Fix missing vault secret condition (kubernetes#5)

Alvaro-Campesino · Aug 17, 2022 · c5bff1a · c5bff1a
1 parent be6145e
commit c5bff1a
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 14 deletions.
diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
@@ -105,7 +105,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none](#cookie-affinity)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/ssl-redirect](#server-side-https-enforcement-through-redirect)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/ssl-passthrough](#ssl-passthrough)|"true" or "false"|
-|[nginx.ingress.kubernetes.io/tls-cert-vault](#tls-cert-vault)|string|
+|[nginx.ingress.kubernetes.io/default-ssl-certificate-vault](#default-ssl-certificate-vault)|string|
 |[nginx.ingress.kubernetes.io/stream-snippet](#stream-snippet)|string|
 |[nginx.ingress.kubernetes.io/upstream-hash-by](#custom-nginx-upstream-hashing)|string|
 |[nginx.ingress.kubernetes.io/x-forwarded-prefix](#x-forwarded-prefix-header)|string|
@@ -973,7 +973,7 @@ For more information on the mirror module see [ngx_http_mirror_module](https://n
 
 ### TLS Certificate stored in vault
 
- Stratio custom nginx-ingress-controller supports fetching certificates to be used in TLS communications with the annotation: `nginx.ingress.kubernetes.io/tls-cert-vault`
+ Stratio custom nginx-ingress-controller supports fetching certificates to be used in TLS communications with the annotation: `nginx.ingress.kubernetes.io/default-ssl-certificate-vault`
 SecretName field from the TLS area will be ignored if this annotation is provided, instead the certificate stored in the vault path will be used.
 The path must be in the form `/<path>/<to>/<secret>/<CN>`
 

diff --git a/internal/ingress/annotations/vaultcertificate/main.go b/internal/ingress/annotations/vaultcertificate/main.go
@@ -42,15 +42,15 @@ func (a backendCertVaultPath) Parse(ing *networking.Ingress) (interface{}, error
 		return EmptyVaultPath, nil
 	}
 
-	VaultCertificate, err := parser.GetStringAnnotation("tls-cert-vault", ing)
+	VaultCertificate, err := parser.GetStringAnnotation("default-ssl-certificate-vault", ing)
 	if err != nil {
 		return EmptyVaultPath, nil
 	}
 
 	VaultCertificate = strings.TrimSpace(VaultCertificate)
 	if !validVaultUrl.MatchString(VaultCertificate) {
-		klog.Errorf("URL %v is not a valid value for the tls-cert-vault annotation. Regex rule is: %v", VaultCertificate, validVaultUrl)
-		err := errors.New("not a valid value for the tls-cert-vault annotation")
+		klog.Errorf("URL %v is not a valid value for the default-ssl-certificate-vault annotation. Regex rule is: %v", VaultCertificate, validVaultUrl)
+		err := errors.New("not a valid value for the default-ssl-certificate-vault annotation")
 		return EmptyVaultPath, err
 	}
 

diff --git a/internal/ingress/annotations/vaultcertificate/main_test.go b/internal/ingress/annotations/vaultcertificate/main_test.go
@@ -48,7 +48,7 @@ func TestParseInvalidAnnotations(t *testing.T) {
 	// Test no annotations set
 	i, err := NewParser(&resolver.Mock{}).Parse(ing)
 	if err != nil {
-		t.Errorf("unexpected error parsing ingress with tls-cert-vault")
+		t.Errorf("unexpected error parsing ingress with default-ssl-certificate-vault")
 	}
 	_, ok := i.(string)
 	if !ok {
@@ -61,15 +61,15 @@ func TestParseInvalidAnnotations(t *testing.T) {
 	// Test with empty annotations
 	i, err = NewParser(&resolver.Mock{}).Parse(ing)
 	if err != nil {
-		t.Errorf("unexpected error parsing ingress with tls-cert-vault")
+		t.Errorf("unexpected error parsing ingress with default-ssl-certificate-vault")
 	}
 	_, ok = i.(string)
 	if !ok {
 		t.Errorf("expected a string type")
 	}
 
 	// Test invalid annotation set
-	data[parser.GetAnnotationWithPrefix("tls-cert-vault")] = "INVALID&data"
+	data[parser.GetAnnotationWithPrefix("default-ssl-certificate-vault")] = "INVALID&data"
 	ing.SetAnnotations(data)
 
 	_, err = NewParser(&resolver.Mock{}).Parse(ing)
@@ -83,12 +83,12 @@ func TestParseAnnotations(t *testing.T) {
 	ing := buildIngress()
 
 	data := map[string]string{}
-	data[parser.GetAnnotationWithPrefix("tls-cert-vault")] = "userland/certificates/mycertificado"
+	data[parser.GetAnnotationWithPrefix("default-ssl-certificate-vault")] = "userland/certificates/mycertificado"
 	ing.SetAnnotations(data)
 
 	i, err := NewParser(&resolver.Mock{}).Parse(ing)
 	if err != nil {
-		t.Errorf("unexpected error parsing ingress with tls-cert-vault")
+		t.Errorf("unexpected error parsing ingress with default-ssl-certificate-vault")
 	}
 	_, ok := i.(string)
 	if !ok {

diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
@@ -1335,7 +1335,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 			//The certificate is retrieved for storing it in the ingress storage and being able to use it later
 			tlsSecretName := extractTLSSecretName(host, ing, n.store.GetLocalSSLCert)
 
-			klog.V(3).Info("Reading TLS certificates in secretName or in tls-cert-vaul annotation")
+			klog.V(3).Info("Reading TLS certificates in secretName or in default-ssl-certificate-vault annotation")
 			// If no certificate stored in Vault is defined in annotations and no secretname stored in k8s, we use default
 			if (anns.VaultPathTLS == "") && (tlsSecretName == "") {
 				klog.V(3).Infof("Host %q is listed in the TLS section but secretName is empty. Using default certificate", host)

diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
@@ -582,6 +582,11 @@ func New(
 			sec := obj.(*corev1.Secret)
 			key := k8s.MetaNamespaceKey(sec)
 
+			// If the default SSL certificate is stored in vault, synch it
+			if store.defaultVaultSSLCertificate != "" {
+				store.syncSecret(store.defaultVaultSSLCertificate, true)
+			}
+
 			if store.defaultSSLCertificate == key {
 				store.syncSecret(store.defaultSSLCertificate, false)
 			}
@@ -616,7 +621,14 @@ func New(
 					return
 				}
 
+  			   // If the default SSL certificate is stored in vault, synch it
+				if store.defaultVaultSSLCertificate != "" {
+					store.syncSecret(store.defaultVaultSSLCertificate, true)
+				}
+
+
 				if store.defaultSSLCertificate == key {
+					klog.Infof("Second place of check of default %v, equal to key %v", store.defaultSSLCertificate, key)
 					store.syncSecret(store.defaultSSLCertificate, false)
 				}
 
@@ -914,7 +926,7 @@ func (s *k8sStore) updateSecretIngressMap(ing *networkingv1.Ingress) {
 		"proxy-ssl-secret",
 		"proxy-ssl-vault",
 		"secure-verify-ca-secret",
-		"tls-cert-vault",
+		"default-ssl-certificate-vault",
 	}
 	for _, ann := range secretAnnotations {
 		klog.V(3).InfoS("Checking annotation for updating Secrets Ingress Map", "annotation", ann)
@@ -939,7 +951,7 @@ func objectRefAnnotationNsKey(ann string, ing *networkingv1.Ingress) (string, er
 	vaultAnnotations := []string{
 		"auth-tls-vault",
 		"proxy-ssl-vault",
-		"tls-cert-vault",
+		"default-ssl-certificate-vault",
 	}
 
 	klog.V(3).InfoS("Getting the annotation", "annotation", ann)
@@ -1142,7 +1154,7 @@ func (s *k8sStore) GetDefaultBackend() defaults.Backend {
 }
 
 func (s *k8sStore) GetVaultAnnotation(ing *networkingv1.Ingress) (bool, string) {
-	klog.Info("Getting annotation tls-cert-vaul status by checking the annotation field")
+	klog.Info("Getting annotation default-ssl-certificate-vault status by checking the annotation field")
 	vaultCertificatePath := annotations.NewAnnotationExtractor(s).Extract(ing).VaultPathTLS
 	if vaultCertificatePath != "" {
 		return true, vaultCertificatePath