dCa}, false},
+		{"data_not_complete_TLSPrivateKeyKeyAndCA_not_exist", "default/foo_secret", map[string][]byte{api.TLSCertKey: dCrt}, true},
+		{"data_not_complete_CA_not_exist", "default/foo_secret", map[string][]byte{api.TLSCertKey: dCrt, api.TLSPrivateKeyKey: dKey}, false},
+		{"normal_test", "default/foo_secret", map[string][]byte{api.TLSCertKey: dCrt, api.TLSPrivateKeyKey: dKey, tlscaName: dCa}, false},
+	}
+
+	for _, foo := range foos {
+		t.Run(foo.tn, func(t *testing.T) {
+			ic := buildGenericControllerForBackendSSL()
+			secret := buildSecretForBackendSSL()
+			secret.Data = foo.Data
+			ic.listers.Secret.Add(secret)
+			sslCert, err := ic.getPemCertificate(foo.secretName)
+
+			if foo.eErr {
+				if err == nil {
+					t.Fatal("Expected error")
+				}
+			} else {
+				if err != nil {
+					t.Fatalf("Unexpected error: %v", err)
+				}
+
+				if sslCert == nil {
+					t.Error("Expected an ingress.SSLCert")
+				}
+			}
+		})
+	}
+}
+*/

internal/ingress/controller/store/configmap.go

@@ -0,0 +1,41 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	"fmt"
+
+	apiv1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/tools/cache"
+)
+
+// ConfigMapLister makes a Store that lists Configmaps.
+type ConfigMapLister struct {
+	cache.Store
+}
+
+// ByKey searches for a configmap in the local configmaps Store
+func (cml *ConfigMapLister) ByKey(key string) (*apiv1.ConfigMap, error) {
+	s, exists, err := cml.GetByKey(key)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, fmt.Errorf("configmap %v was not found", key)
+	}
+	return s.(*apiv1.ConfigMap), nil
+}

internal/ingress/controller/store/endpoint.go

@@ -0,0 +1,40 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	"fmt"
+
+	apiv1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/tools/cache"
+)
+
+// EndpointLister makes a Store that lists Endpoints.
+type EndpointLister struct {
+	cache.Store
+}
+
+// GetServiceEndpoints returns the endpoints of a service, matched on service name.
+func (s *EndpointLister) GetServiceEndpoints(svc *apiv1.Service) (*apiv1.Endpoints, error) {
+	for _, m := range s.Store.List() {
+		ep := m.(*apiv1.Endpoints)
+		if svc.Name == ep.Name && svc.Namespace == ep.Namespace {
+			return ep, nil
+		}
+	}
+	return nil, fmt.Errorf("could not find endpoints for service: %v", svc.Name)
+}

internal/ingress/controller/store/ingress.go

@@ -0,0 +1,41 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	"fmt"
+
+	extensions "k8s.io/api/extensions/v1beta1"
+	"k8s.io/client-go/tools/cache"
+)
+
+// IngressLister makes a Store that lists Ingress.
+type IngressLister struct {
+	cache.Store
+}
+
+// ByKey searches for an ingress in the local ingress Store
+func (il IngressLister) ByKey(key string) (*extensions.Ingress, error) {
+	i, exists, err := il.GetByKey(key)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, fmt.Errorf("ingress %v was not found", key)
+	}
+	return i.(*extensions.Ingress), nil
+}

internal/ingress/controller/store/ingress_annotation.go

@@ -0,0 +1,26 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	"k8s.io/client-go/tools/cache"
+)
+
+// IngressAnnotationsLister makes a Store that lists annotations in Ingress rules.
+type IngressAnnotationsLister struct {
+	cache.Store
+}

internal/ingress/controller/store/local_secret.go

@@ -0,0 +1,46 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	"fmt"
+
+	"k8s.io/client-go/tools/cache"
+
+	"k8s.io/ingress-nginx/internal/ingress"
+)
+
+// SSLCertTracker holds a store of referenced Secrets in Ingress rules
+type SSLCertTracker struct {
+	cache.ThreadSafeStore
+}
+
+// NewSSLCertTracker creates a new SSLCertTracker store
+func NewSSLCertTracker() *SSLCertTracker {
+	return &SSLCertTracker{
+		cache.NewThreadSafeStore(cache.Indexers{}, cache.Indices{}),
+	}
+}
+
+// ByKey searches for an ingress in the local ingress Store
+func (s SSLCertTracker) ByKey(key string) (*ingress.SSLCert, error) {
+	cert, exists := s.Get(key)
+	if !exists {
+		return nil, fmt.Errorf("local SSL certificate %v was not found", key)
+	}
+	return cert.(*ingress.SSLCert), nil
+}

internal/ingress/controller/store/local_secret_test.go

@@ -0,0 +1,39 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import "testing"
+
+func TestSSLCertTracker(t *testing.T) {
+	tracker := NewSSLCertTracker()
+
+	items := len(tracker.List())
+	if items != 0 {
+		t.Errorf("expected 0 items in the store but %v returned", items)
+	}
+
+	tracker.Add("key", "value")
+	items = len(tracker.List())
+	if items != 1 {
+		t.Errorf("expected 1 item in the store but %v returned", items)
+	}
+
+	item, exists := tracker.Get("key")
+	if !exists || item == nil {
+		t.Errorf("expected an item from the store but none returned")
+	}
+}

internal/ingress/controller/store/secret.go

@@ -0,0 +1,41 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	"fmt"
+
+	apiv1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/tools/cache"
+)
+
+// SecretLister makes a Store that lists Secrets.
+type SecretLister struct {
+	cache.Store
+}
+
+// ByKey searches for a secret in the local secrets Store
+func (sl *SecretLister) ByKey(key string) (*apiv1.Secret, error) {
+	s, exists, err := sl.GetByKey(key)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, fmt.Errorf("secret %v was not found", key)
+	}
+	return s.(*apiv1.Secret), nil
+}

internal/ingress/controller/store/service.go

@@ -0,0 +1,41 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	"fmt"
+
+	apiv1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/tools/cache"
+)
+
+// ServiceLister makes a Store that lists Services.
+type ServiceLister struct {
+	cache.Store
+}
+
+// ByKey searches for a service in the local secrets Store
+func (sl *ServiceLister) ByKey(key string) (*apiv1.Service, error) {
+	s, exists, err := sl.GetByKey(key)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, fmt.Errorf("service %v was not found", key)
+	}
+	return s.(*apiv1.Service), nil
+}

internal/ingress/controller/store/store.go

@@ -0,0 +1,559 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"reflect"
+	"sync"
+	"time"
+
+	"github.com/golang/glog"
+
+	apiv1 "k8s.io/api/core/v1"
+	extensions "k8s.io/api/extensions/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/scheme"
+	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
+	"k8s.io/client-go/tools/cache"
+	cache_client "k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/record"
+
+	"k8s.io/ingress-nginx/internal/file"
+	"k8s.io/ingress-nginx/internal/ingress"
+	"k8s.io/ingress-nginx/internal/ingress/annotations"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/class"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config"
+	ngx_template "k8s.io/ingress-nginx/internal/ingress/controller/template"
+	"k8s.io/ingress-nginx/internal/ingress/defaults"
+	"k8s.io/ingress-nginx/internal/ingress/resolver"
+	"k8s.io/ingress-nginx/internal/k8s"
+)
+
+// Storer is the interface that wraps the required methods to gather information
+// about ingresses, services, secrets and ingress annotations.
+type Storer interface {
+	// GetBackendConfiguration returns the nginx configuration stored in a configmap
+	GetBackendConfiguration() ngx_config.Configuration
+
+	// GetConfigMap returns a ConfigmMap using the namespace and name as key
+	GetConfigMap(key string) (*apiv1.ConfigMap, error)
+
+	// GetSecret returns a Secret using the namespace and name as key
+	GetSecret(key string) (*apiv1.Secret, error)
+
+	// GetService returns a Service using the namespace and name as key
+	GetService(key string) (*apiv1.Service, error)
+
+	GetServiceEndpoints(svc *apiv1.Service) (*apiv1.Endpoints, error)
+
+	// GetSecret returns an Ingress using the namespace and name as key
+	GetIngress(key string) (*extensions.Ingress, error)
+
+	// ListIngresses returns the list of Ingresses
+	ListIngresses() []*extensions.Ingress
+
+	// GetIngressAnnotations returns the annotations associated to an Ingress
+	GetIngressAnnotations(ing *extensions.Ingress) (*annotations.Ingress, error)
+
+	// GetLocalSecret returns the local copy of a Secret
+	GetLocalSecret(name string) (*ingress.SSLCert, error)
+
+	// ListLocalSecrets returns the list of local Secrets
+	ListLocalSecrets() []*ingress.SSLCert
+
+	// GetAuthCertificate resolves a given secret name into an SSL certificate.
+	// The secret must contain 3 keys named:
+	//   ca.crt: contains the certificate chain used for authentication
+	GetAuthCertificate(string) (*resolver.AuthSSLCert, error)
+
+	// GetDefaultBackend returns the default backend configuration
+	GetDefaultBackend() defaults.Backend
+
+	// Run initiates the synchronization of the controllers
+	Run(stopCh chan struct{})
+
+	// ReadSecrets extracts information about secrets from an Ingress rule
+	ReadSecrets(*extensions.Ingress)
+}
+
+// EventType type of event associated with an informer
+type EventType string
+
+const (
+	// CreateEvent event associated with new objects in an informer
+	CreateEvent EventType = "CREATE"
+	// UpdateEvent event associated with an object update in an informer
+	UpdateEvent EventType = "UPDATE"
+	// DeleteEvent event associated when an object is removed from an informer
+	DeleteEvent EventType = "DELETE"
+)
+
+// Event holds the context of an event
+type Event struct {
+	Type EventType
+	Obj  interface{}
+}
+
+// Lister returns the stores for ingresses, services, endpoints, secrets and configmaps.
+type Lister struct {
+	Ingress           IngressLister
+	Service           ServiceLister
+	Endpoint          EndpointLister
+	Secret            SecretLister
+	ConfigMap         ConfigMapLister
+	IngressAnnotation IngressAnnotationsLister
+}
+
+// Controller defines the required controllers that interact agains the api server
+type Controller struct {
+	Ingress   cache.Controller
+	Endpoint  cache.Controller
+	Service   cache.Controller
+	Secret    cache.Controller
+	Configmap cache.Controller
+}
+
+// Run initiates the synchronization of the controllers against the api server
+func (c *Controller) Run(stopCh chan struct{}) {
+	go c.Endpoint.Run(stopCh)
+	go c.Service.Run(stopCh)
+	go c.Secret.Run(stopCh)
+	go c.Configmap.Run(stopCh)
+
+	// Wait for all involved caches to be synced, before processing items from the queue is started
+	if !cache.WaitForCacheSync(stopCh,
+		c.Endpoint.HasSynced,
+		c.Service.HasSynced,
+		c.Secret.HasSynced,
+		c.Configmap.HasSynced,
+	) {
+		runtime.HandleError(fmt.Errorf("Timed out waiting for caches to sync"))
+	}
+
+	// We need to wait before start syncing the ingress rules
+	// because the rules requires content from other listers
+	time.Sleep(1 * time.Second)
+	go c.Ingress.Run(stopCh)
+	if !cache.WaitForCacheSync(stopCh,
+		c.Ingress.HasSynced,
+	) {
+		runtime.HandleError(fmt.Errorf("Timed out waiting for caches to sync"))
+	}
+}
+
+// k8sStore internal Storer implementation using informers and thread safe stores
+type k8sStore struct {
+	isOCSPCheckEnabled bool
+
+	backendConfig ngx_config.Configuration
+
+	cache *Controller
+	// listers
+	listers *Lister
+
+	// sslStore local store of SSL certificates (certificates used in ingress)
+	// this is required because the certificates must be present in the
+	// container filesystem
+	sslStore *SSLCertTracker
+
+	annotations annotations.Extractor
+
+	filesystem file.Filesystem
+
+	updateCh chan Event
+
+	mu *sync.Mutex
+}
+
+// New creates a new object store to be used in the ingress controller
+func New(checkOCSP bool,
+	namespace, configmap, tcp, udp string,
+	resyncPeriod time.Duration,
+	client clientset.Interface,
+	fs file.Filesystem,
+	updateCh chan Event) Storer {
+
+	store := &k8sStore{
+		isOCSPCheckEnabled: checkOCSP,
+		cache:              &Controller{},
+		listers:            &Lister{},
+		sslStore:           NewSSLCertTracker(),
+		filesystem:         fs,
+		updateCh:           updateCh,
+		backendConfig:      ngx_config.NewDefault(),
+		mu:                 &sync.Mutex{},
+	}
+
+	eventBroadcaster := record.NewBroadcaster()
+	eventBroadcaster.StartLogging(glog.Infof)
+	eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{
+		Interface: client.CoreV1().Events(namespace),
+	})
+	recorder := eventBroadcaster.NewRecorder(scheme.Scheme, apiv1.EventSource{
+		Component: "nginx-ingress-controller",
+	})
+
+	// k8sStore fulfils resolver.Resolver interface
+	store.annotations = annotations.NewAnnotationExtractor(store)
+
+	ingEventHandler := cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			addIng := obj.(*extensions.Ingress)
+			if !class.IsValid(addIng) {
+				a, _ := parser.GetStringAnnotation(class.IngressKey, addIng)
+				glog.Infof("ignoring add for ingress %v based on annotation %v with value %v", addIng.Name, class.IngressKey, a)
+				return
+			}
+
+			store.extractAnnotations(addIng)
+			recorder.Eventf(addIng, apiv1.EventTypeNormal, "CREATE", fmt.Sprintf("Ingress %s/%s", addIng.Namespace, addIng.Name))
+			updateCh <- Event{
+				Type: CreateEvent,
+				Obj:  obj,
+			}
+		},
+		DeleteFunc: func(obj interface{}) {
+			delIng, ok := obj.(*extensions.Ingress)
+			if !ok {
+				// If we reached here it means the ingress was deleted but its final state is unrecorded.
+				tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
+				if !ok {
+					glog.Errorf("couldn't get object from tombstone %#v", obj)
+					return
+				}
+				delIng, ok = tombstone.Obj.(*extensions.Ingress)
+				if !ok {
+					glog.Errorf("Tombstone contained object that is not an Ingress: %#v", obj)
+					return
+				}
+			}
+			if !class.IsValid(delIng) {
+				glog.Infof("ignoring delete for ingress %v based on annotation %v", delIng.Name, class.IngressKey)
+				return
+			}
+			recorder.Eventf(delIng, apiv1.EventTypeNormal, "DELETE", fmt.Sprintf("Ingress %s/%s", delIng.Namespace, delIng.Name))
+			store.listers.IngressAnnotation.Delete(delIng)
+			updateCh <- Event{
+				Type: DeleteEvent,
+				Obj:  obj,
+			}
+		},
+		UpdateFunc: func(old, cur interface{}) {
+			oldIng := old.(*extensions.Ingress)
+			curIng := cur.(*extensions.Ingress)
+			validOld := class.IsValid(oldIng)
+			validCur := class.IsValid(curIng)
+			if !validOld && validCur {
+				glog.Infof("creating ingress %v based on annotation %v", curIng.Name, class.IngressKey)
+				recorder.Eventf(curIng, apiv1.EventTypeNormal, "CREATE", fmt.Sprintf("Ingress %s/%s", curIng.Namespace, curIng.Name))
+			} else if validOld && !validCur {
+				glog.Infof("removing ingress %v based on annotation %v", curIng.Name, class.IngressKey)
+				recorder.Eventf(curIng, apiv1.EventTypeNormal, "DELETE", fmt.Sprintf("Ingress %s/%s", curIng.Namespace, curIng.Name))
+			} else if validCur && !reflect.DeepEqual(old, cur) {
+				recorder.Eventf(curIng, apiv1.EventTypeNormal, "UPDATE", fmt.Sprintf("Ingress %s/%s", curIng.Namespace, curIng.Name))
+			}
+
+			store.extractAnnotations(curIng)
+			updateCh <- Event{
+				Type: UpdateEvent,
+				Obj:  cur,
+			}
+		},
+	}
+
+	secrEventHandler := cache.ResourceEventHandlerFuncs{
+		UpdateFunc: func(old, cur interface{}) {
+			if !reflect.DeepEqual(old, cur) {
+				sec := cur.(*apiv1.Secret)
+				_, exists := store.sslStore.Get(k8s.MetaNamespaceKey(sec))
+				if exists {
+					updateCh <- Event{
+						Type: UpdateEvent,
+						Obj:  cur,
+					}
+				}
+			}
+		},
+		DeleteFunc: func(obj interface{}) {
+			sec, ok := obj.(*apiv1.Secret)
+			if !ok {
+				// If we reached here it means the secret was deleted but its final state is unrecorded.
+				tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
+				if !ok {
+					glog.Errorf("couldn't get object from tombstone %#v", obj)
+					return
+				}
+				sec, ok = tombstone.Obj.(*apiv1.Secret)
+				if !ok {
+					glog.Errorf("Tombstone contained object that is not a Secret: %#v", obj)
+					return
+				}
+			}
+			store.sslStore.Delete(k8s.MetaNamespaceKey(sec))
+			updateCh <- Event{
+				Type: DeleteEvent,
+				Obj:  obj,
+			}
+		},
+	}
+
+	eventHandler := cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			updateCh <- Event{
+				Type: CreateEvent,
+				Obj:  obj,
+			}
+		},
+		DeleteFunc: func(obj interface{}) {
+			updateCh <- Event{
+				Type: DeleteEvent,
+				Obj:  obj,
+			}
+		},
+		UpdateFunc: func(old, cur interface{}) {
+			oep := old.(*apiv1.Endpoints)
+			ocur := cur.(*apiv1.Endpoints)
+			if !reflect.DeepEqual(ocur.Subsets, oep.Subsets) {
+				updateCh <- Event{
+					Type: UpdateEvent,
+					Obj:  cur,
+				}
+			}
+		},
+	}
+
+	mapEventHandler := cache.ResourceEventHandlerFuncs{
+		AddFunc: func(obj interface{}) {
+			m := obj.(*apiv1.ConfigMap)
+			mapKey := fmt.Sprintf("%s/%s", m.Namespace, m.Name)
+			if mapKey == configmap {
+				glog.V(2).Infof("adding configmap %v to backend", mapKey)
+				store.setConfig(m)
+				updateCh <- Event{
+					Type: CreateEvent,
+					Obj:  obj,
+				}
+			}
+		},
+		UpdateFunc: func(old, cur interface{}) {
+			if !reflect.DeepEqual(old, cur) {
+				m := cur.(*apiv1.ConfigMap)
+				mapKey := fmt.Sprintf("%s/%s", m.Namespace, m.Name)
+				if mapKey == configmap {
+					glog.V(2).Infof("updating configmap backend (%v)", mapKey)
+					store.setConfig(m)
+					updateCh <- Event{
+						Type: UpdateEvent,
+						Obj:  cur,
+					}
+				}
+				// updates to configuration configmaps can trigger an update
+				if mapKey == configmap || mapKey == tcp || mapKey == udp {
+					recorder.Eventf(m, apiv1.EventTypeNormal, "UPDATE", fmt.Sprintf("ConfigMap %v", mapKey))
+					updateCh <- Event{
+						Type: UpdateEvent,
+						Obj:  cur,
+					}
+				}
+			}
+		},
+	}
+
+	store.listers.IngressAnnotation.Store = cache_client.NewStore(cache_client.DeletionHandlingMetaNamespaceKeyFunc)
+
+	store.listers.Ingress.Store, store.cache.Ingress = cache.NewInformer(
+		cache.NewListWatchFromClient(client.ExtensionsV1beta1().RESTClient(), "ingresses", namespace, fields.Everything()),
+		&extensions.Ingress{}, resyncPeriod, ingEventHandler)
+
+	store.listers.Endpoint.Store, store.cache.Endpoint = cache.NewInformer(
+		cache.NewListWatchFromClient(client.CoreV1().RESTClient(), "endpoints", namespace, fields.Everything()),
+		&apiv1.Endpoints{}, resyncPeriod, eventHandler)
+
+	store.listers.Secret.Store, store.cache.Secret = cache.NewInformer(
+		cache.NewListWatchFromClient(client.CoreV1().RESTClient(), "secrets", namespace, fields.Everything()),
+		&apiv1.Secret{}, resyncPeriod, secrEventHandler)
+
+	store.listers.ConfigMap.Store, store.cache.Configmap = cache.NewInformer(
+		cache.NewListWatchFromClient(client.CoreV1().RESTClient(), "configmaps", namespace, fields.Everything()),
+		&apiv1.ConfigMap{}, resyncPeriod, mapEventHandler)
+
+	store.listers.Service.Store, store.cache.Service = cache.NewInformer(
+		cache.NewListWatchFromClient(client.CoreV1().RESTClient(), "services", namespace, fields.Everything()),
+		&apiv1.Service{}, resyncPeriod, cache.ResourceEventHandlerFuncs{})
+
+	return store
+}
+
+func (s k8sStore) extractAnnotations(ing *extensions.Ingress) {
+	anns := s.annotations.Extract(ing)
+	glog.V(3).Infof("updating annotations information for ingres %v/%v", anns.Namespace, anns.Name)
+	err := s.listers.IngressAnnotation.Update(anns)
+	if err != nil {
+		glog.Error(err)
+	}
+}
+
+// GetSecret returns a Secret using the namespace and name as key
+func (s k8sStore) GetSecret(key string) (*apiv1.Secret, error) {
+	return s.listers.Secret.ByKey(key)
+}
+
+// ListLocalSecrets returns the list of local Secrets
+func (s k8sStore) ListLocalSecrets() []*ingress.SSLCert {
+	var certs []*ingress.SSLCert
+	for _, item := range s.sslStore.List() {
+		if s, ok := item.(*ingress.SSLCert); ok {
+			certs = append(certs, s)
+		}
+	}
+
+	return certs
+}
+
+// GetService returns a Service using the namespace and name as key
+func (s k8sStore) GetService(key string) (*apiv1.Service, error) {
+	return s.listers.Service.ByKey(key)
+}
+
+// GetSecret returns an Ingress using the namespace and name as key
+func (s k8sStore) GetIngress(key string) (*extensions.Ingress, error) {
+	return s.listers.Ingress.ByKey(key)
+}
+
+// ListIngresses returns the list of Ingresses
+func (s k8sStore) ListIngresses() []*extensions.Ingress {
+	// filter ingress rules
+	var ingresses []*extensions.Ingress
+	for _, item := range s.listers.Ingress.List() {
+		ing := item.(*extensions.Ingress)
+		if !class.IsValid(ing) {
+			continue
+		}
+
+		ingresses = append(ingresses, ing)
+	}
+
+	return ingresses
+}
+
+// GetIngressAnnotations returns the annotations associated to an Ingress
+func (s k8sStore) GetIngressAnnotations(ing *extensions.Ingress) (*annotations.Ingress, error) {
+	key := fmt.Sprintf("%v/%v", ing.Namespace, ing.Name)
+	item, exists, err := s.listers.IngressAnnotation.GetByKey(key)
+	if err != nil {
+		return &annotations.Ingress{}, fmt.Errorf("unexpected error getting ingress annotation %v: %v", key, err)
+	}
+	if !exists {
+		return &annotations.Ingress{}, fmt.Errorf("ingress annotations %v was not found", key)
+	}
+	return item.(*annotations.Ingress), nil
+}
+
+// GetLocalSecret returns the local copy of a Secret
+func (s k8sStore) GetLocalSecret(key string) (*ingress.SSLCert, error) {
+	return s.sslStore.ByKey(key)
+}
+
+func (s k8sStore) GetConfigMap(key string) (*apiv1.ConfigMap, error) {
+	return s.listers.ConfigMap.ByKey(key)
+}
+
+func (s k8sStore) GetServiceEndpoints(svc *apiv1.Service) (*apiv1.Endpoints, error) {
+	return s.listers.Endpoint.GetServiceEndpoints(svc)
+}
+
+// GetAuthCertificate is used by the auth-tls annotations to get a cert from a secret
+func (s k8sStore) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error) {
+	if _, err := s.GetLocalSecret(name); err != nil {
+		s.syncSecret(name)
+	}
+
+	cert, err := s.GetLocalSecret(name)
+	if err != nil {
+		return nil, err
+	}
+
+	return &resolver.AuthSSLCert{
+		Secret:     name,
+		CAFileName: cert.CAFileName,
+		PemSHA:     cert.PemSHA,
+	}, nil
+}
+
+// GetDefaultBackend returns the default backend
+func (s k8sStore) GetDefaultBackend() defaults.Backend {
+	return s.backendConfig.Backend
+}
+
+func (s k8sStore) GetBackendConfiguration() ngx_config.Configuration {
+	return s.backendConfig
+}
+
+func (s *k8sStore) setConfig(cmap *apiv1.ConfigMap) {
+	s.backendConfig = ngx_template.ReadConfig(cmap.Data)
+
+	// TODO: this should not be done here
+	if s.backendConfig.SSLSessionTicketKey != "" {
+		d, err := base64.StdEncoding.DecodeString(s.backendConfig.SSLSessionTicketKey)
+		if err != nil {
+			glog.Warningf("unexpected error decoding key ssl-session-ticket-key: %v", err)
+			s.backendConfig.SSLSessionTicketKey = ""
+		}
+		ioutil.WriteFile("/etc/nginx/tickets.key", d, 0644)
+	}
+}
+
+// Run initiates the synchronization of the controllers
+// and the initial synchronization of the secrets.
+func (s k8sStore) Run(stopCh chan struct{}) {
+	// start controllers
+	s.cache.Run(stopCh)
+
+	// initial sync of secrets to avoid unnecessary reloads
+	glog.Info("running initial sync of secrets")
+	for _, ing := range s.ListIngresses() {
+		s.ReadSecrets(ing)
+	}
+
+	// start goroutine to check for missing local secrets
+	go wait.Until(s.checkMissingSecrets, 10*time.Second, stopCh)
+
+	if s.isOCSPCheckEnabled {
+		go wait.Until(s.checkSSLChainIssues, 60*time.Second, stopCh)
+	}
+}
+
+// sendDummyEvent sends a dummy event to trigger an update
+func (s *k8sStore) sendDummyEvent() {
+	s.updateCh <- Event{
+		Type: UpdateEvent,
+		Obj: &extensions.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "dummy",
+				Namespace: "dummy",
+			},
+		},
+	}
+}

internal/ingress/controller/store/store_test.go

@@ -0,0 +1,526 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package store
+
+import (
+	"fmt"
+	"os"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	apiv1 "k8s.io/api/core/v1"
+	"k8s.io/api/extensions/v1beta1"
+	extensions "k8s.io/api/extensions/v1beta1"
+	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/client-go/kubernetes"
+
+	"k8s.io/ingress-nginx/internal/file"
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+func TestStore(t *testing.T) {
+	// TODO: find a way to avoid the need to use a real api server
+	home := os.Getenv("HOME")
+	kubeConfigFile := fmt.Sprintf("%v/.kube/config", home)
+	kubeContext := ""
+
+	kubeConfig, err := framework.LoadConfig(kubeConfigFile, kubeContext)
+	if err != nil {
+		t.Errorf("unexpected error loading kubeconfig file: %v", err)
+	}
+
+	clientSet, err := kubernetes.NewForConfig(kubeConfig)
+	if err != nil {
+		t.Errorf("unexpected error creating ingress client: %v", err)
+	}
+
+	t.Run("should return an error searching for non existing objects", func(t *testing.T) {
+		ns := createNamespace(clientSet, t)
+		defer deleteNamespace(ns, clientSet, t)
+
+		stopCh := make(chan struct{})
+		updateCh := make(chan Event, 1024)
+
+		go func(ch chan Event) {
+			for {
+				<-ch
+			}
+		}(updateCh)
+
+		fs := newFS(t)
+		storer := New(true,
+			ns.Name,
+			fmt.Sprintf("%v/config", ns.Name),
+			fmt.Sprintf("%v/tcp", ns.Name),
+			fmt.Sprintf("%v/udp", ns.Name),
+			10*time.Minute,
+			clientSet,
+			fs,
+			updateCh)
+
+		storer.Run(stopCh)
+
+		key := fmt.Sprintf("%v/anything", ns.Name)
+		ing, err := storer.GetIngress(key)
+		if err == nil {
+			t.Errorf("expected an error but none returned")
+		}
+		if ing != nil {
+			t.Errorf("expected an Ingres but none returned")
+		}
+
+		ls, err := storer.GetLocalSecret(key)
+		if err == nil {
+			t.Errorf("expected an error but none returned")
+		}
+		if ls != nil {
+			t.Errorf("expected an Ingres but none returned")
+		}
+
+		s, err := storer.GetSecret(key)
+		if err == nil {
+			t.Errorf("expected an error but none returned")
+		}
+		if s != nil {
+			t.Errorf("expected an Ingres but none returned")
+		}
+
+		svc, err := storer.GetService(key)
+		if err == nil {
+			t.Errorf("expected an error but none returned")
+		}
+		if svc != nil {
+			t.Errorf("expected an Ingres but none returned")
+		}
+
+		close(updateCh)
+		close(stopCh)
+	})
+
+	t.Run("should return ingress one event for add, update and delete", func(t *testing.T) {
+		ns := createNamespace(clientSet, t)
+		defer deleteNamespace(ns, clientSet, t)
+
+		stopCh := make(chan struct{})
+		updateCh := make(chan Event, 1024)
+
+		var add uint64
+		var upd uint64
+		var del uint64
+
+		go func(ch chan Event) {
+			for {
+				e, ok := <-ch
+				if !ok {
+					return
+				}
+
+				if e.Obj == nil {
+					continue
+				}
+				if _, ok := e.Obj.(*extensions.Ingress); !ok {
+					t.Errorf("expected an Ingress type but %T returned", e.Obj)
+				}
+				switch e.Type {
+				case CreateEvent:
+					atomic.AddUint64(&add, 1)
+				case UpdateEvent:
+					atomic.AddUint64(&upd, 1)
+				case DeleteEvent:
+					atomic.AddUint64(&del, 1)
+				}
+			}
+		}(updateCh)
+
+		fs := newFS(t)
+		storer := New(true,
+			ns.Name,
+			fmt.Sprintf("%v/config", ns.Name),
+			fmt.Sprintf("%v/tcp", ns.Name),
+			fmt.Sprintf("%v/udp", ns.Name),
+			10*time.Minute,
+			clientSet,
+			fs,
+			updateCh)
+
+		storer.Run(stopCh)
+
+		ing, err := ensureIngress(&v1beta1.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "dummy",
+				Namespace: ns.Name,
+			},
+			Spec: v1beta1.IngressSpec{
+				Rules: []v1beta1.IngressRule{
+					{
+						Host: "dummy",
+						IngressRuleValue: v1beta1.IngressRuleValue{
+							HTTP: &v1beta1.HTTPIngressRuleValue{
+								Paths: []v1beta1.HTTPIngressPath{
+									{
+										Path: "/",
+										Backend: v1beta1.IngressBackend{
+											ServiceName: "http-svc",
+											ServicePort: intstr.FromInt(80),
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		}, clientSet)
+		if err != nil {
+			t.Errorf("unexpected error creating ingress: %v", err)
+		}
+
+		// create an invalid ingress (different class)
+		_, err = ensureIngress(&v1beta1.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "custom-class",
+				Namespace: ns.Name,
+				Annotations: map[string]string{
+					"kubernetes.io/ingress.class": "something",
+				},
+			},
+			Spec: v1beta1.IngressSpec{
+				Rules: []v1beta1.IngressRule{
+					{
+						Host: "dummy",
+						IngressRuleValue: v1beta1.IngressRuleValue{
+							HTTP: &v1beta1.HTTPIngressRuleValue{
+								Paths: []v1beta1.HTTPIngressPath{
+									{
+										Path: "/",
+										Backend: v1beta1.IngressBackend{
+											ServiceName: "http-svc",
+											ServicePort: intstr.FromInt(80),
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		}, clientSet)
+		if err != nil {
+			t.Errorf("unexpected error creating ingress: %v", err)
+		}
+
+		ni := ing.DeepCopy()
+		ni.Spec.Rules[0].Host = "update-dummy"
+		_, err = ensureIngress(ni, clientSet)
+		if err != nil {
+			t.Errorf("unexpected error creating ingress: %v", err)
+		}
+
+		err = clientSet.ExtensionsV1beta1().
+			Ingresses(ni.Namespace).
+			Delete(ni.Name, &metav1.DeleteOptions{})
+		if err != nil {
+			t.Errorf("unexpected error creating ingress: %v", err)
+		}
+
+		framework.WaitForNoIngressInNamespace(clientSet, ni.Namespace, ni.Name)
+
+		if atomic.LoadUint64(&add) != 1 {
+			t.Errorf("expected 1 event of type Create but %v ocurred", add)
+		}
+		if atomic.LoadUint64(&upd) != 1 {
+			t.Errorf("expected 1 event of type Update but %v ocurred", upd)
+		}
+		if atomic.LoadUint64(&del) != 1 {
+			t.Errorf("expected 1 event of type Delete but %v ocurred", del)
+		}
+
+		close(updateCh)
+		close(stopCh)
+	})
+
+	t.Run("should not receive events from new secret no referenced from ingress", func(t *testing.T) {
+		ns := createNamespace(clientSet, t)
+		defer deleteNamespace(ns, clientSet, t)
+
+		stopCh := make(chan struct{})
+		updateCh := make(chan Event, 1024)
+
+		var add uint64
+		var upd uint64
+		var del uint64
+
+		go func(ch chan Event) {
+			for {
+				e, ok := <-ch
+				if !ok {
+					return
+				}
+
+				if e.Obj == nil {
+					continue
+				}
+				switch e.Type {
+				case CreateEvent:
+					atomic.AddUint64(&add, 1)
+				case UpdateEvent:
+					atomic.AddUint64(&upd, 1)
+				case DeleteEvent:
+					atomic.AddUint64(&del, 1)
+				}
+			}
+		}(updateCh)
+
+		fs := newFS(t)
+		storer := New(true,
+			ns.Name,
+			fmt.Sprintf("%v/config", ns.Name),
+			fmt.Sprintf("%v/tcp", ns.Name),
+			fmt.Sprintf("%v/udp", ns.Name),
+			10*time.Minute,
+			clientSet,
+			fs,
+			updateCh)
+
+		storer.Run(stopCh)
+
+		secretName := "no-referenced"
+		_, _, _, err = framework.CreateIngressTLSSecret(clientSet, []string{"foo"}, secretName, ns.Name)
+		if err != nil {
+			t.Errorf("unexpected error creating secret: %v", err)
+		}
+
+		time.Sleep(1 * time.Second)
+
+		if atomic.LoadUint64(&add) != 0 {
+			t.Errorf("expected 0 events of type Create but %v ocurred", add)
+		}
+		if atomic.LoadUint64(&upd) != 0 {
+			t.Errorf("expected 0 events of type Update but %v ocurred", upd)
+		}
+		if atomic.LoadUint64(&del) != 0 {
+			t.Errorf("expected 0 events of type Delete but %v ocurred", del)
+		}
+
+		err = clientSet.CoreV1().Secrets(ns.Name).Delete(secretName, &metav1.DeleteOptions{})
+		if err != nil {
+			t.Errorf("unexpected error deleting secret: %v", err)
+		}
+
+		time.Sleep(1 * time.Second)
+
+		if atomic.LoadUint64(&add) != 0 {
+			t.Errorf("expected 0 events of type Create but %v ocurred", add)
+		}
+		if atomic.LoadUint64(&upd) != 0 {
+			t.Errorf("expected 0 events of type Update but %v ocurred", upd)
+		}
+		if atomic.LoadUint64(&del) != 1 {
+			t.Errorf("expected 1 events of type Delete but %v ocurred", del)
+		}
+
+		close(updateCh)
+		close(stopCh)
+	})
+
+	t.Run("should create an ingress with a secret it doesn't exists", func(t *testing.T) {
+		ns := createNamespace(clientSet, t)
+		defer deleteNamespace(ns, clientSet, t)
+
+		stopCh := make(chan struct{})
+		updateCh := make(chan Event, 1024)
+
+		var add uint64
+		var upd uint64
+		var del uint64
+
+		go func(ch <-chan Event) {
+			for {
+				e, ok := <-ch
+				if !ok {
+					return
+				}
+
+				if e.Obj == nil {
+					continue
+				}
+				switch e.Type {
+				case CreateEvent:
+					atomic.AddUint64(&add, 1)
+				case UpdateEvent:
+					atomic.AddUint64(&upd, 1)
+				case DeleteEvent:
+					atomic.AddUint64(&del, 1)
+				}
+			}
+		}(updateCh)
+
+		fs := newFS(t)
+		storer := New(true,
+			ns.Name,
+			fmt.Sprintf("%v/config", ns.Name),
+			fmt.Sprintf("%v/tcp", ns.Name),
+			fmt.Sprintf("%v/udp", ns.Name),
+			10*time.Minute,
+			clientSet,
+			fs,
+			updateCh)
+
+		storer.Run(stopCh)
+
+		name := "ingress-with-secret"
+		secretHosts := []string{name}
+
+		_, err := ensureIngress(&v1beta1.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: ns.Name,
+			},
+			Spec: v1beta1.IngressSpec{
+				TLS: []v1beta1.IngressTLS{
+					{
+						Hosts:      secretHosts,
+						SecretName: name,
+					},
+				},
+				Rules: []v1beta1.IngressRule{
+					{
+						Host: name,
+						IngressRuleValue: v1beta1.IngressRuleValue{
+							HTTP: &v1beta1.HTTPIngressRuleValue{
+								Paths: []v1beta1.HTTPIngressPath{
+									{
+										Path: "/",
+										Backend: v1beta1.IngressBackend{
+											ServiceName: "http-svc",
+											ServicePort: intstr.FromInt(80),
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		}, clientSet)
+		if err != nil {
+			t.Errorf("unexpected error creating ingress: %v", err)
+		}
+
+		err = framework.WaitForIngressInNamespace(clientSet, ns.Name, name)
+		if err != nil {
+			t.Errorf("unexpected error waiting for secret: %v", err)
+		}
+
+		if atomic.LoadUint64(&add) != 1 {
+			t.Errorf("expected 1 events of type Create but %v ocurred", add)
+		}
+		if atomic.LoadUint64(&upd) != 0 {
+			t.Errorf("expected 0 events of type Update but %v ocurred", upd)
+		}
+		if atomic.LoadUint64(&del) != 0 {
+			t.Errorf("expected 0 events of type Delete but %v ocurred", del)
+		}
+
+		_, _, _, err = framework.CreateIngressTLSSecret(clientSet, secretHosts, name, ns.Name)
+		if err != nil {
+			t.Errorf("unexpected error creating secret: %v", err)
+		}
+
+		t.Run("should exists a secret in the local store and filesystem", func(t *testing.T) {
+			err := framework.WaitForSecretInNamespace(clientSet, ns.Name, name)
+			if err != nil {
+				t.Errorf("unexpected error waiting for secret: %v", err)
+			}
+
+			time.Sleep(30 * time.Second)
+
+			pemFile := fmt.Sprintf("%v/%v-%v.pem", file.DefaultSSLDirectory, ns.Name, name)
+			err = framework.WaitForFileInFS(pemFile, fs)
+			if err != nil {
+				t.Errorf("unexpected error waiting for file to exists in the filesystem: %v", err)
+			}
+
+			secretName := fmt.Sprintf("%v/%v", ns.Name, name)
+			sslCert, err := storer.GetLocalSecret(secretName)
+			if err != nil {
+				t.Errorf("unexpected error reading local secret %v: %v", secretName, err)
+			}
+
+			if sslCert == nil {
+				t.Errorf("expected a secret but none returned")
+			}
+
+			pemSHA := file.SHA1(pemFile)
+			if sslCert.PemSHA != pemSHA {
+				t.Errorf("SHA of secret on disk differs from local secret store (%v != %v)", pemSHA, sslCert.PemSHA)
+			}
+		})
+
+		close(updateCh)
+		close(stopCh)
+	})
+
+	// test add ingress with secret it doesn't exists and then add secret
+	// check secret is generated on fs
+	// check ocsp
+	// check invalid secret (missing crt)
+	// check invalid secret (missing key)
+	// check invalid secret (missing ca)
+}
+
+func createNamespace(clientSet *kubernetes.Clientset, t *testing.T) *apiv1.Namespace {
+	t.Log("creating temporal namespace")
+	ns, err := framework.CreateKubeNamespace("store-test", clientSet)
+	if err != nil {
+		t.Errorf("unexpected error creating ingress client: %v", err)
+	}
+	t.Logf("temporal namespace %v created", ns.Name)
+
+	return ns
+}
+
+func deleteNamespace(ns *apiv1.Namespace, clientSet *kubernetes.Clientset, t *testing.T) {
+	t.Logf("deleting temporal namespace %v created", ns.Name)
+	err := framework.DeleteKubeNamespace(clientSet, ns.Name)
+	if err != nil {
+		t.Errorf("unexpected error creating ingress client: %v", err)
+	}
+	t.Logf("temporal namespace %v deleted", ns.Name)
+}
+
+func ensureIngress(ingress *extensions.Ingress, clientSet *kubernetes.Clientset) (*extensions.Ingress, error) {
+	s, err := clientSet.ExtensionsV1beta1().Ingresses(ingress.Namespace).Update(ingress)
+	if err != nil {
+		if k8sErrors.IsNotFound(err) {
+			return clientSet.ExtensionsV1beta1().Ingresses(ingress.Namespace).Create(ingress)
+		}
+		return nil, err
+	}
+	return s, nil
+}
+
+func newFS(t *testing.T) file.Filesystem {
+	fs, err := file.NewFakeFS()
+	if err != nil {
+		t.Fatalf("unexpected error creating filesystem: %v", err)
+	}
+	return fs
+}