Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secret retry #84

Merged
merged 3 commits into from
Dec 2, 2016
Merged

Secret retry #84

merged 3 commits into from
Dec 2, 2016

Conversation

thetechnick
Copy link
Contributor

If a certificate secret referenced in an ingress object is not found,
the ingress controller will reject the ingress object. but retries every 5s.
This fixes #78.

I have tested this with success on my private cluster merged together with #77 and #81 and kube-lego.

This is a quite simple approach to the issue, next steps to improve this feature are:

  • add a error event to the rejected ingress object
  • only reject ingress rules referencing a host, that should be secured by the secret, when it can't be found

I think we can cover point 1 when we implement the event logging system also improving #77,
point 2 is more difficult, but I think most users will use only one host per ingress object, so this is not an issue in most cases.

@pleshakov
Copy link
Contributor

@thetechnick thx! I've added few comments.

It doesn't fix #78 though, but it's an important step towards it.

add a error event to the rejected ingress object

I'll create a separate issue for the task of adding error events.

only reject ingress rules referencing a host, that should be secured by the secret, when it can't be found... point 2 is more difficult, but I think most users will use only one host per ingress object, so this is not an issue in most cases.

Not sure if it's necessary, since if there is a missing secret, its gets caught by this PR.

@pleshakov pleshakov added this to the v0.7.0 milestone Nov 28, 2016
@thetechnick
Copy link
Contributor Author

@pleshakov
What do you think is still needed for #78?
At least for my use case (kube-lego) it works as expected, if the secrets are manually added afterwards the nginx controller will also pick up the change.

pleshakov
pleshakov reviewed Nov 29, 2016
View reviewed changes
Copy link
Contributor

@pleshakov pleshakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added few comments.

nginx-controller/controller/controller.go
ingEx := lbc.createIngress(&ing)
ingEx, err := lbc.createIngress(&ing)
if err != nil {
lbc.ingQueue.requeueAfter(key, err, 5*time.Second)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it's necessary to requeue the Ingress when endpoints change. Better to ignore such an Ingress with an error.

nginx-controller/controller/controller.go
@@ -464,8 +472,7 @@ func (lbc *LoadBalancerController) createIngress(ing *extensions.Ingress) nginx.
secretName := tls.SecretName
secret, err := lbc.client.Secrets(ing.Namespace).Get(secretName)
if err != nil {
glog.Warningf("Error retrieving secret %v for Ingress %v: %v", secretName, ing.Name, err)
continue
return ingEx, fmt.Errorf("Error retrieving secret %v for Ingress %v: %v", secretName, ing.Name, err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better to return nil instead of ingEx

@pleshakov
Copy link
Contributor

@thetechnick

What do you think is still needed for #78?
At least for my use case (kube-lego) it works as expected, if the secrets are manually added afterwards the nginx controller will also pick up the change.

Agree, It covers #78. I misunderstood the issue a little bit. There is a separate problem of updating a certificate: if a secret changes, the controller won't update the certificate.

pleshakov
pleshakov suggested changes Dec 2, 2016
View reviewed changes
nginx-controller/controller/controller.go
ingEx, err := lbc.createIngress(&ing)
if err != nil {
glog.Warningf("Error updating endpoints for %v/%v: %v, skipping", ing.Namespace, ing.Name, err)
return
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a small bug. must be continue instead of return. This leads to Ignoring the rest of the Ingresses.

@pleshakov pleshakov merged commit 3b59ab2 into nginx:master Dec 2, 2016
@pleshakov
Copy link
Contributor

@thetechnick thx!

Please make changes related to a review in a separate commit, instead of changing the last commit. This way it's easier to review it and also get notified about it. I will squash the commits before the merging (forgot to do it for this pull request)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pleshakov pleshakov pleshakov requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v0.7.0
Development

Successfully merging this pull request may close these issues.

Watch for secret after ingress creation
2 participants
@thetechnick @pleshakov