@@ -49,9 +49,13 @@ func (ssr noopSSLSecretReader) readSSLSecret(ns, name string) (sslSecret *certif
4949
5050// SSLConfig is a description of a SSL certificate.
5151type SSLConfig struct {
52- Ports sets.Int
53- ListenerSSLSecretName string
54- BackendSetSSLSecretName string
52+ Ports sets.Int
53+
54+ ListenerSSLSecretName string
55+ ListenerSSLSecretNamespace string
56+
57+ BackendSetSSLSecretName string
58+ BackendSetSSLSecretNamespace string
5559
5660 sslSecretReader
5761}
@@ -62,15 +66,21 @@ func requiresCertificate(svc *v1.Service) bool {
6266}
6367
6468// NewSSLConfig constructs a new SSLConfig.
65- func NewSSLConfig (listenerSecretName , backendSetSecretName string , ports []int , ssr sslSecretReader ) * SSLConfig {
69+ func NewSSLConfig (secretListenerString string , secretBackendSetString string , service * v1. Service , ports []int , ssr sslSecretReader ) * SSLConfig {
6670 if ssr == nil {
6771 ssr = noopSSLSecretReader {}
6872 }
73+
74+ listenerSecretName , listenerSecretNamespace := getSecretParts (secretListenerString , service )
75+ backendSecretName , backendSecretNamespace := getSecretParts (secretBackendSetString , service )
76+
6977 return & SSLConfig {
70- Ports : sets .NewInt (ports ... ),
71- ListenerSSLSecretName : listenerSecretName ,
72- BackendSetSSLSecretName : backendSetSecretName ,
73- sslSecretReader : ssr ,
78+ Ports : sets .NewInt (ports ... ),
79+ ListenerSSLSecretName : listenerSecretName ,
80+ ListenerSSLSecretNamespace : listenerSecretNamespace ,
81+ BackendSetSSLSecretName : backendSecretName ,
82+ BackendSetSSLSecretNamespace : backendSecretNamespace ,
83+ sslSecretReader : ssr ,
7484 }
7585}
7686
@@ -95,12 +105,6 @@ type LBSpec struct {
95105
96106// NewLBSpec creates a LB Spec from a Kubernetes service and a slice of nodes.
97107func NewLBSpec (svc * v1.Service , nodes []* v1.Node , defaultSubnets []string , sslConfig * SSLConfig , secListFactory securityListManagerFactory ) (* LBSpec , error ) {
98- // Disable check for whether there are two subnets, rely on OCI to decide whether the number of subnets is correct
99- // This allows LoadBalancers to be created in single AD regions
100- // if len(defaultSubnets) != 2 {
101- // return nil, errors.New("default subnets incorrectly configured")
102- // }
103-
104108 if err := validateService (svc ); err != nil {
105109 return nil , errors .Wrap (err , "invalid service" )
106110 }
@@ -137,13 +141,6 @@ func NewLBSpec(svc *v1.Service, nodes []*v1.Node, defaultSubnets []string, sslCo
137141 }
138142 subnets = subnets [:1 ]
139143 }
140- // Disable check for whether there are two subnets, rely on OCI to decide whether the number of subnets is correct
141- // This allows LoadBalancers to be created in single AD regions
142- // else {
143- // if subnets[0] == "" || subnets[1] == "" {
144- // return nil, errors.Errorf("a configuration for both subnets must be specified")
145- // }
146- // }
147144
148145 listeners , err := getListeners (svc , sslConfig )
149146 if err != nil {
@@ -172,25 +169,32 @@ func NewLBSpec(svc *v1.Service, nodes []*v1.Node, defaultSubnets []string, sslCo
172169// Certificates builds a map of required SSL certificates.
173170func (s * LBSpec ) Certificates () (map [string ]loadbalancer.CertificateDetails , error ) {
174171 certs := make (map [string ]loadbalancer.CertificateDetails )
172+
175173 if s .SSLConfig == nil {
176174 return certs , nil
177175 }
178- secrets := make ([] string , 0 , 2 )
176+
179177 if s .SSLConfig .ListenerSSLSecretName != "" {
180- secrets = append (secrets , s .SSLConfig .ListenerSSLSecretName )
181- }
182- if s .SSLConfig .BackendSetSSLSecretName != "" {
183- secrets = append (secrets , s .SSLConfig .BackendSetSSLSecretName )
178+ cert , err := s .SSLConfig .readSSLSecret (s .SSLConfig .ListenerSSLSecretNamespace , s .SSLConfig .ListenerSSLSecretName )
179+ if err != nil {
180+ return nil , errors .Wrap (err , "reading SSL Listener Secret" )
181+ }
182+ certs [s .SSLConfig .ListenerSSLSecretName ] = loadbalancer.CertificateDetails {
183+ CertificateName : & s .SSLConfig .ListenerSSLSecretName ,
184+ CaCertificate : common .String (string (cert .CACert )),
185+ PublicCertificate : common .String (string (cert .PublicCert )),
186+ PrivateKey : common .String (string (cert .PrivateKey )),
187+ Passphrase : common .String (string (cert .Passphrase )),
188+ }
184189 }
185190
186- for idx , name := range secrets {
187- cert , err := s .SSLConfig .readSSLSecret (s .service . Namespace , name )
191+ if s . SSLConfig . BackendSetSSLSecretName != "" {
192+ cert , err := s .SSLConfig .readSSLSecret (s .SSLConfig . BackendSetSSLSecretNamespace , s . SSLConfig . BackendSetSSLSecretName )
188193 if err != nil {
189- return nil , errors .Wrap (err , "reading SSL BackendSet Secret" )
194+ return nil , errors .Wrap (err , "reading SSL Backend Secret" )
190195 }
191-
192- certs [name ] = loadbalancer.CertificateDetails {
193- CertificateName : & secrets [idx ],
196+ certs [s .SSLConfig .BackendSetSSLSecretName ] = loadbalancer.CertificateDetails {
197+ CertificateName : & s .SSLConfig .BackendSetSSLSecretName ,
194198 CaCertificate : common .String (string (cert .CACert )),
195199 PublicCertificate : common .String (string (cert .PublicCert )),
196200 PrivateKey : common .String (string (cert .PrivateKey )),
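Review bot: Both entries are keyed and named by the bare secret name (`certs[s.SSLConfig.ListenerSSLSecretName]` and `CertificateName: &s.SSLConfig.ListenerSSLSecretName`, likewise for the backend set), so now that each secret carries its own namespace, a listener secret `a/tls` and a backend-set secret `b/tls` collide: the second write overwrites the first and the load balancer gets a single certificate named `tls` serving both roles, with whichever secret was read last. If distinct namespaces are meant to be supported, either reject the case where the two names are equal but the namespaces differ, or derive the certificate name from namespace and name together (which changes the names OCI sees, so existing load balancers would need migration). The two blocks are also copies of each other apart from the error string; a small helper taking `(namespace, name string)` would remove the duplication. Certificates continues past the end of the hunk.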
@@ -374,3 +378,14 @@ func getListeners(svc *v1.Service, sslCfg *SSLConfig) (map[string]loadbalancer.L
374378
375379 return listeners , nil
376380}
381+
382+ func getSecretParts (secretString string , service * v1.Service ) (name string , namespace string ) {
383+ if secretString == "" {
384+ return "" , ""
385+ }
386+ if ! strings .Contains (secretString , "/" ) {
387+ return secretString , service .Namespace
388+ }
389+ parts := strings .Split (secretString , "/" )
390+ return parts [1 ], parts [0 ]
391+ }
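Review bot: getSecretParts accepts any namespace in the `namespace/name` form, so if the secret strings originate from a user-settable Service annotation (their source is outside this hunk), anyone able to create or annotate a Service can make the controller read a TLS Secret, private key included, from a namespace they may have no RBAC access to and push it to the load balancer. Before the read in Certificates, the namespace should be checked against the Service's own namespace or an explicit allowlist, otherwise the controller acts as a confused deputy for its cluster-wide secret permissions. The parsing is also lenient: `strings.Split` on `ns/name/extra` silently drops `extra`, and `ns/` or `/name` yield an empty half that is passed on as if valid. Use `parts := strings.SplitN(secretString, "/", 2)` and reject inputs where either part is empty, which means returning an error from here and from NewSSLConfig rather than the current bare `(name, namespace)` pair.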