Merge pull request #1198 from spencerhance/tls-translator

Refactor tls package into translator
kubernetes · Aug 5, 2020 · 311b19c · 311b19c
2 parents c96b1d8 + 0c77c28
commit 311b19c
Show file tree

Hide file tree

Showing 8 changed files with 122 additions and 176 deletions.
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
@@ -40,7 +40,7 @@ import (
 	"k8s.io/ingress-gce/pkg/backends"
 	"k8s.io/ingress-gce/pkg/common/operator"
 	"k8s.io/ingress-gce/pkg/context"
-	"k8s.io/ingress-gce/pkg/controller/translator"
+	legacytranslator "k8s.io/ingress-gce/pkg/controller/translator"
 	"k8s.io/ingress-gce/pkg/events"
 	"k8s.io/ingress-gce/pkg/flags"
 	"k8s.io/ingress-gce/pkg/frontendconfig"
@@ -50,7 +50,7 @@ import (
 	"k8s.io/ingress-gce/pkg/metrics"
 	negtypes "k8s.io/ingress-gce/pkg/neg/types"
 	ingsync "k8s.io/ingress-gce/pkg/sync"
-	"k8s.io/ingress-gce/pkg/tls"
+	"k8s.io/ingress-gce/pkg/translator"
 	"k8s.io/ingress-gce/pkg/utils"
 	"k8s.io/ingress-gce/pkg/utils/common"
 	"k8s.io/ingress-gce/pkg/utils/namer"
@@ -67,15 +67,13 @@ type LoadBalancerController struct {
 
 	// TODO: Watch secrets
 	ingQueue   utils.TaskQueue
-	Translator *translator.Translator
+	Translator *legacytranslator.Translator
 	stopCh     chan struct{}
 	// stopLock is used to enforce only a single call to Stop is active.
 	// Needed because we allow stopping through an http endpoint and
 	// allowing concurrent stoppers leads to stack traces.
 	stopLock sync.Mutex
 	shutdown bool
-	// tlsLoader loads secrets from the Kubernetes apiserver for Ingresses.
-	tlsLoader tls.TlsLoader
 	// hasSynced returns true if all associated sub-controllers have synced.
 	// Abstracted into a func for testing.
 	hasSynced func() bool
@@ -115,8 +113,7 @@ func NewLoadBalancerController(
 	lbc := LoadBalancerController{
 		ctx:           ctx,
 		nodeLister:    ctx.NodeInformer.GetIndexer(),
-		Translator:    translator.NewTranslator(ctx),
-		tlsLoader:     &tls.TLSCertsFromSecretsLoader{Client: ctx.KubeClient},
+		Translator:    legacytranslator.NewTranslator(ctx),
 		stopCh:        stopCh,
 		hasSynced:     ctx.HasSynced,
 		nodes:         NewNodeController(ctx, instancePool),
@@ -654,7 +651,12 @@ func (lbc *LoadBalancerController) updateIngressStatus(l7 *loadbalancers.L7, ing
 // toRuntimeInfo returns L7RuntimeInfo for the given ingress.
 func (lbc *LoadBalancerController) toRuntimeInfo(ing *v1beta1.Ingress, urlMap *utils.GCEURLMap) (*loadbalancers.L7RuntimeInfo, error) {
 	annotations := annotations.FromIngress(ing)
-	tls, err := lbc.tlsLoader.Load(ing)
+	env, err := translator.NewEnv(ing, lbc.ctx.KubeClient, "", "", "")
+	if err != nil {
+		return nil, fmt.Errorf("error initializing translator env: %v", err)
+	}
+
+	tls, err := translator.ToTLSCerts(env)
 	if err != nil {
 		if apierrors.IsNotFound(err) {
 			// TODO: this path should be removed when external certificate managers migrate to a better solution.

diff --git a/pkg/controller/controller_test.go b/pkg/controller/controller_test.go
@@ -45,7 +45,7 @@ import (
 	"k8s.io/ingress-gce/pkg/instances"
 	"k8s.io/ingress-gce/pkg/loadbalancers"
 	"k8s.io/ingress-gce/pkg/test"
-	"k8s.io/ingress-gce/pkg/tls"
+	"k8s.io/ingress-gce/pkg/translator"
 	"k8s.io/ingress-gce/pkg/utils"
 	"k8s.io/ingress-gce/pkg/utils/common"
 	namer_util "k8s.io/ingress-gce/pkg/utils/namer"
@@ -675,9 +675,23 @@ func TestMCIngressIG(t *testing.T) {
 // are included in the RuntimeInfo.
 func TestToRuntimeInfoCerts(t *testing.T) {
 	lbc := newLoadBalancerController()
-	tlsCerts := []*loadbalancers.TLSCerts{{Key: "key", Cert: "cert", Name: "tlsCert"}}
-	fakeLoader := &tls.FakeTLSSecretLoader{FakeCerts: map[string]*loadbalancers.TLSCerts{"tlsCert": tlsCerts[0]}}
-	lbc.tlsLoader = fakeLoader
+	secretsMap := map[string]*api_v1.Secret{
+		"tlsCert": &api_v1.Secret{
+			ObjectMeta: meta_v1.ObjectMeta{
+				Name: "tlsCert",
+			},
+			Data: map[string][]byte{
+				api_v1.TLSCertKey:       []byte("cert"),
+				api_v1.TLSPrivateKeyKey: []byte("key"),
+			},
+		},
+	}
+	tlsCerts := []*translator.TLSCerts{{Key: "key", Cert: "cert", Name: "tlsCert", CertHash: translator.GetCertHash("cert")}}
+
+	for _, v := range secretsMap {
+		lbc.ctx.KubeClient.CoreV1().Secrets("").Create(context2.TODO(), v, meta_v1.CreateOptions{})
+	}
+
 	presharedCertName := "preSharedCert"
 	ing := &v1beta1.Ingress{
 		ObjectMeta: meta_v1.ObjectMeta{
@@ -699,8 +713,10 @@ func TestToRuntimeInfoCerts(t *testing.T) {
 	if lbInfo.TLSName != presharedCertName {
 		t.Errorf("lbInfo.TLSName = %v, want %v", lbInfo.TLSName, presharedCertName)
 	}
-	if len(lbInfo.TLS) != 1 || lbInfo.TLS[0] != tlsCerts[0] {
-		t.Errorf("lbInfo.TLS = %v, want %v", lbInfo.TLS, tlsCerts)
+
+	diff := cmp.Diff(tlsCerts[0], lbInfo.TLS[0])
+	if len(lbInfo.TLS) != 1 || diff != "" {
+		t.Errorf("got diff comparing tls certs (-want, +got) %v", diff)
 	}
 }
 

diff --git a/pkg/loadbalancers/certificates.go b/pkg/loadbalancers/certificates.go
@@ -17,13 +17,12 @@ limitations under the License.
 package loadbalancers
 
 import (
-	"crypto/sha256"
 	"fmt"
-	"k8s.io/ingress-gce/pkg/composite"
 	"net/http"
 	"strings"
 
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/ingress-gce/pkg/composite"
 	"k8s.io/ingress-gce/pkg/utils"
 	"k8s.io/klog"
 )
@@ -300,10 +299,6 @@ func (l *L7) compareCerts(certLinks []string) bool {
 	return true
 }
 
-func GetCertHash(contents string) string {
-	return fmt.Sprintf("%x", sha256.Sum256([]byte(contents)))[:16]
-}
-
 func toCertNames(certs []*composite.SslCertificate) (names []string) {
 	for _, v := range certs {
 		names = append(names, v.Name)

diff --git a/pkg/loadbalancers/l7.go b/pkg/loadbalancers/l7.go
@@ -22,6 +22,7 @@ import (
 	"strings"
 
 	"k8s.io/ingress-gce/pkg/flags"
+	"k8s.io/ingress-gce/pkg/translator"
 
 	"github.com/GoogleCloudPlatform/k8s-cloud-provider/pkg/cloud/meta"
 	corev1 "k8s.io/api/core/v1"
@@ -48,7 +49,7 @@ type L7RuntimeInfo struct {
 	// IP is the desired ip of the loadbalancer, eg from a staticIP.
 	IP string
 	// TLS are the tls certs to use in termination.
-	TLS []*TLSCerts
+	TLS []*translator.TLSCerts
 	// TLSName is the name of the preshared cert to use. Multiple certs can be specified as a comma-separated string
 	TLSName string
 	// Ingress is the processed Ingress API object.
@@ -66,19 +67,6 @@ type L7RuntimeInfo struct {
 	FrontendConfig *frontendconfigv1beta1.FrontendConfig
 }
 
-// TLSCerts encapsulates .pem encoded TLS information.
-type TLSCerts struct {
-	// Key is private key.
-	Key string
-	// Cert is a public key.
-	Cert string
-	// Chain is a certificate chain.
-	Chain string
-	Name  string
-	// md5 hash(first 8 bytes) of the cert contents
-	CertHash string
-}
-
 // L7 represents a single L7 loadbalancer.
 type L7 struct {
 	// runtimeInfo is non-cloudprovider information passed from the controller.