Update offloader endpoints when an Ingress is updated.

The Ingress update may have followed an update for Endpoints.

pkg/controller/ingress.go

@@ -1010,10 +1010,18 @@ func (worker *NamespaceWorker) addOrUpdateIng(ing *extensions.Ingress) error {
 			}
 		}
 	}
+
+	_, offldAddrs, err := worker.svc2Addrs(svc)
+	if err != nil {
+		return err
+	}
+
 	if len(offldrSpec.Secrets) == 0 {
 		worker.log.Infof("Service %s: no TLS certificates specified",
 			svcKey)
-	} else if err = worker.hController.Update(svcKey, offldrSpec); err != nil {
+	} else if err = worker.hController.Update(svcKey, offldAddrs,
+		offldrSpec); err != nil {
+
 		return err
 	}
 

pkg/controller/service.go

@@ -174,10 +174,57 @@ func epAddrs2OffldAddrs(
 	return offldAddrs
 }
 
-func (worker *NamespaceWorker) syncSvc(key string) error {
-	var addrs []vcl.Address
-	var offldAddrs []haproxy.OffldAddr
+func (worker *NamespaceWorker) svc2Addrs(
+	svc *api_v1.Service,
+) (vaddrs []vcl.Address, offldAddrs []haproxy.OffldAddr, err error) {
+	endps, err := worker.getServiceEndpoints(svc)
+	if err != nil {
+		return
+	}
+	worker.log.Tracef("Varnish service %s/%s endpoints: %+v", svc.Namespace,
+		svc.Name, endps)
+	if endps == nil {
+		return vaddrs, offldAddrs, fmt.Errorf("could not find "+
+			"endpoints for service: %s/%s", svc.Namespace, svc.Name)
+	}
+
+	// XXX hard-wired Port names
+	for _, subset := range endps.Subsets {
+		admPort, dplanePort, faccessPort := int32(0), int32(0), int32(0)
+		hasTLS := false
+		for _, port := range subset.Ports {
+			switch port.Name {
+			case admPortName:
+				admPort = port.Port
+			case dplanePortName:
+				hasTLS = true
+				dplanePort = port.Port
+			case faccessPortName:
+				hasTLS = true
+				faccessPort = port.Port
+			}
+		}
+		if admPort == 0 {
+			return vaddrs, offldAddrs,
+				fmt.Errorf("No Varnish admin port %s found "+
+					"for Service %s/%s endpoint",
+					admPortName, svc.Namespace, svc.Name)
+		}
+		vaddrs = epAddrs2VCLAddrs(subset.Addresses, vaddrs, admPort)
+		vaddrs = epAddrs2VCLAddrs(subset.NotReadyAddresses, vaddrs,
+			admPort)
+		if hasTLS {
+			offldAddrs = epAddrs2OffldAddrs(subset.Addresses,
+				offldAddrs, dplanePort, faccessPort)
+			offldAddrs = epAddrs2OffldAddrs(
+				subset.NotReadyAddresses, offldAddrs,
+				dplanePort, faccessPort)
+		}
+	}
+	return
+}
 
+func (worker *NamespaceWorker) syncSvc(key string) error {
 	worker.log.Infof("Syncing Service: %s/%s", worker.namespace, key)
 	svc, err := worker.svc.Get(key)
 	if err != nil {
@@ -233,20 +280,11 @@ func (worker *NamespaceWorker) syncSvc(key string) error {
 			"service %s/%s", svc.Namespace, svc.Name)
 	}
 
-	endps, err := worker.getServiceEndpoints(svc)
+	addrs, offldAddrs, err := worker.svc2Addrs(svc)
 	if err != nil {
 		return err
 	}
-	worker.log.Tracef("Varnish service %s/%s endpoints: %+v", svc.Namespace,
-		svc.Name, endps)
-	if endps == nil {
-		return fmt.Errorf("could not find endpoints for service: %s/%s",
-			svc.Namespace, svc.Name)
-	}
 
-	// Get the secret name and admin port for the service. We have
-	// to retrieve a Pod spec for the service, then look for the
-	// SecretVolumeSource, and the port matching admPortName.
 	secrName := ""
 	worker.log.Tracef("Searching Pods for the secret for %s/%s",
 		svc.Namespace, svc.Name)
@@ -284,38 +322,6 @@ func (worker *NamespaceWorker) syncSvc(key string) error {
 			svc.Namespace, svc.Name)
 	}
 
-	// XXX hard-wired Port names
-	for _, subset := range endps.Subsets {
-		admPort, dplanePort, faccessPort := int32(0), int32(0), int32(0)
-		hasTLS := false
-		for _, port := range subset.Ports {
-			switch port.Name {
-			case admPortName:
-				admPort = port.Port
-			case dplanePortName:
-				hasTLS = true
-				dplanePort = port.Port
-			case faccessPortName:
-				hasTLS = true
-				faccessPort = port.Port
-			}
-		}
-		if admPort == 0 {
-			return fmt.Errorf("No Varnish admin port %s found for "+
-				"Service %s/%s endpoint", admPortName,
-				svc.Namespace, svc.Name)
-		}
-		addrs = epAddrs2VCLAddrs(subset.Addresses, addrs, admPort)
-		addrs = epAddrs2VCLAddrs(subset.NotReadyAddresses, addrs,
-			admPort)
-		if hasTLS {
-			offldAddrs = epAddrs2OffldAddrs(subset.Addresses,
-				offldAddrs, dplanePort, faccessPort)
-			offldAddrs = epAddrs2OffldAddrs(
-				subset.NotReadyAddresses, offldAddrs,
-				dplanePort, faccessPort)
-		}
-	}
 	if len(offldAddrs) > 0 {
 		worker.log.Tracef("Varnish service %s/%s offloader addresses: "+
 			"%+v", svc.Namespace, svc.Name, offldAddrs)

pkg/haproxy/haproxy.go

@@ -715,10 +715,10 @@ func (hc *Controller) DeleteOffldSvc(svcKey string) error {
 
 // Update the TLS offloader designated by svcKey to the configuration
 // given by spec.
-func (hc *Controller) Update(svcKey string, spec Spec) error {
+func (hc *Controller) Update(svcKey string, addrs []OffldAddr, spec Spec) error {
 	svc, exists := hc.svcs[svcKey]
 	if !exists {
-		svc = &offldrSvc{instances: make([]*haproxyInst, 0)}
+		svc = &offldrSvc{instances: make([]*haproxyInst, len(addrs))}
 		hc.svcs[svcKey] = svc
 		// svcsGauge.Inc()
 		hc.log.Infof("Added offloader service definition %s", svcKey)
@@ -728,7 +728,11 @@ func (hc *Controller) Update(svcKey string, spec Spec) error {
 		return fmt.Errorf("Currently no known offloader endpoints for "+
 			"Service %s", svcKey)
 	}
-	return hc.updateOffldSvc(svcKey)
+	passwdPtr := hc.secrets[svc.secrName]
+	for _, inst := range svc.instances {
+		inst.dplanePasswd = passwdPtr
+	}
+	return hc.updateOffldrAddrs(svcKey, addrs, passwdPtr)
 }
 
 // SetDataplaneSecret stores the secret to be used as the Basic Auth