Bugfix: only act on delete TLS Secret if it's relevant to viking.

For that, the Secret must be named as the TLS Secret by an Ingress in the same namespace that identifies out ingress.class. This means that the controller doesn't need to try delete an element from any PEM Secret (to remove the certificate from the haproxy Secret volume).

Bugfix: only act on delete TLS Secret if it's relevant to viking.
For that, the Secret must be named as the TLS Secret by an Ingress in the same namespace that identifies out ingress.class. This means that the controller doesn't need to try delete an element from any PEM Secret (to remove the certificate from the haproxy Secret volume).
2bf40a90 · Geoff Simmons · 2165e1e5 · 2bf40a90 · 2bf40a90 · 2bf40a90
Commit 2bf40a90 authored Jun 04, 2020 by Geoff Simmons
Hide whitespace changes
Inline Side-by-side

Showing with 299 additions and 14 deletions

go.sum go.sum +1 -0

secret.go pkg/controller/secret.go +47 -14

secret_test.go pkg/controller/secret_test.go +251 -0

No files found.
--- a/go.sum
+++ b/go.sum
@@ -260,6 +260,7 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 k8s.io/api v0.16.4 h1:O06Ed/hgLiCrzW1SHp6HAhqcTnYHtK80bP5rXoHakpM=
 k8s.io/api v0.16.4/go.mod h1:AtzMnsR45tccQss5q8RnF+W8L81DH6XwXwo/joEx9u0=
+k8s.io/api v0.18.3 h1:2AJaUQdgUZLoDZHrun21PW2Nx9+ll6cUzvn3IKhSIn0=
 k8s.io/apimachinery v0.16.4 h1:+VNiyTcctUvBBRUxfulwL2I6TGratkR1oAoULuas/HI=
 k8s.io/apimachinery v0.16.4/go.mod h1:llRdnznGEAqC3DcNm6yEj472xaFVfLM7hnYofMb12tQ=
 k8s.io/client-go v0.16.4 h1:sf+FEZXYhJNjpTZapQDLvvN+0kBeUTxCYxlXcVdhv2E=

--- a/pkg/controller/secret.go
+++ b/pkg/controller/secret.go
@@ -35,6 +35,7 @@ import (
 	api_v1 "k8s.io/api/core/v1"
 	extensions "k8s.io/api/extensions/v1beta1"

+	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"

 	"code.uplex.de/uplex-varnish/k8s-ingress/pkg/haproxy"
@@ -143,6 +144,43 @@ func (worker *NamespaceWorker) updateCertSecret(spec *haproxy.SecretSpec) error
 	return nil
 }

+func (worker *NamespaceWorker) getIngsForTLSSecret(
+	secret *api_v1.Secret) (ings []*extensions.Ingress, err error) {
+
+	nsIngs, err := worker.ing.List(labels.Everything())
+	if err != nil {
+		if errors.IsNotFound(err) {
+			worker.log.Infof("No Ingresses found in namespace %s",
+				worker.namespace)
+			return ings, nil
+		}
+		return nil, err
+	}
+
+	for _, ing := range nsIngs {
+		if !worker.isVarnishIngress(ing) {
+			continue
+		}
+		for _, tls := range ing.Spec.TLS {
+			if tls.SecretName == secret.Name {
+				ings = append(ings, ing)
+			}
+		}
+	}
+	return ings, nil
+}
+
+func (worker *NamespaceWorker) isVikingIngressTLSSecret(
+	secret *api_v1.Secret) (bool, error) {
+
+	if ings, err := worker.getIngsForTLSSecret(secret); err != nil {
+		return false, err
+	} else if ings == nil || len(ings) == 0 {
+		return false, nil
+	}
+	return true, nil
+}
+
 func (worker *NamespaceWorker) deleteTLSSecret(secret *api_v1.Secret) error {
 	certSecret, err := worker.vsecr.Get(certSecretName)
 	if err != nil {
@@ -245,23 +283,10 @@ func (worker *NamespaceWorker) updateVarnishSvcsForSecret(
 func (worker *NamespaceWorker) enqueueIngsForTLSSecret(
 	secret *api_v1.Secret) error {

-	var ings []*extensions.Ingress
-	nsIngs, err := worker.ing.List(varnishIngressSelector)
+	ings, err := worker.getIngsForTLSSecret(secret)
 	if err != nil {
 		return err
 	}
-
-	for _, ing := range nsIngs {
-		if !worker.isVarnishIngress(ing) {
-			continue
-		}
-		for _, tls := range ing.Spec.TLS {
-			if tls.SecretName == secret.Name {
-				ings = append(ings, ing)
-			}
-		}
-	}
-
 	if len(ings) == 0 {
 		worker.log.Infof("No Varnish Ingresses defined for TLS Secret "+
 			"%s/%s", secret.Namespace, secret.Name)
@@ -387,6 +412,14 @@ func (worker *NamespaceWorker) deleteSecret(obj interface{}) error {
 	}

 	if secr.Type == api_v1.SecretTypeTLS {
+		if is, err := worker.isVikingIngressTLSSecret(secr); err != nil {
+			return err
+		} else if !is {
+			worker.log.Infof("TLS Secret %s/%s not specified by "+
+				"any Ingress for Varnish, ignoring",
+				secr.Namespace, secr.Name)
+			return nil
+		}
 		worker.log.Infof("Deleting TLS Secret: %s/%s", secr.Namespace,
 			secr.Name)
 		return worker.deleteTLSSecret(secr)

--- a/pkg/controller/secret_test.go
+++ b/pkg/controller/secret_test.go
+/*
+ * Copyright (c) 2019 UPLEX Nils Goroll Systemoptimierung
+ * All rights reserved
+ *
+ * Author: Geoffrey Simmons <geoffrey.simmons@uplex.de>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+package controller
+
+import (
+	"context"
+	"io/ioutil"
+	"testing"
+
+	api_v1 "k8s.io/api/core/v1"
+	extensions "k8s.io/api/extensions/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes/fake"
+	ext_listers "k8s.io/client-go/listers/extensions/v1beta1"
+	"k8s.io/client-go/tools/cache"
+
+	"github.com/sirupsen/logrus"
+)
+
+func setupIngLister(
+	client *fake.Clientset, ns string) ext_listers.IngressNamespaceLister {
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	infFactory := informers.NewSharedInformerFactory(client, 0)
+	ingInformer := infFactory.Extensions().V1beta1().Ingresses().Informer()
+	ingLister := infFactory.Extensions().V1beta1().Ingresses().Lister()
+	ingNsLister := ingLister.Ingresses(ns)
+
+	infFactory.Start(ctx.Done())
+	cache.WaitForCacheSync(ctx.Done(), ingInformer.HasSynced)
+	return ingNsLister
+}
+
+func TestIngsForTLSSecret(t *testing.T) {
+	ns := "test-ns"
+	ingClass := "viking"
+	ingName := "viking-tls-ingress"
+	secretName := "viking-tls-secret"
+	wrongIngClassSecret := "wrong-ing-class-secret"
+	noIngClassSecret := "no-ing-class-secret"
+
+	client := fake.NewSimpleClientset(
+		&extensions.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ns,
+				Name:      ingName,
+				Annotations: map[string]string{
+					ingressClassKey: ingClass,
+				},
+			},
+			Spec: extensions.IngressSpec{
+				TLS: []extensions.IngressTLS{{
+					SecretName: secretName,
+				}},
+			},
+		},
+		&extensions.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ns,
+				Name:      "wrong-ing-class",
+				Annotations: map[string]string{
+					ingressClassKey: "wrong-ing-class",
+				},
+			},
+			Spec: extensions.IngressSpec{
+				TLS: []extensions.IngressTLS{{
+					SecretName: wrongIngClassSecret,
+				}},
+			},
+		},
+		&extensions.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ns,
+				Name:      "no-ing-class",
+			},
+			Spec: extensions.IngressSpec{
+				TLS: []extensions.IngressTLS{{
+					SecretName: noIngClassSecret,
+				}},
+			},
+		},
+		&extensions.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ns,
+				Name:      "different-secret-name",
+				Annotations: map[string]string{
+					ingressClassKey: ingClass,
+				},
+			},
+			Spec: extensions.IngressSpec{
+				TLS: []extensions.IngressTLS{{
+					SecretName: "different-secret-name",
+				}},
+			},
+		},
+	)
+
+	ingNsLister := setupIngLister(client, ns)
+	worker := &NamespaceWorker{
+		log:      &logrus.Logger{Out: ioutil.Discard},
+		ing:      ingNsLister,
+		ingClass: ingClass,
+	}
+
+	secret := &api_v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: ns,
+			Name:      secretName,
+		},
+		Type: api_v1.SecretTypeTLS,
+	}
+	ings, err := worker.getIngsForTLSSecret(secret)
+	if err != nil {
+		t.Fatal("getIngsForTLSSecret(): ", err)
+	}
+	if len(ings) != 1 {
+		t.Errorf("getIngsForTLSSecret(): wanted 1 Ingress, got %d",
+			len(ings))
+	}
+	if ings[0].Name != ingName {
+		t.Errorf("getIngsForTLSSecret(): Ingress name wanted %s, "+
+			"got %s", ingName, ings[0].Name)
+	}
+	if is, err := worker.isVikingIngressTLSSecret(secret); err != nil {
+		t.Fatal("isVikingIngressTLSSecret(): ", err)
+	} else if !is {
+		t.Error("isVikingIngressTLSSecret(): wanted true, got false")
+	}
+
+	secret = &api_v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: ns,
+			Name:      "no-ing-for-secret",
+		},
+		Type: api_v1.SecretTypeTLS,
+	}
+	ings, err = worker.getIngsForTLSSecret(secret)
+	if err != nil {
+		t.Fatal("getIngsForTLSSecret(): ", err)
+	}
+	if ings != nil || len(ings) != 0 {
+		t.Error("getIngsForTLSSecret(): wanted no Ingresses, got >0")
+	}
+	if is, err := worker.isVikingIngressTLSSecret(secret); err != nil {
+		t.Fatal("isVikingIngressTLSSecret(): ", err)
+	} else if is {
+		t.Error("isVikingIngressTLSSecret(): wanted false, got true")
+	}
+
+	secret = &api_v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: ns,
+			Name:      wrongIngClassSecret,
+		},
+		Type: api_v1.SecretTypeTLS,
+	}
+	ings, err = worker.getIngsForTLSSecret(secret)
+	if err != nil {
+		t.Fatal("getIngsForTLSSecret(): ", err)
+	}
+	if ings != nil || len(ings) != 0 {
+		t.Error("getIngsForTLSSecret(): wanted no Ingresses, got >0")
+	}
+	if is, err := worker.isVikingIngressTLSSecret(secret); err != nil {
+		t.Fatal("isVikingIngressTLSSecret(): ", err)
+	} else if is {
+		t.Error("isVikingIngressTLSSecret(): wanted false, got true")
+	}
+
+	secret = &api_v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: ns,
+			Name:      noIngClassSecret,
+		},
+		Type: api_v1.SecretTypeTLS,
+	}
+	ings, err = worker.getIngsForTLSSecret(secret)
+	if err != nil {
+		t.Fatal("getIngsForTLSSecret(): ", err)
+	}
+	if ings != nil || len(ings) != 0 {
+		t.Error("getIngsForTLSSecret(): wanted no Ingresses, got >0")
+	}
+	if is, err := worker.isVikingIngressTLSSecret(secret); err != nil {
+		t.Fatal("isVikingIngressTLSSecret(): ", err)
+	} else if is {
+		t.Error("isVikingIngressTLSSecret(): wanted false, got true")
+	}
+}
+
+func TestNoIngsForTLSSecret(t *testing.T) {
+	ns := "test-ns"
+	ingClass := "viking"
+
+	client := fake.NewSimpleClientset()
+	ingNsLister := setupIngLister(client, ns)
+	worker := &NamespaceWorker{
+		log:      &logrus.Logger{Out: ioutil.Discard},
+		ing:      ingNsLister,
+		ingClass: ingClass,
+	}
+	secret := &api_v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: ns,
+			Name:      "test-secret",
+		},
+		Type: api_v1.SecretTypeTLS,
+	}
+	ings, err := worker.getIngsForTLSSecret(secret)
+	if err != nil {
+		t.Fatal("getIngsForTLSSecret(): ", err)
+	}
+	if len(ings) != 0 {
+		t.Errorf("getIngsForTLSSecret(): wanted 0 Ingresses, got %d",
+			len(ings))
+	}
+	if is, err := worker.isVikingIngressTLSSecret(secret); err != nil {
+		t.Fatal("isVikingIngressTLSSecret(): ", err)
+	} else if is {
+		t.Error("isVikingIngressTLSSecret(): wanted false, got true")
+	}
+}