Fix sync of secrets (kube lego)

kubernetes · Sep 30, 2017 · dfc7205 · dfc7205
1 parent cbb703c
commit dfc7205
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 1 deletion.
diff --git a/core/pkg/ingress/controller/backend_ssl.go b/core/pkg/ingress/controller/backend_ssl.go
@@ -24,9 +24,12 @@ import (
 	"github.com/golang/glog"
 
 	apiv1 "k8s.io/api/core/v1"
+	extensions "k8s.io/api/extensions/v1beta1"
 	"k8s.io/client-go/tools/cache"
 
 	"k8s.io/ingress/core/pkg/ingress"
+	"k8s.io/ingress/core/pkg/ingress/annotations/class"
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
 	"k8s.io/ingress/core/pkg/net/ssl"
 )
 
@@ -120,6 +123,41 @@ func (ic *GenericController) getPemCertificate(secretName string) (*ingress.SSLC
 	return s, nil
 }
 
+// checkMissingSecrets verify if one or more ingress rules contains a reference
+// to a secret that is not present in the local secret store.
+// In this case we call syncSecret to force a sync.
+func (ic *GenericController) checkMissingSecrets() {
+	for _, key := range ic.listers.Ingress.ListKeys() {
+		if obj, exists, _ := ic.listers.Ingress.GetByKey(key); exists {
+			ing := obj.(*extensions.Ingress)
+
+			if !class.IsValid(ing, ic.cfg.IngressClass, ic.cfg.DefaultIngressClass) {
+				continue
+			}
+
+			for _, tls := range ing.Spec.TLS {
+				if tls.SecretName == "" {
+					continue
+				}
+
+				key := fmt.Sprintf("%v/%v", ing.Namespace, tls.SecretName)
+				if _, ok := ic.sslCertTracker.Get(key); !ok {
+					ic.syncSecret(key)
+				}
+			}
+
+			key, _ := parser.GetStringAnnotation("ingress.kubernetes.io/auth-tls-secret", ing)
+			if key == "" {
+				continue
+			}
+
+			if _, ok := ic.sslCertTracker.Get(key); !ok {
+				ic.syncSecret(key)
+			}
+		}
+	}
+}
+
 // sslCertTracker holds a store of referenced Secrets in Ingress rules
 type sslCertTracker struct {
 	cache.ThreadSafeStore

diff --git a/core/pkg/ingress/controller/controller.go b/core/pkg/ingress/controller/controller.go
@@ -36,6 +36,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/wait"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
 	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -682,7 +683,6 @@ func (ic *GenericController) getBackendServers(ingresses []*extensions.Ingress)
 	return aUpstreams, aServers
 }
 
-
 // GetAuthCertificate is used by the auth-tls annotations to get a cert from a secret
 func (ic GenericController) GetAuthCertificate(secretName string) (*resolver.AuthSSLCert, error) {
 	if _, exists := ic.sslCertTracker.Get(secretName); !exists {
@@ -1220,6 +1220,8 @@ func (ic *GenericController) Start() {
 	go ic.secrController.Run(ic.stopCh)
 	go ic.mapController.Run(ic.stopCh)
 
+	go wait.Until(ic.checkMissingSecrets, 30*time.Second, ic.stopCh)
+
 	// Wait for all involved caches to be synced, before processing items from the queue is started
 	if !cache.WaitForCacheSync(ic.stopCh,
 		ic.ingController.HasSynced,

diff --git a/core/pkg/ingress/controller/listers.go b/core/pkg/ingress/controller/listers.go
@@ -113,6 +113,7 @@ func (ic *GenericController) createListers(disableNodeLister bool) {
 			}
 			key := fmt.Sprintf("%v/%v", sec.Namespace, sec.Name)
 			ic.sslCertTracker.DeleteAll(key)
+			ic.syncQueue.Enqueue(key)
 		},
 	}