Prometheus tls path (#3615)

* Update path to store prometheus secrets * Move DefaultSecretPath const to configurator and add nosec G101 * Fix lint error * Update error check * Update error message * Change function name
nginx · Mar 8, 2023 · 7e7c824 · 7e7c824
1 parent c26677c
commit 7e7c824
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go
@@ -44,6 +44,9 @@ const (
 // DefaultServerSecretPath is the full path to the Secret with a TLS cert and a key for the default server. #nosec G101
 const DefaultServerSecretPath = "/etc/nginx/secrets/default"
 
+// DefaultSecretPath is the full default path to where secrets are stored and accessed.
+const DefaultSecretPath = "/etc/nginx/secrets" // #nosec G101
+
 // DefaultServerSecretName is the filename of the Secret with a TLS cert and a key for the default server.
 const DefaultServerSecretName = "default"
 

diff --git a/internal/metrics/listener.go b/internal/metrics/listener.go
@@ -7,6 +7,7 @@ import (
 	"strconv"
 
 	"github.com/golang/glog"
+	config "github.com/nginxinc/kubernetes-ingress/internal/configs"
 	"github.com/nginxinc/kubernetes-ingress/internal/nginx"
 	prometheusClient "github.com/nginxinc/nginx-prometheus-exporter/client"
 	nginxCollector "github.com/nginxinc/nginx-prometheus-exporter/collector"
@@ -59,12 +60,12 @@ func runServer(port string, registry prometheus.Gatherer, prometheusSecret *api_
 		// Write the cert and key to a temporary file. We create a unique file name to prevent collisions.
 		certFileName := "nginx-prometheus.cert"
 		keyFileName := "nginx-prometheus.key"
-		certFile, err := writeTempFile(prometheusSecret.Data[api_v1.TLSCertKey], certFileName)
+		certFile, err := createTLSFile(prometheusSecret.Data[api_v1.TLSCertKey], certFileName)
 		if err != nil {
 			glog.Fatal("failed to create cert file for prometheus: %w", err)
 		}
 
-		keyFile, err := writeTempFile(prometheusSecret.Data[api_v1.TLSPrivateKeyKey], keyFileName)
+		keyFile, err := createTLSFile(prometheusSecret.Data[api_v1.TLSPrivateKeyKey], keyFileName)
 		if err != nil {
 			glog.Fatal("failed to create key file for prometheus: %w", err)
 		}
@@ -73,8 +74,13 @@ func runServer(port string, registry prometheus.Gatherer, prometheusSecret *api_
 	}
 }
 
-func writeTempFile(data []byte, name string) (*os.File, error) {
-	f, err := os.CreateTemp("", name)
+func createTLSFile(data []byte, name string) (*os.File, error) {
+	_, err := os.Stat(config.DefaultSecretPath)
+	if err != nil {
+		return nil, fmt.Errorf("got error %w when attempting access %s", err, config.DefaultSecretPath)
+	}
+
+	f, err := os.CreateTemp(config.DefaultSecretPath, name)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create temp file: %w", err)
 	}