added a flag to blacklist certificate ARNs, that will not be consider…

…ed from the controller (#208) Signed-off-by: Sandor Szücs <[email protected]>
zalando-incubator · Aug 31, 2018 · 7a0c4ff · 7a0c4ff
1 parent 74a1efc
commit 7a0c4ff
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 6 deletions.
diff --git a/certs/caching.go b/certs/caching.go
@@ -9,8 +9,9 @@ import (
 
 type cachingProvider struct {
 	sync.Mutex
-	providers   []CertificatesProvider
-	certDetails []*CertificateSummary
+	providers         []CertificatesProvider
+	certDetails       []*CertificateSummary
+	blacklistedArnMap map[string]bool
 }
 
 type certProviderWrapper struct {
@@ -23,10 +24,11 @@ type certProviderWrapper struct {
 // certificates it will continue to refresh the cache every
 // certUpdateInterval in the background. If the background refresh
 // fails the last known cached values are considered current.
-func NewCachingProvider(certUpdateInterval time.Duration, providers ...CertificatesProvider) (CertificatesProvider, error) {
+func NewCachingProvider(certUpdateInterval time.Duration, blacklistedArnMap map[string]bool, providers ...CertificatesProvider) (CertificatesProvider, error) {
 	provider := &cachingProvider{
-		providers:   providers,
-		certDetails: make([]*CertificateSummary, 0),
+		providers:         providers,
+		blacklistedArnMap: blacklistedArnMap,
+		certDetails:       make([]*CertificateSummary, 0),
 	}
 	if err := provider.updateCertCache(); err != nil {
 		return nil, fmt.Errorf("initial load of certificates failed: %v", err)
@@ -54,6 +56,7 @@ func (cc *cachingProvider) updateCertCache() error {
 	for _, cp := range cc.providers {
 		go func(provider CertificatesProvider) {
 			res, err := provider.GetCertificates()
+
 			ch <- certProviderWrapper{certs: res, err: err}
 			wg.Done()
 		}(cp)
@@ -65,7 +68,15 @@ func (cc *cachingProvider) updateCertCache() error {
 		if providerResponse.err != nil {
 			return providerResponse.err
 		}
-		newList = append(newList, providerResponse.certs...)
+
+		provisionCerts := make([]*CertificateSummary, 0)
+		for _, certSummary := range providerResponse.certs {
+			if _, ok := cc.blacklistedArnMap[certSummary.ID()]; !ok {
+				provisionCerts = append(provisionCerts, certSummary)
+			}
+		}
+
+		newList = append(newList, provisionCerts...)
 	}
 	cc.Lock()
 	cc.certDetails = newList

diff --git a/controller.go b/controller.go
@@ -51,6 +51,8 @@ var (
 	controllerID               string
 	maxCertsPerALB             int
 	sslPolicy                  string
+	blacklistCertARN           string
+	blacklistCertArnMap        map[string]bool
 )
 
 func loadSettings() error {
@@ -89,9 +91,15 @@ func loadSettings() error {
 	flag.IntVar(&maxCertsPerALB, "max-certs-alb", aws.DefaultMaxCertsPerALB,
 		fmt.Sprintf("sets the maximum number of certificates to be attached to an ALB. Cannot be higher than %d", aws.DefaultMaxCertsPerALB))
 	flag.StringVar(&sslPolicy, "ssl-policy", aws.DefaultSslPolicy, "Security policy that will define the protocols/ciphers accepts by the SSL listener")
+	flag.StringVar(&blacklistCertARN, "blacklist-certificate-arns", "", "Certificate ARNs to not consider by the controller: arn1,arn2,..")
 
 	flag.Parse()
 
+	blacklistCertArnMap = make(map[string]bool)
+	for _, s := range strings.Split(blacklistCertARN, ",") {
+		blacklistCertArnMap[s] = true
+	}
+
 	if tmp, defined := os.LookupEnv("API_SERVER_BASE_URL"); defined {
 		apiServerBaseURL = tmp
 	}
@@ -192,6 +200,7 @@ func main() {
 
 	certificatesProvider, err := certs.NewCachingProvider(
 		certPollingInterval,
+		blacklistCertArnMap,
 		awsAdapter.NewACMCertificateProvider(),
 		awsAdapter.NewIAMCertificateProvider(),
 	)
@@ -233,6 +242,7 @@ func main() {
 	log.Printf("\tPublic subnet IDs: %s", awsAdapter.FindLBSubnets(elbv2.LoadBalancerSchemeEnumInternetFacing))
 	log.Printf("\tEC2 filters: %s", awsAdapter.FiltersString())
 	log.Printf("\tCertificates per ALB: %d (SNI: %t)", certificatesPerALB, certificatesPerALB > 1)
+	log.Printf("\tBlacklisted Certificate ARNs (%d): %s", len(blacklistCertArnMap), blacklistCertARN)
 	log.Printf("\tIngress class filters: %s", kubeAdapter.IngressFiltersString())
 
 	ctx, cancel := context.WithCancel(context.Background())