Skip to content

Commit

Permalink
add events to special secrets
Browse files Browse the repository at this point in the history
  • Loading branch information
@AlexFenlon @pdabelf5
AlexFenlon authored and pdabelf5 committed Nov 28, 2024
1 parent 8b8fc52 commit e18dd3f
Showing 1 changed file with 32 additions and 13 deletions.
45 changes: 32 additions & 13 deletions cmd/nginx-ingress/main.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ import (
"github.com/prometheus/client_golang/prometheus"
api_v1 "k8s.io/api/core/v1"
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
pkg_runtime "k8s.io/apimachinery/pkg/runtime"
util_version "k8s.io/apimachinery/pkg/util/version"
"k8s.io/client-go/dynamic"
"k8s.io/client-go/kubernetes"
Expand Down Expand Up @@ -75,6 +76,8 @@ const (
appProtectVersionPath = "/opt/app_protect/RELEASE"
appProtectv4BundleFolder = "/etc/nginx/waf/bundles/"
appProtectv5BundleFolder = "/etc/app_protect/bundles/"
fatalEventFlushTime = 200 * time.Millisecond
secretErrorReason = "SecretError"
)

func main() {
Expand All @@ -89,9 +92,14 @@ func main() {

buildOS := os.Getenv("BUILD_OS")
controllerNamespace := os.Getenv("POD_NAMESPACE")
podName := os.Getenv("POD_NAME")

config, kubeClient := mustCreateConfigAndKubeClient(ctx)
mustValidateKubernetesVersionInfo(ctx, kubeClient)
pod, err := kubeClient.CoreV1().Pods(controllerNamespace).Get(context.TODO(), podName, meta_v1.GetOptions{})
if err != nil {
nl.Fatalf(l, "Failed to get pod: %v", err)
}
eventBroadcaster := record.NewBroadcaster()
eventBroadcaster.StartLogging(func(format string, args ...interface{}) {
nl.Infof(l, format, args...)
Expand Down Expand Up @@ -143,12 +151,17 @@ func main() {

templateExecutor, templateExecutorV2 := createTemplateExecutors(ctx)

sslRejectHandshake := processDefaultServerSecret(ctx, kubeClient, nginxManager)

isWildcardEnabled := processWildcardSecret(ctx, kubeClient, nginxManager)
sslRejectHandshake, err := processDefaultServerSecret(kubeClient, nginxManager)
if err != nil {
logEventAndExit(ctx, eventRecorder, pod, secretErrorReason, err)
}

staticSSLPath := nginxManager.GetSecretsDir()

isWildcardEnabled, err := processWildcardSecret(kubeClient, nginxManager)
if err != nil {
logEventAndExit(ctx, eventRecorder, pod, secretErrorReason, err)
}
globalConfigurationValidator := createGlobalConfigurationValidator()

mustProcessGlobalConfiguration(ctx)
Expand Down Expand Up @@ -562,14 +575,13 @@ func startChildProcesses(nginxManager nginx.Manager, appProtectV5 bool) childPro
}
}

func processDefaultServerSecret(ctx context.Context, kubeClient *kubernetes.Clientset, nginxManager nginx.Manager) bool {
l := nl.LoggerFromContext(ctx)
func processDefaultServerSecret(kubeClient *kubernetes.Clientset, nginxManager nginx.Manager) (bool, error) {
var sslRejectHandshake bool

if *defaultServerSecret != "" {
secret, err := getAndValidateSecret(kubeClient, *defaultServerSecret)
if err != nil {
nl.Fatalf(l, "Error trying to get the default server TLS secret %v: %v", *defaultServerSecret, err)
return sslRejectHandshake, fmt.Errorf("error trying to get the default server TLS secret %v: %w", *defaultServerSecret, err)
}

bytes := configs.GenerateCertAndKeyFileContent(secret)
Expand All @@ -581,25 +593,25 @@ func processDefaultServerSecret(ctx context.Context, kubeClient *kubernetes.Clie
// file doesn't exist - it is OK! we will reject TLS connections in the default server
sslRejectHandshake = true
} else {
nl.Fatalf(l, "Error checking the default server TLS cert and key in %s: %v", configs.DefaultServerSecretPath, err)
return sslRejectHandshake, fmt.Errorf("error checking the default server TLS cert and key in %s: %w", configs.DefaultServerSecretPath, err)
}
}
}
return sslRejectHandshake
return sslRejectHandshake, nil
}

func processWildcardSecret(ctx context.Context, kubeClient *kubernetes.Clientset, nginxManager nginx.Manager) bool {
l := nl.LoggerFromContext(ctx)
if *wildcardTLSSecret != "" {
func processWildcardSecret(kubeClient *kubernetes.Clientset, nginxManager nginx.Manager) (bool, error) {
isWildcardEnabled := *wildcardTLSSecret != ""
if isWildcardEnabled {
secret, err := getAndValidateSecret(kubeClient, *wildcardTLSSecret)
if err != nil {
nl.Fatalf(l, "Error trying to get the wildcard TLS secret %v: %v", *wildcardTLSSecret, err)
return false, fmt.Errorf("error trying to get the wildcard TLS secret %v: %w", *wildcardTLSSecret, err)
}

bytes := configs.GenerateCertAndKeyFileContent(secret)
nginxManager.CreateSecret(configs.WildcardSecretFileName, bytes, nginx.ReadWriteOnlyFileMode)
}
return *wildcardTLSSecret != ""
return isWildcardEnabled, nil
}

func createGlobalConfigurationValidator() *cr_validation.GlobalConfigurationValidator {
Expand Down Expand Up @@ -942,6 +954,13 @@ func updateSelfWithVersionInfo(ctx context.Context, eventLog record.EventRecorde
}
}

func logEventAndExit(ctx context.Context, eventLog record.EventRecorder, obj pkg_runtime.Object, reason string, err error) {
l := nl.LoggerFromContext(ctx)
eventLog.Eventf(obj, api_v1.EventTypeWarning, reason, err.Error())
time.Sleep(fatalEventFlushTime) // wait for the event to be flushed
nl.Fatal(l, err.Error())
}

func initLogger(logFormat string, level slog.Level, out io.Writer) context.Context {
programLevel := new(slog.LevelVar) // Info by default
var h slog.Handler
Expand Down

0 comments on commit e18dd3f

Please sign in to comment.