Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Wildcard certificate to ingress resources #496

Merged
merged 1 commit into from
Feb 22, 2019
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 37 additions & 12 deletions cmd/nginx-ingress/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,11 @@ The external address of the service is used when reporting the status of Ingress

nginxDebug = flag.Bool("nginx-debug", false,
"Enable debugging for NGINX. Uses the nginx-debug binary. Requires 'error-log-level: debug' in the ConfigMap.")

wildcardTLSSecret = flag.String("wildcard-tls-secret", "",
`A Secret with a TLS certificate and key for TLS termination of every Ingress host for which TLS termination is enabled but the Secret is not specified.
Format: <namespace>/<name>. If the argument is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection.
If the argument is set, but the Ingress controller is not able to fetch the Secret from Kubernetes API, the Ingress controller will fail to start.`)
)

func main() {
Expand Down Expand Up @@ -168,17 +173,9 @@ func main() {
ngxc := nginx.NewNginxController("/etc/nginx/", nginxBinaryPath, local)

if *defaultServerSecret != "" {
ns, name, err := utils.ParseNamespaceName(*defaultServerSecret)
if err != nil {
glog.Fatalf("Error parsing the default-server-tls-secret argument: %v", err)
}
secret, err := kubeClient.CoreV1().Secrets(ns).Get(name, meta_v1.GetOptions{})
if err != nil {
glog.Fatalf("Error when getting %v: %v", *defaultServerSecret, err)
}
err = nginx.ValidateTLSSecret(secret)
secret, err := getAndValidateSecret(kubeClient, *defaultServerSecret)
if err != nil {
glog.Fatalf("%v is invalid: %v", *defaultServerSecret, err)
glog.Fatalf("Error trying to get the default server TLS secret %v: %v", *defaultServerSecret, err)
}

bytes := nginx.GenerateCertAndKeyFileContent(secret)
Expand All @@ -190,6 +187,16 @@ func main() {
}
}

if *wildcardTLSSecret != "" {
secret, err := getAndValidateSecret(kubeClient, *wildcardTLSSecret)
if err != nil {
glog.Fatalf("Error trying to get the wildcard TLS secret %v: %v", *wildcardTLSSecret, err)
}

bytes := nginx.GenerateCertAndKeyFileContent(secret)
ngxc.AddOrUpdateSecretFile(nginx.WildcardSecretName, bytes, nginx.TLSSecretFileMode)
}

cfg := nginx.NewDefaultConfig()
if *nginxConfigMaps != "" {
ns, name, err := utils.ParseNamespaceName(*nginxConfigMaps)
Expand Down Expand Up @@ -242,8 +249,8 @@ func main() {
glog.Fatalf("Failed to create NginxAPIController: %v", err)
}
}

cnf := nginx.NewConfigurator(ngxc, cfg, nginxAPI, templateExecutor)
isWildcardEnabled := *wildcardTLSSecret != ""
cnf := nginx.NewConfigurator(ngxc, cfg, nginxAPI, templateExecutor, isWildcardEnabled)
controllerNamespace := os.Getenv("POD_NAMESPACE")

lbcInput := controller.NewLoadBalancerControllerInput{
Expand All @@ -259,6 +266,7 @@ func main() {
ControllerNamespace: controllerNamespace,
ReportIngressStatus: *reportIngressStatus,
IsLeaderElectionEnabled: *leaderElectionEnabled,
WildcardTLSSecret: *wildcardTLSSecret,
}

lbc := controller.NewLoadBalancerController(lbcInput)
Expand Down Expand Up @@ -381,3 +389,20 @@ func validateCIDRorIP(cidr string) error {
}
return nil
}

// getAndValidateSecret gets and validates a secret.
func getAndValidateSecret(kubeClient *kubernetes.Clientset, secretNsName string) (secret *api_v1.Secret, err error) {
ns, name, err := utils.ParseNamespaceName(secretNsName)
if err != nil {
return nil, fmt.Errorf("could not parse the %v argument: %v", secretNsName, err)
}
secret, err = kubeClient.CoreV1().Secrets(ns).Get(name, meta_v1.GetOptions{})
if err != nil {
return nil, fmt.Errorf("could not get %v: %v", secretNsName, err)
}
err = nginx.ValidateTLSSecret(secret)
if err != nil {
return nil, fmt.Errorf("%v is invalid: %v", secretNsName, err)
}
return secret, nil
}
2 changes: 1 addition & 1 deletion deployments/helm-chart/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
name: nginx-ingress
version: 0.3.2
version: 0.3.3
appVersion: edge
description: NGINX Ingress Controller
sources:
Expand Down
3 changes: 3 additions & 0 deletions deployments/helm-chart/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,9 @@ Parameter | Description | Default
`controller.defaultTLS.cert` | The base64-encoded TLS certificate for the default HTTPS server. If not specified, a pre-generated self-signed certificate is used. **Note:** It is recommended that you specify your own certificate. | A pre-generated self-signed certificate.
`controller.defaultTLS.key` | The base64-encoded TLS key for the default HTTPS server. **Note:** If not specified, a pre-generated key is used. It is recommended that you specify your own key. | A pre-generated key.
`controller.defaultTLS.secret` | The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `<namespace>/<name>`. Used as an alternative to specifiying a certifcate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. | None
`controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection. | None
`controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection. | None
`controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress host that has TLS enabled but no secret specified. The value must follow the following format: `<namespace>/<name>`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None
`controller.nodeSelector` | The node selector for pod assignment for the Ingress controller pods. | { }
`controller.terminationGracePeriodSeconds` | The termination grace period of the Ingress controller pod. | 30
`controller.tolerations` | The tolerations of the Ingress controller pods. | []
Expand Down
5 changes: 5 additions & 0 deletions deployments/helm-chart/templates/controller-daemonset.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,11 @@ spec:
- -external-service={{ .Values.controller.reportIngressStatus.externalService }}
- -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }}
{{- end }}
{{- if .Values.controller.wildcardTLS.secret }}
- -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }}
{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }}
- -wildcard-tls-secret=$(POD_NAMESPACE)/wildcard-tls-secret
{{- end }}
{{- if and .Values.prometheus.create .Values.controller.nginxStatus.enable }}
- image: "{{ .Values.prometheus.image.repository }}:{{ .Values.prometheus.image.tag }}"
name: nginx-prometheus-exporter
Expand Down
5 changes: 5 additions & 0 deletions deployments/helm-chart/templates/controller-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,11 @@ spec:
- -external-service={{ .Values.controller.reportIngressStatus.externalService }}
- -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }}
{{- end }}
{{- if .Values.controller.wildcardTLS.secret }}
- -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }}
{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }}
- -wildcard-tls-secret=$(POD_NAMESPACE)/wildcard-tls-secret
{{- end }}
{{- if and .Values.prometheus.create .Values.controller.nginxStatus.enable }}
- image: "{{ .Values.prometheus.image.repository }}:{{ .Values.prometheus.image.tag }}"
name: nginx-prometheus-exporter
Expand Down
15 changes: 15 additions & 0 deletions deployments/helm-chart/templates/controller-wildcard-secret.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
{{ if and (not .Values.controller.wildcardTLS.secret) (and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key) }}
apiVersion: v1
kind: Secret
metadata:
name: wildcard-tls-secret
labels:
app: {{ .Values.controller.name | trunc 63 }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
type: Opaque
data:
tls.crt: {{ .Values.controller.wildcardTLS.cert }}
tls.key: {{ .Values.controller.wildcardTLS.key }}
{{- end }}
6 changes: 5 additions & 1 deletion deployments/helm-chart/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,15 @@ controller:
pullPolicy: IfNotPresent
config:
entries: {}
# It is recommended to use your own TLS certificate and key
# It is recommended to use your own TLS certificates and keys
defaultTLS:
cert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN2akNDQWFZQ0NRREFPRjl0THNhWFhEQU5CZ2txaGtpRzl3MEJBUXNGQURBaE1SOHdIUVlEVlFRRERCWk8KUjBsT1dFbHVaM0psYzNORGIyNTBjbTlzYkdWeU1CNFhEVEU0TURreE1qRTRNRE16TlZvWERUSXpNRGt4TVRFNApNRE16TlZvd0lURWZNQjBHQTFVRUF3d1dUa2RKVGxoSmJtZHlaWE56UTI5dWRISnZiR3hsY2pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwvN2hIUEtFWGRMdjNyaUM3QlBrMTNpWkt5eTlyQ08KR2xZUXYyK2EzUDF0azIrS3YwVGF5aGRCbDRrcnNUcTZzZm8vWUk1Y2Vhbkw4WGM3U1pyQkVRYm9EN2REbWs1Qgo4eDZLS2xHWU5IWlg0Rm5UZ0VPaStlM2ptTFFxRlBSY1kzVnNPazFFeUZBL0JnWlJVbkNHZUtGeERSN0tQdGhyCmtqSXVuektURXUyaDU4Tlp0S21ScUJHdDEwcTNRYzhZT3ExM2FnbmovUWRjc0ZYYTJnMjB1K1lYZDdoZ3krZksKWk4vVUkxQUQ0YzZyM1lma1ZWUmVHd1lxQVp1WXN2V0RKbW1GNWRwdEMzN011cDBPRUxVTExSakZJOTZXNXIwSAo1TmdPc25NWFJNV1hYVlpiNWRxT3R0SmRtS3FhZ25TZ1JQQVpQN2MwQjFQU2FqYzZjNGZRVXpNQ0F3RUFBVEFOCkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWpLb2tRdGRPcEsrTzhibWVPc3lySmdJSXJycVFVY2ZOUitjb0hZVUoKdGhrYnhITFMzR3VBTWI5dm15VExPY2xxeC9aYzJPblEwMEJCLzlTb0swcitFZ1U2UlVrRWtWcitTTFA3NTdUWgozZWI4dmdPdEduMS9ienM3bzNBaS9kclkrcUI5Q2k1S3lPc3FHTG1US2xFaUtOYkcyR1ZyTWxjS0ZYQU80YTY3Cklnc1hzYktNbTQwV1U3cG9mcGltU1ZmaXFSdkV5YmN3N0NYODF6cFErUyt1eHRYK2VBZ3V0NHh3VlI5d2IyVXYKelhuZk9HbWhWNThDd1dIQnNKa0kxNXhaa2VUWXdSN0diaEFMSkZUUkk3dkhvQXprTWIzbjAxQjQyWjNrN3RXNQpJUDFmTlpIOFUvOWxiUHNoT21FRFZkdjF5ZytVRVJxbStGSis2R0oxeFJGcGZnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdi91RWM4b1JkMHUvZXVJTHNFK1RYZUprckxMMnNJNGFWaEMvYjVyYy9XMlRiNHEvClJOcktGMEdYaVN1eE9ycXgrajlnamx4NXFjdnhkenRKbXNFUkJ1Z1B0ME9hVGtIekhvb3FVWmcwZGxmZ1dkT0EKUTZMNTdlT1l0Q29VOUZ4amRXdzZUVVRJVUQ4R0JsRlNjSVo0b1hFTkhzbysyR3VTTWk2Zk1wTVM3YUhudzFtMApxWkdvRWEzWFNyZEJ6eGc2clhkcUNlUDlCMXl3VmRyYURiUzc1aGQzdUdETDU4cGszOVFqVUFQaHpxdmRoK1JWClZGNGJCaW9CbTVpeTlZTW1hWVhsMm0wTGZzeTZuUTRRdFFzdEdNVWozcGJtdlFmazJBNnljeGRFeFpkZFZsdmwKMm82MjBsMllxcHFDZEtCRThCay90elFIVTlKcU56cHpoOUJUTXdJREFRQUJBb0lCQVFDZklHbXowOHhRVmorNwpLZnZJUXQwQ0YzR2MxNld6eDhVNml4MHg4Mm15d1kxUUNlL3BzWE9LZlRxT1h1SENyUlp5TnUvZ2IvUUQ4bUFOCmxOMjRZTWl0TWRJODg5TEZoTkp3QU5OODJDeTczckM5bzVvUDlkazAvYzRIbjAzSkVYNzZ5QjgzQm9rR1FvYksKMjhMNk0rdHUzUmFqNjd6Vmc2d2szaEhrU0pXSzBwV1YrSjdrUkRWYmhDYUZhNk5nMUZNRWxhTlozVDhhUUtyQgpDUDNDeEFTdjYxWTk5TEI4KzNXWVFIK3NYaTVGM01pYVNBZ1BkQUk3WEh1dXFET1lvMU5PL0JoSGt1aVg2QnRtCnorNTZud2pZMy8yUytSRmNBc3JMTnIwMDJZZi9oY0IraVlDNzVWYmcydVd6WTY3TWdOTGQ5VW9RU3BDRkYrVm4KM0cyUnhybnhBb0dCQU40U3M0ZVlPU2huMVpQQjdhTUZsY0k2RHR2S2ErTGZTTXFyY2pOZjJlSEpZNnhubmxKdgpGenpGL2RiVWVTbWxSekR0WkdlcXZXaHFISy9iTjIyeWJhOU1WMDlRQ0JFTk5jNmtWajJTVHpUWkJVbEx4QzYrCk93Z0wyZHhKendWelU0VC84ajdHalRUN05BZVpFS2FvRHFyRG5BYWkyaW5oZU1JVWZHRXFGKzJyQW9HQkFOMVAKK0tZL0lsS3RWRzRKSklQNzBjUis3RmpyeXJpY05iWCtQVzUvOXFHaWxnY2grZ3l4b25BWlBpd2NpeDN3QVpGdwpaZC96ZFB2aTBkWEppc1BSZjRMazg5b2pCUmpiRmRmc2l5UmJYbyt3TFU4NUhRU2NGMnN5aUFPaTVBRHdVU0FkCm45YWFweUNweEFkREtERHdObit3ZFhtaTZ0OHRpSFRkK3RoVDhkaVpBb0dCQUt6Wis1bG9OOTBtYlF4VVh5YUwKMjFSUm9tMGJjcndsTmVCaWNFSmlzaEhYa2xpSVVxZ3hSZklNM2hhUVRUcklKZENFaHFsV01aV0xPb2I2NTNyZgo3aFlMSXM1ZUtka3o0aFRVdnpldm9TMHVXcm9CV2xOVHlGanIrSWhKZnZUc0hpOGdsU3FkbXgySkJhZUFVWUNXCndNdlQ4NmNLclNyNkQrZG8wS05FZzFsL0FvR0FlMkFVdHVFbFNqLzBmRzgrV3hHc1RFV1JqclRNUzRSUjhRWXQKeXdjdFA4aDZxTGxKUTRCWGxQU05rMXZLTmtOUkxIb2pZT2pCQTViYjhibXNVU1BlV09NNENoaFJ4QnlHbmR2eAphYkJDRkFwY0IvbEg4d1R0alVZYlN5T294ZGt5OEp0ek90ajJhS0FiZHd6NlArWDZDODhjZmxYVFo5MWpYL3RMCjF3TmRKS2tDZ1lCbyt0UzB5TzJ2SWFmK2UwSkN5TGhzVDQ5cTN3Zis2QWVqWGx2WDJ1VnRYejN5QTZnbXo5aCsKcDNlK2JMRUxwb3B0WFhNdUFRR0xhUkcrYlNNcjR5dERYbE5ZSndUeThXczNKY3dlSTdqZVp2b0ZpbmNvVlVIMwphdmxoTUVCRGYxSjltSDB5cDBwWUNaS2ROdHNvZEZtQktzVEtQMjJhTmtsVVhCS3gyZzR6cFE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
# secret: <namespace>/<secret_name>
wildcardTLS:
cert: ""
key: ""
# secret: <namespace>/<secret_name>
nodeSelector: {}
terminationGracePeriodSeconds: 30
tolerations: []
Expand Down
4 changes: 4 additions & 0 deletions docs/cli-arguments.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ Usage of ./nginx-ingress:
If not set, certificate and key in the file "/etc/nginx/secrets/default" are used. If a secret is set,
but the Ingress controller is not able to fetch it from Kubernetes API or a secret is not set and
the file "/etc/nginx/secrets/default" does not exist, the Ingress controller will fail to start
-wildcard-tls-secret string
A Secret with a TLS certificate and key for TLS termination of every Ingress host for which TLS termination is enabled but the Secret is not specified.
Format: <namespace>/<name>. If the argument is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection.
If the argument is set, but the Ingress controller is not able to fetch the Secret from Kubernetes API, the Ingress controller will fail to start.
-enable-leader-election
Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources -- only one replica will report status. See -report-ingress-status flag.
-external-service string
Expand Down
80 changes: 49 additions & 31 deletions internal/controller/controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@ type LoadBalancerController struct {
resync time.Duration
namespace string
controllerNamespace string
wildcardTLSSecret string
}

var keyFunc = cache.DeletionHandlingMetaNamespaceKeyFunc
Expand All @@ -97,6 +98,7 @@ type NewLoadBalancerControllerInput struct {
ControllerNamespace string
ReportIngressStatus bool
IsLeaderElectionEnabled bool
WildcardTLSSecret string
}

// NewLoadBalancerController creates a controller
Expand All @@ -113,6 +115,7 @@ func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalanc
resync: input.ResyncPeriod,
namespace: input.Namespace,
controllerNamespace: input.ControllerNamespace,
wildcardTLSSecret: input.WildcardTLSSecret,
}

eventBroadcaster := record.NewBroadcaster()
Expand Down Expand Up @@ -647,10 +650,9 @@ func (lbc *LoadBalancerController) syncSecret(task queue.Task) {
if !secrExists {
glog.V(2).Infof("Deleting Secret: %v\n", key)

lbc.handleSecretDeletion(key, ings)

if key == lbc.defaultServerSecret {
glog.Warningf("The default server Secret %v was removed. Retaining the Secret.", key)
lbc.handleRegularSecretDeletion(key, ings)
if lbc.isSpecialSecret(key) {
glog.Warningf("A special TLS Secret %v was removed. Retaining the Secret.", key)
}
return
}
Expand All @@ -659,17 +661,21 @@ func (lbc *LoadBalancerController) syncSecret(task queue.Task) {

secret := obj.(*api_v1.Secret)

if key == lbc.defaultServerSecret {
lbc.handleDefaultSecretUpdate(secret)
// we don't return here in case the default secret is also used in Ingress resources
if lbc.isSpecialSecret(key) {
lbc.handleSpecialSecretUpdate(secret)
// we don't return here in case the special secret is also used in Ingress resources
}

if len(ings) > 0 {
lbc.handleSecretUpdate(secret, ings)
}
}

func (lbc *LoadBalancerController) handleSecretDeletion(key string, ings []extensions.Ingress) {
func (lbc *LoadBalancerController) isSpecialSecret(secretName string) bool {
return secretName == lbc.defaultServerSecret || secretName == lbc.wildcardTLSSecret
}

func (lbc *LoadBalancerController) handleRegularSecretDeletion(key string, ings []extensions.Ingress) {
eventType := api_v1.EventTypeWarning
title := "Missing Secret"
message := fmt.Sprintf("Secret %v was removed", key)
Expand Down Expand Up @@ -702,7 +708,7 @@ func (lbc *LoadBalancerController) handleSecretUpdate(secret *api_v1.Secret, ing
glog.Errorf("Couldn't validate secret %v: %v", secretNsName, err)
glog.Errorf("Removing invalid secret %v", secretNsName)

lbc.handleSecretDeletion(secretNsName, ings)
lbc.handleRegularSecretDeletion(secretNsName, ings)

lbc.recorder.Eventf(secret, api_v1.EventTypeWarning, "Rejected", "%v was rejected: %v", secretNsName, err)
return
Expand All @@ -726,24 +732,31 @@ func (lbc *LoadBalancerController) handleSecretUpdate(secret *api_v1.Secret, ing
lbc.emitEventForIngresses(eventType, title, message, ings)
}

func (lbc *LoadBalancerController) handleDefaultSecretUpdate(secret *api_v1.Secret) {
func (lbc *LoadBalancerController) handleSpecialSecretUpdate(secret *api_v1.Secret) {
var specialSecretsToUpdate []string
secretNsName := secret.Namespace + "/" + secret.Name

err := nginx.ValidateTLSSecret(secret)
if err != nil {
glog.Errorf("Couldn't validate the default server Secret %v: %v", secretNsName, err)
lbc.recorder.Eventf(secret, api_v1.EventTypeWarning, "Rejected", "the default server Secret %v was rejected, using the previous version: %v", secretNsName, err)
glog.Errorf("Couldn't validate the special Secret %v: %v", secretNsName, err)
lbc.recorder.Eventf(secret, api_v1.EventTypeWarning, "Rejected", "the special Secret %v was rejected, using the previous version: %v", secretNsName, err)
return
}

err = lbc.configurator.AddOrUpdateDefaultServerTLSSecret(secret)
if secretNsName == lbc.defaultServerSecret {
specialSecretsToUpdate = append(specialSecretsToUpdate, nginx.DefaultServerSecretName)
}
if secretNsName == lbc.wildcardTLSSecret {
specialSecretsToUpdate = append(specialSecretsToUpdate, nginx.WildcardSecretName)
}

err = lbc.configurator.AddOrUpdateSpecialSecrets(secret, specialSecretsToUpdate)
if err != nil {
glog.Errorf("Error when updating the default server Secret %v: %v", secretNsName, err)
lbc.recorder.Eventf(secret, api_v1.EventTypeWarning, "UpdatedWithError", "the default server Secret %v was updated, but not applied: %v", secretNsName, err)
glog.Errorf("Error when updating the special Secret %v: %v", secretNsName, err)
lbc.recorder.Eventf(secret, api_v1.EventTypeWarning, "UpdatedWithError", "the special Secret %v was updated, but not applied: %v", secretNsName, err)
return
}

lbc.recorder.Eventf(secret, api_v1.EventTypeNormal, "Updated", "the default server Secret %v was updated", secretNsName)
lbc.recorder.Eventf(secret, api_v1.EventTypeNormal, "Updated", "the special Secret %v was updated", secretNsName)
}

func (lbc *LoadBalancerController) emitEventForIngresses(eventType string, title string, message string, ings []extensions.Ingress) {
Expand Down Expand Up @@ -906,6 +919,23 @@ func (lbc *LoadBalancerController) getIngressForEndpoints(obj interface{}) []ext
return ings
}

func (lbc *LoadBalancerController) getAndValidateSecret(secretKey string) (*api_v1.Secret, error) {
secretObject, secretExists, err := lbc.secretLister.GetByKey(secretKey)
if err != nil {
return nil, fmt.Errorf("error retrieving secret %v", secretKey)
}
if !secretExists {
return nil, fmt.Errorf("secret %v not found", secretKey)
}
secret := secretObject.(*api_v1.Secret)

err = nginx.ValidateTLSSecret(secret)
if err != nil {
return nil, fmt.Errorf("error validating secret %v", secretKey)
}
return secret, nil
}

func (lbc *LoadBalancerController) createIngress(ing *extensions.Ingress) (*nginx.IngressEx, error) {
ingEx := &nginx.IngressEx{
Ingress: ing,
Expand All @@ -915,21 +945,9 @@ func (lbc *LoadBalancerController) createIngress(ing *extensions.Ingress) (*ngin
for _, tls := range ing.Spec.TLS {
secretName := tls.SecretName
secretKey := ing.Namespace + "/" + secretName

secretObject, secretExists, err := lbc.secretLister.GetByKey(secretKey)
if err != nil {
glog.Warningf("Error retrieving secret %v for Ingress %v: %v", secretName, ing.Name, err)
continue
}
if !secretExists {
glog.Warningf("secret %v not found for Ingress %v", secretKey, ing.Name)
continue
}
secret := secretObject.(*api_v1.Secret)

err = nginx.ValidateTLSSecret(secret)
secret, err := lbc.getAndValidateSecret(secretKey)
if err != nil {
glog.Warningf("Error validating secret %v for Ingress %v: %v", secretName, ing.Name, err)
glog.Warningf("Error trying to get the secret %v for Ingress %v: %v", secretName, ing.Name, err)
continue
}
ingEx.TLSSecrets[secretName] = secret
Expand Down
Loading