Namespace can be specified within TLS secret annotations

Jeff Bornemann · Jeff Bornemann · commit a5f63775c4c5 · 2019-05-01T15:47:25.000-04:00
diff --git a/pkg/cloudprovider/providers/oci/load_balancer.go b/pkg/cloudprovider/providers/oci/load_balancer.go
@@ -321,7 +321,7 @@ func (cp *CloudProvider) EnsureLoadBalancer(ctx context.Context, clusterName str
 		}
 		secretListenerString := service.Annotations[ServiceAnnotationLoadBalancerTLSSecret]
 		secretBackendSetString := service.Annotations[ServiceAnnotationLoadBalancerTLSBackendSetSecret]
-		sslConfig = NewSSLConfig(secretListenerString, secretBackendSetString, ports, cp)
+		sslConfig = NewSSLConfig(secretListenerString, secretBackendSetString, service, ports, cp)
 	}
 	var subnets []string
 	if cp.config.LoadBalancer.Subnet2 != "" {
diff --git a/pkg/cloudprovider/providers/oci/load_balancer_spec.go b/pkg/cloudprovider/providers/oci/load_balancer_spec.go
@@ -49,9 +49,13 @@ func (ssr noopSSLSecretReader) readSSLSecret(ns, name string) (sslSecret *certif
 
 // SSLConfig is a description of a SSL certificate.
 type SSLConfig struct {
-	Ports                   sets.Int
-	ListenerSSLSecretName   string
-	BackendSetSSLSecretName string
+	Ports sets.Int
+
+	ListenerSSLSecretName      string
+	ListenerSSLSecretNamespace string
+
+	BackendSetSSLSecretName      string
+	BackendSetSSLSecretNamespace string
 
 	sslSecretReader
 }
@@ -62,15 +66,21 @@ func requiresCertificate(svc *v1.Service) bool {
 }
 
 // NewSSLConfig constructs a new SSLConfig.
-func NewSSLConfig(listenerSecretName, backendSetSecretName string, ports []int, ssr sslSecretReader) *SSLConfig {
+func NewSSLConfig(secretListenerString string, secretBackendSetString string, service *v1.Service, ports []int, ssr sslSecretReader) *SSLConfig {
 	if ssr == nil {
 		ssr = noopSSLSecretReader{}
 	}
+
+	listenerSecretName, listenerSecretNamespace := getSecretParts(secretListenerString, service)
+	backendSecretName, backendSecretNamespace := getSecretParts(secretBackendSetString, service)
+
 	return &SSLConfig{
-		Ports:                   sets.NewInt(ports...),
-		ListenerSSLSecretName:   listenerSecretName,
-		BackendSetSSLSecretName: backendSetSecretName,
-		sslSecretReader:         ssr,
+		Ports:                        sets.NewInt(ports...),
+		ListenerSSLSecretName:        listenerSecretName,
+		ListenerSSLSecretNamespace:   listenerSecretNamespace,
+		BackendSetSSLSecretName:      backendSecretName,
+		BackendSetSSLSecretNamespace: backendSecretNamespace,
+		sslSecretReader:              ssr,
 	}
 }
 
@@ -172,25 +182,32 @@ func NewLBSpec(svc *v1.Service, nodes []*v1.Node, defaultSubnets []string, sslCo
 // Certificates builds a map of required SSL certificates.
 func (s *LBSpec) Certificates() (map[string]loadbalancer.CertificateDetails, error) {
 	certs := make(map[string]loadbalancer.CertificateDetails)
+
 	if s.SSLConfig == nil {
 		return certs, nil
 	}
-	secrets := make([]string, 0, 2)
+
 	if s.SSLConfig.ListenerSSLSecretName != "" {
-		secrets = append(secrets, s.SSLConfig.ListenerSSLSecretName)
-	}
-	if s.SSLConfig.BackendSetSSLSecretName != "" {
-		secrets = append(secrets, s.SSLConfig.BackendSetSSLSecretName)
+		cert, err := s.SSLConfig.readSSLSecret(s.SSLConfig.ListenerSSLSecretNamespace, s.SSLConfig.ListenerSSLSecretName)
+		if err != nil {
+			return nil, errors.Wrap(err, "reading SSL Listener Secret")
+		}
+		certs[s.SSLConfig.ListenerSSLSecretName] = loadbalancer.CertificateDetails{
+			CertificateName:   &s.SSLConfig.ListenerSSLSecretName,
+			CaCertificate:     common.String(string(cert.CACert)),
+			PublicCertificate: common.String(string(cert.PublicCert)),
+			PrivateKey:        common.String(string(cert.PrivateKey)),
+			Passphrase:        common.String(string(cert.Passphrase)),
+		}
 	}
 
-	for idx, name := range secrets {
-		cert, err := s.SSLConfig.readSSLSecret(s.service.Namespace, name)
+	if s.SSLConfig.BackendSetSSLSecretName != "" {
+		cert, err := s.SSLConfig.readSSLSecret(s.SSLConfig.BackendSetSSLSecretNamespace, s.SSLConfig.BackendSetSSLSecretName)
 		if err != nil {
-			return nil, errors.Wrap(err, "reading SSL BackendSet Secret")
+			return nil, errors.Wrap(err, "reading SSL Backend Secret")
 		}
-
-		certs[name] = loadbalancer.CertificateDetails{
-			CertificateName:   &secrets[idx],
+		certs[s.SSLConfig.BackendSetSSLSecretName] = loadbalancer.CertificateDetails{
+			CertificateName:   &s.SSLConfig.BackendSetSSLSecretName,
 			CaCertificate:     common.String(string(cert.CACert)),
 			PublicCertificate: common.String(string(cert.PublicCert)),
 			PrivateKey:        common.String(string(cert.PrivateKey)),
@@ -374,3 +391,14 @@ func getListeners(svc *v1.Service, sslCfg *SSLConfig) (map[string]loadbalancer.L
 
 	return listeners, nil
 }
+
+func getSecretParts(secretString string, service *v1.Service) (name string, namespace string) {
+	if secretString == "" {
+		return "", ""
+	}
+	if !strings.Contains(secretString, "/") {
+		return secretString, service.Namespace
+	}
+	parts := strings.Split(secretString, "/")
+	return parts[1], parts[0]
+}
diff --git a/pkg/cloudprovider/providers/oci/load_balancer_spec_test.go b/pkg/cloudprovider/providers/oci/load_balancer_spec_test.go
@@ -790,44 +790,92 @@ func TestNewLBSpecFailure(t *testing.T) {
 
 func TestNewSSLConfig(t *testing.T) {
 	testCases := map[string]struct {
-		listenerSecretName   string
-		backendSetSecretName string
-		ports                []int
-		ssr                  sslSecretReader
+		secretListenerString   string
+		secretBackendSetString string
+		service                *v1.Service
+		ports                  []int
+		ssr                    sslSecretReader
 
 		expectedResult *SSLConfig
 	}{
-		"noopSSLSecretReader if ssr is nil": {
-			listenerSecretName:   "listenerSecretName",
-			backendSetSecretName: "backendSetSecretName",
-			ports:                []int{8080},
-			ssr:                  nil,
+		"noopSSLSecretReader if ssr is nil and uses the default service namespace": {
+			secretListenerString:   "listenerSecretName",
+			secretBackendSetString: "backendSetSecretName",
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "default",
+				},
+			},
+			ports: []int{8080},
+			ssr:   nil,
 
 			expectedResult: &SSLConfig{
-				Ports:                   sets.NewInt(8080),
-				ListenerSSLSecretName:   "listenerSecretName",
-				BackendSetSSLSecretName: "backendSetSecretName",
-				sslSecretReader:         noopSSLSecretReader{},
+				Ports:                        sets.NewInt(8080),
+				ListenerSSLSecretName:        "listenerSecretName",
+				ListenerSSLSecretNamespace:   "default",
+				BackendSetSSLSecretName:      "backendSetSecretName",
+				BackendSetSSLSecretNamespace: "default",
+				sslSecretReader:              noopSSLSecretReader{},
 			},
 		},
-		"ssr is assigned if provided": {
-			listenerSecretName:   "listenerSecretName",
-			backendSetSecretName: "backendSetSecretName",
-			ports:                []int{8080},
-			ssr:                  &mockSSLSecretReader{},
+		"ssr is assigned if provided and uses the default service namespace": {
+			secretListenerString:   "listenerSecretName",
+			secretBackendSetString: "backendSetSecretName",
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "default",
+				},
+			},
+			ports: []int{8080},
+			ssr:   &mockSSLSecretReader{},
 
 			expectedResult: &SSLConfig{
-				Ports:                   sets.NewInt(8080),
-				ListenerSSLSecretName:   "listenerSecretName",
-				BackendSetSSLSecretName: "backendSetSecretName",
-				sslSecretReader:         &mockSSLSecretReader{},
+				Ports:                        sets.NewInt(8080),
+				ListenerSSLSecretName:        "listenerSecretName",
+				ListenerSSLSecretNamespace:   "default",
+				BackendSetSSLSecretName:      "backendSetSecretName",
+				BackendSetSSLSecretNamespace: "default",
+				sslSecretReader:              &mockSSLSecretReader{},
+			},
+		},
+		"If namespace is specified in secret string, use it": {
+			secretListenerString:   "namespaceone/listenerSecretName",
+			secretBackendSetString: "namespacetwo/backendSetSecretName",
+			service: &v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "default",
+				},
+			},
+			ports: []int{8080},
+			ssr:   &mockSSLSecretReader{},
+
+			expectedResult: &SSLConfig{
+				Ports:                        sets.NewInt(8080),
+				ListenerSSLSecretName:        "listenerSecretName",
+				ListenerSSLSecretNamespace:   "namespaceone",
+				BackendSetSSLSecretName:      "backendSetSecretName",
+				BackendSetSSLSecretNamespace: "namespacetwo",
+				sslSecretReader:              &mockSSLSecretReader{},
+			},
+		},
+		"Empty secret string results in empty name and namespace": {
+			ports: []int{8080},
+			ssr:   &mockSSLSecretReader{},
+
+			expectedResult: &SSLConfig{
+				Ports:                        sets.NewInt(8080),
+				ListenerSSLSecretName:        "",
+				ListenerSSLSecretNamespace:   "",
+				BackendSetSSLSecretName:      "",
+				BackendSetSSLSecretNamespace: "",
+				sslSecretReader:              &mockSSLSecretReader{},
 			},
 		},
 	}
 
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
-			result := NewSSLConfig(tc.listenerSecretName, tc.backendSetSecretName, tc.ports, tc.ssr)
+			result := NewSSLConfig(tc.secretListenerString, tc.secretBackendSetString, tc.service, tc.ports, tc.ssr)
 			if !reflect.DeepEqual(result, tc.expectedResult) {
 				t.Errorf("Expected SSlConfig \n%+v\nbut got\n%+v", tc.expectedResult, result)
 			}
@@ -866,14 +914,15 @@ func TestCertificates(t *testing.T) {
 					},
 				},
 				SSLConfig: &SSLConfig{
-					BackendSetSSLSecretName: backendSecret,
+					BackendSetSSLSecretName:      backendSecret,
+					BackendSetSSLSecretNamespace: "backendnamespace",
 					sslSecretReader: &mockSSLSecretReader{
 						returnError: false,
 						returnMap: map[struct {
 							namespaceArg string
 							nameArg      string
 						}]*certificateData{
-							{namespaceArg: "testnamespace", nameArg: backendSecret}: {
+							{namespaceArg: "backendnamespace", nameArg: backendSecret}: {
 								Name:       "certificatename",
 								CACert:     []byte(backendSecretCaCert),
 								PublicCert: []byte(backendSecretPublicCert),
@@ -903,22 +952,24 @@ func TestCertificates(t *testing.T) {
 					},
 				},
 				SSLConfig: &SSLConfig{
-					BackendSetSSLSecretName: backendSecret,
-					ListenerSSLSecretName:   listenerSecret,
+					BackendSetSSLSecretName:      backendSecret,
+					BackendSetSSLSecretNamespace: "backendnamespace",
+					ListenerSSLSecretName:        listenerSecret,
+					ListenerSSLSecretNamespace:   "listenernamespace",
 					sslSecretReader: &mockSSLSecretReader{
 						returnError: false,
 						returnMap: map[struct {
 							namespaceArg string
 							nameArg      string
 						}]*certificateData{
-							{namespaceArg: "testnamespace", nameArg: backendSecret}: {
+							{namespaceArg: "backendnamespace", nameArg: backendSecret}: {
 								Name:       "backendcertificatename",
 								CACert:     []byte(backendSecretCaCert),
 								PublicCert: []byte(backendSecretPublicCert),
 								PrivateKey: []byte(backendSecretPrivateKey),
 								Passphrase: []byte(backendSecretPassphrase),
 							},
-							{namespaceArg: "testnamespace", nameArg: listenerSecret}: {
+							{namespaceArg: "listenernamespace", nameArg: listenerSecret}: {
 								Name:       "listenercertificatename",
 								CACert:     []byte(listenerSecretCaCert),
 								PublicCert: []byte(listenerSecretPublicCert),

Original file line number	Diff line number	Diff line change
`@@ -321,7 +321,7 @@ func (cp *CloudProvider) EnsureLoadBalancer(ctx context.Context, clusterName str`
`321`	`321`	`}`
`322`	`322`	`secretListenerString := service.Annotations[ServiceAnnotationLoadBalancerTLSSecret]`
`323`	`323`	`secretBackendSetString := service.Annotations[ServiceAnnotationLoadBalancerTLSBackendSetSecret]`
`324`		`- sslConfig = NewSSLConfig(secretListenerString, secretBackendSetString, ports, cp)`
	`324`	`+ sslConfig = NewSSLConfig(secretListenerString, secretBackendSetString, service, ports, cp)`
`325`	`325`	`}`
`326`	`326`	`var subnets []string`
`327`	`327`	`if cp.config.LoadBalancer.Subnet2 != "" {`