Commit 5f489cc1 authored by Geoff Simmons's avatar Geoff Simmons

The controller only reads Secrets that are relevant to Ingress.

We read Secrets with labels that identify a Secret for use by this
application. These include:

- Secrets for the remote administration of Varnish and haproxy
  (to authorize use of the Varnish CLI and the dataplane API for
  haproxy).

- Secrets for applications like Basic and Proxy Auth.

- The Secret in which PEM files for haproxy are created, which is
  projected into a volume that haproxy reads. This is how we
  provide TLS material to haproxy (which requires that the
  certificate and key be concatenated into one file).

We also read Secrets with the type field set to "kubernetes.io/tls".
These contain the TLS material, and are the Secrets named in an
Ingress spec.

This has necessitated adding two new informers to the controller,
for which the filters are defined.
parent 88722df1
......@@ -50,6 +50,7 @@ import (
api_v1 "k8s.io/api/core/v1"
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/fields"
"k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/clientcmd"
......@@ -98,10 +99,25 @@ var (
informerStop = make(chan struct{})
)
// Satisifes type TweakListOptionsFunc in
// k8s.io/client-go/informers/internalinterfaces, for use in
// NewFilteredSharedInformerFactory below.
func noop(opts *meta_v1.ListOptions) {}
const vikingSecretSelector = "app=varnish-ingress"
// The next two functions satisify type TweakListOptionsFunc in
// k8s.io/client-go/informers/internalinterfaces, for use in the
// creation of SharedInformerFactories below. These are used to filter
// Secret informers, so that we only read Secrets that are relevant to
// the Ingress application.
// Filters Secrets with labels that identify this Ingress.
func vikingSecrets(opts *meta_v1.ListOptions) {
opts.LabelSelector = vikingSecretSelector
}
// Filters Secrets with the type field that identify a Secret to be
// used for TLS certificates, and named in an Ingress resource.
func ingressTLSSecrets(opts *meta_v1.ListOptions) {
opts.FieldSelector = fields.OneTermEqualSelector("type",
string(api_v1.SecretTypeTLS)).String()
}
func main() {
flag.Parse()
......@@ -192,10 +208,19 @@ func main() {
kubeClient, *resyncPeriodF,
informers.WithNamespace(*namespaceF))
}
vsecrInformerFactory := informers.NewSharedInformerFactoryWithOptions(
kubeClient, *resyncPeriodF,
informers.WithNamespace(*namespaceF),
informers.WithTweakListOptions(vikingSecrets))
tsecrInformerFactory := informers.NewSharedInformerFactoryWithOptions(
kubeClient, *resyncPeriodF,
informers.WithNamespace(*namespaceF),
informers.WithTweakListOptions(ingressTLSSecrets))
ingController, err := controller.NewIngressController(log,
*ingressClassF, kubeClient, vController, hController,
informerFactory, vcrInformerFactory)
informerFactory, vcrInformerFactory, vsecrInformerFactory,
tsecrInformerFactory)
if err != nil {
log.Fatalf("Could not initialize controller: %v")
os.Exit(-1)
......
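Review bot: The context line `log.Fatalf("Could not initialize controller: %v")` directly under the new NewIngressController call has a `%v` verb but no argument, so an error from wiring the two new Secret informers is printed as `%!v(MISSING)` instead of the real cause; it should be `log.Fatalf("Could not initialize controller: %v", err)`, and the following `os.Exit(-1)` is unreachable because Fatalf already exits. Separately, the label selector is spelled here as the string constant `vikingSecretSelector` while the worker code lists with `varnishIngressSelector`; if those are defined independently they can drift apart, so consider deriving one from the other. The enclosing `main` function continues past the end of the hunk.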
......@@ -63,7 +63,8 @@ type infrmrs struct {
ing cache.SharedIndexInformer
svc cache.SharedIndexInformer
endp cache.SharedIndexInformer
secr cache.SharedIndexInformer
vsecr cache.SharedIndexInformer
tsecr cache.SharedIndexInformer
vcfg cache.SharedIndexInformer
bcfg cache.SharedIndexInformer
}
......@@ -109,7 +110,8 @@ type Listers struct {
ing ext_listers.IngressLister
svc core_v1_listers.ServiceLister
endp core_v1_listers.EndpointsLister
secr core_v1_listers.SecretLister
tsecr core_v1_listers.SecretLister
vsecr core_v1_listers.SecretLister
vcfg vcr_listers.VarnishConfigLister
bcfg vcr_listers.BackendConfigLister
}
......@@ -145,6 +147,8 @@ func NewIngressController(
hc *haproxy.Controller,
infFactory informers.SharedInformerFactory,
vcrInfFactory vcr_informers.SharedInformerFactory,
vsecrInfFactory informers.SharedInformerFactory,
tsecrInfFactory informers.SharedInformerFactory,
) (*IngressController, error) {
ingc := IngressController{
......@@ -176,7 +180,8 @@ func NewIngressController(
ing: infFactory.Extensions().V1beta1().Ingresses().Informer(),
svc: infFactory.Core().V1().Services().Informer(),
endp: infFactory.Core().V1().Endpoints().Informer(),
secr: infFactory.Core().V1().Secrets().Informer(),
vsecr: vsecrInfFactory.Core().V1().Secrets().Informer(),
tsecr: tsecrInfFactory.Core().V1().Secrets().Informer(),
vcfg: vcrInfFactory.Ingress().V1alpha1().VarnishConfigs().
Informer(),
bcfg: vcrInfFactory.Ingress().V1alpha1().BackendConfigs().
......@@ -192,7 +197,8 @@ func NewIngressController(
ingc.informers.ing.AddEventHandler(evtFuncs)
ingc.informers.svc.AddEventHandler(evtFuncs)
ingc.informers.endp.AddEventHandler(evtFuncs)
ingc.informers.secr.AddEventHandler(evtFuncs)
ingc.informers.tsecr.AddEventHandler(evtFuncs)
ingc.informers.vsecr.AddEventHandler(evtFuncs)
ingc.informers.vcfg.AddEventHandler(evtFuncs)
ingc.informers.bcfg.AddEventHandler(evtFuncs)
......@@ -200,7 +206,8 @@ func NewIngressController(
ing: infFactory.Extensions().V1beta1().Ingresses().Lister(),
svc: infFactory.Core().V1().Services().Lister(),
endp: infFactory.Core().V1().Endpoints().Lister(),
secr: infFactory.Core().V1().Secrets().Lister(),
vsecr: vsecrInfFactory.Core().V1().Secrets().Lister(),
tsecr: tsecrInfFactory.Core().V1().Secrets().Lister(),
vcfg: vcrInfFactory.Ingress().V1alpha1().VarnishConfigs().
Lister(),
bcfg: vcrInfFactory.Ingress().V1alpha1().BackendConfigs().
......@@ -361,7 +368,8 @@ func (ingc *IngressController) Run(readyFile string, metricsPort uint16) {
go ingc.informers.ing.Run(ingc.ctx.Done())
go ingc.informers.svc.Run(ingc.ctx.Done())
go ingc.informers.endp.Run(ingc.ctx.Done())
go ingc.informers.secr.Run(ingc.ctx.Done())
go ingc.informers.tsecr.Run(ingc.ctx.Done())
go ingc.informers.vsecr.Run(ingc.ctx.Done())
go ingc.informers.vcfg.Run(ingc.ctx.Done())
go ingc.informers.bcfg.Run(ingc.ctx.Done())
......@@ -391,7 +399,8 @@ func (ingc *IngressController) Run(readyFile string, metricsPort uint16) {
ingc.informers.ing.HasSynced,
ingc.informers.svc.HasSynced,
ingc.informers.endp.HasSynced,
ingc.informers.secr.HasSynced,
ingc.informers.tsecr.HasSynced,
ingc.informers.vsecr.HasSynced,
ingc.informers.vcfg.HasSynced,
ingc.informers.bcfg.HasSynced); !ok {
......
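Review bot: The two Secret informers wired into `infrmrs` and `Listers` would benefit from a comment stating that the label and type filters narrow what the controller caches, not what it is authorized to read: Kubernetes RBAC cannot express label or field selectors, so the ServiceAccount still needs list/watch on every Secret in the namespace, and any principal able to create a Secret labelled `app=varnish-ingress` there can hand the controller credentials it will trust. A field comment such as `// vsecr, tsecr: filtered caches only; RBAC still grants all Secrets in the namespace` would record that. As a point of style, the `tsecr`/`vsecr` order differs between the struct fields, the handler registration and the HasSynced list; picking one order makes the pairing easier to scan. NewIngressController and Run both begin and end outside the hunks shown.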
......@@ -551,7 +551,7 @@ func (worker *NamespaceWorker) configAuth(spec *vcl.Spec,
for _, auth := range vcfg.Spec.Auth {
worker.log.Tracef("VarnishConfig %s/%s configuring VCL auth "+
"from: %+v", vcfg.Namespace, vcfg.Name, auth)
secret, err := worker.secr.Get(auth.SecretName)
secret, err := worker.vsecr.Get(auth.SecretName)
if err != nil {
return err
}
......
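Review bot: With `worker.vsecr.Get(auth.SecretName)` the lookup now fails not only when the Secret is absent but also when it exists without the `app=varnish-ingress` label, and the bare `return err` surfaces that as a generic not-found with no hint about the label requirement. Wrapping it, for example `return fmt.Errorf("VarnishConfig %s/%s auth Secret %s (must be labelled app=varnish-ingress): %v", vcfg.Namespace, vcfg.Name, auth.SecretName, err)`, would make the failure actionable; whether `fmt` is already imported in this file is not visible here. configAuth begins and ends outside the hunk.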
......@@ -51,7 +51,7 @@ const (
// XXX client...Update(secret) returns Secret
// XXX client...Create(secret) if it's new?
func (worker *NamespaceWorker) updateCertSecret(spec *haproxy.SecretSpec) error {
nsLister := worker.listers.secr.Secrets(spec.Namespace)
nsLister := worker.listers.tsecr.Secrets(spec.Namespace)
tlsSecret, err := nsLister.Get(spec.Name)
if err != nil {
return err
......@@ -76,6 +76,7 @@ func (worker *NamespaceWorker) updateCertSecret(spec *haproxy.SecretSpec) error
tlsSecret.ObjectMeta.Name)
}
nsLister = worker.listers.vsecr.Secrets(spec.Namespace)
certSecret, err := nsLister.Get(certSecretName)
if err != nil {
return err
......@@ -106,7 +107,7 @@ func (worker *NamespaceWorker) updateCertSecret(spec *haproxy.SecretSpec) error
}
func (worker *NamespaceWorker) deleteTLSSecret(secret *api_v1.Secret) error {
certSecret, err := worker.secr.Get(certSecretName)
certSecret, err := worker.vsecr.Get(certSecretName)
if err != nil {
return err
}
......@@ -242,7 +243,7 @@ func (worker *NamespaceWorker) enqueueIngsForTLSSecret(
}
func (worker *NamespaceWorker) getDplaneSecret() (string, []byte, error) {
secrets, err := worker.secr.List(varnishIngressSelector)
secrets, err := worker.vsecr.List(varnishIngressSelector)
if err != nil {
return "", nil, err
}
......@@ -277,10 +278,12 @@ func (worker *NamespaceWorker) setSecret(secret *api_v1.Secret) error {
func (worker *NamespaceWorker) syncSecret(key string) error {
worker.log.Infof("Syncing Secret: %s/%s", worker.namespace, key)
secret, err := worker.secr.Get(key)
secret, err := worker.vsecr.Get(key)
if err != nil {
if secret, err = worker.tsecr.Get(key); err != nil {
return err
}
}
if secret.Type == tlsSecretType {
return worker.enqueueIngsForTLSSecret(secret)
......
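Review bot: In syncSecret the fallback `if secret, err = worker.tsecr.Get(key); err != nil` runs on any error from the first lookup and discards that error; informer-backed listers realistically only return NotFound, but guarding with `errors.IsNotFound(err)` from `k8s.io/apimachinery/pkg/api/errors` makes the intent explicit and keeps an unexpected error from being masked. In updateCertSecret, `nsLister` is first bound to the TLS lister and then rebound to the labelled-Secret lister on the same variable, which is easy to misread; a separate name such as `certLister` for the second lookup would make clear that the two Secrets come from different caches. Both functions extend beyond the hunk lines shown.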
......@@ -270,7 +270,7 @@ func (worker *NamespaceWorker) syncSvc(key string) error {
worker.log.Infof("Found secret name %s/%s for Service %s/%s",
worker.namespace, secrName, svc.Namespace, svc.Name)
if secret, err := worker.secr.Get(secrName); err == nil {
if secret, err := worker.vsecr.Get(secrName); err == nil {
err = worker.setSecret(secret)
if err != nil {
return err
......
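Review bot: The lookup `if secret, err := worker.vsecr.Get(secrName); err == nil` silently skips the Secret on failure, and after this change failure also covers a Secret that exists but lacks the `app=varnish-ingress` label, so an operator who forgets the label gets no signal that their admin credentials were ignored. Keeping the best-effort behaviour but adding an `else` branch with `worker.log.Warnf("Secret %s/%s for Service %s/%s not found or not labelled app=varnish-ingress: %v", worker.namespace, secrName, svc.Namespace, svc.Name, err)` would surface that. syncSvc begins and ends outside the hunk.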
......@@ -74,7 +74,8 @@ type NamespaceWorker struct {
ing ext_listers.IngressNamespaceLister
svc core_v1_listers.ServiceNamespaceLister
endp core_v1_listers.EndpointsNamespaceLister
secr core_v1_listers.SecretNamespaceLister
tsecr core_v1_listers.SecretNamespaceLister
vsecr core_v1_listers.SecretNamespaceLister
vcfg vcr_listers.VarnishConfigNamespaceLister
bcfg vcr_listers.BackendConfigNamespaceLister
client kubernetes.Interface
......@@ -359,7 +360,8 @@ func (qs *NamespaceQueues) next() {
ing: qs.listers.ing.Ingresses(ns),
svc: qs.listers.svc.Services(ns),
endp: qs.listers.endp.Endpoints(ns),
secr: qs.listers.secr.Secrets(ns),
vsecr: qs.listers.vsecr.Secrets(ns),
tsecr: qs.listers.tsecr.Secrets(ns),
vcfg: qs.listers.vcfg.VarnishConfigs(ns),
bcfg: qs.listers.bcfg.BackendConfigs(ns),
client: qs.client,
......
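Review bot: The new `tsecr` and `vsecr` fields on NamespaceWorker carry no comment, and the names alone do not say which Secrets each lister sees; suggested field comments are `// tsecr: Secrets of type kubernetes.io/tls, as named in Ingress specs` and `// vsecr: Secrets labelled app=varnish-ingress (admin credentials, auth, haproxy PEM)`. The initializer in next() also lists them as vsecr then tsecr while the struct declares tsecr then vsecr; matching the order is a small readability gain. Both the struct and next() extend outside the hunks shown.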