Add events when special secrets update #6878

Merged
merged 5 commits into from
Nov 28, 2024
Merged
46 changes: 33 additions & 13 deletions cmd/nginx-ingress/main.go
Expand Up @@ -34,6 +34,7 @@
"github.com/prometheus/client_golang/prometheus"
api_v1 "k8s.io/api/core/v1"
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
pkg_runtime "k8s.io/apimachinery/pkg/runtime"
util_version "k8s.io/apimachinery/pkg/util/version"
"k8s.io/client-go/dynamic"
"k8s.io/client-go/kubernetes"
Expand Down Expand Up @@ -75,6 +76,8 @@
appProtectVersionPath = "/opt/app_protect/RELEASE"
appProtectv4BundleFolder = "/etc/nginx/waf/bundles/"
appProtectv5BundleFolder = "/etc/app_protect/bundles/"
fatalEventFlushTime = 200 * time.Millisecond
secretErrorReason = "SecretError"
)

func main() {
Expand All @@ -89,9 +92,14 @@

buildOS := os.Getenv("BUILD_OS")
controllerNamespace := os.Getenv("POD_NAMESPACE")
podName := os.Getenv("POD_NAME")

config, kubeClient := mustCreateConfigAndKubeClient(ctx)
mustValidateKubernetesVersionInfo(ctx, kubeClient)
pod, err := kubeClient.CoreV1().Pods(controllerNamespace).Get(context.TODO(), podName, meta_v1.GetOptions{})
if err != nil {
nl.Fatalf(l, "Failed to get pod: %v", err)
}

eventBroadcaster := record.NewBroadcaster()
eventBroadcaster.StartLogging(func(format string, args ...interface{}) {
nl.Infof(l, format, args...)
Expand All @@ -101,6 +109,7 @@
})
eventRecorder := eventBroadcaster.NewRecorder(scheme.Scheme,
api_v1.EventSource{Component: "nginx-ingress-controller"})
defer eventBroadcaster.Shutdown()

mustValidateIngressClass(ctx, kubeClient)

checkNamespaces(ctx, kubeClient)
Expand Down Expand Up @@ -143,12 +152,17 @@

templateExecutor, templateExecutorV2 := createTemplateExecutors(ctx)

sslRejectHandshake := processDefaultServerSecret(ctx, kubeClient, nginxManager)

isWildcardEnabled := processWildcardSecret(ctx, kubeClient, nginxManager)
sslRejectHandshake, err := processDefaultServerSecret(kubeClient, nginxManager)
if err != nil {
logEventAndExit(ctx, eventRecorder, pod, secretErrorReason, err)
}


staticSSLPath := nginxManager.GetSecretsDir()

isWildcardEnabled, err := processWildcardSecret(kubeClient, nginxManager)
if err != nil {
logEventAndExit(ctx, eventRecorder, pod, secretErrorReason, err)
}

globalConfigurationValidator := createGlobalConfigurationValidator()

mustProcessGlobalConfiguration(ctx)
Expand Down Expand Up @@ -562,14 +576,13 @@
}
}

func processDefaultServerSecret(ctx context.Context, kubeClient *kubernetes.Clientset, nginxManager nginx.Manager) bool {
l := nl.LoggerFromContext(ctx)
func processDefaultServerSecret(kubeClient *kubernetes.Clientset, nginxManager nginx.Manager) (bool, error) {

var sslRejectHandshake bool

if *defaultServerSecret != "" {
secret, err := getAndValidateSecret(kubeClient, *defaultServerSecret, api_v1.SecretTypeTLS)
if err != nil {
nl.Fatalf(l, "Error trying to get the default server TLS secret %v: %v", *defaultServerSecret, err)
return sslRejectHandshake, fmt.Errorf("error trying to get the default server TLS secret %v: %w", *defaultServerSecret, err)

}

bytes := configs.GenerateCertAndKeyFileContent(secret)
Expand All @@ -581,25 +594,25 @@
// file doesn't exist - it is OK! we will reject TLS connections in the default server
sslRejectHandshake = true
} else {
nl.Fatalf(l, "Error checking the default server TLS cert and key in %s: %v", configs.DefaultServerSecretPath, err)
return sslRejectHandshake, fmt.Errorf("error checking the default server TLS cert and key in %s: %w", configs.DefaultServerSecretPath, err)

}
}
}
return sslRejectHandshake
return sslRejectHandshake, nil

}

func processWildcardSecret(ctx context.Context, kubeClient *kubernetes.Clientset, nginxManager nginx.Manager) bool {
l := nl.LoggerFromContext(ctx)
if *wildcardTLSSecret != "" {
func processWildcardSecret(kubeClient *kubernetes.Clientset, nginxManager nginx.Manager) (bool, error) {
isWildcardEnabled := *wildcardTLSSecret != ""
if isWildcardEnabled {

secret, err := getAndValidateSecret(kubeClient, *wildcardTLSSecret, api_v1.SecretTypeTLS)
if err != nil {
nl.Fatalf(l, "Error trying to get the wildcard TLS secret %v: %v", *wildcardTLSSecret, err)
return false, fmt.Errorf("error trying to get the wildcard TLS secret %v: %w", *wildcardTLSSecret, err)

}

bytes := configs.GenerateCertAndKeyFileContent(secret)
nginxManager.CreateSecret(configs.WildcardSecretFileName, bytes, nginx.ReadWriteOnlyFileMode)
}
return *wildcardTLSSecret != ""
return isWildcardEnabled, nil

}

func createGlobalConfigurationValidator() *cr_validation.GlobalConfigurationValidator {
Expand Down Expand Up @@ -946,6 +959,13 @@
}
}

func logEventAndExit(ctx context.Context, eventLog record.EventRecorder, obj pkg_runtime.Object, reason string, err error) {
l := nl.LoggerFromContext(ctx)
eventLog.Eventf(obj, api_v1.EventTypeWarning, reason, err.Error())
time.Sleep(fatalEventFlushTime) // wait for the event to be flushed
nl.Fatal(l, err.Error())

}

func initLogger(logFormat string, level slog.Level, out io.Writer) context.Context {
programLevel := new(slog.LevelVar) // Info by default
var h slog.Handler
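Review bot: In logEventAndExit, `eventLog.Eventf(obj, api_v1.EventTypeWarning, reason, err.Error())` passes the error text as the printf format string with no arguments, so any `%` in the wrapped error (the secret name and the underlying client error both flow into it via `%w` in processDefaultServerSecret and processWildcardSecret) is mis-rendered and go vet's printf check flags a non-constant format; use `eventLog.Event(obj, api_v1.EventTypeWarning, reason, err.Error())` instead. The `time.Sleep(fatalEventFlushTime)` before nl.Fatal is a best-effort flush, and if nl.Fatal exits the process the `defer eventBroadcaster.Shutdown()` added in main never runs, so a comment stating that the sleep is the only flush on this exit path would help the next reader. Because the event message is readable by anyone who can list events in the controller namespace, it is worth confirming that the errors returned by getAndValidateSecret carry only the secret's name and the validation failure, never secret contents. In the main hunk, the new pod lookup still uses `context.TODO()` although `ctx` is in scope two lines above.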