Bugfix: update TLS offload certificate when its Secret contents change.

pkg/controller/ingress.go

@@ -1257,6 +1257,15 @@ func (worker *NamespaceWorker) addOrUpdateIng(
 	}
 
 	if len(offldrSpec.Secrets) != 0 || len(onlds) != 0 {
+		for sidx, tlsSecr := range offldrSpec.Secrets {
+			var s *api_v1.Secret
+			if s, err = worker.tsecr.Get(tlsSecr.Name); err != nil {
+				return IncompleteIfNotFound(err, "%v", err)
+			}
+			offldrSpec.Secrets[sidx].UID = string(s.UID)
+			offldrSpec.Secrets[sidx].ResourceVersion =
+				s.ResourceVersion
+		}
 		if status := worker.hController.Update(svcKey, offldAddrs,
 			offldrSpec); status.IsError() {
 			return status

test/e2e.sh

@@ -166,6 +166,10 @@ echo Ignore deletion of TLS Secrets for non-viking Ingresses
 cd ${MYPATH}/e2e/deleteTLSsecret
 make deploy verify undeploy
 
+echo Update TLS Secrets when their contents are changed
+cd ${MYPATH}/e2e/updateTLSsecret
+make deploy verify undeploy
+
 echo Examples for devmode and the TemplateConfig CRD
 cd ${MYPATH}/e2e/tmplcfg
 make deploy verify undeploy

test/e2e/updateTLSsecret/Makefile

+../../../examples/tls/hello/Makefile
\ No newline at end of file

test/e2e/updateTLSsecret/cafe.vtc

+../../../examples/tls/hello/cafe.vtc
\ No newline at end of file

test/e2e/updateTLSsecret/clinic.crt

+-----BEGIN CERTIFICATE-----
+MIIFzTCCA7WgAwIBAgIUPfywhjnYtoJK7bLu3XKiOYOv1lYwDQYJKoZIhvcNAQEL
+BQAwdjELMAkGA1UEBhMCREUxEDAOBgNVBAgMB0hhbWJ1cmcxEDAOBgNVBAcMB0hh
+bWJ1cmcxGDAWBgNVBAoMD0FyZ3VtZW50IENsaW5pYzEOMAwGA1UECwwFQWJ1c2Ux
+GTAXBgNVBAMMEGNhZmUuZXhhbXBsZS5jb20wHhcNMjIwNjA5MTAxNDUyWhcNMzIw
+NjA2MTAxNDUyWjB2MQswCQYDVQQGEwJERTEQMA4GA1UECAwHSGFtYnVyZzEQMA4G
+A1UEBwwHSGFtYnVyZzEYMBYGA1UECgwPQXJndW1lbnQgQ2xpbmljMQ4wDAYDVQQL
+DAVBYnVzZTEZMBcGA1UEAwwQY2FmZS5leGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBALCmXrWrUsjXAd1lcpYIsqIbwvleXgMvS32VY5Rq
+VTMx/S8ZdpAzXiVvuMxZaT8G3YT0RN4KyrOrjeaP8E7VbShNBNYTrWVqo2lkiPak
+TbY5ZPdSQNd5G/Na76jQZ4cMqQihhdvmndc35ACTJTUpQCQm9Nw0SqJ/BhBWp6rd
+f196qavkP/7h+a0/0dyzjJ6e98+mYrRxZ6VqDhniz2Cm/fywkDB8nuFE9TxBGxKG
+vzgBfT80t2foZSACmfTvsnus+X3v0Hq0eFGich2Lr3afNkKNC8AebrqeK+1YNdHZ
+D2Kayztrhu9SXR0CEqkqgB/diYwtVS2REAwyfnNX999XKwjX+agGF5eqcb61cAT2
+cHhsA4ak3UD4E/8VvhKeq0z2Es8ROlfRjz45G+cAH0c7Pkba0Vx9jfAP9inlDtDt
+vgG0HF5IV8BstV4qfnH4LT/xYcXFVxj5DazN8bu70nQ962ToM2tiNKPuRVXc/Mju
+SYJyYsPiD3S7s9xzvBj4mgwljAsG//T6H0DueX/Lapu5HHyxYtRrBKukTC0qxdKz
+JRl0TkeQLNaGU+/q9qtb1JheuziTozraF/6QAVFIU3eDByZ3yHfnCDJLGLf7RzvR
+c2JWScDLr8HB/HWGEOjcXm17d/fqd7o6HS4TAV0FFq6q7OPWjemN5xacD8r6jDRc
+mIvdAgMBAAGjUzBRMB0GA1UdDgQWBBQKW0Q01k6NllDuTd1pFAjLfVxBjzAfBgNV
+HSMEGDAWgBQKW0Q01k6NllDuTd1pFAjLfVxBjzAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4ICAQCkPRs0lvexoV2lOB8huAsX0gSZOz/hkVJkimv8ugWy
+XEJW9I5ayuBA4UN0qkUbb2QKyBIfrZqqFRHt4s387eD3xk+f4Qyq20/PTM8rrAtC
+UjCIAC/jDVLiqNwOVHn8s/LsOGP2dEIpRMhGzBHZpfmKJFGbuDK2+Zq9CG+3Z49O
+PTtGqUNbDhM8w6k6wDVFGmEd1LqUJDTYgkdDc9p11JpgqzRUOzUfl5diFazvymrs
+gFCjRIGY3ypaDjYaBfCBmA1cSXXRX9oo7LD9Xc5Wm9gcx6B9X4L5ov96jKumx7om
+MPr+E3QlpkBt72KWSB+G6REvBy9dA0UdS3wNllfCKHF+J0kIphq8TCWGd0Dj3Fks
+Ka2sd4hcmXenu4J0q9nRtgElm02vW7SV10YYxFxRPp+wgZqkGxhhDLMTkTAcqZpb
+se6q6Y/8nTyu8n0QHXIrS4uxARyOrwxDY7vwaFAkzrl50ivvvtrTTl74p5yaRvhH
+WmnjOrNZyR/DRC82GmzVkDZhiYZvlxjHVX4EmthGbMny8Hl9B9IHtsjDRPg3IuEy
+Yb+XObMGSj7jUxxgQdpLcwaKg1uRBaoRYpDk7komjov2Wf3x4jkWmHn6nel+xJpI
+3oSdHuVbVHGtXQxcXOTqra3IgNe8QCWCtvntW8agkfb8VujFcQf+XsLkIPSzHwdt
+6g==
+-----END CERTIFICATE-----

test/e2e/updateTLSsecret/clinic.key

+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCwpl61q1LI1wHd
+ZXKWCLKiG8L5Xl4DL0t9lWOUalUzMf0vGXaQM14lb7jMWWk/Bt2E9ETeCsqzq43m
+j/BO1W0oTQTWE61laqNpZIj2pE22OWT3UkDXeRvzWu+o0GeHDKkIoYXb5p3XN+QA
+kyU1KUAkJvTcNEqifwYQVqeq3X9feqmr5D/+4fmtP9Hcs4yenvfPpmK0cWelag4Z
+4s9gpv38sJAwfJ7hRPU8QRsShr84AX0/NLdn6GUgApn077J7rPl979B6tHhRonId
+i692nzZCjQvAHm66nivtWDXR2Q9imss7a4bvUl0dAhKpKoAf3YmMLVUtkRAMMn5z
+V/ffVysI1/moBheXqnG+tXAE9nB4bAOGpN1A+BP/Fb4SnqtM9hLPETpX0Y8+ORvn
+AB9HOz5G2tFcfY3wD/Yp5Q7Q7b4BtBxeSFfAbLVeKn5x+C0/8WHFxVcY+Q2szfG7
+u9J0Petk6DNrYjSj7kVV3PzI7kmCcmLD4g90u7Pcc7wY+JoMJYwLBv/0+h9A7nl/
+y2qbuRx8sWLUawSrpEwtKsXSsyUZdE5HkCzWhlPv6varW9SYXrs4k6M62hf+kAFR
+SFN3gwcmd8h35wgySxi3+0c70XNiVknAy6/Bwfx1hhDo3F5te3f36ne6Oh0uEwFd
+BRauquzj1o3pjecWnA/K+ow0XJiL3QIDAQABAoICAQCXl951BrY/VovqI/IGoSYz
+CaHzgDEriH2/IuFW7z14drCwp6hgrURg2hR7gUtZZBnbzAgBiL9VGqbmsqVl8bAA
+QsAgurg17SKZAkaramqqM2za9YJhpzP+Tg6XD2mYspuopXyLLshLdlI60AvBKEo7
+/BZrlpBqDJn2kXbHodd553kN4w2sPN6X98mwHYFSald9omrYMO3iPTYmrsaKSiRy
+ok7K3Vc3OIc/kxuZdXtJo7WI9UNjb0LBCpp2YPEJQ3LDyXZeptsOK1rE0ifco1rc
+F9B6qWMa0TwfLXDaSezzEKXRs0ATxtnTWAENnURglCxC2HBdbzyXSwnLEDXOOy7Y
+tgAoCFq1VDjmHa3Y2HK5g4ne7Y+UsioPgN9IlLf+itBC4sRQtb1zRGwPPpZfq8y9
+xia4I+CfCnbaYfe1ys+h2z6anQYhV/hxZYWZjVzqoiWy8mPiR42SRRlhHXSXqrtr
+KXXdvYs8ebIKkjslZIC0TYLDsoRfoN+rw0ckA/1SL04YDQok8bNeGqSDPpE6grdO
+irQlbs/ABoUl1KykoOg+9CZpyx5ebrrShgjNvkXZxxjrvUYHOg2cyBrOch8/JXV/
+v22AL73itZ8YWdWbKesGekgu4vFVvv4YHTu8ntFsryGWz83OPMesvpFvXTIK/3sj
+S8L5Ppfsmxy/w9tXmSDJwQKCAQEA18QknjkaYMesJB+mXG5r3aegMsdcUYsBCmAP
+FfhXNJ11OGhAFjlhQhUmz3vE9eLZt6p+gLZW+T4qrHniS7c1/XHTKSgEJyi6zAhB
+D4QXtciXFfHLRPErk+w/QYOC32LTvx/WkMmf2M33HIo0sXaN+6x7LUjN6ABBTwdS
+q9htgyeLcxvbSGD3xUoSiOPhXPDMpfcEGwQ1zBjSGkLp7fMKLwtz6M1iOS82YfZZ
+4FiIGIvkquZaPj+ntu5bW9IcxiXEhUOKG+DGpx96OTB0pb66+HJpL+sF1IDFhQAu
+IXKHW0TiCnyLVIaSg7DC+E2emCfA94qp9mzJZ4A59F4gDAiu0QKCAQEA0Zb2psSB
+IBGPxb8rA6YoHJoqzsk1CFnIPfGWQN9691W55Ss9AaybhhNWjXF/I3LXyZLtLdIw
+15XQNwnME9kQn9iBBwyaSFqxls8VZc6RmTbr33IZqjm1z51bfchip2rI6p7d34m2
+pfUgi4nMuRRoHtRSFhI7+wKJXTe5otIrWy2CsMfY4HdtndPwnKe0qCaaIvXLAoKs
+8FMW7J0H6CwlvuhDfXVzacz5JdQuHBNLLNnH/5R6PyN0VzGZ4s+vkmB/D61dWCpD
+aLf4+JjybKoDqtigBMBIp8gUnv8kSzzCk/ObEthdsQ5RkrgD6xYWj9X1+OXUcFcb
+GTde4NmRXYBHTQKCAQEAuPDIqk4ry/SaGkR+pg+HqW/6oku7V7Gb7La1d5Frvg+Q
+4A6LkAES2j+jCoj+I/yTvRgIYm7oUa71iOzYCSo6vsiHxGkmViJVKnmQuqnwYMJU
+rlyYbLmDLsF63r7IuIzPDq1NjsEjoAO64d2cmNgTjzsiQYh75XYChKi0NdPG2npU
+zw97f6iN968r/+XDz5Qe9cqq3DVZn11PCW99b5W4juZ0LYGNxZIwPPuZwfBghxmx
+oMLdaynIqcXYzPVl8HmC3u8rPAYIgEs8yjQ8Z6z6OeZnPslmL+VIaF3lLIosdxCt
+52slSggnIXWrSIXPgH/iqMtUL4LDh1GjW1Aqi+YNYQKCAQEAnZBla2gtPuOU92/J
+MZwXabFI316KXPXKQS8+6xRXSFwNPcjsuzZ9USV2my0pDIhIy4SGhD0RdPFusAHQ
+h1dXVSQZlCgYUK7F9X9HMdtCwDF2z+vieYObODKvVndwGzZ/R0sZt/S6+Da5Oc3l
+t3os8IhkEa2xo/n7NLYw+8QOziP/rVEArXd7U/zCVbMKcKNcm023SfLdemqswEMp
+b5TI56WLH2VN18s9vv+tjnO+v0AWSADiilboHqjubIIAFwYuX6XQl/hl5vLv3Ex3
+a9PAoA7s9cVsmZ4kSoe7TEioazvnaBp7DSGbl7Z5U6GuYoHSwkReGfqSJ7nlvRoz
+W1yVvQKCAQB8Xt7h3bRAd6bfTrDnHEgI5nQszACJ46g0H6ciG5jwy7yb2XWknRRm
+LbrtbBBZKXcktC+/oX9WQe8WmQrpEf2+rZaBCWStyM/9WG4fu+8xgtvtlnzmmGJs
+6eEZ0qpni+zjGxc39sbwEwVFIkbujI2rgR4FZwVXPhsHOU1SaF597guo7QYjbodT
+xrmkE4rTZimpiIHIKADLb1dl8jwg/rKHx5Z07qzCV4SZybwuwY68LC9fuqu3KHzv
+dFQJ1AXd6Ti8m94Zq1XSabGgPvrPMSLRQ0CEkOBzZfK4SMqes0zvY5alXiME0Ql/
+rwKnyz/preCSl5JMW/yEabg4Wg5SCTKm
+-----END PRIVATE KEY-----

test/e2e/updateTLSsecret/values.yaml

+../../../examples/tls/hello/values.yaml
\ No newline at end of file

test/e2e/updateTLSsecret/verify.sh

+#! /bin/bash -ex
+
+MYDIR=$(dirname ${BASH_SOURCE[0]})
+source ${MYDIR}/../../utils.sh
+
+LOCALPORT=${LOCALPORT:-4443}
+
+# Initially the same test as in examples/tls/hello
+
+wait_until_ready app=varnish-ingress
+
+wait_until_configured app=varnish-ingress default 600
+
+kubectl port-forward svc/varnish-ingress ${LOCALPORT}:443 >/dev/null &
+ret=$?
+if [ $ret -ne 0 ]; then
+    exit $ret
+fi
+trap 'kill $(jobs -p)' EXIT
+
+wait_for_port ${LOCALPORT}
+set +e
+
+sleep 1
+varnishtest ${TESTOPTS} -Dlocalport=${LOCALPORT} cafe.vtc
+ret=$?
+if [ $ret -eq 77 ]; then
+    exit 0
+elif [ $ret -ne 0 ]; then
+    exit $ret
+fi
+
+# Verify the TLS cert
+
+CONNECT=cafe.example.com:443:localhost:4443
+URI=https://cafe.example.com/coffee/foo/bar
+curl --stderr - -s --connect-to ${CONNECT} -v -k ${URI} | grep -E 'issuer:.+CN=cafe.example.com'
+curl --stderr - -s --connect-to ${CONNECT} -v -k ${URI} | grep -E 'issuer:.+O=Green Midget Cafe'
+
+# Change the TLS key
+kubectl create secret tls cafe-tls-secret --save-config --dry-run=client --key=./clinic.key --cert=./clinic.crt -o yaml | kubectl apply -f -
+
+# Wait for the Secret and Ingress config to update
+set +e
+N=0
+while true; do
+    sleep 1
+    kubectl get event --sort-by=.lastTimestamp --field-selector involvedObject.name=cafe-tls-secret | tail -1 | grep -q -E 'SyncSuccess.+update default/cafe-tls-secret.+requeued Ingress'
+    if [ $? -eq 0 ]; then
+        break
+    fi
+    if [ $N -ge 120 ]; then
+        echo "Timed out waiting for Secret to update"
+        exit 1
+    fi
+    N=$(( N + 1))
+done
+
+sleep 10
+
+N=0
+while true; do
+    sleep 1
+    kubectl get event --sort-by=.lastTimestamp --field-selector involvedObject.name=cafe-ingress | tail -1 | grep -q -E 'SyncSuccess.+update default/cafe-ingress'
+    if [ $? -eq 0 ]; then
+        break
+    fi
+    if [ $N -ge 120 ]; then
+        echo "Timed out waiting for Ingress to update"
+        exit 1
+    fi
+    N=$(( N + 1))
+done
+set -e
+
+# Test again
+sleep 1
+varnishtest ${TESTOPTS} -Dlocalport=${LOCALPORT} cafe.vtc
+ret=$?
+if [ $ret -eq 77 ]; then
+    exit 0
+elif [ $ret -ne 0 ]; then
+    exit $ret
+fi
+
+# Verify that the new TLS cert is being used
+
+CONNECT=cafe.example.com:443:localhost:4443
+URI=https://cafe.example.com/coffee/foo/bar
+curl --stderr - -s --connect-to ${CONNECT} -v -k ${URI} | grep -E 'issuer:.+CN=cafe.example.com'
+curl --stderr - -s --connect-to ${CONNECT} -v -k ${URI} | grep -E 'issuer:.+O=Argument Clinic'
+curl --stderr - -s --connect-to ${CONNECT} -v -k ${URI} | grep -E 'issuer:.+OU=Abuse'
+
+exit 0