Bugfix: don't requeue if a PEM Secret is not found on delete Secret.

pkg/controller/secret.go

@@ -184,6 +184,12 @@ func (worker *NamespaceWorker) isVikingIngressTLSSecret(
 func (worker *NamespaceWorker) deleteTLSSecret(secret *api_v1.Secret) error {
 	certSecret, err := worker.vsecr.Get(certSecretName)
 	if err != nil {
+		if errors.IsNotFound(err) {
+			// XXX classify as fatal when we refactor error handling
+			worker.log.Errorf("PEM Secret %s/%s not found, not "+
+				"requeuing", worker.namespace, certSecretName)
+			return nil
+		}
 		return err
 	}
 

pkg/controller/secret_test.go

@@ -38,10 +38,14 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
+	core_v1_listers "k8s.io/client-go/listers/core/v1"
 	ext_listers "k8s.io/client-go/listers/extensions/v1beta1"
 	"k8s.io/client-go/tools/cache"
 
 	"github.com/sirupsen/logrus"
+	logtest "github.com/sirupsen/logrus/hooks/test"
+
+	"code.uplex.de/uplex-varnish/k8s-ingress/pkg/haproxy"
 )
 
 func setupIngLister(
@@ -249,3 +253,105 @@ func TestNoIngsForTLSSecret(t *testing.T) {
 		t.Error("isVikingIngressTLSSecret(): wanted false, got true")
 	}
 }
+
+func setupSecrLister(
+	ctx context.Context, client *fake.Clientset, ns string,
+) core_v1_listers.SecretNamespaceLister {
+	infFactory := informers.NewSharedInformerFactory(client, 0)
+	secrInformer := infFactory.Core().V1().Secrets().Informer()
+	secrLister := infFactory.Core().V1().Secrets().Lister()
+	secrNsLister := secrLister.Secrets(ns)
+
+	infFactory.Start(ctx.Done())
+	cache.WaitForCacheSync(ctx.Done(), secrInformer.HasSynced)
+	return secrNsLister
+}
+
+func TestDeletePEMSecret(t *testing.T) {
+	ns := "test-ns"
+
+	ingTLSSecret := &api_v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: ns,
+			Name:      "viking-ingress-tls-secret",
+		},
+	}
+	spec := haproxy.SecretSpec{
+		Namespace: ingTLSSecret.ObjectMeta.Namespace,
+		Name:      ingTLSSecret.ObjectMeta.Name,
+	}
+	pemName := spec.CertName()
+	client := fake.NewSimpleClientset(
+		&api_v1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ns,
+				Name:      certSecretName,
+			},
+			Data: map[string][]byte{
+				pemName: []byte("pem-data"),
+			},
+		},
+	)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	secrNsLister := setupSecrLister(ctx, client, ns)
+
+	worker := &NamespaceWorker{
+		client: client,
+		log:    &logrus.Logger{Out: ioutil.Discard},
+		vsecr:  secrNsLister,
+	}
+	err := worker.deleteTLSSecret(ingTLSSecret)
+	if err != nil {
+		t.Fatal("deleteTLSSecret(): ", err)
+	}
+	updSecret, err := worker.vsecr.Get(certSecretName)
+	if err != nil {
+		t.Fatalf("Get(%s) after deleteTLSSecret(): %+v", certSecretName,
+			err)
+	}
+	if val, ok := updSecret.Data[pemName]; ok {
+		t.Errorf("Secret %s/%s field %s after deleteTLSSecret(), "+
+			"expected no value, got: %s", ns, certSecretName,
+			pemName, val)
+	}
+}
+
+func TestDeleteNoPEMSecret(t *testing.T) {
+	ns := "test-ns"
+
+	ingTLSSecret := &api_v1.Secret{}
+	client := fake.NewSimpleClientset()
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	secrNsLister := setupSecrLister(ctx, client, ns)
+
+	logger, hook := logtest.NewNullLogger()
+	worker := &NamespaceWorker{
+		client:    client,
+		namespace: ns,
+		log:       logger,
+		vsecr:     secrNsLister,
+	}
+	worker.log.Level = logrus.TraceLevel
+	err := worker.deleteTLSSecret(ingTLSSecret)
+	if err != nil {
+		t.Fatal("deleteTLSSecret(): ", err)
+	}
+	logEntry := hook.LastEntry()
+	if logEntry == nil {
+		t.Fatal("deleteTLSSecret(): no log entry")
+	}
+	if logEntry.Level != logrus.ErrorLevel {
+		t.Errorf("deleteTLSSecret() log level wanted Error got %s",
+			logEntry.Level)
+	}
+	msg := "PEM Secret " + ns + "/" + certSecretName +
+		" not found, not requeuing"
+	if logEntry.Message != msg {
+		t.Errorf("deleteTLSSecret() log entry wanted [%s] got [%s]",
+			msg, logEntry.Message)
+	}
+}