WIP add indexer for secret reference
1 parent
76b8b80
commit d5f2d54
Showing
10 changed files
with
669 additions
and
87 deletions.
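--- /dev/null
+++ b/internal/controllers/configuration/object_references.go
@@ -0,0 +1,267 @@
+package configuration
+
+import (
+	"context"
+
+	corev1 "k8s.io/api/core/v1"
+	extv1beta1 "k8s.io/api/extensions/v1beta1"
+	netv1 "k8s.io/api/networking/v1"
+	netv1beta1 "k8s.io/api/networking/v1beta1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/kong/kubernetes-ingress-controller/v2/internal/annotations"
+	"github.com/kong/kubernetes-ingress-controller/v2/internal/dataplane"
+	kongv1 "github.com/kong/kubernetes-ingress-controller/v2/pkg/apis/configuration/v1"
+	kongv1beta1 "github.com/kong/kubernetes-ingress-controller/v2/pkg/apis/configuration/v1beta1"
+)
+
+func updateReferredObjects(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, obj runtime.Object) error {
+	switch obj := obj.(type) {
+	case *corev1.Service:
+		return updateCoreV1ServiceReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *netv1.Ingress:
+		return updateNetV1IngressReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *netv1beta1.Ingress:
+		return updateNetV1beta1IngressReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *extv1beta1.Ingress:
+		return updateExtensionV1beta1IngressReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *kongv1.KongPlugin:
+		return updateKongPluginReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *kongv1.KongClusterPlugin:
+		return updateKongClusterPluginReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *kongv1.KongConsumer:
+		return updateKongConsumerReferredSecrets(ctx, client, dataplaneClient, obj)
+	case *kongv1beta1.TCPIngress:
+		return updateTCPIngressReferredSecrets(ctx, client, dataplaneClient, obj)
+	}
+
+	return nil
+}
+
+func updateSecretInStore(ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, secret *corev1.Secret) error {
+	err := client.Get(ctx, types.NamespacedName{
+		Namespace: secret.Namespace,
+		Name:      secret.Name,
+	}, secret)
+
+	if err != nil && !k8serrors.IsNotFound(err) {
+		return err
+	}
+
+	return dataplaneClient.UpdateObject(secret)
+}
+
+func updateCoreV1ServiceReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, service *corev1.Service,
+) error {
+	if service.Annotations == nil {
+		return nil
+	}
+	secretName := annotations.ExtractClientCertificate(service.Annotations)
+	if secretName != "" {
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: service.Namespace,
+				Name:      secretName,
+			},
+		}
+		err := dataplaneClient.SetObjectReference(service.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+	// TODO: remove outdated reference records.
+
+	return nil
+}
+
+func updateNetV1IngressReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, ingress *netv1.Ingress,
+) error {
+	for _, tls := range ingress.Spec.TLS {
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ingress.Namespace,
+				Name:      tls.SecretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(ingress.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+		// REVIEW: do we allow to refer to a secret which does not exist yet?
+		err = client.Get(ctx, types.NamespacedName{
+			Namespace: ingress.Namespace,
+			Name:      tls.SecretName,
+		}, secret)
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+
+	}
+
+	return nil
+}
+
+func updateNetV1beta1IngressReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, ingress *netv1beta1.Ingress,
+) error {
+
+	for _, tls := range ingress.Spec.TLS {
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ingress.Namespace,
+				Name:      tls.SecretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(ingress.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func updateExtensionV1beta1IngressReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, ingress *extv1beta1.Ingress,
+) error {
+
+	for _, tls := range ingress.Spec.TLS {
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: ingress.Namespace,
+				Name:      tls.SecretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(ingress.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func updateKongPluginReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, plugin *kongv1.KongPlugin,
+) error {
+	if plugin.ConfigFrom != nil {
+		secretName := plugin.ConfigFrom.SecretValue.Secret
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: plugin.Namespace,
+				Name:      secretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(plugin.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func updateKongClusterPluginReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, plugin *kongv1.KongClusterPlugin,
+) error {
+	if plugin.ConfigFrom != nil {
+		secretNamespace := plugin.ConfigFrom.SecretValue.Namespace
+		secretName := plugin.ConfigFrom.SecretValue.Secret
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: secretNamespace,
+				Name:      secretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(plugin.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func updateKongConsumerReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, consumer *kongv1.KongConsumer,
+) error {
+	for _, secretName := range consumer.Credentials {
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: consumer.Namespace,
+				Name:      secretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(consumer.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func updateTCPIngressReferredSecrets(
+	ctx context.Context, client client.Client, dataplaneClient *dataplane.KongClient, tcpIngress *kongv1beta1.TCPIngress,
+) error {
+	for _, tls := range tcpIngress.Spec.TLS {
+		secret := &corev1.Secret{
+			ObjectMeta: metav1.ObjectMeta{
+				Namespace: tcpIngress.Namespace,
+				Name:      tls.SecretName,
+			},
+		}
+
+		err := dataplaneClient.SetObjectReference(tcpIngress.DeepCopy(), secret.DeepCopy())
+		if err != nil {
+			return err
+		}
+
+		if err := updateSecretInStore(ctx, client, dataplaneClient, secret); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}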
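Review bot: updateSecretInStore swallows a NotFound from client.Get and then still calls dataplaneClient.UpdateObject with the name/namespace-only stub it was handed, so a reference to a Secret that does not exist pushes an empty placeholder into the store and the missing-secret condition is never surfaced to the caller; I cannot see UpdateObject, but storing a Secret with no Data looks unintended. Returning before the update keeps the reference record from SetObjectReference while leaving the store alone: add `if k8serrors.IsNotFound(err) { return nil }` ahead of the existing `if err != nil && !k8serrors.IsNotFound(err)` check (or `return err` if a dangling reference should fail the reconcile, which is the question the REVIEW comment in updateNetV1IngressReferredSecrets asks and should be answered once, in this helper). updateNetV1IngressReferredSecrets also performs its own client.Get before calling updateSecretInStore, so the Secret is fetched twice and, unlike the netv1beta1/extv1beta1/TCPIngress siblings, NotFound there aborts the loop; dropping that extra Get makes the four Ingress variants behave the same. The `// TODO: remove outdated reference records.` note applies to every updater in this file, not only the Service one, so it belongs on updateReferredObjects or on updateSecretInStore.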