REORG/MINOR: Use an interface in haproxy.certs package

ivanmatmati · Mo3m3n · commit 6379e341a32b · 2022-05-06T00:00:41.000+02:00
diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go
@@ -26,7 +26,7 @@ type Annotations interface {
 	GlobalCfgSnipp() []Annotation
 	Global(g *models.Global, l *models.LogTargets) []Annotation
 	Defaults(d *models.Defaults) []Annotation
-	Backend(b *models.Backend, s store.K8s, c *certs.Certificates) []Annotation
+	Backend(b *models.Backend, s store.K8s, c certs.Certificates) []Annotation
 	Frontend(i *store.Ingress, r *rules.List, m maps.MapFiles) []Annotation
 	Secret(name, defaultNs string, k store.K8s, annotations ...map[string]string) (secret *store.Secret, err error)
 	Timeout(name string, annotations ...map[string]string) (out *int64, err error)
@@ -129,7 +129,7 @@ func (a annImpl) Frontend(i *store.Ingress, r *rules.List, m maps.MapFiles) []An
 	}
 }
 
-func (a annImpl) Backend(b *models.Backend, s store.K8s, c *certs.Certificates) []Annotation {
+func (a annImpl) Backend(b *models.Backend, s store.K8s, c certs.Certificates) []Annotation {
 	annotations := []Annotation{
 		service.NewAbortOnClose("abortonclose", b),
 		service.NewTimeoutCheck("timeout-check", b),
diff --git a/pkg/annotations/service/ca.go b/pkg/annotations/service/ca.go
@@ -10,11 +10,11 @@ import (
 
 type CA struct {
 	name         string
-	haproxyCerts *certs.Certificates
+	haproxyCerts certs.Certificates
 	backend      *models.Backend
 }
 
-func NewCA(n string, c *certs.Certificates, b *models.Backend) *CA {
+func NewCA(n string, c certs.Certificates, b *models.Backend) *CA {
 	return &CA{
 		name:         n,
 		haproxyCerts: c,
@@ -41,7 +41,7 @@ func (a *CA) Process(k store.K8s, annotations ...map[string]string) error {
 		}
 		return nil
 	}
-	caFile, err = a.haproxyCerts.HandleTLSSecret(secret, certs.CA_CERT)
+	caFile, err = a.haproxyCerts.AddSecret(secret, certs.CA_CERT)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/annotations/service/crt.go b/pkg/annotations/service/crt.go
@@ -10,11 +10,11 @@ import (
 
 type Crt struct {
 	name         string
-	haproxyCerts *certs.Certificates
+	haproxyCerts certs.Certificates
 	backend      *models.Backend
 }
 
-func NewCrt(n string, c *certs.Certificates, b *models.Backend) *Crt {
+func NewCrt(n string, c certs.Certificates, b *models.Backend) *Crt {
 	return &Crt{
 		name:         n,
 		haproxyCerts: c,
@@ -41,7 +41,7 @@ func (a *Crt) Process(k store.K8s, annotations ...map[string]string) error {
 		}
 		return nil
 	}
-	crtFile, err = a.haproxyCerts.HandleTLSSecret(secret, certs.BD_CERT)
+	crtFile, err = a.haproxyCerts.AddSecret(secret, certs.BD_CERT)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/controller/global.go b/pkg/controller/global.go
@@ -174,6 +174,6 @@ func (c *HAProxyController) handleDefaultCert() {
 	if secret == nil {
 		return
 	}
-	_, err = c.haproxy.Certificates.HandleTLSSecret(secret, certs.FT_DEFAULT_CERT)
+	_, err = c.haproxy.AddSecret(secret, certs.FT_DEFAULT_CERT)
 	logger.Error(err)
 }
diff --git a/pkg/handler/https.go b/pkg/handler/https.go
@@ -89,7 +89,7 @@ func (handler HTTPS) handleClientTLSAuth(k store.K8s, h haproxy.HAProxy) (reload
 		}
 	}
 	if secret != nil {
-		caFile, err = h.Certificates.HandleTLSSecret(secret, certs.CA_CERT)
+		caFile, err = h.Certificates.AddSecret(secret, certs.CA_CERT)
 		if err != nil {
 			err = fmt.Errorf("client TLS Auth: %w", err)
 			return
@@ -153,7 +153,7 @@ func (handler HTTPS) Update(k store.K8s, h haproxy.HAProxy, a annotations.Annota
 	logger.Error(err)
 
 	// ssl-offload
-	if h.Certificates.FrontendCertsEnabled() {
+	if h.FrontCertsInUse() {
 		if !h.HTTPS {
 			logger.Panic(h.FrontendEnableSSLOffload(h.FrontHTTPS, handler.CertDir, handler.alpn, handler.strictSNI))
 			h.HTTPS = true
@@ -187,7 +187,7 @@ func (handler HTTPS) Update(k store.K8s, h haproxy.HAProxy, a annotations.Annota
 		reload = true
 		logger.Debug("SSLPassthrough disabled, reload required")
 	}
-	if h.Certificates.Updated() {
+	if h.CertsUpdated() {
 		reload = true
 	}
 
diff --git a/pkg/haproxy/certs/main.go b/pkg/haproxy/certs/main.go
@@ -12,12 +12,26 @@ import (
 	"github.com/haproxytech/kubernetes-ingress/pkg/utils"
 )
 
-type Certificates struct {
+type certs struct {
 	frontend map[string]*cert
 	backend  map[string]*cert
 	ca       map[string]*cert
 }
 
+type Certificates interface {
+	// Add takes a secret and its type and creats or updates the corresponding certificate
+	AddSecret(secret *store.Secret, secretType SecretType) (certPath string, err error)
+	// FrontCertsInuse returns true if a frontend certificate is configured.
+	FrontCertsInUse() bool
+	// Updated returns true if there is any updadted/created certificate
+	CertsUpdated() bool
+	// Refresh removes unused certs from HAProxyCertDir and returns false if
+	// no certificates were removed, otherwise returns true
+	RefreshCerts() bool
+	// Clean cleans certificates state
+	CleanCerts()
+}
+
 type cert struct {
 	name    string
 	path    string
@@ -54,7 +68,7 @@ type SecretCtx struct {
 	SecretType SecretType
 }
 
-func New(envParam Env) (*Certificates, error) {
+func New(envParam Env) (Certificates, error) {
 	env = envParam
 	if env.FrontendDir == "" {
 		return nil, fmt.Errorf("empty name for Frontend Cert Directory")
@@ -65,14 +79,14 @@ func New(envParam Env) (*Certificates, error) {
 	if env.CaDir == "" {
 		return nil, fmt.Errorf("empty name for CA Cert Directory")
 	}
-	return &Certificates{
+	return &certs{
 		frontend: make(map[string]*cert),
 		backend:  make(map[string]*cert),
 		ca:       make(map[string]*cert),
 	}, nil
 }
 
-func (c *Certificates) HandleTLSSecret(secret *store.Secret, secretType SecretType) (certPath string, err error) {
+func (c *certs) AddSecret(secret *store.Secret, secretType SecretType) (certPath string, err error) {
 	if secret == nil {
 		err = errors.New("nil secret")
 		return
@@ -125,7 +139,7 @@ func (c *Certificates) HandleTLSSecret(secret *store.Secret, secretType SecretTy
 	return crt.path, nil
 }
 
-func (c *Certificates) Clean() {
+func (c *certs) CleanCerts() {
 	for i := range c.frontend {
 		c.frontend[i].inUse = false
 		c.frontend[i].updated = false
@@ -140,7 +154,7 @@ func (c *Certificates) Clean() {
 	}
 }
 
-func (c *Certificates) FrontendCertsEnabled() bool {
+func (c *certs) FrontCertsInUse() bool {
 	for _, cert := range c.frontend {
 		if cert.inUse {
 			return true
@@ -149,15 +163,14 @@ func (c *Certificates) FrontendCertsEnabled() bool {
 	return false
 }
 
-// Refresh removes unused certs from HAProxyCertDir
-func (c *Certificates) Refresh() (reload bool) {
-	reload = refreshCerts(c.frontend, env.FrontendDir)
-	reload = refreshCerts(c.backend, env.BackendDir) || reload
-	reload = refreshCerts(c.ca, env.CaDir) || reload
+func (c *certs) RefreshCerts() (removed bool) {
+	removed = refreshCerts(c.frontend, env.FrontendDir)
+	removed = refreshCerts(c.backend, env.BackendDir) || removed
+	removed = refreshCerts(c.ca, env.CaDir) || removed
 	return
 }
 
-func (c *Certificates) Updated() (reload bool) {
+func (c *certs) CertsUpdated() (reload bool) {
 	for _, certs := range []map[string]*cert{c.frontend, c.backend, c.ca} {
 		for _, crt := range certs {
 			if crt.updated {
@@ -169,7 +182,7 @@ func (c *Certificates) Updated() (reload bool) {
 	return reload
 }
 
-func refreshCerts(certs map[string]*cert, certDir string) (reload bool) {
+func refreshCerts(certs map[string]*cert, certDir string) (removed bool) {
 	files, err := ioutil.ReadDir(certDir)
 	if err != nil {
 		logger.Error(err)
@@ -186,7 +199,7 @@ func refreshCerts(certs map[string]*cert, certDir string) (reload bool) {
 		if !crtOk || !crt.inUse {
 			logger.Error(os.Remove(path.Join(certDir, filename)))
 			delete(certs, certName)
-			reload = true
+			removed = true
 			logger.Debugf("secret %s removed, reload required", crt.name)
 		}
 	}
diff --git a/pkg/haproxy/config/main.go b/pkg/haproxy/config/main.go
@@ -11,7 +11,7 @@ import (
 type Config struct {
 	*maps.MapFiles
 	rules.Rules
-	*certs.Certificates
+	certs.Certificates
 	ActiveBackends  map[string]struct{}
 	RateLimitTables []string
 	HTTPS           bool
@@ -46,6 +46,6 @@ func (cfg *Config) Clean() {
 	cfg.RateLimitTables = []string{}
 	cfg.ActiveBackends = make(map[string]struct{})
 	cfg.MapFiles.Clean()
-	cfg.Certificates.Clean()
+	cfg.CleanCerts()
 	cfg.CleanRules()
 }
diff --git a/pkg/haproxy/main.go b/pkg/haproxy/main.go
@@ -63,7 +63,7 @@ func New(osArgs utils.OSArgs, env config.Env, cfgFile []byte, p process.Process,
 func (h *HAProxy) Refresh(cleanCrts bool) (reload bool, err error) {
 	// Certs
 	if cleanCrts {
-		reload = h.Certificates.Refresh()
+		reload = h.RefreshCerts()
 	}
 	// Rules
 	reload = h.RefreshRules(h.HAProxyClient) || reload
diff --git a/pkg/ingress/ingress.go b/pkg/ingress/ingress.go
@@ -216,7 +216,7 @@ func (i *Ingress) Update(k store.K8s, h haproxy.HAProxy, a annotations.Annotatio
 			logger.Warningf("Ingress '%s/%s': %s", i.resource.Namespace, i.resource.Name, secErr)
 			continue
 		}
-		_, err := h.Certificates.HandleTLSSecret(secret, certs.FT_CERT)
+		_, err := h.AddSecret(secret, certs.FT_CERT)
 		logger.Error(err)
 	}
 	// Ingress annotations
diff --git a/pkg/service/service.go b/pkg/service/service.go
@@ -38,15 +38,15 @@ type Service struct {
 	path        *store.IngressPath
 	resource    *store.Service
 	backend     *models.Backend
-	certs       *certs.Certificates
+	certs       certs.Certificates
 	annotations []map[string]string
 	modeTCP     bool
 	newBackend  bool
 }
 
 // New returns a Service instance to handle the k8s IngressPath resource given in params.
 // An error will be returned if there is no k8s Service resource corresponding to the service description in IngressPath.
-func New(k store.K8s, path *store.IngressPath, certs *certs.Certificates, tcpService bool, annList ...map[string]string) (*Service, error) {
+func New(k store.K8s, path *store.IngressPath, certs certs.Certificates, tcpService bool, annList ...map[string]string) (*Service, error) {
 	service, err := k.GetService(path.SvcNamespace, path.SvcName)
 	if err != nil {
 		return nil, err

Original file line number	Diff line number	Diff line change
`@@ -10,11 +10,11 @@ import (`
`10`	`10`
`11`	`11`	`type CA struct {`
`12`	`12`	`name string`
`13`		`- haproxyCerts *certs.Certificates`
	`13`	`+ haproxyCerts certs.Certificates`
`14`	`14`	`backend *models.Backend`
`15`	`15`	`}`
`16`	`16`
`17`		`-func NewCA(n string, c certs.Certificates, b models.Backend) *CA {`
	`17`	`+func NewCA(n string, c certs.Certificates, b models.Backend) CA {`
`18`	`18`	`return &CA{`
`19`	`19`	`name: n,`
`20`	`20`	`haproxyCerts: c,`
`@@ -41,7 +41,7 @@ func (a *CA) Process(k store.K8s, annotations ...map[string]string) error {`
`41`	`41`	`}`
`42`	`42`	`return nil`
`43`	`43`	`}`
`44`		`- caFile, err = a.haproxyCerts.HandleTLSSecret(secret, certs.CA_CERT)`
	`44`	`+ caFile, err = a.haproxyCerts.AddSecret(secret, certs.CA_CERT)`
`45`	`45`	`if err != nil {`
`46`	`46`	`return err`
`47`	`47`	`}`
Original file line number	Diff line number	Diff line change
`@@ -174,6 +174,6 @@ func (c *HAProxyController) handleDefaultCert() {`
`174`	`174`	`if secret == nil {`
`175`	`175`	`return`
`176`	`176`	`}`
`177`		`- _, err = c.haproxy.Certificates.HandleTLSSecret(secret, certs.FT_DEFAULT_CERT)`
	`177`	`+ _, err = c.haproxy.AddSecret(secret, certs.FT_DEFAULT_CERT)`
`178`	`178`	`logger.Error(err)`
`179`	`179`	`}`
Original file line number	Diff line number	Diff line change
`@@ -89,7 +89,7 @@ func (handler HTTPS) handleClientTLSAuth(k store.K8s, h haproxy.HAProxy) (reload`
`89`	`89`	`}`
`90`	`90`	`}`
`91`	`91`	`if secret != nil {`
`92`		`- caFile, err = h.Certificates.HandleTLSSecret(secret, certs.CA_CERT)`
	`92`	`+ caFile, err = h.Certificates.AddSecret(secret, certs.CA_CERT)`
`93`	`93`	`if err != nil {`
`94`	`94`	`err = fmt.Errorf("client TLS Auth: %w", err)`
`95`	`95`	`return`
`@@ -153,7 +153,7 @@ func (handler HTTPS) Update(k store.K8s, h haproxy.HAProxy, a annotations.Annota`
`153`	`153`	`logger.Error(err)`
`154`	`154`
`155`	`155`	`// ssl-offload`
`156`		`- if h.Certificates.FrontendCertsEnabled() {`
	`156`	`+ if h.FrontCertsInUse() {`
`157`	`157`	`if !h.HTTPS {`
`158`	`158`	`logger.Panic(h.FrontendEnableSSLOffload(h.FrontHTTPS, handler.CertDir, handler.alpn, handler.strictSNI))`
`159`	`159`	`h.HTTPS = true`
`@@ -187,7 +187,7 @@ func (handler HTTPS) Update(k store.K8s, h haproxy.HAProxy, a annotations.Annota`
`187`	`187`	`reload = true`
`188`	`188`	`logger.Debug("SSLPassthrough disabled, reload required")`
`189`	`189`	`}`
`190`		`- if h.Certificates.Updated() {`
	`190`	`+ if h.CertsUpdated() {`
`191`	`191`	`reload = true`
`192`	`192`	`}`
`193`	`193`
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ func New(osArgs utils.OSArgs, env config.Env, cfgFile []byte, p process.Process,`
`63`	`63`	`func (h *HAProxy) Refresh(cleanCrts bool) (reload bool, err error) {`
`64`	`64`	`// Certs`
`65`	`65`	`if cleanCrts {`
`66`		`- reload = h.Certificates.Refresh()`
	`66`	`+ reload = h.RefreshCerts()`
`67`	`67`	`}`
`68`	`68`	`// Rules`
`69`	`69`	`reload = h.RefreshRules(h.HAProxyClient) \|\| reload`
Original file line number	Diff line number	Diff line change
`@@ -216,7 +216,7 @@ func (i *Ingress) Update(k store.K8s, h haproxy.HAProxy, a annotations.Annotatio`
`216`	`216`	`logger.Warningf("Ingress '%s/%s': %s", i.resource.Namespace, i.resource.Name, secErr)`
`217`	`217`	`continue`
`218`	`218`	`}`
`219`		`- _, err := h.Certificates.HandleTLSSecret(secret, certs.FT_CERT)`
	`219`	`+ _, err := h.AddSecret(secret, certs.FT_CERT)`
`220`	`220`	`logger.Error(err)`
`221`	`221`	`}`
`222`	`222`	`// Ingress annotations`