Removes wrong secret enqueing and improve the Fake Cert generation

kubernetes · Mar 6, 2017 · 51235a3 · 51235a3
1 parent 6c1b45a
commit 51235a3
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 27 deletions.
diff --git a/core/pkg/ingress/controller/backend_ssl.go b/core/pkg/ingress/controller/backend_ssl.go
@@ -43,28 +43,9 @@ func (ic *GenericController) syncSecret(k interface{}) error {
 		return fmt.Errorf("deferring sync till endpoints controller has synced")
 	}
 
-	// check if the default certificate is configured
-	key := fmt.Sprintf("default/%v", defServerName)
-	_, exists := ic.sslCertTracker.Get(key)
+	var key string
 	var cert *ingress.SSLCert
 	var err error
-	if !exists {
-		if ic.cfg.DefaultSSLCertificate != "" {
-			cert, err = ic.getPemCertificate(ic.cfg.DefaultSSLCertificate)
-			if err != nil {
-				return err
-			}
-		} else {
-			defCert, defKey := ssl.GetFakeSSLCert()
-			cert, err = ssl.AddOrUpdateCertAndKey("default-fake-certificate", defCert, defKey, []byte{})
-			if err != nil {
-				return nil
-			}
-		}
-		cert.Name = defServerName
-		cert.Namespace = api.NamespaceDefault
-		ic.sslCertTracker.Add(key, cert)
-	}
 
 	key = k.(string)
 

diff --git a/core/pkg/ingress/controller/controller.go b/core/pkg/ingress/controller/controller.go
@@ -838,26 +838,27 @@ func (ic *GenericController) createServers(data []interface{},
 		CookiePath:     bdef.ProxyCookiePath,
 	}
 
-	// This adds the Default Certificate to Default Backend and also for vhosts missing the secret
+	// This adds the Default Certificate to Default Backend (or generates a new self signed one)
 	var defaultPemFileName, defaultPemSHA string
+
+	// Tries to fetch the default Certificate. If it does not exists, generate a new self signed one.
 	defaultCertificate, err := ic.getPemCertificate(ic.cfg.DefaultSSLCertificate)
-	// If no default Certificate was supplied, tries to generate a new dumb one
 	if err != nil {
-		var cert *ingress.SSLCert
-
+		// This means the Default Secret does not exists, so we will create a new one.
 		fakeCertificate := "default-fake-certificate"
 		fakeCertificatePath := fmt.Sprintf("%v/%v.pem", ingress.DefaultSSLDirectory, fakeCertificate)
 
 		// Only generates a new certificate if it doesn't exists physically
 		_, err := os.Stat(fakeCertificatePath)
 		if err != nil {
+			glog.V(3).Infof("No Default SSL Certificate found. Generating a new one")
 			defCert, defKey := ssl.GetFakeSSLCert()
-			cert, err = ssl.AddOrUpdateCertAndKey(fakeCertificate, defCert, defKey, []byte{})
+			defaultCertificate, err = ssl.AddOrUpdateCertAndKey(fakeCertificate, defCert, defKey, []byte{})
 			if err != nil {
 				glog.Fatalf("Error generating self signed certificate: %v", err)
 			}
-			defaultPemFileName = cert.PemFileName
-			defaultPemSHA = cert.PemSHA
+			defaultPemFileName = defaultCertificate.PemFileName
+			defaultPemSHA = defaultCertificate.PemSHA
 		} else {
 			defaultPemFileName = fakeCertificatePath
 			defaultPemSHA = ssl.PemSHA1(fakeCertificatePath)

diff --git a/core/pkg/net/ssl/ssl.go b/core/pkg/net/ssl/ssl.go
@@ -78,6 +78,7 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
 
 	// If the file does not start with 'BEGIN CERTIFICATE' it's invalid and must not be used.
 	if pemBlock.Type != "CERTIFICATE" {
+		_ = os.Remove(tempPemFile.Name())
 		return nil, fmt.Errorf("Certificate %v contains invalid data, and must be created with 'kubectl create secret tls'", name)
 	}