
Commit c569289

committed
when mgmt configmap changes update secrets
1 parent 24685fc commit c569289


1 file changed

+32
-4
lines changed


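--- a/internal/k8s/controller.go
+++ b/internal/k8s/controller.go
@@ -883,6 +883,7 @@ func (lbc *LoadBalancerController) updateAllConfigs() {
 var isNGINXConfigValid bool
 var mgmtConfigHasWarnings bool
 var mgmtErr error
+reloadNginx := false
 
 if lbc.configMap != nil {
 cfgParams, isNGINXConfigValid = configs.ParseConfigMap(ctx, lbc.configMap, lbc.isNginxPlus, lbc.appProtectEnabled, lbc.appProtectDosEnabled, lbc.configuration.isTLSPassthroughEnabled, lbc.recorder)
@@ -892,6 +893,15 @@ func (lbc *LoadBalancerController) updateAllConfigs() {
 if mgmtErr != nil {
 nl.Errorf(lbc.Logger, "configmap %s/%s: %v", lbc.mgmtConfigMap.GetNamespace(), lbc.mgmtConfigMap.GetName(), mgmtErr)
 }
+// update special license secret in mgmtConfigParams
+if mgmtCfgParams.Secrets.License != "" {
+secret, err := lbc.client.CoreV1().Secrets(lbc.mgmtConfigMap.GetNamespace()).Get(context.TODO(), mgmtCfgParams.Secrets.License, meta_v1.GetOptions{})
+if err != nil {
+nl.Errorf(lbc.Logger, "secret %s/%s: %v", lbc.mgmtConfigMap.GetNamespace(), mgmtCfgParams.Secrets.License, err)
+}
+lbc.specialSecrets.licenseSecret = fmt.Sprintf("%s/%s", secret.Namespace, secret.Name)
+lbc.handleSpecialSecretUpdate(secret, reloadNginx)
+}
 // update special CA secret in mgmtConfigParams
 if mgmtCfgParams.Secrets.TrustedCert != "" {
 secret, err := lbc.client.CoreV1().Secrets(lbc.mgmtConfigMap.GetNamespace()).Get(context.TODO(), mgmtCfgParams.Secrets.TrustedCert, meta_v1.GetOptions{})
@@ -901,6 +911,17 @@ func (lbc *LoadBalancerController) updateAllConfigs() {
 if _, hasCRL := secret.Data[configs.CACrlKey]; hasCRL {
 mgmtCfgParams.Secrets.TrustedCRL = secret.Name
 }
+lbc.specialSecrets.trustedCertSecret = fmt.Sprintf("%s/%s", secret.Namespace, secret.Name)
+lbc.handleSpecialSecretUpdate(secret, reloadNginx)
+}
+// update special ClientAuth secret in mgmtConfigParams
+if mgmtCfgParams.Secrets.ClientAuth != "" {
+secret, err := lbc.client.CoreV1().Secrets(lbc.mgmtConfigMap.GetNamespace()).Get(context.TODO(), mgmtCfgParams.Secrets.ClientAuth, meta_v1.GetOptions{})
+if err != nil {
+nl.Errorf(lbc.Logger, "secret %s/%s: %v", lbc.mgmtConfigMap.GetNamespace(), mgmtCfgParams.Secrets.ClientAuth, err)
+}
+lbc.specialSecrets.clientAuthSecret = fmt.Sprintf("%s/%s", secret.Namespace, secret.Name)
+lbc.handleSpecialSecretUpdate(secret, reloadNginx)
 }
 }
 
@@ -910,7 +931,7 @@ func (lbc *LoadBalancerController) updateAllConfigs() {
 
 resourceExes := lbc.createExtendedResources(resources)
 
-warnings, updateErr := lbc.configurator.UpdateConfig(cfgParams, mgmtCfgParams, resourceExes)
+warnings, updateErr := lbc.configurator.UpdateConfig(cfgParams, mgmtCfgParams, resourceExes) // reload happens here
 eventTitle := "Updated"
 eventType := api_v1.EventTypeNormal
 eventWarningMessage := ""
@@ -1769,7 +1790,8 @@ func (lbc *LoadBalancerController) syncSecret(task task) {
 lbc.secretStore.AddOrUpdateSecret(secret)
 
 if lbc.isSpecialSecret(key) {
-lbc.handleSpecialSecretUpdate(secret)
+reloadNginx := true
+lbc.handleSpecialSecretUpdate(secret, reloadNginx)
 // we don't return here in case the special secret is also used in resources.
 }
 
@@ -1846,7 +1868,7 @@ func (lbc *LoadBalancerController) validationTLSSpecialSecret(secret *api_v1.Sec
 *secretList = append(*secretList, secretName)
 }
 
-func (lbc *LoadBalancerController) handleSpecialSecretUpdate(secret *api_v1.Secret) {
+func (lbc *LoadBalancerController) handleSpecialSecretUpdate(secret *api_v1.Secret, reload bool) {
 var specialTLSSecretsToUpdate []string
 secretNsName := generateSecretNSName(secret)
 
@@ -1860,6 +1882,12 @@ func (lbc *LoadBalancerController) handleSpecialSecretUpdate(secret *api_v1.Secr
 return
 }
 
+// When the MGMT Configmap updates, we don't need to reload here, we are reloading in updateAllConfigs().
+if !reload {
+lbc.recorder.Eventf(lbc.metadata.pod, api_v1.EventTypeNormal, "SecretUpdated", "the special Secret %v was updated", secretNsName)
+return
+}
+
 // reload nginx when the TLS special secrets are updated
 switch secretNsName {
 case lbc.specialSecrets.licenseSecret:
@@ -1881,7 +1909,7 @@ func (lbc *LoadBalancerController) handleSpecialSecretUpdate(secret *api_v1.Secr
 }
 }
 
-lbc.recorder.Eventf(secret, api_v1.EventTypeNormal, "Updated", "the special Secret %v was updated", secretNsName)
+lbc.recorder.Eventf(lbc.metadata.pod, api_v1.EventTypeNormal, "SecretUpdated", "the special Secret %v was updated", secretNsName)
 }
 
 // writeSpecialSecrets generates content and writes the secret to disk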
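Review bot: In the new license block (new lines 896–904) a failed `Get` is only logged and execution falls through, so `lbc.specialSecrets.licenseSecret` is built from the error-case `secret` and `handleSpecialSecretUpdate` is then called with that object; the ClientAuth block (918–924) repeats the same fall-through, and the TrustedCert block looks to have the same shape although its error check sits outside the hunk. Record the tracked ns/name from the ConfigMap values instead (those are what the later `isSpecialSecret`/`switch secretNsName` comparisons need to match, even when the Secret does not exist yet) and only call `handleSpecialSecretUpdate` when the fetch succeeded; since the license and ClientAuth blocks differ only in the field, a small helper removes the duplication, while the TrustedCert block keeps its own fetch because it also inspects `secret.Data` for the CRL. `ctx` is already in scope in `updateAllConfigs` (it is passed to `ParseConfigMap` at the top of the first hunk), so prefer it over `context.TODO()`. Separately, the new early return in `handleSpecialSecretUpdate` (new lines 1885–1889) skips the `switch` that follows; if that switch is where the secret content is written to disk ahead of a reload, a ConfigMap-driven update would emit `SecretUpdated` without the file being rewritten before `UpdateConfig` reloads — worth confirming, since the rest of that function is outside the hunk.
```go
// syncMgmtSpecialSecret records ns/name from the mgmt ConfigMap as a special
// secret and, when the Secret can be fetched, runs the special-secret update.
// The returned "ns/name" is recorded even if the fetch fails so a later create
// of that Secret is still recognised by isSpecialSecret.
func (lbc *LoadBalancerController) syncMgmtSpecialSecret(ctx context.Context, name string, reload bool) string {
	ns := lbc.mgmtConfigMap.GetNamespace()
	nsName := fmt.Sprintf("%s/%s", ns, name)
	secret, err := lbc.client.CoreV1().Secrets(ns).Get(ctx, name, meta_v1.GetOptions{})
	if err != nil {
		nl.Errorf(lbc.Logger, "secret %s: %v", nsName, err)
		return nsName
	}
	lbc.handleSpecialSecretUpdate(secret, reload)
	return nsName
}

// … in updateAllConfigs(), replacing the license and ClientAuth blocks …
if mgmtCfgParams.Secrets.License != "" {
	lbc.specialSecrets.licenseSecret = lbc.syncMgmtSpecialSecret(ctx, mgmtCfgParams.Secrets.License, reloadNginx)
}
// … unchanged: TrustedCert block (keeps its CRL check), guarded the same way on err …
if mgmtCfgParams.Secrets.ClientAuth != "" {
	lbc.specialSecrets.clientAuthSecret = lbc.syncMgmtSpecialSecret(ctx, mgmtCfgParams.Secrets.ClientAuth, reloadNginx)
}
```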
