Merge branch 'master' into check-lb-state-before-ingress-update

Author: Thilina Madumal

aws/acm.go

@@ -33,7 +33,7 @@ func (p *acmCertificateProvider) GetCertificates(ctx context.Context) ([]*certs.
 	if err != nil {
 		return nil, err
 	}
-	result := make([]*certs.CertificateSummary, 0)
+	result := make([]*certs.CertificateSummary, 0, len(acmSummaries))
 	for _, o := range acmSummaries {
 		summary, err := getCertificateSummaryFromACM(ctx, p.api, o.CertificateArn)
 		if err != nil {

certs/fake/certificate.go

@@ -8,100 +8,97 @@ import (
 	"crypto/x509/pkix"
 	"fmt"
 	"math/big"
-	"sync"
 	"time"
 
 	"github.com/zalando-incubator/kube-ingress-aws-controller/certs"
 )
 
-type caSingleton struct {
-	once      sync.Once
-	err       error
+type CA struct {
 	chainKey  *rsa.PrivateKey
 	roots     *x509.CertPool
 	chainCert *x509.Certificate
 }
 
-type CertificateProvider struct {
-	ca caSingleton
-}
+func NewCA() (*CA, error) {
+	const tenYears = time.Hour * 24 * 365 * 10
 
-func (m *CertificateProvider) GetCertificates(ctx context.Context) ([]*certs.CertificateSummary, error) {
-	tenYears := time.Hour * 24 * 365 * 10
-	altNames := []string{"foo.bar.org"}
-	arn := "DUMMY"
-	notBefore := time.Now()
-	notAfter := time.Now().Add(time.Hour * 24)
+	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate CA key: %w", err)
+	}
 
-	m.ca.once.Do(func() {
-		caKey, err := rsa.GenerateKey(rand.Reader, 2048)
-		if err != nil {
-			m.ca.err = fmt.Errorf("unable to generate CA key: %w", err)
-			return
-		}
+	caCert := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"Testing CA"},
+		},
+		NotBefore: time.Time{},
+		NotAfter:  time.Now().Add(tenYears),
 
-		caCert := x509.Certificate{
-			SerialNumber: big.NewInt(1),
-			Subject: pkix.Name{
-				Organization: []string{"Testing CA"},
-			},
-			NotBefore: time.Time{},
-			NotAfter:  time.Now().Add(tenYears),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
 
-			KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-			BasicConstraintsValid: true,
+		IsCA: true,
+	}
 
-			IsCA: true,
-		}
-		caBody, err := x509.CreateCertificate(rand.Reader, &caCert, &caCert, caKey.Public(), caKey)
-		if err != nil {
-			m.ca.err = fmt.Errorf("unable to generate CA certificate: %w", err)
-			return
-		}
-		caReparsed, err := x509.ParseCertificate(caBody)
-		if err != nil {
-			m.ca.err = fmt.Errorf("unable to parse CA certificate: %w", err)
-			return
-		}
-		m.ca.roots = x509.NewCertPool()
-		m.ca.roots.AddCert(caReparsed)
+	caBody, err := x509.CreateCertificate(rand.Reader, &caCert, &caCert, caKey.Public(), caKey)
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate CA certificate: %w", err)
+	}
 
-		chainKey, err := rsa.GenerateKey(rand.Reader, 2048)
-		if err != nil {
-			m.ca.err = fmt.Errorf("unable to generate sub-CA key: %w", err)
-			return
-		}
-		chainCert := x509.Certificate{
-			SerialNumber: big.NewInt(2),
-			Subject: pkix.Name{
-				Organization: []string{"Testing Sub-CA"},
-			},
-			NotBefore: time.Time{},
-			NotAfter:  time.Now().Add(tenYears),
-
-			KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-			BasicConstraintsValid: true,
-
-			IsCA: true,
-		}
-		chainBody, err := x509.CreateCertificate(rand.Reader, &chainCert, caReparsed, chainKey.Public(), caKey)
-		if err != nil {
-			m.ca.err = fmt.Errorf("unable to generate sub-CA certificate: %w", err)
-		}
-		chainReparsed, err := x509.ParseCertificate(chainBody)
-		if err != nil {
-			m.ca.err = fmt.Errorf("unable to parse sub-CA certificate: %w", err)
-			return
-		}
+	caReparsed, err := x509.ParseCertificate(caBody)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse CA certificate: %w", err)
+	}
+
+	chainKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate sub-CA key: %w", err)
+	}
+	chainCert := x509.Certificate{
+		SerialNumber: big.NewInt(2),
+		Subject: pkix.Name{
+			Organization: []string{"Testing Sub-CA"},
+		},
+		NotBefore: time.Time{},
+		NotAfter:  time.Now().Add(tenYears),
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+
+		IsCA: true,
+	}
+
+	chainBody, err := x509.CreateCertificate(rand.Reader, &chainCert, caReparsed, chainKey.Public(), caKey)
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate sub-CA certificate: %w", err)
+	}
+
+	chainReparsed, err := x509.ParseCertificate(chainBody)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse sub-CA certificate: %w", err)
+	}
+
+	ca := new(CA)
+	ca.roots = x509.NewCertPool()
+	ca.roots.AddCert(caReparsed)
+	ca.chainKey = chainKey
+	ca.chainCert = chainReparsed
+
+	return ca, nil
+}
 
-		m.ca.chainKey = chainKey
-		m.ca.chainCert = chainReparsed
-	})
+func (ca *CA) NewCertificateSummary() (*certs.CertificateSummary, error) {
+	altNames := []string{"foo.bar.org"}
+	arn := "DUMMY"
+	notBefore := time.Now()
+	notAfter := time.Now().Add(time.Hour * 24)
 
 	certKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return nil, fmt.Errorf("unable to generate certificate key: %w", err)
 	}
+
 	cert := x509.Certificate{
 		SerialNumber: big.NewInt(3),
 		DNSNames:     altNames,
@@ -113,17 +110,27 @@ func (m *CertificateProvider) GetCertificates(ctx context.Context) ([]*certs.Cer
 		BasicConstraintsValid: true,
 	}
 
-	body, err := x509.CreateCertificate(rand.Reader, &cert, m.ca.chainCert, certKey.Public(), m.ca.chainKey)
+	body, err := x509.CreateCertificate(rand.Reader, &cert, ca.chainCert, certKey.Public(), ca.chainKey)
 	if err != nil {
 		return nil, err
 	}
+
 	reparsed, err := x509.ParseCertificate(body)
 	if err != nil {
 		return nil, err
 	}
 
-	c := certs.NewCertificate(arn, reparsed, []*x509.Certificate{m.ca.chainCert})
-	return []*certs.CertificateSummary{c.WithRoots(m.ca.roots)}, nil
+	c := certs.NewCertificate(arn, reparsed, []*x509.Certificate{ca.chainCert})
+	return c.WithRoots(ca.roots), nil
+}
+
+type CertificateProvider struct {
+	Summaries []*certs.CertificateSummary
+	Error     error
+}
+
+func (m *CertificateProvider) GetCertificates(_ context.Context) ([]*certs.CertificateSummary, error) {
+	return m.Summaries, m.Error
 }
 
 // certmock implements CertificatesFinder for testing, without validating

testdata/no_certificates/input/k8s/ing.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: no_certificates
+spec:
+  rules:
+  - host: foo.bar.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: foo-bar-service
+            port:
+              name: main-port
+        path: /
+        pathType: ImplementationSpecific

worker.go

@@ -318,6 +318,10 @@ func doWork(
 		return problems.Add("failed to get certificates: %w", err)
 	}
 
+	if len(certificateSummaries) == 0 {
+		return problems.Add("no certificates found")
+	}
+
 	cwAlarms, err := getCloudWatchAlarms(kubeAdapter, cwAlarmConfigMapLocation)
 	if err != nil {
 		return problems.Add("failed to retrieve cloudwatch alarm configuration: %w", err)