Merge branch 'main' into add-events-to-special-secrets

Signed-off-by: Paul Abel <[email protected]>
nginx · Nov 28, 2024 · 1c2b044 · 1c2b044
2 parents c60d1ca + 5b5e052
commit 1c2b044
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 19 deletions.
diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go
@@ -160,6 +160,9 @@ func main() {
 	if err != nil {
 		logEventAndExit(ctx, eventRecorder, pod, secretErrorReason, err)
 	}
+
+	staticSSLPath := nginxManager.GetSecretsDir()
+
 	globalConfigurationValidator := createGlobalConfigurationValidator()
 
 	mustProcessGlobalConfiguration(ctx)
@@ -191,7 +194,7 @@ func main() {
 		EnableCertManager:              *enableCertManager,
 		DynamicSSLReload:               *enableDynamicSSLReload,
 		DynamicWeightChangesReload:     *enableDynamicWeightChangesReload,
-		StaticSSLPath:                  nginxManager.GetSecretsDir(),
+		StaticSSLPath:                  staticSSLPath,
 		NginxVersion:                   nginxVersion,
 		AppProtectBundlePath:           appProtectBundlePath,
 	}
@@ -577,7 +580,7 @@ func processDefaultServerSecret(kubeClient *kubernetes.Clientset, nginxManager n
 	var sslRejectHandshake bool
 
 	if *defaultServerSecret != "" {
-		secret, err := getAndValidateSecret(kubeClient, *defaultServerSecret)
+		secret, err := getAndValidateSecret(kubeClient, *defaultServerSecret, api_v1.SecretTypeTLS)
 		if err != nil {
 			return sslRejectHandshake, fmt.Errorf("error trying to get the default server TLS secret %v: %w", *defaultServerSecret, err)
 		}
@@ -601,7 +604,7 @@ func processDefaultServerSecret(kubeClient *kubernetes.Clientset, nginxManager n
 func processWildcardSecret(kubeClient *kubernetes.Clientset, nginxManager nginx.Manager) (bool, error) {
 	isWildcardEnabled := *wildcardTLSSecret != ""
 	if isWildcardEnabled {
-		secret, err := getAndValidateSecret(kubeClient, *wildcardTLSSecret)
+		secret, err := getAndValidateSecret(kubeClient, *wildcardTLSSecret, api_v1.SecretTypeTLS)
 		if err != nil {
 			return false, fmt.Errorf("error trying to get the wildcard TLS secret %v: %w", *wildcardTLSSecret, err)
 		}
@@ -671,7 +674,8 @@ func getSocketClient(sockPath string) *http.Client {
 }
 
 // getAndValidateSecret gets and validates a secret.
-func getAndValidateSecret(kubeClient *kubernetes.Clientset, secretNsName string) (secret *api_v1.Secret, err error) {
+// nolint:unparam
+func getAndValidateSecret(kubeClient *kubernetes.Clientset, secretNsName string, secretType api_v1.SecretType) (secret *api_v1.Secret, err error) {
 	ns, name, err := k8s.ParseNamespaceName(secretNsName)
 	if err != nil {
 		return nil, fmt.Errorf("could not parse the %v argument: %w", secretNsName, err)
@@ -680,9 +684,12 @@ func getAndValidateSecret(kubeClient *kubernetes.Clientset, secretNsName string)
 	if err != nil {
 		return nil, fmt.Errorf("could not get %v: %w", secretNsName, err)
 	}
-	err = secrets.ValidateTLSSecret(secret)
-	if err != nil {
-		return nil, fmt.Errorf("%v is invalid: %w", secretNsName, err)
+	switch secretType {
+	case api_v1.SecretTypeTLS:
+		err = secrets.ValidateTLSSecret(secret)
+		if err != nil {
+			return nil, fmt.Errorf("%v is invalid: %w", secretNsName, err)
+		}
 	}
 	return secret, nil
 }
@@ -789,7 +796,7 @@ func createPlusAndLatencyCollectors(
 	syslogListener = metrics.NewSyslogFakeServer()
 
 	if *prometheusTLSSecretName != "" {
-		prometheusSecret, err = getAndValidateSecret(kubeClient, *prometheusTLSSecretName)
+		prometheusSecret, err = getAndValidateSecret(kubeClient, *prometheusTLSSecretName, api_v1.SecretTypeTLS)
 		if err != nil {
 			nl.Fatalf(l, "Error trying to get the prometheus TLS secret %v: %v", *prometheusTLSSecretName, err)
 		}
@@ -841,7 +848,7 @@ func createHealthProbeEndpoint(kubeClient *kubernetes.Clientset, plusClient *cli
 	var err error
 
 	if *serviceInsightTLSSecretName != "" {
-		serviceInsightSecret, err = getAndValidateSecret(kubeClient, *serviceInsightTLSSecretName)
+		serviceInsightSecret, err = getAndValidateSecret(kubeClient, *serviceInsightTLSSecretName, api_v1.SecretTypeTLS)
 		if err != nil {
 			nl.Fatalf(l, "Error trying to get the service insight TLS secret %v: %v", *serviceInsightTLSSecretName, err)
 		}

diff --git a/internal/configs/version1/template_test.go b/internal/configs/version1/template_test.go
@@ -12,6 +12,8 @@ import (
 	"github.com/nginxinc/kubernetes-ingress/internal/nginx"
 )
 
+var fakeManager = nginx.NewFakeManager("/etc/nginx")
+
 func TestMain(m *testing.M) {
 	v := m.Run()
 
@@ -2017,6 +2019,7 @@ var (
 	}
 
 	mainCfg = MainConfig{
+		StaticSSLPath:                      fakeManager.GetSecretsDir(),
 		DefaultHTTPListenerPort:            80,
 		DefaultHTTPSListenerPort:           443,
 		ServerNamesHashMaxSize:             "512",
@@ -2061,6 +2064,7 @@ var (
 	}
 
 	mainCfgR31 = MainConfig{
+		StaticSSLPath:            fakeManager.GetSecretsDir(),
 		DefaultHTTPListenerPort:  80,
 		DefaultHTTPSListenerPort: 443,
 		ServerNamesHashMaxSize:   "512",
@@ -2090,6 +2094,7 @@ var (
 	}
 
 	mainCfgHTTP2On = MainConfig{
+		StaticSSLPath:                      fakeManager.GetSecretsDir(),
 		DefaultHTTPListenerPort:            80,
 		DefaultHTTPSListenerPort:           443,
 		HTTP2:                              true,
@@ -2130,6 +2135,7 @@ var (
 	}
 
 	mainCfgCustomTLSPassthroughPort = MainConfig{
+		StaticSSLPath:           fakeManager.GetSecretsDir(),
 		ServerNamesHashMaxSize:  "512",
 		ServerTokens:            "off",
 		WorkerProcesses:         "auto",
@@ -2157,6 +2163,7 @@ var (
 	}
 
 	mainCfgWithoutTLSPassthrough = MainConfig{
+		StaticSSLPath:           fakeManager.GetSecretsDir(),
 		ServerNamesHashMaxSize:  "512",
 		ServerTokens:            "off",
 		WorkerProcesses:         "auto",
@@ -2184,6 +2191,7 @@ var (
 	}
 
 	mainCfgDefaultTLSPassthroughPort = MainConfig{
+		StaticSSLPath:           fakeManager.GetSecretsDir(),
 		ServerNamesHashMaxSize:  "512",
 		ServerTokens:            "off",
 		WorkerProcesses:         "auto",
@@ -2211,6 +2219,7 @@ var (
 	}
 
 	mainCfgCustomDefaultHTTPAndHTTPSListenerPorts = MainConfig{
+		StaticSSLPath:            fakeManager.GetSecretsDir(),
 		DefaultHTTPListenerPort:  8083,
 		DefaultHTTPSListenerPort: 8443,
 		ServerNamesHashMaxSize:   "512",
@@ -2238,6 +2247,7 @@ var (
 	}
 
 	mainCfgCustomDefaultHTTPListenerPort = MainConfig{
+		StaticSSLPath:            fakeManager.GetSecretsDir(),
 		DefaultHTTPListenerPort:  8083,
 		DefaultHTTPSListenerPort: 443,
 		ServerNamesHashMaxSize:   "512",
@@ -2265,6 +2275,7 @@ var (
 	}
 
 	mainCfgCustomDefaultHTTPSListenerPort = MainConfig{
+		StaticSSLPath:            fakeManager.GetSecretsDir(),
 		DefaultHTTPListenerPort:  80,
 		DefaultHTTPSListenerPort: 8443,
 		ServerNamesHashMaxSize:   "512",

diff --git a/internal/k8s/configmap.go b/internal/k8s/configmap.go
@@ -50,9 +50,8 @@ func createConfigMapHandlers(lbc *LoadBalancerController, name string) cache.Res
 	}
 }
 
-// addConfigMapHandler adds the handler for config maps to the controller
-func (lbc *LoadBalancerController) addConfigMapHandler(handlers cache.ResourceEventHandlerFuncs, namespace string) {
-	options := cache.InformerOptions{
+func (lbc *LoadBalancerController) getConfigMapHandlerOptions(handlers cache.ResourceEventHandlerFuncs, namespace string) cache.InformerOptions {
+	return cache.InformerOptions{
 		ListerWatcher: cache.NewListWatchFromClient(
 			lbc.client.CoreV1().RESTClient(),
 			"configmaps",
@@ -62,6 +61,12 @@ func (lbc *LoadBalancerController) addConfigMapHandler(handlers cache.ResourceEv
 		ResyncPeriod: lbc.resync,
 		Handler:      handlers,
 	}
+}
+
+// addConfigMapHandler adds the handler for config maps to the controller
+func (lbc *LoadBalancerController) addConfigMapHandler(handlers cache.ResourceEventHandlerFuncs, namespace string) {
+	options := lbc.getConfigMapHandlerOptions(handlers, namespace)
+
 	lbc.configMapLister.Store, lbc.configMapController = cache.NewInformerWithOptions(options)
 	lbc.cacheSyncs = append(lbc.cacheSyncs, lbc.configMapController.HasSynced)
 }
@@ -75,14 +80,17 @@ func (lbc *LoadBalancerController) syncConfigMap(task task) {
 		lbc.syncQueue.Requeue(task, err)
 		return
 	}
-	if configExists {
-		lbc.configMap = obj.(*v1.ConfigMap)
-		externalStatusAddress, exists := lbc.configMap.Data["external-status-address"]
-		if exists {
-			lbc.statusUpdater.SaveStatusFromExternalStatus(externalStatusAddress)
+	switch key {
+	case lbc.nginxConfigMapName:
+		if configExists {
+			lbc.configMap = obj.(*v1.ConfigMap)
+			externalStatusAddress, exists := lbc.configMap.Data["external-status-address"]
+			if exists {
+				lbc.statusUpdater.SaveStatusFromExternalStatus(externalStatusAddress)
+			}
+		} else {
+			lbc.configMap = nil
 		}
-	} else {
-		lbc.configMap = nil
 	}
 
 	if !lbc.isNginxReady {

diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go
@@ -171,6 +171,7 @@ type LoadBalancerController struct {
 	telemetryCollector            *telemetry.Collector
 	telemetryChan                 chan struct{}
 	weightChangesDynamicReload    bool
+	nginxConfigMapName            string
 }
 
 var keyFunc = cache.DeletionHandlingMetaNamespaceKeyFunc
@@ -263,6 +264,7 @@ func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalanc
 		isLatencyMetricsEnabled:      input.IsLatencyMetricsEnabled,
 		isIPV6Disabled:               input.IsIPV6Disabled,
 		weightChangesDynamicReload:   input.DynamicWeightChangesReload,
+		nginxConfigMapName:           input.ConfigMaps,
 	}
 
 	lbc.syncQueue = newTaskQueue(lbc.Logger, lbc.sync)