Exemplo n.º 1
0
func (ic *GenericController) getPemCertificate(secretName string) (*ingress.SSLCert, error) {
	secretInterface, exists, err := ic.secrLister.Store.GetByKey(secretName)
	if err != nil {
		return nil, fmt.Errorf("error retriveing secret %v: %v", secretName, err)
	}
	if !exists {
		return nil, fmt.Errorf("secret named %v does not exists", secretName)
	}

	secret := secretInterface.(*api.Secret)
	cert, ok := secret.Data[api.TLSCertKey]
	if !ok {
		return nil, fmt.Errorf("secret named %v has no private key", secretName)
	}
	key, ok := secret.Data[api.TLSPrivateKeyKey]
	if !ok {
		return nil, fmt.Errorf("secret named %v has no cert", secretName)
	}

	ca := secret.Data["ca.crt"]

	nsSecName := strings.Replace(secretName, "/", "-", -1)
	s, err := ssl.AddOrUpdateCertAndKey(nsSecName, cert, key, ca)
	if err != nil {
		return nil, err
	}

	s.Name = secret.Name
	s.Namespace = secret.Namespace
	return s, nil
}
Exemplo n.º 2
0
// syncSecret keeps in sync Secrets used by Ingress rules with the files on
// disk to allow being used in controllers.
func (ic *GenericController) syncSecret(k interface{}) error {
	if ic.secretQueue.IsShuttingDown() {
		return nil
	}
	if !ic.controllersInSync() {
		time.Sleep(podStoreSyncedPollPeriod)
		return fmt.Errorf("deferring sync till endpoints controller has synced")
	}

	// check if the default certificate is configured
	key := fmt.Sprintf("default/%v", defServerName)
	_, exists := ic.sslCertTracker.Get(key)
	var cert *ingress.SSLCert
	var err error
	if !exists {
		if ic.cfg.DefaultSSLCertificate != "" {
			cert, err = ic.getPemCertificate(ic.cfg.DefaultSSLCertificate)
			if err != nil {
				return err
			}
		} else {
			defCert, defKey := ssl.GetFakeSSLCert()
			cert, err = ssl.AddOrUpdateCertAndKey("system-snake-oil-certificate", defCert, defKey, []byte{})
			if err != nil {
				return nil
			}
		}
		cert.Name = defServerName
		cert.Namespace = api.NamespaceDefault
		ic.sslCertTracker.Add(key, cert)
	}

	key = k.(string)

	secObj, exists, err := ic.secrLister.Store.GetByKey(key)
	if err != nil {
		return fmt.Errorf("error getting secret %v: %v", key, err)
	}
	if !exists {
		return fmt.Errorf("secret %v was not found", key)
	}
	sec := secObj.(*api.Secret)
	if !ic.secrReferenced(sec.Name, sec.Namespace) {
		glog.V(3).Infof("secret %v/%v is not used in Ingress rules. skipping ", sec.Namespace, sec.Name)
		return nil
	}

	cert, err = ic.getPemCertificate(key)
	if err != nil {
		return err
	}

	// create certificates and add or update the item in the store
	_, exists = ic.sslCertTracker.Get(key)
	if exists {
		glog.V(3).Infof("updating secret %v/%v in the store ", sec.Namespace, sec.Name)
		ic.sslCertTracker.Update(key, cert)
		return nil
	}
	glog.V(3).Infof("adding secret %v/%v to the store ", sec.Namespace, sec.Name)
	ic.sslCertTracker.Add(key, cert)
	return nil
}