Bugfixes

cmd/main.go

@@ -192,10 +192,10 @@ func main() {
 	}
 	crtGetter := watcher.GetCrtGetter()
 	files := watcher.GetFiles()
-	bndls := watcher.GetBundles()
+	bndl := watcher.GetBundle()
 
 	server := rest.NewServer(*addrF, version, *udsGidF, int(udsMode), log,
-		files, bndls, crtGetter)
+		files, bndl, crtGetter)
 
 	watcher.Run(uint16(*metricsPortF))
 	if err = server.Start(); err != nil {

pkg/cacrt/testdata/ca-bundle.crt

+foo_bar.crt
\ No newline at end of file

pkg/k8s/client.go

@@ -109,7 +109,7 @@ type Watcher struct {
 	cancel   context.CancelFunc
 	getter   *crt.Getter
 	files    *pem.Files
-	bndls    *cacrt.Bundles
+	bndl     *cacrt.Bundle
 }
 
 // NewWatcher creates an API client.
@@ -165,13 +165,13 @@ func NewWatcher(
 	if err != nil {
 		return nil, err
 	}
-	watcher.bndls, err = cacrt.NewBundles(caBase, distroCABundle, gid,
+	watcher.bndl, err = cacrt.NewBundle(caBase, distroCABundle, gid,
 		watcher.getter)
 	if err != nil {
 		return nil, err
 	}
 	watcher.nsQs = NewNamespaceQueues(watcher.log, watcher.files,
-		watcher.bndls, recorder)
+		watcher.bndl, recorder)
 
 	// InitMetrics()
 
@@ -190,10 +190,10 @@ func (watcher *Watcher) GetFiles() *pem.Files {
 	return watcher.files
 }
 
-// GetBundles returns a cacrt.Bundles that manages CA certificate
+// GetBundle returns a cacrt.Bundle that manages CA certificate
 // bundle files and their metadata
-func (watcher *Watcher) GetBundles() *cacrt.Bundles {
-	return watcher.bndls
+func (watcher *Watcher) GetBundle() *cacrt.Bundle {
+	return watcher.bndl
 }
 
 func (watcher *Watcher) getSecret(obj interface{}) (*api_v1.Secret, bool) {

pkg/k8s/worker.go

@@ -31,7 +31,6 @@ package k8s
 import (
 	"fmt"
 	"os"
-	"strings"
 	"sync"
 
 	"code.uplex.de/k8s/k8s-crt-dnldr/pkg/cacrt"
@@ -56,7 +55,7 @@ type NamespaceWorker struct {
 	log       *logrus.Logger
 	queue     workqueue.RateLimitingInterface
 	files     *pem.Files
-	bndls     *cacrt.Bundles
+	bndl      *cacrt.Bundle
 	recorder  record.EventRecorder
 	wg        *sync.WaitGroup
 }
@@ -107,72 +106,36 @@ func (worker *NamespaceWorker) deleteTLS(secret *api_v1.Secret) Status {
 }
 
 func (worker *NamespaceWorker) updateSecret(secret *api_v1.Secret) Status {
-	have, upToDate, updated := []string{}, []string{}, []string{}
-	for _, f := range worker.bndls.Files {
-		if !f.HaveSecret(secret.Namespace, secret.Name,
-			string(secret.UID), secret.ResourceVersion) {
-			continue
-		}
-		have = append(have, f.Namespace+"/"+f.Name)
-		if worker.bndls.Check(f.Namespace, f.Name) {
-			upToDate = append(upToDate, f.Namespace+"/"+f.Name)
-			continue
-		}
-		if err := worker.bndls.Write(f.Namespace, f.Name); err != nil {
-			if os.IsPermission(err) {
-				return MakeFatal(
-					"cannot update CA bundle for Service "+
-						"%s/%s: %s", f.Namespace,
-					f.Name, err)
-			}
-			return MakeRecoverable(
-				"updating CA bundle for Service %s/%s: %v",
-				f.Namespace, f.Name, err)
-		}
-		updated = append(updated, f.Namespace+"/"+f.Name)
+	if !worker.bndl.HaveSecret(secret.Namespace, secret.Name,
+		string(secret.UID), secret.ResourceVersion) {
+		return MakeNoop("Secret not in a CA certificate bundle")
 	}
-	if len(have) == 0 {
-		return MakeNoop("no Service has the Secret in a CA bundle")
+	if worker.bndl.Check() {
+		return MakeNoop("CA certificate bundle is already up to date")
 	}
-	if len(updated) == 0 {
-		return MakeNoop("already up to date in CA bundle(s) for " +
-			"Service(s): [" + strings.Join(have, ",") + "] ")
+	if err := worker.bndl.Write(); err != nil {
+		if os.IsPermission(err) {
+			return MakeFatal("cannot update CA bundle: %+v", err)
+		}
+		return MakeRecoverable("updating CA bundle: %+v", err)
 	}
-	return MakeSuccess(
-		"Secret in CA bundle(s) for Service(s): [" +
-			strings.Join(have, ",") + "], already up to date in: " +
-			"[" + strings.Join(upToDate, ",") + "], " +
-			"successfully updated for: [" +
-			strings.Join(updated, ",") + "]")
+	return MakeSuccess("CA cerificate bundle successfully updated")
 }
 
 func (worker *NamespaceWorker) deleteSecret(secret *api_v1.Secret) Status {
-	have := []string{}
-	for _, f := range worker.bndls.Files {
-		if !f.HaveSecret(secret.Namespace, secret.Name,
-			string(secret.UID), secret.ResourceVersion) {
-			continue
-		}
-		have = append(have, f.Namespace+"/"+f.Name)
-		if err := worker.bndls.DeleteSecret(f.Namespace, f.Name,
-			secret.Namespace, secret.Name); err != nil {
-			if os.IsPermission(err) {
-				return MakeFatal(
-					"cannot update CA bundle for Service "+
-						"%s/%s: %s", f.Namespace,
-					f.Name, err)
-			}
-			return MakeRecoverable(
-				"updating CA bundle for Service %s/%s: %v",
-				f.Namespace, f.Name, err)
-		}
+	if !worker.bndl.HaveSecret(secret.Namespace, secret.Name,
+		string(secret.UID), secret.ResourceVersion) {
+		return MakeNoop("Secret not in CA certificate bundle")
 	}
-	if len(have) == 0 {
-		return MakeNoop("no Service has the Secret in a CA bundle")
+	if err := worker.bndl.DeleteSecret(secret.Namespace,
+		secret.Name); err != nil {
+		if os.IsPermission(err) {
+			return MakeFatal(
+				"cannot update CA bundle: %+v", err)
+		}
+		return MakeRecoverable("updating CA bundle: %v", err)
 	}
-	return MakeSuccess(
-		"successfully deleted in CA bundle(s) for Service(s): [" +
-			strings.Join(have, ",") + "]")
+	return MakeSuccess("successfully deleted in CA certificate bundle")
 }
 
 func (worker *NamespaceWorker) syncSuccess(syncType SyncType,
@@ -266,7 +229,7 @@ type NamespaceQueues struct {
 	log      *logrus.Logger
 	workers  map[string]*NamespaceWorker
 	files    *pem.Files
-	bndls    *cacrt.Bundles
+	bndl     *cacrt.Bundle
 	recorder record.EventRecorder
 	wg       *sync.WaitGroup
 }
@@ -279,7 +242,7 @@ type NamespaceQueues struct {
 func NewNamespaceQueues(
 	log *logrus.Logger,
 	files *pem.Files,
-	bndls *cacrt.Bundles,
+	bndl *cacrt.Bundle,
 	recorder record.EventRecorder,
 ) *NamespaceQueues {
 	q := workqueue.NewRateLimitingQueue(
@@ -289,7 +252,7 @@ func NewNamespaceQueues(
 		log:      log,
 		workers:  make(map[string]*NamespaceWorker),
 		files:    files,
-		bndls:    bndls,
+		bndl:     bndl,
 		recorder: recorder,
 		wg:       new(sync.WaitGroup),
 	}
@@ -318,7 +281,7 @@ func (qs *NamespaceQueues) next() {
 			log:       qs.log,
 			queue:     q,
 			files:     qs.files,
-			bndls:     qs.bndls,
+			bndl:      qs.bndl,
 			recorder:  qs.recorder,
 			wg:        qs.wg,
 		}

pkg/rest/handlers.go

@@ -63,7 +63,6 @@ type ErrorDetails struct {
 
 var (
 	pemsRegex = regexp.MustCompile("^" + pemsPfx + "([^/]+)/([^/]+)$")
-	bndlRegex = regexp.MustCompile("^" + bndlPfx + "([^/]+)/([^/]+)$")
 
 	allowedRdonly = map[string]struct{}{
 		http.MethodGet:  struct{}{},
@@ -131,12 +130,6 @@ var (
 		Detail: "",
 	}
 
-	errBndlPattern = ErrorDetails{
-		Type:  "/errors/ca-bndl/urlPattern",
-		Title: "Invalid /v1/ca-bndl/ URL path",
-		Detail: "/v1/ca-bndl/ URL path does not match " +
-			"/v1/ca-bndl/{namespace}/{name}",
-	}
 	errBndlContentType = ErrorDetails{
 		Type:   "/errors/ca-bndl/contentType",
 		Title:  "Request Content-Type not application/json",
@@ -557,9 +550,9 @@ func (h *pemsHndlr) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
 }
 
 type bndlHndlr struct {
-	log   *logrus.Logger
-	bndls *cacrt.Bundles
-	crt   *crt.Getter
+	log  *logrus.Logger
+	bndl *cacrt.Bundle
+	crt  *crt.Getter
 }
 
 // XXX currently no reponses for GET or HEAD
@@ -569,13 +562,6 @@ func (h *bndlHndlr) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
 	resp.Header().Set("Content-Length", "0")
 	status := http.StatusTeapot
 
-	matches := bndlRegex.FindStringSubmatch(req.URL.Path)
-	if matches == nil {
-		errorResponse(resp, req, now, http.StatusNotFound,
-			errBndlPattern, nil, h.log)
-		return
-	}
-
 	if _, ok := allowedRW[req.Method]; !ok {
 		status = http.StatusMethodNotAllowed
 		resp.Header().Set("Allow", allowRW)
@@ -583,10 +569,9 @@ func (h *bndlHndlr) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
 		reqLog(h.log, req, now, status, 0)
 		return
 	}
-	ns, name := matches[1], matches[2]
 
 	if req.Method == http.MethodDelete {
-		if exist, err := h.bndls.Delete(ns, name); !exist ||
+		if exist, err := h.bndl.Delete(); !exist ||
 			(err != nil && os.IsNotExist(err)) {
 			errorResponse(resp, req, now, http.StatusNotFound,
 				errBndlNotFound, err, h.log)
@@ -606,7 +591,7 @@ func (h *bndlHndlr) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
 
 	// XXX If-Match: uid/version
 	// XXX If-Unmodified-Since: compare file mtime
-	have := h.bndls.Have(ns, name)
+	have := h.bndl.Have()
 	if have && req.Method == http.MethodPost {
 		status = http.StatusConflict
 		resp.WriteHeader(status)
@@ -661,7 +646,7 @@ func (h *bndlHndlr) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
 		}
 	}
 	if srcs.Distro {
-		if !h.bndls.HasDistroBundle() {
+		if !h.bndl.HasDistroBundle() {
 			errorResponse(resp, req, now, http.StatusNotFound,
 				errBndlNoDistro, nil, h.log)
 			return
@@ -669,19 +654,17 @@ func (h *bndlHndlr) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
 	}
 
 	file := &cacrt.File{
-		Namespace: ns,
-		Name:      name,
-		Sources:   srcs,
+		Sources: srcs,
 	}
 
-	if h.bndls.CheckFileData(file) {
+	if h.bndl.CheckFileData(file) {
 		status = http.StatusNoContent
 		resp.Header().Del("Content-Length")
 		resp.WriteHeader(status)
 		reqLog(h.log, req, now, status, 0)
 		return
 	}
-	if err := h.bndls.AddOrUpdate(file); err != nil {
+	if err := h.bndl.AddOrUpdate(file); err != nil {
 		if os.IsPermission(err) {
 			errorResponse(resp, req, now,
 				http.StatusInternalServerError,

pkg/rest/server.go

@@ -46,8 +46,7 @@ const (
 	healthzPath = "/v1/healthz"
 	pemsPfx     = "/v1/pems/"
 	pemsAll     = "/v1/pems"
-	bndlPfx     = "/v1/ca-bndl/"
-	bndlAll     = "/v1/ca-bndl"
+	bndlPath    = "/v1/ca-bndl"
 )
 
 // Server encapsulates the HTTP server for the REST API.
@@ -59,7 +58,7 @@ type Server struct {
 	version   string
 	log       *logrus.Logger
 	files     *pem.Files
-	bndls     *cacrt.Bundles
+	bndl      *cacrt.Bundle
 	crtGetter *crt.Getter
 }
 
@@ -88,7 +87,7 @@ func NewServer(
 	gid, mode int,
 	log *logrus.Logger,
 	files *pem.Files,
-	bndls *cacrt.Bundles,
+	bndl *cacrt.Bundle,
 	crtGetter *crt.Getter,
 ) *Server {
 	srv := &Server{
@@ -98,7 +97,7 @@ func NewServer(
 		version:   version,
 		log:       log,
 		files:     files,
-		bndls:     bndls,
+		bndl:      bndl,
 		crtGetter: crtGetter,
 	}
 	if gid >= 0 {
@@ -171,14 +170,13 @@ func (srv *Server) Start() error {
 		crtGetter: srv.crtGetter,
 	}
 	bndlHandler := &bndlHndlr{
-		log:   srv.log,
-		bndls: srv.bndls,
-		crt:   srv.crtGetter,
+		log:  srv.log,
+		bndl: srv.bndl,
+		crt:  srv.crtGetter,
 	}
 	mux.Handle(pemsPfx, pemsHandler)
 	mux.Handle(pemsAll, pemsHandler)
-	mux.Handle(bndlPfx, bndlHandler)
-	mux.Handle(bndlAll, bndlHandler)
+	mux.Handle(bndlPath, bndlHandler)
 	srv.server = http.Server{Handler: mux}
 	go func() {
 		if err := srv.server.Serve(lsnr); err != nil {