Don't prematurely abort add/update Ingress on admin Secret errors.

We try to set the admin Secret prior to the update operation, but
Incomplete or Recoverable errors setting the Secret may be resolved
by the full update. So only fail the update on Fatal errors.

Encapsulate setting the admin Secret for a viking Service in a
common function.

pkg/controller/ingress.go

@@ -1284,6 +1284,20 @@ func (worker *NamespaceWorker) addOrUpdateIng(
 		}
 	}
 
+	secret, err := worker.setAdmSecretForSvc(svc)
+	if err != nil {
+		return IncompleteIfNotFound(err, "%v", err)
+	}
+	secretKey := secret.Namespace + "/" + secret.Name
+	status = worker.vController.UpdateSvcForSecret(svcKey, secretKey)
+	if status.Type == update.Fatal {
+		// Only abort on fatal errors.
+		// Recoverable or Incomplete status may be
+		// resolved by the upcoming update.
+		return status
+	}
+	worker.hController.SetOffldSecret(svcKey, secretKey)
+
 	ingsMeta := make(map[string]varnish.Meta)
 	for _, ing := range ings {
 		metaDatum := varnish.Meta{

pkg/controller/service.go

@@ -29,6 +29,7 @@
 package controller
 
 import (
+	"fmt"
 	"reflect"
 
 	"code.uplex.de/uplex-varnish/k8s-ingress/pkg/haproxy"
@@ -256,6 +257,34 @@ func (worker *NamespaceWorker) svc2Addrs(
 	return
 }
 
+func (worker *NamespaceWorker) setAdmSecretForSvc(
+	svc *api_v1.Service,
+) (*api_v1.Secret, error) {
+	worker.log.Tracef("Searching annotations for the secret for %s/%s",
+		svc.Namespace, svc.Name)
+	secrName, ok := svc.Annotations[vikingAdmSecretKey]
+	if !ok {
+		return nil, fmt.Errorf(
+			"Service %s/%s: missing required annotation %s",
+			svc.Namespace, svc.Name, vikingAdmSecretKey)
+	}
+	worker.log.Infof("Found secret name %s for Service %s/%s", secrName,
+		svc.Namespace, svc.Name)
+
+	nsLister := worker.listers.vsecr.Secrets(svc.Namespace)
+	secret, err := nsLister.Get(secrName)
+	if err == nil {
+		err = worker.setSecret(secret)
+		if err != nil {
+			return nil, err
+		}
+		return secret, nil
+	}
+	worker.log.Warnf("Cannot get Secret %s/%s: %v", svc.Namespace, secrName,
+		err)
+	return nil, err
+}
+
 func (worker *NamespaceWorker) syncSvc(key string) update.Status {
 	worker.log.Infof("Syncing Service: %s/%s", worker.namespace, key)
 	svc, err := worker.svc.Get(key)
@@ -365,24 +394,9 @@ func (worker *NamespaceWorker) syncSvc(key string) update.Status {
 		return status
 	}
 
-	worker.log.Tracef("Searching annotations for the secret for %s/%s",
-		svc.Namespace, svc.Name)
-	secrName, ok := svc.Annotations[vikingAdmSecretKey]
-	if !ok {
-		return update.MakeFatal(
-			"Service %s/%s: missing required annotation %s",
-			svc.Namespace, svc.Name, vikingAdmSecretKey)
-	}
-	worker.log.Infof("Found secret name %s for Service %s/%s", secrName,
-		svc.Namespace, svc.Name)
-
-	if secret, err := worker.vsecr.Get(secrName); err == nil {
-		err = worker.setSecret(secret)
-		if err != nil {
-			return update.MakeIncomplete("%v", err)
-		}
-	} else {
-		worker.log.Warnf("Cannot get Secret %s: %v", secrName, err)
+	secret, err := worker.setAdmSecretForSvc(svc)
+	if err != nil {
+		return IncompleteIfNotFound(err, "%v", err)
 	}
 
 	if len(offldAddrs) > 0 {
@@ -390,7 +404,7 @@ func (worker *NamespaceWorker) syncSvc(key string) update.Status {
 			"%+v", svc.Namespace, svc.Name, offldAddrs)
 		status := worker.hController.AddOrUpdateOffloader(
 			svc.Namespace+"/"+svc.Name, offldAddrs,
-			svc.Namespace+"/"+secrName)
+			svc.Namespace+"/"+secret.Name)
 		if status.IsError() {
 			return status
 		}
@@ -399,7 +413,7 @@ func (worker *NamespaceWorker) syncSvc(key string) update.Status {
 		svc.Name, addrs)
 	return worker.vController.AddOrUpdateVarnishSvc(
 		svc.Namespace+"/"+svc.Name, addrs,
-		svc.Namespace+"/"+secrName, !updateVCL)
+		svc.Namespace+"/"+secret.Name, !updateVCL)
 }
 
 func (worker *NamespaceWorker) addSvc(key string) update.Status {