Merge pull request #3886 from ElvinEfendi/fix-dynamic-cert-mode

Clean up ssl package and fix dynamic cert mode
kubernetes · Mar 11, 2019 · 7342247 · 7342247
2 parents 3c83d22 + c934509
commit 7342247
Show file tree

Hide file tree

Showing 4 changed files with 198 additions and 224 deletions.
diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go
@@ -110,14 +110,19 @@ func main() {
 	}
 
 	// create the default SSL certificate (dummy)
+	// TODO(elvinefendi) do this in a single function in ssl package
 	defCert, defKey := ssl.GetFakeSSLCert()
-	c, err := ssl.AddOrUpdateCertAndKey(fakeCertificate, defCert, defKey, []byte{}, fs)
+	sslCert, err := ssl.CreateSSLCert(defCert, defKey)
 	if err != nil {
-		klog.Fatalf("Error generating self-signed certificate: %v", err)
+		klog.Fatalf("unexpected error creating fake SSL Cert: %v", err)
 	}
-
-	conf.FakeCertificatePath = c.PemFileName
-	conf.FakeCertificateSHA = c.PemSHA
+	err = ssl.StoreSSLCertOnDisk(fs, fakeCertificate, sslCert)
+	if err != nil {
+		klog.Fatalf("unexpected error storing fake SSL Cert: %v", err)
+	}
+	conf.FakeCertificatePath = sslCert.PemFileName
+	conf.FakeCertificateSHA = sslCert.PemSHA
+	// end create default fake SSL certificates
 
 	conf.Client = kubeClient
 

diff --git a/internal/ingress/controller/store/backend_ssl.go b/internal/ingress/controller/store/backend_ssl.go
@@ -98,17 +98,22 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
 			return nil, fmt.Errorf("key 'tls.key' missing from Secret %q", secretName)
 		}
 
-		if s.isDynamicCertificatesEnabled {
-			sslCert, err = ssl.CreateSSLCert(nsSecName, cert, key, ca)
+		sslCert, err = ssl.CreateSSLCert(cert, key)
+		if err != nil {
+			return nil, fmt.Errorf("unexpected error creating SSL Cert: %v", err)
+		}
+
+		if !s.isDynamicCertificatesEnabled || len(ca) > 0 {
+			err = ssl.StoreSSLCertOnDisk(s.filesystem, nsSecName, sslCert)
 			if err != nil {
-				return nil, fmt.Errorf("unexpected error creating SSL Cert: %v", err)
+				return nil, fmt.Errorf("error while storing certificate and key: %v", err)
 			}
-		} else {
-			// If 'ca.crt' is also present, it will allow this secret to be used in the
-			// 'nginx.ingress.kubernetes.io/auth-tls-secret' annotation
-			sslCert, err = ssl.AddOrUpdateCertAndKey(nsSecName, cert, key, ca, s.filesystem)
+		}
+
+		if len(ca) > 0 {
+			err = ssl.ConfigureCACertWithCertAndKey(s.filesystem, nsSecName, ca, sslCert)
 			if err != nil {
-				return nil, fmt.Errorf("unexpected error creating pem file: %v", err)
+				return nil, fmt.Errorf("error configuring CA certificate: %v", err)
 			}
 		}
 
@@ -118,11 +123,15 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
 		}
 		klog.V(3).Info(msg)
 
-	} else if ca != nil {
-		sslCert, err = ssl.AddCertAuth(nsSecName, ca, s.filesystem)
+	} else if ca != nil && len(ca) > 0 {
+		sslCert, err = ssl.CreateCACert(ca)
+		if err != nil {
+			return nil, fmt.Errorf("unexpected error creating SSL Cert: %v", err)
+		}
 
+		err = ssl.ConfigureCACert(s.filesystem, nsSecName, ca, sslCert)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("error configuring CA certificate: %v", err)
 		}
 
 		// makes this secret in 'syncSecret' to be used for Certificate Authentication