-
Notifications
You must be signed in to change notification settings - Fork 303
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Split L7.go into specific resource files
- Loading branch information
Nick Sardo
committed
Jun 5, 2018
1 parent
c38f63d
commit db96b94
Showing
6 changed files
with
832 additions
and
699 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
/* | ||
Copyright 2018 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package loadbalancers | ||
|
||
import ( | ||
"fmt" | ||
"net/http" | ||
|
||
"github.com/golang/glog" | ||
compute "google.golang.org/api/compute/v1" | ||
"k8s.io/ingress-gce/pkg/utils" | ||
) | ||
|
||
// checkStaticIP reserves a static IP allocated to the Forwarding Rule. | ||
func (l *L7) checkStaticIP() (err error) { | ||
if l.fw == nil || l.fw.IPAddress == "" { | ||
return fmt.Errorf("will not create static IP without a forwarding rule") | ||
} | ||
// Don't manage staticIPs if the user has specified an IP. | ||
if address, manageStaticIP := l.getEffectiveIP(); !manageStaticIP { | ||
glog.V(3).Infof("Not managing user specified static IP %v", address) | ||
return nil | ||
} | ||
staticIPName := l.namer.ForwardingRule(l.Name, utils.HTTPProtocol) | ||
ip, _ := l.cloud.GetGlobalAddress(staticIPName) | ||
if ip == nil { | ||
glog.V(3).Infof("Creating static ip %v", staticIPName) | ||
err = l.cloud.ReserveGlobalAddress(&compute.Address{Name: staticIPName, Address: l.fw.IPAddress}) | ||
if err != nil { | ||
if utils.IsHTTPErrorCode(err, http.StatusConflict) || | ||
utils.IsHTTPErrorCode(err, http.StatusBadRequest) { | ||
glog.V(3).Infof("IP %v(%v) is already reserved, assuming it is OK to use.", | ||
l.fw.IPAddress, staticIPName) | ||
return nil | ||
} | ||
return err | ||
} | ||
ip, err = l.cloud.GetGlobalAddress(staticIPName) | ||
if err != nil { | ||
return err | ||
} | ||
} | ||
l.ip = ip | ||
return nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,231 @@ | ||
/* | ||
Copyright 2018 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package loadbalancers | ||
|
||
import ( | ||
"crypto/sha256" | ||
"fmt" | ||
"strings" | ||
|
||
"github.com/golang/glog" | ||
compute "google.golang.org/api/compute/v1" | ||
"k8s.io/ingress-gce/pkg/utils" | ||
) | ||
|
||
func (l *L7) checkSSLCert() error { | ||
// Handle Pre-Shared cert and early return if used | ||
if used, err := l.usePreSharedCert(); used { | ||
return err | ||
} | ||
|
||
// Get updated value of certificate for comparison | ||
if err := l.populateSSLCert(); err != nil { | ||
return err | ||
} | ||
|
||
existingCertsMap := getMapfromCertList(l.sslCerts) | ||
l.oldSSLCerts = l.sslCerts | ||
l.sslCerts = make([]*compute.SslCertificate, 0) | ||
|
||
// mapping of currently configured certs | ||
visitedCertMap := make(map[string]string) | ||
var failedCerts []string | ||
|
||
for _, tlsCert := range l.runtimeInfo.TLS { | ||
ingCert := tlsCert.Cert | ||
ingKey := tlsCert.Key | ||
gcpCertName := l.namer.SSLCertName(l.Name, tlsCert.CertHash) | ||
|
||
if addedBy, exists := visitedCertMap[gcpCertName]; exists { | ||
glog.V(3).Infof("Secret %q has a certificate already used by %v", tlsCert.Name, addedBy) | ||
continue | ||
} | ||
|
||
// PrivateKey is write only, so compare certs alone. We're assuming that | ||
// no one will change just the key. We can remember the key and compare, | ||
// but a bug could end up leaking it, which feels worse. | ||
// If the cert contents have changed, its hash would be different, so would be the cert name. So it is enough | ||
// to check if this cert name exists in the map. | ||
if existingCertsMap != nil { | ||
if cert, ok := existingCertsMap[gcpCertName]; ok { | ||
glog.V(3).Infof("Secret %q already exists as certificate %q", tlsCert.Name, gcpCertName) | ||
visitedCertMap[gcpCertName] = fmt.Sprintf("certificate:%q", gcpCertName) | ||
l.sslCerts = append(l.sslCerts, cert) | ||
continue | ||
} | ||
} | ||
// Controller needs to create the certificate, no need to check if it exists and delete. If it did exist, it | ||
// would have been listed in the populateSSLCert function and matched in the check above. | ||
glog.V(2).Infof("Creating new sslCertificate %q for LB %q", gcpCertName, l.Name) | ||
cert, err := l.cloud.CreateSslCertificate(&compute.SslCertificate{ | ||
Name: gcpCertName, | ||
Certificate: ingCert, | ||
PrivateKey: ingKey, | ||
}) | ||
if err != nil { | ||
glog.Errorf("Failed to create new sslCertificate %q for %q - %v", gcpCertName, l.Name, err) | ||
failedCerts = append(failedCerts, gcpCertName+" Error:"+err.Error()) | ||
continue | ||
} | ||
visitedCertMap[gcpCertName] = fmt.Sprintf("secret:%q", tlsCert.Name) | ||
l.sslCerts = append(l.sslCerts, cert) | ||
} | ||
|
||
// Save the old certs for cleanup after we update the target proxy. | ||
if len(failedCerts) > 0 { | ||
return fmt.Errorf("Cert creation failures - %s", strings.Join(failedCerts, ",")) | ||
} | ||
return nil | ||
} | ||
|
||
func (l *L7) usePreSharedCert() (bool, error) { | ||
// Use the named GCE cert when it is specified by the annotation. | ||
preSharedCertName := l.runtimeInfo.TLSName | ||
if preSharedCertName == "" { | ||
return false, nil | ||
} | ||
preSharedCerts := strings.Split(preSharedCertName, ",") | ||
if len(preSharedCerts) > TargetProxyCertLimit { | ||
glog.Warningf("Specified %d preshared certs, limit is %d, rest will be ignored", | ||
len(preSharedCerts), TargetProxyCertLimit) | ||
preSharedCerts = preSharedCerts[:TargetProxyCertLimit] | ||
} | ||
|
||
l.sslCerts = make([]*compute.SslCertificate, 0, len(preSharedCerts)) | ||
var failedCerts []string | ||
|
||
for _, sharedCert := range preSharedCerts { | ||
// Ask GCE for the cert, checking for problems and existence. | ||
sharedCert = strings.TrimSpace(sharedCert) | ||
cert, err := l.cloud.GetSslCertificate(sharedCert) | ||
if err != nil { | ||
failedCerts = append(failedCerts, sharedCert+" Error: "+err.Error()) | ||
continue | ||
} | ||
if cert == nil { | ||
failedCerts = append(failedCerts, sharedCert+" Error: unable to find existing sslCertificate") | ||
continue | ||
} | ||
|
||
glog.V(2).Infof("Using existing sslCertificate %v for %v", sharedCert, l.Name) | ||
l.sslCerts = append(l.sslCerts, cert) | ||
} | ||
if len(failedCerts) != 0 { | ||
return true, fmt.Errorf("PreSharedCert errors - %s", strings.Join(failedCerts, ",")) | ||
} | ||
return true, nil | ||
} | ||
|
||
func getMapfromCertList(certs []*compute.SslCertificate) map[string]*compute.SslCertificate { | ||
if len(certs) == 0 { | ||
return nil | ||
} | ||
certMap := make(map[string]*compute.SslCertificate) | ||
for _, cert := range certs { | ||
certMap[cert.Name] = cert | ||
} | ||
return certMap | ||
} | ||
|
||
func (l *L7) populateSSLCert() error { | ||
l.sslCerts = make([]*compute.SslCertificate, 0) | ||
// Currently we list all certs available in gcloud and filter the ones managed by this loadbalancer instance. This is | ||
// to make sure we garbage collect any old certs that this instance might have lost track of due to crashes. | ||
// Can be a performance issue if there are too many global certs, default quota is only 10. | ||
certs, err := l.cloud.ListSslCertificates() | ||
if err != nil { | ||
return utils.IgnoreHTTPNotFound(err) | ||
} | ||
for _, c := range certs { | ||
if l.namer.IsCertUsedForLB(l.Name, c.Name) { | ||
glog.V(4).Infof("Populating ssl cert %s for l7 %s", c.Name, l.Name) | ||
l.sslCerts = append(l.sslCerts, c) | ||
} | ||
} | ||
if len(l.sslCerts) == 0 { | ||
// Check for legacy cert since that follows a different naming convention | ||
glog.V(4).Infof("Looking for legacy ssl certs") | ||
expectedCertNames := l.getSslCertLinkInUse() | ||
for _, link := range expectedCertNames { | ||
// Retrieve the certificate and ignore error if certificate wasn't found | ||
name := getResourceNameFromLink(link) | ||
if !l.namer.IsLegacySSLCert(l.Name, name) { | ||
continue | ||
} | ||
cert, _ := l.cloud.GetSslCertificate(getResourceNameFromLink(name)) | ||
if cert != nil { | ||
glog.V(4).Infof("Populating legacy ssl cert %s for l7 %s", cert.Name, l.Name) | ||
l.sslCerts = append(l.sslCerts, cert) | ||
} | ||
} | ||
} | ||
return nil | ||
} | ||
|
||
func (l *L7) deleteOldSSLCerts() { | ||
if len(l.oldSSLCerts) == 0 { | ||
return | ||
} | ||
certsMap := getMapfromCertList(l.sslCerts) | ||
for _, cert := range l.oldSSLCerts { | ||
if !l.namer.IsCertUsedForLB(l.Name, cert.Name) && !l.namer.IsLegacySSLCert(l.Name, cert.Name) { | ||
// retain cert if it is managed by GCE(non-ingress) | ||
continue | ||
} | ||
if _, ok := certsMap[cert.Name]; ok { | ||
// cert found in current map | ||
continue | ||
} | ||
glog.V(3).Infof("Cleaning up old SSL Certificate %s", cert.Name) | ||
if certErr := utils.IgnoreHTTPNotFound(l.cloud.DeleteSslCertificate(cert.Name)); certErr != nil { | ||
glog.Errorf("Old cert delete failed - %v", certErr) | ||
} | ||
} | ||
} | ||
|
||
// Returns true if the input array of certs is identical to the certs in the L7 config. | ||
// Returns false if there is any mismatch | ||
func (l *L7) compareCerts(certLinks []string) bool { | ||
certsMap := getMapfromCertList(l.sslCerts) | ||
if len(certLinks) != len(certsMap) { | ||
glog.V(4).Infof("Loadbalancer has %d certs, target proxy has %d certs", len(certsMap), len(certLinks)) | ||
return false | ||
} | ||
var certName string | ||
for _, linkName := range certLinks { | ||
certName = getResourceNameFromLink(linkName) | ||
if cert, ok := certsMap[certName]; !ok { | ||
glog.V(4).Infof("Cannot find cert with name %s in certsMap %+v", certName, certsMap) | ||
return false | ||
} else if ok && !utils.CompareLinks(linkName, cert.SelfLink) { | ||
glog.V(4).Infof("Selflink compare failed for certs - %s in loadbalancer, %s in targetproxy", cert.SelfLink, linkName) | ||
return false | ||
} | ||
} | ||
return true | ||
} | ||
|
||
func GetCertHash(contents string) string { | ||
return fmt.Sprintf("%x", sha256.Sum256([]byte(contents)))[:16] | ||
} | ||
|
||
func toCertNames(certs []*compute.SslCertificate) (names []string) { | ||
for _, v := range certs { | ||
names = append(names, v.Name) | ||
} | ||
return names | ||
} |
Oops, something went wrong.