From b3baf9f97c17aff9fd2d700ae7b2a94ede068691 Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Thu, 2 Mar 2023 15:02:28 +0000
Subject: [PATCH 1/6] Update path to store prometheus secrets
---
 internal/metrics/listener.go | 7 ++++++-
 internal/nginx/manager.go | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/internal/metrics/listener.go b/internal/metrics/listener.go
index 932ac23234..386c4f5875 100644
--- a/internal/metrics/listener.go
+++ b/internal/metrics/listener.go
@@ -74,7 +74,12 @@ func runServer(port string, registry prometheus.Gatherer, prometheusSecret *api_
 }
 
 func writeTempFile(data []byte, name string) (*os.File, error) {
- f, err := os.CreateTemp("", name)
+ _, err := os.Stat(nginx.NginxSecretPath)
+ if err != nil {
+ return nil, fmt.Errorf("Directory %s does not exist %w\n", nginx.NginxSecretPath, err)
+ }
+
+ f, err := os.CreateTemp(nginx.NginxSecretPath, name)
 if err != nil {
 return nil, fmt.Errorf("failed to create temp file: %w", err)
 }
diff --git a/internal/nginx/manager.go b/internal/nginx/manager.go
index 561a7c2f75..e9f2be5aa6 100644
--- a/internal/nginx/manager.go
+++ b/internal/nginx/manager.go
@@ -28,6 +28,7 @@ const (
 JWKSecretFileMode = 0o644
 // HtpasswdSecretFileMode defines the default filemode for HTTP basic auth user files.
 HtpasswdSecretFileMode = 0o644
+ NginxSecretPath = "/etc/nginx/secrets"
 
 configFileMode = 0o644
 jsonFileForOpenTracingTracer = "/var/lib/nginx/tracer-config.json"
From 2c44c8c0fd07607741520eb28c92908f8ffcd8c4 Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Thu, 2 Mar 2023 17:22:03 +0000
Subject: [PATCH 2/6] Move DefaultSecretPath const to configurator and add nosec G101
---
 internal/configs/configurator.go | 3 +++
 internal/metrics/listener.go | 13 +++++++------
 internal/nginx/manager.go | 1 -
 3 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go
index 236c78e649..09a952c947 100644
--- a/internal/configs/configurator.go
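Review bot: The `os.Stat` pre-check added to writeTempFile discards the FileInfo, so it never confirms that `nginx.NginxSecretPath` is actually a directory, and it reports "does not exist" for every Stat failure, a permission error included; `os.CreateTemp` on the next line already fails with a `*PathError` naming the directory, so the pre-check costs a second syscall and a second wrap without adding information. Either drop it and let the existing `failed to create temp file: %w` wrap carry the cause, or keep the result and check it: `fi, err := os.Stat(nginx.NginxSecretPath)` / `if err != nil || !fi.IsDir() { … }`. The file also now lives in the persistent secrets directory rather than in os.TempDir(), so whoever closes certFile and keyFile must remove them as well; writeTempFile's body continues past the hunk, so I cannot see whether that happens. The same shape is carried by the -73,13 hunk of patch 2/6 and the -76 hunks of patches 4/6 and 5/6.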
+++ b/internal/configs/configurator.go
@@ -44,6 +44,9 @@ const (
 // DefaultServerSecretPath is the full path to the Secret with a TLS cert and a key for the default server. #nosec G101
 const DefaultServerSecretPath = "/etc/nginx/secrets/default"
 
+// DefaultSecretPath is the full default path to where secrets are stored and accessed. #nosec G101
+const DefaultSecretPath = "/etc/nginx/secrets"
+
 // DefaultServerSecretName is the filename of the Secret with a TLS cert and a key for the default server.
 const DefaultServerSecretName = "default"
 
diff --git a/internal/metrics/listener.go b/internal/metrics/listener.go
index 386c4f5875..1070b17962 100644
--- a/internal/metrics/listener.go
+++ b/internal/metrics/listener.go
@@ -7,6 +7,7 @@ import (
 "strconv"
 
 "github.com/golang/glog"
+ config "github.com/nginxinc/kubernetes-ingress/internal/configs"
 "github.com/nginxinc/kubernetes-ingress/internal/nginx"
 prometheusClient "github.com/nginxinc/nginx-prometheus-exporter/client"
 nginxCollector "github.com/nginxinc/nginx-prometheus-exporter/collector"
@@ -59,12 +60,12 @@ func runServer(port string, registry prometheus.Gatherer, prometheusSecret *api_
 // Write the cert and key to a temporary file. We create a unique file name to prevent collisions.
 certFileName := "nginx-prometheus.cert"
 keyFileName := "nginx-prometheus.key"
- certFile, err := writeTempFile(prometheusSecret.Data[api_v1.TLSCertKey], certFileName)
+ certFile, err := writeToSecretsPath(prometheusSecret.Data[api_v1.TLSCertKey], certFileName)
 if err != nil {
 glog.Fatal("failed to create cert file for prometheus: %w", err)
 }
 
- keyFile, err := writeTempFile(prometheusSecret.Data[api_v1.TLSPrivateKeyKey], keyFileName)
+ keyFile, err := writeToSecretsPath(prometheusSecret.Data[api_v1.TLSPrivateKeyKey], keyFileName)
 if err != nil {
 glog.Fatal("failed to create key file for prometheus: %w", err)
 }
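Review bot: The new `DefaultSecretPath` duplicates the prefix already hard-coded in `DefaultServerSecretPath` two lines above it, so the two constants can drift apart silently; deriving one from the other keeps them in step, `const DefaultServerSecretPath = DefaultSecretPath + "/" + DefaultServerSecretName`, which Go allows regardless of declaration order within the package. The doc comment could also be more specific than "where secrets are stored and accessed" — the sibling FileMode constants in manager.go suggest this is the directory the controller writes Secret-derived files into, but that is inferred, so confirm before wording it that way.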
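Review bot: The `glog.Fatal` calls bracketing the renamed writeToSecretsPath calls pass a `%w` verb, but glog.Fatal handles its arguments in the manner of fmt.Print, so the verb is logged literally and the error is merely appended; `%w` is not understood by Fatalf either. The lines are touched again by the -60,12 hunk of patch 6/6, which is a natural place to fix them: `glog.Fatalf("failed to create cert file for prometheus: %v", err)` and the matching `glog.Fatalf("failed to create key file for prometheus: %v", err)`. These are context lines rather than lines this commit changes, so it is a drive-by rather than a defect in the rename.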
@@ -73,13 +74,13 @@ func runServer(port string, registry prometheus.Gatherer, prometheusSecret *api_
 }
 }
 
-func writeTempFile(data []byte, name string) (*os.File, error) {
- _, err := os.Stat(nginx.NginxSecretPath)
+func writeToSecretsPath(data []byte, name string) (*os.File, error) {
+ _, err := os.Stat(config.DefaultSecretPath)
 if err != nil {
- return nil, fmt.Errorf("Directory %s does not exist %w\n", nginx.NginxSecretPath, err)
+ return nil, fmt.Errorf("directory %s does not exist %w", config.DefaultSecretPath, err)
 }
 
- f, err := os.CreateTemp(nginx.NginxSecretPath, name)
+ f, err := os.CreateTemp(config.DefaultSecretPath, name)
 if err != nil {
 return nil, fmt.Errorf("failed to create temp file: %w", err)
 }
diff --git a/internal/nginx/manager.go b/internal/nginx/manager.go
index e9f2be5aa6..561a7c2f75 100644
--- a/internal/nginx/manager.go
+++ b/internal/nginx/manager.go
@@ -28,7 +28,6 @@ const (
 JWKSecretFileMode = 0o644
 // HtpasswdSecretFileMode defines the default filemode for HTTP basic auth user files.
 HtpasswdSecretFileMode = 0o644
- NginxSecretPath = "/etc/nginx/secrets"
 
 configFileMode = 0o644
 jsonFileForOpenTracingTracer = "/var/lib/nginx/tracer-config.json"
From 0a937c307ab85e4001fcfb402f18f9fc9567e9d2 Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Tue, 7 Mar 2023 09:12:48 +0000
Subject: [PATCH 3/6] Fix lint error
---
 internal/configs/configurator.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go
index 09a952c947..2e5478e3b3 100644
--- a/internal/configs/configurator.go
+++ b/internal/configs/configurator.go
@@ -44,8 +44,8 @@ const (
 // DefaultServerSecretPath is the full path to the Secret with a TLS cert and a key for the default server. #nosec G101
 const DefaultServerSecretPath = "/etc/nginx/secrets/default"
 
-// DefaultSecretPath is the full default path to where secrets are stored and accessed. #nosec G101
-const DefaultSecretPath = "/etc/nginx/secrets"
+// DefaultSecretPath is the full default path to where secrets are stored and accessed.
+const DefaultSecretPath = "/etc/nginx/secrets" // #nosec G101
 
 // DefaultServerSecretName is the filename of the Secret with a TLS cert and a key for the default server.
 const DefaultServerSecretName = "default"
From 814b608ac9d4b2a903ea6081b64f9e8bf8640986 Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Tue, 7 Mar 2023 11:13:11 +0000
Subject: [PATCH 4/6] Update error check
---
 internal/metrics/listener.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/metrics/listener.go b/internal/metrics/listener.go
index 1070b17962..7040516777 100644
--- a/internal/metrics/listener.go
+++ b/internal/metrics/listener.go
@@ -76,7 +76,7 @@ func runServer(port string, registry prometheus.Gatherer, prometheusSecret *api_
 
 func writeToSecretsPath(data []byte, name string) (*os.File, error) {
 _, err := os.Stat(config.DefaultSecretPath)
- if err != nil {
+ if os.IsNotExist(err) {
 return nil, fmt.Errorf("directory %s does not exist %w", config.DefaultSecretPath, err)
 }
 
From 6c067de1d002fbc898318cbcf10300f5a1420a62 Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Wed, 8 Mar 2023 10:57:51 +0000
Subject: [PATCH 5/6] Update error message
---
 internal/metrics/listener.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/internal/metrics/listener.go b/internal/metrics/listener.go
index 7040516777..38c03be3f0 100644
--- a/internal/metrics/listener.go
+++ b/internal/metrics/listener.go
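Review bot: The trailing `// #nosec G101` on `DefaultSecretPath` silences gosec's hard-coded-credential rule without recording why the finding is a false positive, which is exactly what the next reader of the suppression needs; the doc comment is the place for that, e.g. `// DefaultSecretPath is the full default path to where secrets are stored and accessed. It names a directory, not a credential, which is why the G101 finding is suppressed.` The first context line still carries `#nosec G101` inside the doc comment of `DefaultServerSecretPath`, so after this lint fix the two neighbouring constants suppress the same rule in two different ways; moving that one to the same trailing form would keep the file consistent.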
@@ -76,8 +76,8 @@ func runServer(port string, registry prometheus.Gatherer, prometheusSecret *api_
 
 func writeToSecretsPath(data []byte, name string) (*os.File, error) {
 _, err := os.Stat(config.DefaultSecretPath)
- if os.IsNotExist(err) {
- return nil, fmt.Errorf("directory %s does not exist %w", config.DefaultSecretPath, err)
+ if err != nil {
+ return nil, fmt.Errorf("got error %w when attempting access %s", err, config.DefaultSecretPath)
 }
 
 f, err := os.CreateTemp(config.DefaultSecretPath, name)
From 0868508b9bd0f7747b563d9b7e5432a886e03e70 Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Wed, 8 Mar 2023 11:43:15 +0000
Subject: [PATCH 6/6] Change function name
---
 internal/metrics/listener.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/internal/metrics/listener.go b/internal/metrics/listener.go
index 38c03be3f0..cbc2ecd583 100644
--- a/internal/metrics/listener.go
+++ b/internal/metrics/listener.go
@@ -60,12 +60,12 @@ func runServer(port string, registry prometheus.Gatherer, prometheusSecret *api_
 // Write the cert and key to a temporary file. We create a unique file name to prevent collisions.
 certFileName := "nginx-prometheus.cert"
 keyFileName := "nginx-prometheus.key"
- certFile, err := writeToSecretsPath(prometheusSecret.Data[api_v1.TLSCertKey], certFileName)
+ certFile, err := createTLSFile(prometheusSecret.Data[api_v1.TLSCertKey], certFileName)
 if err != nil {
 glog.Fatal("failed to create cert file for prometheus: %w", err)
 }
 
- keyFile, err := writeToSecretsPath(prometheusSecret.Data[api_v1.TLSPrivateKeyKey], keyFileName)
+ keyFile, err := createTLSFile(prometheusSecret.Data[api_v1.TLSPrivateKeyKey], keyFileName)
 if err != nil {
 glog.Fatal("failed to create key file for prometheus: %w", err)
 }
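Review bot: The new message `got error %w when attempting access %s` reads awkwardly and breaks the "what this layer was doing: %w" shape used by the sibling wrap `failed to create temp file: %w` a few lines below, so the same function now emits two differently styled errors; `return nil, fmt.Errorf("checking secrets directory %s: %w", config.DefaultSecretPath, err)` keeps the path and the cause in the usual order. Going back to `err != nil` from patch 4's `os.IsNotExist` is reasonable, since a permission error would make CreateTemp fail anyway, but it also means a missing directory is now diagnosed twice by the same function — once here and once by CreateTemp's own `*PathError` — so it is worth deciding whether the Stat pre-check still earns its keep.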
@@ -74,7 +74,7 @@ func runServer(port string, registry prometheus.Gatherer, prometheusSecret *api_
 }
 }
 
-func writeToSecretsPath(data []byte, name string) (*os.File, error) {
+func createTLSFile(data []byte, name string) (*os.File, error) {
 _, err := os.Stat(config.DefaultSecretPath)
 if err != nil {
 return nil, fmt.Errorf("got error %w when attempting access %s", err, config.DefaultSecretPath)
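Review bot: `createTLSFile` is the third name this unexported function has had in the series and it still has no doc comment, while the new name no longer says where the file goes or that `name` is only a prefix — os.CreateTemp appends a random suffix when the pattern has no `*`, so the files are `nginx-prometheus.cert<random>`, not `nginx-prometheus.cert`, and they are created with mode 0o600. A short comment would close that gap: `// createTLSFile writes data to a new file under config.DefaultSecretPath whose name begins with name. os.CreateTemp chooses a unique suffix and creates the file with mode 0o600; the caller owns the returned *os.File and must close and remove it.` The last clause assumes runServer deletes the files when the listener stops; the rest of the body and the callers' cleanup are outside this hunk, so confirm that before documenting it.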