Replace secret workqueue
This commit is contained in:
Manuel de Brito Fontes
parent
7c635a8c83
commit
f28142ae8e
4 changed files with 86 additions and 136 deletions
|
|
@ -25,64 +25,52 @@ import (
|
|||
"github.com/golang/glog"
|
||||
|
||||
api "k8s.io/client-go/pkg/api/v1"
|
||||
extensions "k8s.io/client-go/pkg/apis/extensions/v1beta1"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
|
||||
"k8s.io/ingress/core/pkg/ingress"
|
||||
"k8s.io/ingress/core/pkg/ingress/annotations/parser"
|
||||
ssl "k8s.io/ingress/core/pkg/net/ssl"
|
||||
)
|
||||
|
||||
// syncSecret keeps in sync Secrets used by Ingress rules with the files on
|
||||
// disk to allow being used in controllers.
|
||||
func (ic *GenericController) syncSecret(k interface{}) error {
|
||||
if ic.secretQueue.IsShuttingDown() {
|
||||
return nil
|
||||
}
|
||||
// disk to allow copy of the content of the secret to disk to be used
|
||||
// by external processes.
|
||||
func (ic *GenericController) syncSecret() {
|
||||
glog.V(3).Infof("starting syncing of secrets")
|
||||
|
||||
if !ic.controllersInSync() {
|
||||
time.Sleep(podStoreSyncedPollPeriod)
|
||||
return fmt.Errorf("deferring sync till endpoints controller has synced")
|
||||
glog.Warningf("deferring sync till endpoints controller has synced")
|
||||
return
|
||||
}
|
||||
|
||||
var key string
|
||||
var cert *ingress.SSLCert
|
||||
var err error
|
||||
|
||||
key = k.(string)
|
||||
|
||||
secObj, exists, err := ic.secrLister.Store.GetByKey(key)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error getting secret %v: %v", key, err)
|
||||
}
|
||||
if !exists {
|
||||
return fmt.Errorf("secret %v was not found", key)
|
||||
}
|
||||
sec := secObj.(*api.Secret)
|
||||
if !ic.secrReferenced(sec.Name, sec.Namespace) {
|
||||
glog.V(3).Infof("secret %v/%v is not used in Ingress rules. skipping ", sec.Namespace, sec.Name)
|
||||
return nil
|
||||
}
|
||||
|
||||
cert, err = ic.getPemCertificate(key)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// create certificates and add or update the item in the store
|
||||
cur, exists := ic.sslCertTracker.Get(key)
|
||||
if exists {
|
||||
s := cur.(*ingress.SSLCert)
|
||||
if reflect.DeepEqual(s, cert) {
|
||||
// no need to update
|
||||
return nil
|
||||
keys := ic.secretTracker.List()
|
||||
for _, k := range keys {
|
||||
key := k.(string)
|
||||
cert, err = ic.getPemCertificate(key)
|
||||
if err != nil {
|
||||
glog.Warningf("error obtaining PEM from secret %v: %v", key, err)
|
||||
continue
|
||||
}
|
||||
glog.Infof("updating secret %v/%v in the local store", sec.Namespace, sec.Name)
|
||||
ic.sslCertTracker.Update(key, cert)
|
||||
return nil
|
||||
|
||||
// create certificates and add or update the item in the store
|
||||
cur, exists := ic.sslCertTracker.Get(key)
|
||||
if exists {
|
||||
s := cur.(*ingress.SSLCert)
|
||||
if reflect.DeepEqual(s, cert) {
|
||||
// no need to update
|
||||
continue
|
||||
}
|
||||
glog.Infof("updating secret %v in the local store", key)
|
||||
ic.sslCertTracker.Update(key, cert)
|
||||
continue
|
||||
}
|
||||
|
||||
glog.Infof("adding secret %v to the local store", key)
|
||||
ic.sslCertTracker.Add(key, cert)
|
||||
}
|
||||
glog.Infof("adding secret %v/%v to the local store", sec.Namespace, sec.Name)
|
||||
ic.sslCertTracker.Add(key, cert)
|
||||
return nil
|
||||
}
|
||||
|
||||
// getPemCertificate receives a secret, and creates a ingress.SSLCert as return.
|
||||
|
|
@ -106,10 +94,10 @@ func (ic *GenericController) getPemCertificate(secretName string) (*ingress.SSLC
|
|||
|
||||
var s *ingress.SSLCert
|
||||
if okcert && okkey {
|
||||
glog.Infof("found certificate and private key, configuring %v as a TLS Secret", secretName)
|
||||
glog.V(3).Infof("found certificate and private key, configuring %v as a TLS Secret", secretName)
|
||||
s, err = ssl.AddOrUpdateCertAndKey(nsSecName, cert, key, ca)
|
||||
} else if ca != nil {
|
||||
glog.Infof("found only ca.crt, configuring %v as an Certificate Authentication secret", secretName)
|
||||
glog.V(3).Infof("found only ca.crt, configuring %v as an Certificate Authentication secret", secretName)
|
||||
s, err = ssl.AddCertAuth(nsSecName, ca)
|
||||
} else {
|
||||
return nil, fmt.Errorf("no keypair or CA cert could be found in %v", secretName)
|
||||
|
|
@ -124,30 +112,6 @@ func (ic *GenericController) getPemCertificate(secretName string) (*ingress.SSLC
|
|||
return s, nil
|
||||
}
|
||||
|
||||
// secrReferenced checks if a secret is referenced or not by one or more Ingress rules
|
||||
func (ic *GenericController) secrReferenced(name, namespace string) bool {
|
||||
for _, ingIf := range ic.ingLister.Store.List() {
|
||||
ing := ingIf.(*extensions.Ingress)
|
||||
|
||||
if ic.annotations.ContainsCertificateAuth(ing) {
|
||||
str, _ := parser.GetStringAnnotation("ingress.kubernetes.io/auth-tls-secret", ing)
|
||||
if str == fmt.Sprintf("%v/%v", namespace, name) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
if ing.Namespace != namespace {
|
||||
continue
|
||||
}
|
||||
for _, tls := range ing.Spec.TLS {
|
||||
if tls.SecretName == name {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// sslCertTracker holds a store of referenced Secrets in Ingress rules
|
||||
type sslCertTracker struct {
|
||||
cache.ThreadSafeStore
|
||||
|
|
@ -158,3 +122,14 @@ func newSSLCertTracker() *sslCertTracker {
|
|||
cache.NewThreadSafeStore(cache.Indexers{}, cache.Indices{}),
|
||||
}
|
||||
}
|
||||
|
||||
// secretTracker holds a store of Secrets
|
||||
type secretTracker struct {
|
||||
cache.ThreadSafeStore
|
||||
}
|
||||
|
||||
func newSecretTracker() *secretTracker {
|
||||
return &secretTracker{
|
||||
cache.NewThreadSafeStore(cache.Indexers{}, cache.Indices{}),
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue