Refactoring of kubernetes informers and local caches

2018-01-18 16:14:42 -03:00 · 2018-01-18 16:14:42 -03:00 · e9a00ff916
commit e9a00ff916
parent 8975800740
23 changed files with 1704 additions and 817 deletions
--- a/internal/net/ssl/ssl.go
+++ b/internal/net/ssl/ssl.go
@ -26,10 +26,8 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"math/big"
 	"net"
-	"os"
 	"strconv"
 	"time"

@ -47,10 +45,12 @@ var (
 )

 // AddOrUpdateCertAndKey creates a .pem file wth the cert and the key with the specified name
-func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert, error) {
+func AddOrUpdateCertAndKey(name string, cert, key, ca []byte,
+	fs file.Filesystem) (*ingress.SSLCert, error) {
+
 	pemName := fmt.Sprintf("%v.pem", name)
-	pemFileName := fmt.Sprintf("%v/%v", ingress.DefaultSSLDirectory, pemName)
-	tempPemFile, err := ioutil.TempFile(ingress.DefaultSSLDirectory, pemName)
+	pemFileName := fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, pemName)
+	tempPemFile, err := fs.TempFile(file.DefaultSSLDirectory, pemName)

 	if err != nil {
 		return nil, fmt.Errorf("could not create temp pem file %v: %v", pemFileName, err)
@ -74,34 +74,30 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
 	if err != nil {
 		return nil, fmt.Errorf("could not close temp pem file %v: %v", tempPemFile.Name(), err)
 	}
+	defer fs.RemoveAll(tempPemFile.Name())

-	pemCerts, err := ioutil.ReadFile(tempPemFile.Name())
+	pemCerts, err := fs.ReadFile(tempPemFile.Name())
 	if err != nil {
-		_ = os.Remove(tempPemFile.Name())
 		return nil, err
 	}

 	pemBlock, _ := pem.Decode(pemCerts)
 	if pemBlock == nil {
-		_ = os.Remove(tempPemFile.Name())
 		return nil, fmt.Errorf("no valid PEM formatted block found")
 	}

 	// If the file does not start with 'BEGIN CERTIFICATE' it's invalid and must not be used.
 	if pemBlock.Type != "CERTIFICATE" {
-		_ = os.Remove(tempPemFile.Name())
 		return nil, fmt.Errorf("certificate %v contains invalid data, and must be created with 'kubectl create secret tls'", name)
 	}

 	pemCert, err := x509.ParseCertificate(pemBlock.Bytes)
 	if err != nil {
-		_ = os.Remove(tempPemFile.Name())
 		return nil, err
 	}

 	//Ensure that certificate and private key have a matching public key
 	if _, err := tls.X509KeyPair(cert, key); err != nil {
-		_ = os.Remove(tempPemFile.Name())
 		return nil, err
 	}

@ -129,7 +125,7 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
 		}
 	}

-	err = os.Rename(tempPemFile.Name(), pemFileName)
+	err = fs.Rename(tempPemFile.Name(), pemFileName)
 	if err != nil {
 		return nil, fmt.Errorf("could not move temp pem file %v to destination %v: %v", tempPemFile.Name(), pemFileName, err)
 	}
@ -147,18 +143,24 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
 			return nil, errors.New(oe)
 		}

-		caFile, err := os.OpenFile(pemFileName, os.O_RDWR|os.O_APPEND, 0600)
+		caData, err := fs.ReadFile(pemFileName)
 		if err != nil {
 			return nil, fmt.Errorf("could not open file %v for writing additional CA chains: %v", pemFileName, err)
 		}

-		defer caFile.Close()
+		caFile, err := fs.Create(pemFileName)
+		_, err = caFile.Write(caData)
+		if err != nil {
+			return nil, fmt.Errorf("could not append CA to cert file %v: %v", pemFileName, err)
+		}
+
 		_, err = caFile.Write([]byte("\n"))
 		if err != nil {
 			return nil, fmt.Errorf("could not append CA to cert file %v: %v", pemFileName, err)
 		}
 		caFile.Write(ca)
 		caFile.Write([]byte("\n"))
+		defer caFile.Close()

 		return &ingress.SSLCert{
 			Certificate: pemCert,
@ -249,10 +251,10 @@ func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddre

 // AddCertAuth creates a .pem file with the specified CAs to be used in Cert Authentication
 // If it's already exists, it's clobbered.
-func AddCertAuth(name string, ca []byte) (*ingress.SSLCert, error) {
+func AddCertAuth(name string, ca []byte, fs file.Filesystem) (*ingress.SSLCert, error) {

 	caName := fmt.Sprintf("ca-%v.pem", name)
-	caFileName := fmt.Sprintf("%v/%v", ingress.DefaultSSLDirectory, caName)
+	caFileName := fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, caName)

 	pemCABlock, _ := pem.Decode(ca)
 	if pemCABlock == nil {
@ -268,7 +270,13 @@ func AddCertAuth(name string, ca []byte) (*ingress.SSLCert, error) {
 		return nil, err
 	}

-	err = ioutil.WriteFile(caFileName, ca, 0644)
+	caFile, err := fs.Create(caFileName)
+	if err != nil {
+		return nil, fmt.Errorf("could not write CA file %v: %v", caFileName, err)
+	}
+	defer caFile.Close()
+
+	_, err = caFile.Write(ca)
 	if err != nil {
 		return nil, fmt.Errorf("could not write CA file %v: %v", caFileName, err)
 	}
@ -282,11 +290,11 @@ func AddCertAuth(name string, ca []byte) (*ingress.SSLCert, error) {
 }

 // AddOrUpdateDHParam creates a dh parameters file with the specified name
-func AddOrUpdateDHParam(name string, dh []byte) (string, error) {
+func AddOrUpdateDHParam(name string, dh []byte, fs file.Filesystem) (string, error) {
 	pemName := fmt.Sprintf("%v.pem", name)
-	pemFileName := fmt.Sprintf("%v/%v", ingress.DefaultSSLDirectory, pemName)
+	pemFileName := fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, pemName)

-	tempPemFile, err := ioutil.TempFile(ingress.DefaultSSLDirectory, pemName)
+	tempPemFile, err := fs.TempFile(file.DefaultSSLDirectory, pemName)

 	glog.V(3).Infof("Creating temp file %v for DH param: %v", tempPemFile.Name(), pemName)
 	if err != nil {
@ -303,25 +311,24 @@ func AddOrUpdateDHParam(name string, dh []byte) (string, error) {
 		return "", fmt.Errorf("could not close temp pem file %v: %v", tempPemFile.Name(), err)
 	}

-	pemCerts, err := ioutil.ReadFile(tempPemFile.Name())
+	defer fs.RemoveAll(tempPemFile.Name())
+
+	pemCerts, err := fs.ReadFile(tempPemFile.Name())
 	if err != nil {
-		_ = os.Remove(tempPemFile.Name())
 		return "", err
 	}

 	pemBlock, _ := pem.Decode(pemCerts)
 	if pemBlock == nil {
-		_ = os.Remove(tempPemFile.Name())
 		return "", fmt.Errorf("no valid PEM formatted block found")
 	}

 	// If the file does not start with 'BEGIN DH PARAMETERS' it's invalid and must not be used.
 	if pemBlock.Type != "DH PARAMETERS" {
-		_ = os.Remove(tempPemFile.Name())
 		return "", fmt.Errorf("certificate %v contains invalid data", name)
 	}

-	err = os.Rename(tempPemFile.Name(), pemFileName)
+	err = fs.Rename(tempPemFile.Name(), pemFileName)
 	if err != nil {
 		return "", fmt.Errorf("could not move temp pem file %v to destination %v: %v", tempPemFile.Name(), pemFileName, err)
 	}
@ -382,13 +389,8 @@ func GetFakeSSLCert() ([]byte, []byte) {
 // FullChainCert checks if a certificate file contains issues in the intermediate CA chain
 // Returns a new certificate with the intermediate certificates.
 // If the certificate does not contains issues with the chain it return an empty byte array
-func FullChainCert(in string) ([]byte, error) {
-	inputFile, err := os.Open(in)
-	if err != nil {
-		return nil, err
-	}
-
-	data, err := ioutil.ReadAll(inputFile)
+func FullChainCert(in string, fs file.Filesystem) ([]byte, error) {
+	data, err := fs.ReadFile(in)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/net/ssl/ssl_test.go
+++ b/internal/net/ssl/ssl_test.go
@ -19,14 +19,13 @@ package ssl
 import (
 	"crypto/x509"
 	"fmt"
-	"io/ioutil"
 	"testing"
 	"time"

 	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/client-go/util/cert/triple"

-	"k8s.io/ingress-nginx/internal/ingress"
+	"k8s.io/ingress-nginx/internal/file"
 )

 // generateRSACerts generates a self signed certificate using a self generated ca
@ -57,11 +56,7 @@ func generateRSACerts(host string) (*triple.KeyPair, *triple.KeyPair, error) {
 }

 func TestAddOrUpdateCertAndKey(t *testing.T) {
-	td, err := ioutil.TempDir("", "ssl")
-	if err != nil {
-		t.Fatalf("Unexpected error creating temporal directory: %v", err)
-	}
-	ingress.DefaultSSLDirectory = td
+	fs := newFS(t)

 	cert, _, err := generateRSACerts("echoheaders")
 	if err != nil {
@ -73,7 +68,7 @@ func TestAddOrUpdateCertAndKey(t *testing.T) {
 	c := certutil.EncodeCertPEM(cert.Cert)
 	k := certutil.EncodePrivateKeyPEM(cert.Key)

-	ngxCert, err := AddOrUpdateCertAndKey(name, c, k, []byte{})
+	ngxCert, err := AddOrUpdateCertAndKey(name, c, k, []byte{}, fs)
 	if err != nil {
 		t.Fatalf("unexpected error checking SSL certificate: %v", err)
 	}
@ -92,11 +87,7 @@ func TestAddOrUpdateCertAndKey(t *testing.T) {
 }

 func TestCACert(t *testing.T) {
-	td, err := ioutil.TempDir("", "ssl")
-	if err != nil {
-		t.Fatalf("Unexpected error creating temporal directory: %v", err)
-	}
-	ingress.DefaultSSLDirectory = td
+	fs := newFS(t)

 	cert, CA, err := generateRSACerts("echoheaders")
 	if err != nil {
@ -109,7 +100,7 @@ func TestCACert(t *testing.T) {
 	k := certutil.EncodePrivateKeyPEM(cert.Key)
 	ca := certutil.EncodeCertPEM(CA.Cert)

-	ngxCert, err := AddOrUpdateCertAndKey(name, c, k, ca)
+	ngxCert, err := AddOrUpdateCertAndKey(name, c, k, ca, fs)
 	if err != nil {
 		t.Fatalf("unexpected error checking SSL certificate: %v", err)
 	}
@ -129,11 +120,10 @@ func TestGetFakeSSLCert(t *testing.T) {
 }

 func TestAddCertAuth(t *testing.T) {
-	td, err := ioutil.TempDir("", "ssl")
+	fs, err := file.NewFakeFS()
 	if err != nil {
-		t.Fatalf("Unexpected error creating temporal directory: %v", err)
+		t.Fatalf("unexpected error creating filesystem: %v", err)
 	}
-	ingress.DefaultSSLDirectory = td

 	cn := "demo-ca"
 	_, ca, err := generateRSACerts(cn)
@ -141,7 +131,7 @@ func TestAddCertAuth(t *testing.T) {
 		t.Fatalf("unexpected error creating SSL certificate: %v", err)
 	}
 	c := certutil.EncodeCertPEM(ca.Cert)
-	ic, err := AddCertAuth(cn, c)
+	ic, err := AddCertAuth(cn, c, fs)
 	if err != nil {
 		t.Fatalf("unexpected error creating SSL certificate: %v", err)
 	}
@ -149,3 +139,11 @@ func TestAddCertAuth(t *testing.T) {
 		t.Fatalf("expected a valid CA file name")
 	}
 }
+
+func newFS(t *testing.T) file.Filesystem {
+	fs, err := file.NewFakeFS()
+	if err != nil {
+		t.Fatalf("unexpected error creating filesystem: %v", err)
+	}
+	return fs
+}