From 3feeec3e76e0f22b05bb224f517ea4ccfe2b48c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20=C5=81owicki?= <lowicki@google.com>
Date: Fri, 15 Mar 2019 14:45:58 +0100
Subject: [PATCH] Fix supporting secret-based and pre-shared certs at the same
 time

---
 pkg/controller/controller.go      | 22 ++++++++-----------
 pkg/controller/controller_test.go | 35 +++++++++++++++++++++++++++++++
 pkg/loadbalancers/certificates.go |  1 +
 3 files changed, 45 insertions(+), 13 deletions(-)

diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index b1bd1b9ae1..56b5de067b 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -556,19 +556,15 @@ func (lbc *LoadBalancerController) toRuntimeInfo(ing *extensions.Ingress, urlMap
 	var tls []*loadbalancers.TLSCerts
 
 	annotations := annotations.FromIngress(ing)
-	// Load the TLS cert from the API Spec if it is not specified in the annotation.
-	// TODO: enforce this with validation.
-	if annotations.UseNamedTLS() == "" {
-		tls, err = lbc.tlsLoader.Load(ing)
-		if err != nil {
-			if apierrors.IsNotFound(err) {
-				// TODO: this path should be removed when external certificate managers migrate to a better solution.
-				const msg = "Could not find TLS certificates. Continuing setup for the load balancer to serve HTTP. Note: this behavior is deprecated and will be removed in a future version of ingress-gce"
-				lbc.ctx.Recorder(ing.Namespace).Eventf(ing, apiv1.EventTypeWarning, "Sync", msg)
-			} else {
-				glog.Errorf("Could not get certificates for ingress %s/%s: %v", ing.Namespace, ing.Name, err)
-				return nil, err
-			}
+	tls, err = lbc.tlsLoader.Load(ing)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			// TODO: this path should be removed when external certificate managers migrate to a better solution.
+			const msg = "Could not find TLS certificates. Continuing setup for the load balancer to serve HTTP. Note: this behavior is deprecated and will be removed in a future version of ingress-gce"
+			lbc.ctx.Recorder(ing.Namespace).Eventf(ing, apiv1.EventTypeWarning, "Sync", msg)
+		} else {
+			glog.Errorf("Could not get certificates for ingress %s/%s: %v", ing.Namespace, ing.Name, err)
+			return nil, err
 		}
 	}
 
diff --git a/pkg/controller/controller_test.go b/pkg/controller/controller_test.go
index aeef6d5652..bdd42ac21f 100644
--- a/pkg/controller/controller_test.go
+++ b/pkg/controller/controller_test.go
@@ -28,11 +28,13 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/ingress-gce/pkg/annotations"
 	backendconfigclient "k8s.io/ingress-gce/pkg/backendconfig/client/clientset/versioned/fake"
 	"k8s.io/ingress-gce/pkg/events"
 	"k8s.io/ingress-gce/pkg/instances"
 	"k8s.io/ingress-gce/pkg/loadbalancers"
 	"k8s.io/ingress-gce/pkg/test"
+	"k8s.io/ingress-gce/pkg/tls"
 	"k8s.io/ingress-gce/pkg/utils"
 	"k8s.io/kubernetes/pkg/cloudprovider/providers/gce"
 
@@ -350,3 +352,36 @@ func TestEnsureMCIngress(t *testing.T) {
 		t.Errorf("Ingress.Annotation %q = %q, want %q", igAnnotationKey, val, wantVal)
 	}
 }
+
+// TestToRuntimeInfoCerts asserts that both pre-shared and secret-based certs
+// are included in the RuntimeInfo.
+func TestToRuntimeInfoCerts(t *testing.T) {
+	lbc := newLoadBalancerController()
+	tlsCerts := []*loadbalancers.TLSCerts{&loadbalancers.TLSCerts{Key: "key", Cert: "cert", Name: "tlsCert"}}
+	fakeLoader := &tls.FakeTLSSecretLoader{FakeCerts: map[string]*loadbalancers.TLSCerts{"tlsCert": tlsCerts[0]}}
+	lbc.tlsLoader = fakeLoader
+	presharedCertName := "preSharedCert"
+	ing := &extensions.Ingress{
+		ObjectMeta: meta_v1.ObjectMeta{
+			Annotations: map[string]string{annotations.PreSharedCertKey: presharedCertName},
+		},
+		Spec: extensions.IngressSpec{
+			TLS: []extensions.IngressTLS{
+				extensions.IngressTLS{
+					SecretName: tlsCerts[0].Name,
+				},
+			},
+		},
+	}
+	urlMap := &utils.GCEURLMap{}
+	lbInfo, err := lbc.toRuntimeInfo(ing, urlMap)
+	if err != nil {
+		t.Fatalf("lbc.toRuntimeInfo() = err %v", err)
+	}
+	if lbInfo.TLSName != presharedCertName {
+		t.Errorf("lbInfo.TLSName = %v, want %v", lbInfo.TLSName, presharedCertName)
+	}
+	if len(lbInfo.TLS) != 1 || lbInfo.TLS[0] != tlsCerts[0] {
+		t.Errorf("lbInfo.TLS = %v, want %v", lbInfo.TLS, tlsCerts)
+	}
+}
diff --git a/pkg/loadbalancers/certificates.go b/pkg/loadbalancers/certificates.go
index 0c4a285a9b..a2403c70fd 100644
--- a/pkg/loadbalancers/certificates.go
+++ b/pkg/loadbalancers/certificates.go
@@ -55,6 +55,7 @@ func (l *L7) checkSSLCert() error {
 		errs = append(errs, err)
 	}
 	l.sslCerts = append(l.sslCerts, secretsSslCerts...)
+	glog.V(2).Infof("Using %v pre-shared certificates and %v certificates from secrets", len(preSharedSslCerts), len(secretsSslCerts))
 	if len(errs) > 0 {
 		return utils.JoinErrs(errs)
 	}