
Commit 3cd030b

committed
OPTIM/MINOR: Ignore "Status" in TLS authentication annotations
1 parent 844a74f commit 3cd030b


1 file changed

+29
-27
lines changed


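--- a/controller/handler/https.go
+++ b/controller/handler/https.go
@@ -75,57 +75,59 @@ func (h HTTPS) handleClientTLSAuth(k store.K8s, cfg *config.ControllerCfg, api a
 annTLSAuth, _ := k.GetValueFromAnnotations("client-ca", k.ConfigMaps.Main.Annotations)
 annTLSVerify, _ := k.GetValueFromAnnotations("client-crt-optional", k.ConfigMaps.Main.Annotations)
 if annTLSAuth == nil {
-return false, nil
+return
 }
 binds, err := api.FrontendBindsGet(cfg.FrontHTTPS)
 if err != nil {
-return false, err
+return
 }
-caFile, secretErr := cfg.Certificates.HandleTLSSecret(k, haproxy.SecretCtx{
+// Parsing annotations
+var caFile string
+caFile, err = cfg.Certificates.HandleTLSSecret(k, haproxy.SecretCtx{
 DefaultNS: "",
 SecretPath: annTLSAuth.Value,
 SecretType: haproxy.CA_CERT,
 })
-// Annotation or secret DELETED
-if binds[0].SslCafile != "" && (annTLSAuth.Status == store.DELETED || caFile == "") {
-logger.Infof("removing client TLS authentication")
-for i := range binds {
-binds[i].SslCafile = ""
-binds[i].Verify = ""
-if err = api.FrontendBindEdit(cfg.FrontHTTPS, *binds[i]); err != nil {
-return false, err
-}
-}
-return true, nil
-}
-// Handle secret errors
-if secretErr != nil {
-if errors.Is(secretErr, haproxy.ErrCertNotFound) {
+if err != nil {
+if errors.Is(err, haproxy.ErrCertNotFound) {
 logger.Warning("unable to configure TLS authentication secret '%s' not found", annTLSAuth.Value)
-return false, nil
+err = nil
 }
-return false, secretErr
-}
-// No changes
-if annTLSAuth.Status == store.EMPTY {
-return false, nil
 }
 verify := "required"
 enabled, annErr := utils.GetBoolValue("client-crt-optional", annTLSVerify.Value)
 logger.Error(annErr)
 if enabled {
 verify = "optional"
 }
-// Configure TLS Authentication
-logger.Infof("enabling client TLS authentication")
+// No changes
+if binds[0].SslCafile == caFile && binds[0].Verify == verify {
+return
+}
+// Removing config
+if caFile == "" {
+logger.Infof("removing client TLS authentication")
+for i := range binds {
+binds[i].SslCafile = ""
+binds[i].Verify = ""
+if err = api.FrontendBindEdit(cfg.FrontHTTPS, *binds[i]); err != nil {
+return false, err
+}
+}
+reload = true
+return
+}
+// Updating config
+logger.Infof("configuring client TLS authentication")
 for i := range binds {
 binds[i].SslCafile = caFile
 binds[i].Verify = verify
 if err = api.FrontendBindEdit(cfg.FrontHTTPS, *binds[i]); err != nil {
 return false, err
 }
 }
-return true, nil
+reload = true
+return
 }
 
 func (h HTTPS) Update(k store.K8s, cfg *config.ControllerCfg, api api.HAProxyClient) (reload bool, err error) {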
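Review bot: A `HandleTLSSecret` failure other than `haproxy.ErrCertNotFound` is no longer returned: the new `if err != nil` block only resets the not-found case and then falls through. If `caFile` comes back empty in that case, the `caFile == ""` branch clears `SslCafile` and `Verify` on every bind, and the original error is overwritten by the `FrontendBindEdit` result. For a client-certificate control this means a secret-handling error can silently turn authentication off; adding `return false, err` after the `errors.Is` block would leave the existing binds untouched and surface the failure. Separately, when the secret is missing and the binds are already unconfigured, `verify` is `"required"` while `binds[0].Verify` is presumably empty, so the "No changes" test fails and the removal loop sets `reload = true` on every pass; testing `caFile == ""` before comparing `Verify` would avoid that. The start of `handleClientTLSAuth` lies outside the hunk, so the named results `reload` and `err` are inferred from the bare `return` statements.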
