refactor special secret input and validation

pdabelf5 · pdabelf5 · commit 85a1db4c4b63 · 2024-11-14T10:32:43.000Z
diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go
@@ -103,6 +103,11 @@ type podEndpoint struct {
 	configs.MeshPodOwner
 }
 
+type specialSecrets struct {
+	defaultServerSecret string
+	wildcardTLSSecret   string
+}
+
 // LoadBalancerController watches Kubernetes API and
 // reconfigures NGINX via NginxController when needed
 type LoadBalancerController struct {
@@ -131,7 +136,7 @@ type LoadBalancerController struct {
 	appProtectEnabled             bool
 	appProtectDosEnabled          bool
 	recorder                      record.EventRecorder
-	defaultServerSecret           string
+	specialSecrets                specialSecrets
 	ingressClass                  string
 	statusUpdater                 *statusUpdater
 	leaderElector                 *leaderelection.LeaderElector
@@ -142,7 +147,6 @@ type LoadBalancerController struct {
 	namespaceList                 []string
 	secretNamespaceList           []string
 	controllerNamespace           string
-	wildcardTLSSecret             string
 	areCustomResourcesEnabled     bool
 	enableOIDC                    bool
 	metricsCollector              collectors.ControllerCollector
@@ -226,14 +230,18 @@ type NewLoadBalancerControllerInput struct {
 
 // NewLoadBalancerController creates a controller
 func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalancerController {
+	specialSecrets := specialSecrets{
+		defaultServerSecret: input.DefaultServerSecret,
+		wildcardTLSSecret:   input.WildcardTLSSecret,
+	}
 	lbc := &LoadBalancerController{
 		client:                       input.KubeClient,
 		confClient:                   input.ConfClient,
 		dynClient:                    input.DynClient,
 		restConfig:                   input.RestConfig,
 		Logger:                       nl.LoggerFromContext(input.LoggerContext),
 		configurator:                 input.NginxConfigurator,
-		defaultServerSecret:          input.DefaultServerSecret,
+		specialSecrets:               specialSecrets,
 		appProtectEnabled:            input.AppProtectEnabled,
 		appProtectDosEnabled:         input.AppProtectDosEnabled,
 		isNginxPlus:                  input.IsNginxPlus,
@@ -245,7 +253,6 @@ func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalanc
 		namespaceList:                input.Namespace,
 		secretNamespaceList:          input.SecretNamespace,
 		controllerNamespace:          input.ControllerNamespace,
-		wildcardTLSSecret:            input.WildcardTLSSecret,
 		areCustomResourcesEnabled:    input.AreCustomResourcesEnabled,
 		enableOIDC:                   input.EnableOIDC,
 		metricsCollector:             input.MetricsCollector,
@@ -1726,7 +1733,14 @@ func removeDuplicateResources(resources []Resource) []Resource {
 }
 
 func (lbc *LoadBalancerController) isSpecialSecret(secretName string) bool {
-	return secretName == lbc.defaultServerSecret || secretName == lbc.wildcardTLSSecret
+	switch secretName {
+	case lbc.specialSecrets.defaultServerSecret:
+		return true
+	case lbc.specialSecrets.wildcardTLSSecret:
+		return true
+	default:
+		return false
+	}
 }
 
 func (lbc *LoadBalancerController) handleRegularSecretDeletion(resources []Resource) {
@@ -1754,31 +1768,35 @@ func (lbc *LoadBalancerController) handleSecretUpdate(secret *api_v1.Secret, res
 	lbc.updateResourcesStatusAndEvents(resources, warnings, addOrUpdateErr)
 }
 
-func (lbc *LoadBalancerController) handleSpecialSecretUpdate(secret *api_v1.Secret) {
+func (lbc *LoadBalancerController) validationTLSSpecialSecret(secret *api_v1.Secret, secretName string) {
 	var specialSecretsToUpdate []string
 	secretNsName := secret.Namespace + "/" + secret.Name
+
 	err := secrets.ValidateTLSSecret(secret)
 	if err != nil {
 		nl.Errorf(lbc.Logger, "Couldn't validate the special Secret %v: %v", secretNsName, err)
 		lbc.recorder.Eventf(secret, api_v1.EventTypeWarning, "Rejected", "the special Secret %v was rejected, using the previous version: %v", secretNsName, err)
 		return
 	}
-
-	if secretNsName == lbc.defaultServerSecret {
-		specialSecretsToUpdate = append(specialSecretsToUpdate, configs.DefaultServerSecretName)
-	}
-	if secretNsName == lbc.wildcardTLSSecret {
-		specialSecretsToUpdate = append(specialSecretsToUpdate, configs.WildcardSecretName)
-	}
+	specialSecretsToUpdate = append(specialSecretsToUpdate, secretName)
 
 	err = lbc.configurator.AddOrUpdateSpecialTLSSecrets(secret, specialSecretsToUpdate)
 	if err != nil {
 		nl.Errorf(lbc.Logger, "Error when updating the special Secret %v: %v", secretNsName, err)
 		lbc.recorder.Eventf(secret, api_v1.EventTypeWarning, "UpdatedWithError", "the special Secret %v was updated, but not applied: %v", secretNsName, err)
 		return
 	}
+}
+
+func (lbc *LoadBalancerController) handleSpecialSecretUpdate(secret *api_v1.Secret) {
+	switch secret.Name {
+	case lbc.specialSecrets.defaultServerSecret:
+		lbc.validationTLSSpecialSecret(secret, configs.DefaultServerSecretName)
+	case lbc.specialSecrets.wildcardTLSSecret:
+		lbc.validationTLSSpecialSecret(secret, configs.WildcardSecretName)
+	}
 
-	lbc.recorder.Eventf(secret, api_v1.EventTypeNormal, "Updated", "the special Secret %v was updated", secretNsName)
+	lbc.recorder.Eventf(secret, api_v1.EventTypeNormal, "Updated", "the special Secret %v was updated", secret.Namespace+"/"+secret.Name)
 }
 
 func getStatusFromEventTitle(eventTitle string) string {
