The controller only reads Secrets that are relevant to Ingress.

We read Secrets with labels that identify a Secret for use by this application. These include: - Secrets for the remote administration of Varnish and haproxy (to authorize use of the Varnish CLI and the dataplane API for haproxy). - Secrets for applications like Basic and Proxy Auth. - The Secret in which PEM files for haproxy are created, and is projected into a volume that haproxy reads. This is how we create TLS material for use by haproxy (which requires that crt and key are concatenated into one file). We also read Secrets with the type field set to "kubernetes.io/tls". These contain the TLS material, and are the Secrets named in an Ingress spec. This has necessitated adding two new informers to the controller, for which the filters are defined.

The controller only reads Secrets that are relevant to Ingress.
We read Secrets with labels that identify a Secret for use by this application. These include: - Secrets for the remote administration of Varnish and haproxy (to authorize use of the Varnish CLI and the dataplane API for haproxy). - Secrets for applications like Basic and Proxy Auth. - The Secret in which PEM files for haproxy are created, and is projected into a volume that haproxy reads. This is how we create TLS material for use by haproxy (which requires that crt and key are concatenated into one file). We also read Secrets with the type field set to "kubernetes.io/tls". These contain the TLS material, and are the Secrets named in an Ingress spec. This has necessitated adding two new informers to the controller, for which the filters are defined.
5f489cc1 · Geoff Simmons · 88722df1 · 5f489cc1 · 5f489cc1 · 5f489cc1
Commit 5f489cc1 authored May 15, 2020 by Geoff Simmons
6 changed files
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -50,6 +50,7 @@ import (
 	api_v1 "k8s.io/api/core/v1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
@@ -98,10 +99,25 @@ var (
 	informerStop = make(chan struct{})
 )
-// Satisifes type TweakListOptionsFunc in
+const vikingSecretSelector = "app=varnish-ingress"
-// k8s.io/client-go/informers/internalinterfaces, for use in
-// NewFilteredSharedInformerFactory below.
+// The next two functions satisify type TweakListOptionsFunc in
-func noop(opts *meta_v1.ListOptions) {}
+// k8s.io/client-go/informers/internalinterfaces, for use in the
+// creation of SharedInformerFactories below. These are used to filter
+// Secret informers, so that we only read Secrets that are relevant to
+// the Ingress application.
+// Filters Secrets with labels that identify this Ingress.
+func vikingSecrets(opts *meta_v1.ListOptions) {
+	opts.LabelSelector = vikingSecretSelector
+}
+// Filters Secrets with the type field that identify a Secret to be
+// used for TLS certificates, and named in an Ingress resource.
+func ingressTLSSecrets(opts *meta_v1.ListOptions) {
+	opts.FieldSelector = fields.OneTermEqualSelector("type",
+		string(api_v1.SecretTypeTLS)).String()
+}
 func main() {
 	flag.Parse()
@@ -192,10 +208,19 @@ func main() {
 			kubeClient, *resyncPeriodF,
 			informers.WithNamespace(*namespaceF))
 	}
+	vsecrInformerFactory := informers.NewSharedInformerFactoryWithOptions(
+		kubeClient, *resyncPeriodF,
+		informers.WithNamespace(*namespaceF),
+		informers.WithTweakListOptions(vikingSecrets))
+	tsecrInformerFactory := informers.NewSharedInformerFactoryWithOptions(
+		kubeClient, *resyncPeriodF,
+		informers.WithNamespace(*namespaceF),
+		informers.WithTweakListOptions(ingressTLSSecrets))
 	ingController, err := controller.NewIngressController(log,
 		*ingressClassF, kubeClient, vController, hController,
-		informerFactory, vcrInformerFactory)
+		informerFactory, vcrInformerFactory, vsecrInformerFactory,
+		tsecrInformerFactory)
 	if err != nil {
 		log.Fatalf("Could not initialize controller: %v")
 		os.Exit(-1)

--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -60,12 +60,13 @@ import (
 )
 type infrmrs struct {
-	ing  cache.SharedIndexInformer
+	ing   cache.SharedIndexInformer
-	svc  cache.SharedIndexInformer
+	svc   cache.SharedIndexInformer
-	endp cache.SharedIndexInformer
+	endp  cache.SharedIndexInformer
-	secr cache.SharedIndexInformer
+	vsecr cache.SharedIndexInformer
-	vcfg cache.SharedIndexInformer
+	tsecr cache.SharedIndexInformer
-	bcfg cache.SharedIndexInformer
+	vcfg  cache.SharedIndexInformer
+	bcfg  cache.SharedIndexInformer
 }
 // SyncType classifies the sync event, passed through to workers.
@@ -106,12 +107,13 @@ type SyncObj struct {
 // IngressController, and handed off to NamespaceWorker workers to
 // read data from the client-go cache.
 type Listers struct {
-	ing  ext_listers.IngressLister
+	ing   ext_listers.IngressLister
-	svc  core_v1_listers.ServiceLister
+	svc   core_v1_listers.ServiceLister
-	endp core_v1_listers.EndpointsLister
+	endp  core_v1_listers.EndpointsLister
-	secr core_v1_listers.SecretLister
+	tsecr core_v1_listers.SecretLister
-	vcfg vcr_listers.VarnishConfigLister
+	vsecr core_v1_listers.SecretLister
-	bcfg vcr_listers.BackendConfigLister
+	vcfg  vcr_listers.VarnishConfigLister
+	bcfg  vcr_listers.BackendConfigLister
 }
 // IngressController watches Kubernetes API and reconfigures Varnish
@@ -145,6 +147,8 @@ func NewIngressController(
 	hc *haproxy.Controller,
 	infFactory informers.SharedInformerFactory,
 	vcrInfFactory vcr_informers.SharedInformerFactory,
+	vsecrInfFactory informers.SharedInformerFactory,
+	tsecrInfFactory informers.SharedInformerFactory,
 ) (*IngressController, error) {
 	ingc := IngressController{
@@ -173,10 +177,11 @@ func NewIngressController(
 		api_v1.EventSource{Component: "varnish-ingress-controller"})
 	ingc.informers = &infrmrs{
-		ing:  infFactory.Extensions().V1beta1().Ingresses().Informer(),
+		ing:   infFactory.Extensions().V1beta1().Ingresses().Informer(),
-		svc:  infFactory.Core().V1().Services().Informer(),
+		svc:   infFactory.Core().V1().Services().Informer(),
-		endp: infFactory.Core().V1().Endpoints().Informer(),
+		endp:  infFactory.Core().V1().Endpoints().Informer(),
-		secr: infFactory.Core().V1().Secrets().Informer(),
+		vsecr: vsecrInfFactory.Core().V1().Secrets().Informer(),
+		tsecr: tsecrInfFactory.Core().V1().Secrets().Informer(),
 		vcfg: vcrInfFactory.Ingress().V1alpha1().VarnishConfigs().
 			Informer(),
 		bcfg: vcrInfFactory.Ingress().V1alpha1().BackendConfigs().
@@ -192,15 +197,17 @@ func NewIngressController(
 	ingc.informers.ing.AddEventHandler(evtFuncs)
 	ingc.informers.svc.AddEventHandler(evtFuncs)
 	ingc.informers.endp.AddEventHandler(evtFuncs)
-	ingc.informers.secr.AddEventHandler(evtFuncs)
+	ingc.informers.tsecr.AddEventHandler(evtFuncs)
+	ingc.informers.vsecr.AddEventHandler(evtFuncs)
 	ingc.informers.vcfg.AddEventHandler(evtFuncs)
 	ingc.informers.bcfg.AddEventHandler(evtFuncs)
 	ingc.listers = &Listers{
-		ing:  infFactory.Extensions().V1beta1().Ingresses().Lister(),
+		ing:   infFactory.Extensions().V1beta1().Ingresses().Lister(),
-		svc:  infFactory.Core().V1().Services().Lister(),
+		svc:   infFactory.Core().V1().Services().Lister(),
-		endp: infFactory.Core().V1().Endpoints().Lister(),
+		endp:  infFactory.Core().V1().Endpoints().Lister(),
-		secr: infFactory.Core().V1().Secrets().Lister(),
+		vsecr: vsecrInfFactory.Core().V1().Secrets().Lister(),
+		tsecr: tsecrInfFactory.Core().V1().Secrets().Lister(),
 		vcfg: vcrInfFactory.Ingress().V1alpha1().VarnishConfigs().
 			Lister(),
 		bcfg: vcrInfFactory.Ingress().V1alpha1().BackendConfigs().
@@ -361,7 +368,8 @@ func (ingc *IngressController) Run(readyFile string, metricsPort uint16) {
 	go ingc.informers.ing.Run(ingc.ctx.Done())
 	go ingc.informers.svc.Run(ingc.ctx.Done())
 	go ingc.informers.endp.Run(ingc.ctx.Done())
-	go ingc.informers.secr.Run(ingc.ctx.Done())
+	go ingc.informers.tsecr.Run(ingc.ctx.Done())
+	go ingc.informers.vsecr.Run(ingc.ctx.Done())
 	go ingc.informers.vcfg.Run(ingc.ctx.Done())
 	go ingc.informers.bcfg.Run(ingc.ctx.Done())
@@ -391,7 +399,8 @@ func (ingc *IngressController) Run(readyFile string, metricsPort uint16) {
 		ingc.informers.ing.HasSynced,
 		ingc.informers.svc.HasSynced,
 		ingc.informers.endp.HasSynced,
-		ingc.informers.secr.HasSynced,
+		ingc.informers.tsecr.HasSynced,
+		ingc.informers.vsecr.HasSynced,
 		ingc.informers.vcfg.HasSynced,
 		ingc.informers.bcfg.HasSynced); !ok {

--- a/pkg/controller/ingress.go
+++ b/pkg/controller/ingress.go
@@ -551,7 +551,7 @@ func (worker *NamespaceWorker) configAuth(spec *vcl.Spec,
 	for _, auth := range vcfg.Spec.Auth {
 		worker.log.Tracef("VarnishConfig %s/%s configuring VCL auth "+
 			"from: %+v", vcfg.Namespace, vcfg.Name, auth)
-		secret, err := worker.secr.Get(auth.SecretName)
+		secret, err := worker.vsecr.Get(auth.SecretName)
 		if err != nil {
 			return err
 		}

--- a/pkg/controller/secret.go
+++ b/pkg/controller/secret.go
@@ -51,7 +51,7 @@ const (
 // XXX client...Update(secret) returns Secret
 // XXX client...Create(secret) if it's new?
 func (worker *NamespaceWorker) updateCertSecret(spec *haproxy.SecretSpec) error {
-	nsLister := worker.listers.secr.Secrets(spec.Namespace)
+	nsLister := worker.listers.tsecr.Secrets(spec.Namespace)
 	tlsSecret, err := nsLister.Get(spec.Name)
 	if err != nil {
 		return err
@@ -76,6 +76,7 @@ func (worker *NamespaceWorker) updateCertSecret(spec *haproxy.SecretSpec) error
 			tlsSecret.ObjectMeta.Name)
 	}
+	nsLister = worker.listers.vsecr.Secrets(spec.Namespace)
 	certSecret, err := nsLister.Get(certSecretName)
 	if err != nil {
 		return err
@@ -106,7 +107,7 @@ func (worker *NamespaceWorker) updateCertSecret(spec *haproxy.SecretSpec) error
 }
 func (worker *NamespaceWorker) deleteTLSSecret(secret *api_v1.Secret) error {
-	certSecret, err := worker.secr.Get(certSecretName)
+	certSecret, err := worker.vsecr.Get(certSecretName)
 	if err != nil {
 		return err
 	}
@@ -242,7 +243,7 @@ func (worker *NamespaceWorker) enqueueIngsForTLSSecret(
 }
 func (worker *NamespaceWorker) getDplaneSecret() (string, []byte, error) {
-	secrets, err := worker.secr.List(varnishIngressSelector)
+	secrets, err := worker.vsecr.List(varnishIngressSelector)
 	if err != nil {
 		return "", nil, err
 	}
@@ -277,9 +278,11 @@ func (worker *NamespaceWorker) setSecret(secret *api_v1.Secret) error {
 func (worker *NamespaceWorker) syncSecret(key string) error {
 	worker.log.Infof("Syncing Secret: %s/%s", worker.namespace, key)
-	secret, err := worker.secr.Get(key)
+	secret, err := worker.vsecr.Get(key)
 	if err != nil {
-		return err
+		if secret, err = worker.tsecr.Get(key); err != nil {
+			return err
+		}
 	}
 	if secret.Type == tlsSecretType {

--- a/pkg/controller/service.go
+++ b/pkg/controller/service.go
@@ -270,7 +270,7 @@ func (worker *NamespaceWorker) syncSvc(key string) error {
 		worker.log.Infof("Found secret name %s/%s for Service %s/%s",
 			worker.namespace, secrName, svc.Namespace, svc.Name)
-		if secret, err := worker.secr.Get(secrName); err == nil {
+		if secret, err := worker.vsecr.Get(secrName); err == nil {
 			err = worker.setSecret(secret)
 			if err != nil {
 				return err

--- a/pkg/controller/worker.go
+++ b/pkg/controller/worker.go
@@ -74,7 +74,8 @@ type NamespaceWorker struct {
 	ing         ext_listers.IngressNamespaceLister
 	svc         core_v1_listers.ServiceNamespaceLister
 	endp        core_v1_listers.EndpointsNamespaceLister
-	secr        core_v1_listers.SecretNamespaceLister
+	tsecr       core_v1_listers.SecretNamespaceLister
+	vsecr       core_v1_listers.SecretNamespaceLister
 	vcfg        vcr_listers.VarnishConfigNamespaceLister
 	bcfg        vcr_listers.BackendConfigNamespaceLister
 	client      kubernetes.Interface
@@ -359,7 +360,8 @@ func (qs *NamespaceQueues) next() {
 			ing:         qs.listers.ing.Ingresses(ns),
 			svc:         qs.listers.svc.Services(ns),
 			endp:        qs.listers.endp.Endpoints(ns),
-			secr:        qs.listers.secr.Secrets(ns),
+			vsecr:       qs.listers.vsecr.Secrets(ns),
+			tsecr:       qs.listers.tsecr.Secrets(ns),
 			vcfg:        qs.listers.vcfg.VarnishConfigs(ns),
 			bcfg:        qs.listers.bcfg.BackendConfigs(ns),
 			client:      qs.client,