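--- a/internal/configs/configurator.go
+++ b/internal/configs/configurator.go
@@ -925,6 +925,7 @@
 // AddOrUpdateSpecialTLSSecrets adds or updates a file with a TLS cert and a key from a Special TLS Secret (eg. DefaultServerSecret, WildcardTLSSecret).
 func (cnf *Configurator) AddOrUpdateSpecialTLSSecrets(secret *api_v1.Secret, secretNames []string) error {
 l := nl.LoggerFromContext(cnf.CfgParams.Context)
+nl.Debugf(l, "AddOrUpdateSpecialTLSSecrets: secrets [%v]", secretNames)
 data := GenerateCertAndKeyFileContent(secret)
 
 for _, secretName := range secretNames {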
50 changes: 35 additions & 15 deletions internal/k8s/controller.go
Expand Up @@ -103,6 +103,11 @@
configs.MeshPodOwner
}

type specialSecrets struct {
defaultServerSecret string
wildcardTLSSecret string
}

// LoadBalancerController watches Kubernetes API and
// reconfigures NGINX via NginxController when needed
type LoadBalancerController struct {
Expand Down Expand Up @@ -131,7 +136,7 @@
appProtectEnabled bool
appProtectDosEnabled bool
recorder record.EventRecorder
defaultServerSecret string
specialSecrets specialSecrets
ingressClass string
statusUpdater *statusUpdater
leaderElector *leaderelection.LeaderElector
Expand All @@ -142,7 +147,6 @@
namespaceList []string
secretNamespaceList []string
controllerNamespace string
wildcardTLSSecret string
areCustomResourcesEnabled bool
enableOIDC bool
metricsCollector collectors.ControllerCollector
Expand Down Expand Up @@ -226,14 +230,18 @@

// NewLoadBalancerController creates a controller
func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalancerController {
specialSecrets := specialSecrets{
defaultServerSecret: input.DefaultServerSecret,
wildcardTLSSecret: input.WildcardTLSSecret,
}
lbc := &LoadBalancerController{
client: input.KubeClient,
confClient: input.ConfClient,
dynClient: input.DynClient,
restConfig: input.RestConfig,
Logger: nl.LoggerFromContext(input.LoggerContext),
configurator: input.NginxConfigurator,
defaultServerSecret: input.DefaultServerSecret,
specialSecrets: specialSecrets,
appProtectEnabled: input.AppProtectEnabled,
appProtectDosEnabled: input.AppProtectDosEnabled,
isNginxPlus: input.IsNginxPlus,
Expand All @@ -245,7 +253,6 @@
namespaceList: input.Namespace,
secretNamespaceList: input.SecretNamespace,
controllerNamespace: input.ControllerNamespace,
wildcardTLSSecret: input.WildcardTLSSecret,
areCustomResourcesEnabled: input.AreCustomResourcesEnabled,
enableOIDC: input.EnableOIDC,
metricsCollector: input.MetricsCollector,
Expand Down Expand Up @@ -1726,7 +1733,14 @@
}

func (lbc *LoadBalancerController) isSpecialSecret(secretName string) bool {
return secretName == lbc.defaultServerSecret || secretName == lbc.wildcardTLSSecret
switch secretName {
case lbc.specialSecrets.defaultServerSecret:
return true
case lbc.specialSecrets.wildcardTLSSecret:
return true
default:
return false
}
}

func (lbc *LoadBalancerController) handleRegularSecretDeletion(resources []Resource) {
Expand Down Expand Up @@ -1754,30 +1768,36 @@
lbc.updateResourcesStatusAndEvents(resources, warnings, addOrUpdateErr)
}

func (lbc *LoadBalancerController) handleSpecialSecretUpdate(secret *api_v1.Secret) {
var specialSecretsToUpdate []string
func (lbc *LoadBalancerController) validationTLSSpecialSecret(secret *api_v1.Secret, secretName string, secretList *[]string) {
secretNsName := secret.Namespace + "/" + secret.Name
err := secrets.ValidateTLSSecret(secret)
if err != nil {
nl.Errorf(lbc.Logger, "Couldn't validate the special Secret %v: %v", secretNsName, err)
lbc.recorder.Eventf(secret, api_v1.EventTypeWarning, "Rejected", "the special Secret %v was rejected, using the previous version: %v", secretNsName, err)
return
}
*secretList = append(*secretList, secretName)
}

if secretNsName == lbc.defaultServerSecret {
specialSecretsToUpdate = append(specialSecretsToUpdate, configs.DefaultServerSecretName)
}
if secretNsName == lbc.wildcardTLSSecret {
specialSecretsToUpdate = append(specialSecretsToUpdate, configs.WildcardSecretName)
func (lbc *LoadBalancerController) handleSpecialSecretUpdate(secret *api_v1.Secret) {
var specialTLSSecretsToUpdate []string
secretNsName := secret.Namespace + "/" + secret.Name
switch secretNsName {
case lbc.specialSecrets.defaultServerSecret:
lbc.validationTLSSpecialSecret(secret, configs.DefaultServerSecretName, &specialTLSSecretsToUpdate)
case lbc.specialSecrets.wildcardTLSSecret:
lbc.validationTLSSpecialSecret(secret, configs.WildcardSecretName, &specialTLSSecretsToUpdate)
default:
nl.Warnf(lbc.Logger, "special secret not found")
return
}

err = lbc.configurator.AddOrUpdateSpecialTLSSecrets(secret, specialSecretsToUpdate)
err := lbc.configurator.AddOrUpdateSpecialTLSSecrets(secret, specialTLSSecretsToUpdate)
if err != nil {
nl.Errorf(lbc.Logger, "Error when updating the special Secret %v: %v", secretNsName, err)
lbc.recorder.Eventf(secret, api_v1.EventTypeWarning, "UpdatedWithError", "the special Secret %v was updated, but not applied: %v", secretNsName, err)
return
}

lbc.recorder.Eventf(secret, api_v1.EventTypeNormal, "Updated", "the special Secret %v was updated", secretNsName)
}
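Review bot: A Secret that fails `secrets.ValidateTLSSecret` no longer stops `handleSpecialSecretUpdate`: `validationTLSSpecialSecret` logs, emits the Rejected event and returns, but the caller then continues, calls `AddOrUpdateSpecialTLSSecrets` with an empty name list and, if that returns nil, emits the Normal "Updated" event for a secret that was just rejected — the early `return` on validation failure that the old code had was lost in the move. The `switch` on `secretNsName` also behaves differently from the two independent `if`s it replaces: if the same Secret is configured as both the default server and the wildcard TLS secret (whether the operator allows that is not visible here), only `DefaultServerSecretName` is now appended, because a switch runs just its first matching case. Validating once before dispatch and keeping the two membership checks independent fixes both, as below; `validationTLSSpecialSecret` then becomes unnecessary (if it is kept, a verb name such as `validateTLSSpecialSecret` and a `bool` or `error` result would read better than appending through a `*[]string`). Both functions start and end inside this hunk; what `AddOrUpdateSpecialTLSSecrets` does with an empty name list is outside it.
```go
func (lbc *LoadBalancerController) handleSpecialSecretUpdate(secret *api_v1.Secret) {
	secretNsName := secret.Namespace + "/" + secret.Name
	// Reject an invalid secret before touching any on-disk file, as the
	// previous implementation did; the old version stays in use.
	if err := secrets.ValidateTLSSecret(secret); err != nil {
		nl.Errorf(lbc.Logger, "Couldn't validate the special Secret %v: %v", secretNsName, err)
		lbc.recorder.Eventf(secret, api_v1.EventTypeWarning, "Rejected", "the special Secret %v was rejected, using the previous version: %v", secretNsName, err)
		return
	}
	// Independent checks: one Secret may serve both roles.
	var specialTLSSecretsToUpdate []string
	if secretNsName == lbc.specialSecrets.defaultServerSecret {
		specialTLSSecretsToUpdate = append(specialTLSSecretsToUpdate, configs.DefaultServerSecretName)
	}
	if secretNsName == lbc.specialSecrets.wildcardTLSSecret {
		specialTLSSecretsToUpdate = append(specialTLSSecretsToUpdate, configs.WildcardSecretName)
	}
	if len(specialTLSSecretsToUpdate) == 0 {
		nl.Warnf(lbc.Logger, "special secret not found")
		return
	}
	// … unchanged: AddOrUpdateSpecialTLSSecrets call, error handling and the Updated event …
```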
