Merge pull request #4356 from aledbf/only-dynamic-mode

Only support SSL dynamic mode
kubernetes · Aug 15, 2019 · 0d690fb · 0d690fb
2 parents e5b766e + 80bd481
commit 0d690fb
Show file tree

Hide file tree

Showing 40 changed files with 413 additions and 707 deletions.
diff --git a/.gitignore b/.gitignore
@@ -25,27 +25,25 @@
 Session.vim
 .netrwhist
 
-# coverage artifacts
-.coverprofile
-/gover.coverprofile
-
-e2e-tests
-
-coverage.txt
-test/e2e/e2e\.test
-
 # mkdocs
 site
 
 # temporal github pages
 gh-pages
 
 # Docker-based builds
-/test/binaries
-/.env
-/.gocache/
-/bin/
+test/binaries
 
-test/e2e-image/wait-for-nginx\.sh
+# coverage artifacts
+.coverprofile
+gover.coverprofile
 
+e2e-tests
+coverage.txt
+test/e2e/e2e\.test
+.env
+.gocache/
+bin
+test/e2e-image/wait-for-nginx.sh
 .cache
+cover.out
diff --git a/build/run-e2e-suite.sh b/build/run-e2e-suite.sh
@@ -63,7 +63,8 @@ kubectl create clusterrolebinding permissive-binding \
   --user=kubelet \
   --serviceaccount=default:ingress-nginx-e2e || true
 
-until kubectl get secret | grep -q ^ingress-nginx-e2e-token; do \
+echo -e "${BGREEN}Waiting service account...${NC}"; \
+until kubectl get secret | grep -q -e ^ingress-nginx-e2e-token; do \
   echo -e "waiting for api token"; \
   sleep 3; \
 done

diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go
@@ -141,7 +141,7 @@ extension for this to succeed.`)
 			`Customized address to set as the load-balancer status of Ingress objects this controller satisfies.
 Requires the update-status parameter.`)
 
-		enableDynamicCertificates = flags.Bool("enable-dynamic-certificates", true,
+		_ = flags.Bool("enable-dynamic-certificates", true,
 			`Dynamically update SSL certificates instead of reloading NGINX. Feature backed by OpenResty Lua libraries.`)
 
 		enableMetrics = flags.Bool("enable-metrics", true,
@@ -171,6 +171,8 @@ Takes the form "<host>:port". If not provided, no admission controller is starte
 	flags.MarkDeprecated("status-port", `The status port is a unix socket now.`)
 	flags.MarkDeprecated("force-namespace-isolation", `This flag doesn't do anything.`)
 
+	flags.MarkDeprecated("enable-dynamic-certificates", `Only dynamic mode is supported`)
+
 	flag.Set("logtostderr", "true")
 
 	flags.AddGoFlagSet(flag.CommandLine)
@@ -232,7 +234,6 @@ Takes the form "<host>:port". If not provided, no admission controller is starte
 	}
 
 	ngx_config.EnableSSLChainCompletion = *enableSSLChainCompletion
-	ngx_config.EnableDynamicCertificates = *enableDynamicCertificates
 
 	config := &controller.Configuration{
 		APIServerHost:          *apiserverHost,

diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go
@@ -39,7 +39,6 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/klog"
 
-	"k8s.io/ingress-nginx/internal/file"
 	"k8s.io/ingress-nginx/internal/ingress/controller"
 	"k8s.io/ingress-nginx/internal/ingress/metric"
 	"k8s.io/ingress-nginx/internal/k8s"
@@ -63,13 +62,6 @@ func main() {
 		klog.Fatal(err)
 	}
 
-	nginxVersion()
-
-	fs, err := file.NewLocalFS()
-	if err != nil {
-		klog.Fatal(err)
-	}
-
 	kubeClient, err := createApiserverClient(conf.APIServerHost, conf.KubeConfigFile)
 	if err != nil {
 		handleFatalInitError(err)
@@ -98,8 +90,8 @@ func main() {
 		}
 	}
 
-	conf.FakeCertificate = ssl.GetFakeSSLCert(fs)
-	klog.Infof("Created fake certificate with PemFileName: %v", conf.FakeCertificate.PemFileName)
+	conf.FakeCertificate = ssl.GetFakeSSLCert()
+	klog.Infof("SSL fake certificate created %v", conf.FakeCertificate.PemFileName)
 
 	k8s.IsNetworkingIngressAvailable = k8s.NetworkingIngressAvailable(kubeClient)
 	if !k8s.IsNetworkingIngressAvailable {
@@ -125,7 +117,7 @@ func main() {
 	}
 	mc.Start()
 
-	ngx := controller.NewNGINXController(conf, mc, fs)
+	ngx := controller.NewNGINXController(conf, mc)
 	go handleSigterm(ngx, func(code int) {
 		os.Exit(code)
 	})

diff --git a/cmd/nginx/main_test.go b/cmd/nginx/main_test.go
@@ -19,6 +19,7 @@ package main
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 	"syscall"
 	"testing"
 	"time"
@@ -28,8 +29,8 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/fake"
 
-	"k8s.io/ingress-nginx/internal/file"
 	"k8s.io/ingress-nginx/internal/ingress/controller"
+	"k8s.io/ingress-nginx/internal/nginx"
 )
 
 func TestCreateApiserverClient(t *testing.T) {
@@ -39,6 +40,15 @@ func TestCreateApiserverClient(t *testing.T) {
 	}
 }
 
+func init() {
+	// the default value of nginx.TemplatePath assumes the template exists in
+	// the root filesystem and not in the rootfs directory
+	path, err := filepath.Abs(filepath.Join("../../rootfs/", nginx.TemplatePath))
+	if err == nil {
+		nginx.TemplatePath = path
+	}
+}
+
 func TestHandleSigterm(t *testing.T) {
 	clientSet := fake.NewSimpleClientset()
 
@@ -77,12 +87,7 @@ func TestHandleSigterm(t *testing.T) {
 	}
 	conf.Client = clientSet
 
-	fs, err := file.NewFakeFS()
-	if err != nil {
-		t.Fatalf("Unexpected error: %v", err)
-	}
-
-	ngx := controller.NewNGINXController(conf, nil, fs)
+	ngx := controller.NewNGINXController(conf, nil)
 
 	go handleSigterm(ngx, func(code int) {
 		if code != 1 {

diff --git a/cmd/nginx/nginx.go b/cmd/nginx/nginx.go
diff --git a/docs/kubectl-plugin.md b/docs/kubectl-plugin.md
@@ -120,7 +120,7 @@ $ kubectl ingress-nginx backends -n ingress-nginx
     "secureCACert": {
       "secret": "",
       "caFilename": "",
-      "pemSha": ""
+      "caSha": ""
     },
     "sslPassthrough": false,
     "endpoints": [

diff --git a/internal/file/filesystem.go b/internal/file/filesystem.go
@@ -16,92 +16,5 @@ limitations under the License.
 
 package file
 
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"k8s.io/kubernetes/pkg/util/filesystem"
-)
-
 // ReadWriteByUser defines linux permission to read and write files for the owner user
 const ReadWriteByUser = 0660
-
-// ReadByUserGroup defines linux permission to read files by the user and group owner/s
-const ReadByUserGroup = 0640
-
-// Filesystem is an interface that we can use to mock various filesystem operations
-type Filesystem interface {
-	filesystem.Filesystem
-}
-
-// NewLocalFS implements Filesystem using same-named functions from "os" and "io/ioutil".
-func NewLocalFS() (Filesystem, error) {
-	fs := filesystem.DefaultFs{}
-
-	for _, directory := range directories {
-		err := fs.MkdirAll(directory, ReadWriteByUser)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return fs, nil
-}
-
-// NewFakeFS creates an in-memory filesystem with all the required
-// paths used by the ingress controller.
-// This allows running test without polluting the local machine.
-func NewFakeFS() (Filesystem, error) {
-	osFs := filesystem.DefaultFs{}
-	fakeFs := filesystem.NewFakeFs()
-
-	//TODO: find another way to do this
-	rootFS := filepath.Clean(fmt.Sprintf("%v/%v", os.Getenv("GOPATH"), "src/k8s.io/ingress-nginx/rootfs"))
-
-	var fileList []string
-	err := filepath.Walk(rootFS, func(path string, f os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-
-		if f.IsDir() {
-			return nil
-		}
-
-		file := strings.TrimPrefix(path, rootFS)
-		if file == "" {
-			return nil
-		}
-
-		fileList = append(fileList, file)
-
-		return nil
-	})
-
-	if err != nil {
-		return nil, err
-	}
-
-	for _, file := range fileList {
-		realPath := fmt.Sprintf("%v%v", rootFS, file)
-
-		data, err := osFs.ReadFile(realPath)
-		if err != nil {
-			return nil, err
-		}
-
-		fakeFile, err := fakeFs.Create(file)
-		if err != nil {
-			return nil, err
-		}
-
-		_, err = fakeFile.Write(data)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	return fakeFs, nil
-}
diff --git a/internal/file/filesystem_test.go b/internal/file/filesystem_test.go
diff --git a/internal/ingress/annotations/annotations_test.go b/internal/ingress/annotations/annotations_test.go
@@ -68,7 +68,7 @@ func (m mockCfg) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error)
 		return &resolver.AuthSSLCert{
 			Secret:     name,
 			CAFileName: "/opt/ca.pem",
-			PemSHA:     "123",
+			CASHA:      "123",
 		}, nil
 	}
 	return nil, nil

diff --git a/internal/ingress/annotations/authtls/main_test.go b/internal/ingress/annotations/authtls/main_test.go
@@ -77,7 +77,7 @@ func (m mockSecret) GetAuthCertificate(name string) (*resolver.AuthSSLCert, erro
 	return &resolver.AuthSSLCert{
 		Secret:     "default/demo-secret",
 		CAFileName: "/ssl/ca.crt",
-		PemSHA:     "abc",
+		CASHA:      "abc",
 	}, nil
 
 }
@@ -202,12 +202,12 @@ func TestEquals(t *testing.T) {
 	sslCert1 := resolver.AuthSSLCert{
 		Secret:     "default/demo-secret",
 		CAFileName: "/ssl/ca.crt",
-		PemSHA:     "abc",
+		CASHA:      "abc",
 	}
 	sslCert2 := resolver.AuthSSLCert{
 		Secret:     "default/other-demo-secret",
 		CAFileName: "/ssl/ca.crt",
-		PemSHA:     "abc",
+		CASHA:      "abc",
 	}
 	cfg1.AuthSSLCert = sslCert1
 	cfg2.AuthSSLCert = sslCert2

diff --git a/internal/ingress/controller/checker.go b/internal/ingress/controller/checker.go
@@ -18,6 +18,7 @@ package controller
 
 import (
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"strconv"
 	"strings"
@@ -63,7 +64,7 @@ func (n *NGINXController) Check(_ *http.Request) error {
 	if err != nil {
 		return errors.Wrap(err, "unexpected error reading /proc directory")
 	}
-	f, err := n.fileSystem.ReadFile(nginx.PID)
+	f, err := ioutil.ReadFile(nginx.PID)
 	if err != nil {
 		return errors.Wrapf(err, "unexpected error reading %v", nginx.PID)
 	}