nginx · pleshakov · Dec 4, 2020 · Dec 2, 2020
diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go
@@ -18,6 +18,7 @@ import (
 	"github.com/nginxinc/kubernetes-ingress/internal/configs/version1"
 	"github.com/nginxinc/kubernetes-ingress/internal/configs/version2"
 	"github.com/nginxinc/kubernetes-ingress/internal/k8s"
+	"github.com/nginxinc/kubernetes-ingress/internal/k8s/secrets"
 	"github.com/nginxinc/kubernetes-ingress/internal/metrics"
 	"github.com/nginxinc/kubernetes-ingress/internal/metrics/collectors"
 	"github.com/nginxinc/kubernetes-ingress/internal/nginx"
@@ -757,7 +758,7 @@ func getAndValidateSecret(kubeClient *kubernetes.Clientset, secretNsName string)
 	if err != nil {
 		return nil, fmt.Errorf("could not get %v: %v", secretNsName, err)
 	}
-	err = k8s.ValidateTLSSecret(secret)
+	err = secrets.ValidateTLSSecret(secret)
 	if err != nil {
 		return nil, fmt.Errorf("%v is invalid: %v", secretNsName, err)
 	}

diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go
@@ -11,6 +11,7 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/nginxinc/kubernetes-ingress/internal/k8s/secrets"
 	"github.com/nginxinc/nginx-prometheus-exporter/collector"
 	"github.com/spiffe/go-spiffe/workload"
 
@@ -1283,9 +1284,9 @@ func (cnf *Configurator) AddInternalRouteConfig() error {
 // AddOrUpdateSecret adds or updates a secret.
 func (cnf *Configurator) AddOrUpdateSecret(secret *api_v1.Secret) string {
 	switch secret.Type {
-	case SecretTypeCA:
+	case secrets.SecretTypeCA:
 		return cnf.addOrUpdateCASecret(secret)
-	case SecretTypeJWK:
+	case secrets.SecretTypeJWK:
 		return cnf.addOrUpdateJWKSecret(secret)
 	default:
 		return cnf.addOrUpdateTLSSecret(secret)

diff --git a/internal/configs/ingress.go b/internal/configs/ingress.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/golang/glog"
+	"github.com/nginxinc/kubernetes-ingress/internal/k8s/secrets"
 	api_v1 "k8s.io/api/core/v1"
 	networking "k8s.io/api/networking/v1beta1"
 
@@ -30,7 +31,7 @@ type IngressEx struct {
 	AppProtectPolicy  *unstructured.Unstructured
 	AppProtectLogConf *unstructured.Unstructured
 	AppProtectLogDst  string
-	SecretRefs        map[string]*SecretReference
+	SecretRefs        map[string]*secrets.SecretReference
 }
 
 // JWTKey represents a secret that holds JSON Web Key.
@@ -248,12 +249,12 @@ func generateNginxCfg(ingEx *IngressEx, apResources map[string]string, isMinion
 	}
 }
 
-func generateJWTConfig(secretRefs map[string]*SecretReference, cfgParams *ConfigParams, redirectLocationName string) (*version1.JWTAuth, *version1.JWTRedirectLocation) {
+func generateJWTConfig(secretRefs map[string]*secrets.SecretReference, cfgParams *ConfigParams, redirectLocationName string) (*version1.JWTAuth, *version1.JWTRedirectLocation) {
 	secret := secretRefs[cfgParams.JWTKey]
 
 	if secret.Error != nil {
 		// TO-DO: add a warning
-	} else if secret.Type != SecretTypeJWK {
+	} else if secret.Type != secrets.SecretTypeJWK {
 		// TO-DO: add a warning
 	}
 
@@ -278,7 +279,7 @@ func generateJWTConfig(secretRefs map[string]*SecretReference, cfgParams *Config
 	return jwtAuth, redirectLocation
 }
 
-func addSSLConfig(server *version1.Server, host string, ingressTLS []networking.IngressTLS, secretRefs map[string]*SecretReference, isWildcardEnabled bool) {
+func addSSLConfig(server *version1.Server, host string, ingressTLS []networking.IngressTLS, secretRefs map[string]*secrets.SecretReference, isWildcardEnabled bool) {
 	var tlsEnabled bool
 	var tlsSecret string
 

diff --git a/internal/configs/ingress_test.go b/internal/configs/ingress_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+	"github.com/nginxinc/kubernetes-ingress/internal/k8s/secrets"
 	v1 "k8s.io/api/core/v1"
 	networking "k8s.io/api/networking/v1beta1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -35,7 +36,7 @@ func TestGenerateNginxCfgForJWT(t *testing.T) {
 	cafeIngressEx.Ingress.Annotations["nginx.com/jwt-realm"] = "Cafe App"
 	cafeIngressEx.Ingress.Annotations["nginx.com/jwt-token"] = "$cookie_auth_token"
 	cafeIngressEx.Ingress.Annotations["nginx.com/jwt-login-url"] = "https://login.example.com"
-	cafeIngressEx.SecretRefs["cafe-jwk"] = &SecretReference{
+	cafeIngressEx.SecretRefs["cafe-jwk"] = &secrets.SecretReference{
 		Type: "nginx.org/jwk",
 		Path: "/etc/nginx/secrets/default-cafe-jwk",
 	}
@@ -289,7 +290,7 @@ func createCafeIngressEx() IngressEx {
 		ValidHosts: map[string]bool{
 			"cafe.example.com": true,
 		},
-		SecretRefs: map[string]*SecretReference{
+		SecretRefs: map[string]*secrets.SecretReference{
 			"cafe-secret": {
 				Type: v1.SecretTypeTLS,
 				Path: "/etc/nginx/secrets/default-cafe-secret",
@@ -341,17 +342,17 @@ func TestGenerateNginxCfgForMergeableIngressesForJWT(t *testing.T) {
 	mergeableIngresses.Master.Ingress.Annotations["nginx.com/jwt-realm"] = "Cafe"
 	mergeableIngresses.Master.Ingress.Annotations["nginx.com/jwt-token"] = "$cookie_auth_token"
 	mergeableIngresses.Master.Ingress.Annotations["nginx.com/jwt-login-url"] = "https://login.example.com"
-	mergeableIngresses.Master.SecretRefs["cafe-jwk"] = &SecretReference{
-		Type: SecretTypeJWK,
+	mergeableIngresses.Master.SecretRefs["cafe-jwk"] = &secrets.SecretReference{
+		Type: secrets.SecretTypeJWK,
 		Path: "/etc/nginx/secrets/default-cafe-jwk",
 	}
 
 	mergeableIngresses.Minions[0].Ingress.Annotations["nginx.com/jwt-key"] = "coffee-jwk"
 	mergeableIngresses.Minions[0].Ingress.Annotations["nginx.com/jwt-realm"] = "Coffee"
 	mergeableIngresses.Minions[0].Ingress.Annotations["nginx.com/jwt-token"] = "$cookie_auth_token_coffee"
 	mergeableIngresses.Minions[0].Ingress.Annotations["nginx.com/jwt-login-url"] = "https://login.cofee.example.com"
-	mergeableIngresses.Minions[0].SecretRefs["coffee-jwk"] = &SecretReference{
-		Type: SecretTypeJWK,
+	mergeableIngresses.Minions[0].SecretRefs["coffee-jwk"] = &secrets.SecretReference{
+		Type: secrets.SecretTypeJWK,
 		Path: "/etc/nginx/secrets/default-coffee-jwk",
 	}
 
@@ -500,7 +501,7 @@ func createMergeableCafeIngress() *MergeableIngresses {
 			ValidHosts: map[string]bool{
 				"cafe.example.com": true,
 			},
-			SecretRefs: map[string]*SecretReference{
+			SecretRefs: map[string]*secrets.SecretReference{
 				"cafe-secret": {
 					Type:  v1.SecretTypeTLS,
 					Path:  "/etc/nginx/secrets/default-cafe-secret",
@@ -520,7 +521,7 @@ func createMergeableCafeIngress() *MergeableIngresses {
 				ValidMinionPaths: map[string]bool{
 					"/coffee": true,
 				},
-				SecretRefs: map[string]*SecretReference{},
+				SecretRefs: map[string]*secrets.SecretReference{},
 			},
 			{
 				Ingress: &teaMinion,
@@ -533,7 +534,7 @@ func createMergeableCafeIngress() *MergeableIngresses {
 				ValidMinionPaths: map[string]bool{
 					"/tea": true,
 				},
-				SecretRefs: map[string]*SecretReference{},
+				SecretRefs: map[string]*secrets.SecretReference{},
 			}},
 	}
 
@@ -851,7 +852,7 @@ func TestAddSSLConfig(t *testing.T) {
 	tests := []struct {
 		host              string
 		tls               []networking.IngressTLS
-		secretRefs        map[string]*SecretReference
+		secretRefs        map[string]*secrets.SecretReference
 		isWildcardEnabled bool
 		expected          version1.Server
 		msg               string
@@ -864,7 +865,7 @@ func TestAddSSLConfig(t *testing.T) {
 					SecretName: "cafe-secret",
 				},
 			},
-			secretRefs: map[string]*SecretReference{
+			secretRefs: map[string]*secrets.SecretReference{
 				"cafe-secret": {
 					Type: v1.SecretTypeTLS,
 					Path: "/etc/nginx/secrets/default-cafe-secret",
@@ -882,7 +883,7 @@ func TestAddSSLConfig(t *testing.T) {
 					SecretName: "cafe-secret",
 				},
 			},
-			secretRefs: map[string]*SecretReference{
+			secretRefs: map[string]*secrets.SecretReference{
 				"cafe-secret": {
 					Type: v1.SecretTypeTLS,
 					Path: "/etc/nginx/secrets/default-cafe-secret",
@@ -904,7 +905,7 @@ func TestAddSSLConfig(t *testing.T) {
 					SecretName: "cafe-secret",
 				},
 			},
-			secretRefs: map[string]*SecretReference{
+			secretRefs: map[string]*secrets.SecretReference{
 				"cafe-secret": {
 					Error: errors.New("invalid secret"),
 				},
@@ -926,9 +927,9 @@ func TestAddSSLConfig(t *testing.T) {
 					SecretName: "cafe-secret",
 				},
 			},
-			secretRefs: map[string]*SecretReference{
+			secretRefs: map[string]*secrets.SecretReference{
 				"cafe-secret": {
-					Type: SecretTypeCA,
+					Type: secrets.SecretTypeCA,
 					Path: "/etc/nginx/secrets/default-cafe-secret",
 				},
 			},
@@ -989,17 +990,17 @@ func TestAddSSLConfig(t *testing.T) {
 
 func TestGenerateJWTConfig(t *testing.T) {
 	tests := []struct {
-		secretRefs               map[string]*SecretReference
+		secretRefs               map[string]*secrets.SecretReference
 		cfgParams                *ConfigParams
 		redirectLocationName     string
 		expectedJWTAuth          *version1.JWTAuth
 		expectedRedirectLocation *version1.JWTRedirectLocation
 		msg                      string
 	}{
 		{
-			secretRefs: map[string]*SecretReference{
+			secretRefs: map[string]*secrets.SecretReference{
 				"cafe-jwk": {
-					Type: SecretTypeJWK,
+					Type: secrets.SecretTypeJWK,
 					Path: "/etc/nginx/secrets/default-cafe-jwk",
 				},
 			},
@@ -1018,9 +1019,9 @@ func TestGenerateJWTConfig(t *testing.T) {
 			msg:                      "normal case",
 		},
 		{
-			secretRefs: map[string]*SecretReference{
+			secretRefs: map[string]*secrets.SecretReference{
 				"cafe-jwk": {
-					Type: SecretTypeJWK,
+					Type: secrets.SecretTypeJWK,
 					Path: "/etc/nginx/secrets/default-cafe-jwk",
 				},
 			},
@@ -1044,7 +1045,7 @@ func TestGenerateJWTConfig(t *testing.T) {
 			msg: "normal case with login url",
 		},
 		{
-			secretRefs: map[string]*SecretReference{
+			secretRefs: map[string]*secrets.SecretReference{
 				"cafe-jwk": {
 					Path:  "/etc/nginx/secrets/default-cafe-jwk",
 					Error: errors.New("invalid secret"),
@@ -1065,9 +1066,9 @@ func TestGenerateJWTConfig(t *testing.T) {
 			msg:                      "invalid secret",
 		},
 		{
-			secretRefs: map[string]*SecretReference{
+			secretRefs: map[string]*secrets.SecretReference{
 				"cafe-jwk": {
-					Type: SecretTypeCA,
+					Type: secrets.SecretTypeCA,
 					Path: "/etc/nginx/secrets/default-cafe-jwk",
 				},
 			},

diff --git a/internal/configs/secret.go b/internal/configs/secret.go
diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/golang/glog"
+	"github.com/nginxinc/kubernetes-ingress/internal/k8s/secrets"
 	"github.com/nginxinc/kubernetes-ingress/internal/nginx"
 	conf_v1alpha1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1alpha1"
 	api_v1 "k8s.io/api/core/v1"
@@ -59,7 +60,7 @@ type VirtualServerEx struct {
 	ExternalNameSvcs    map[string]bool
 	Policies            map[string]*conf_v1alpha1.Policy
 	PodsByIP            map[string]PodInfo
-	SecretRefs          map[string]*SecretReference
+	SecretRefs          map[string]*secrets.SecretReference
 }
 
 func (vsx *VirtualServerEx) String() string {
@@ -612,7 +613,7 @@ type policyOwnerDetails struct {
 
 type policyOptions struct {
 	tls        bool
-	secretRefs map[string]*SecretReference
+	secretRefs map[string]*secrets.SecretReference
 }
 
 type validationResults struct {
@@ -673,7 +674,7 @@ func (p *policiesCfg) addJWTAuthConfig(
 	jwtAuth *conf_v1alpha1.JWTAuth,
 	polKey string,
 	polNamespace string,
-	secretRefs map[string]*SecretReference,
+	secretRefs map[string]*secrets.SecretReference,
 ) *validationResults {
 	res := newValidationResults()
 	if p.JWTAuth != nil {
@@ -687,7 +688,7 @@ func (p *policiesCfg) addJWTAuthConfig(
 		res.addWarningf("JWT policy %q references an invalid Secret: %v", polKey, secret.Error)
 		res.isError = true
 		return res
-	} else if secret.Type != SecretTypeJWK {
+	} else if secret.Type != secrets.SecretTypeJWK {
 		res.addWarningf("JWT policy %q references a Secret of an incorrect type %q", polKey, secret.Type)
 		res.isError = true
 		return res
@@ -707,7 +708,7 @@ func (p *policiesCfg) addIngressMTLSConfig(
 	polNamespace string,
 	context string,
 	tls bool,
-	secretRefs map[string]*SecretReference,
+	secretRefs map[string]*secrets.SecretReference,
 ) *validationResults {
 	res := newValidationResults()
 	if !tls {
@@ -731,7 +732,7 @@ func (p *policiesCfg) addIngressMTLSConfig(
 		res.addWarningf("IngressMTLS policy %q references an invalid Secret: %v", polKey, secret.Error)
 		res.isError = true
 		return res
-	} else if secret.Type != SecretTypeCA {
+	} else if secret.Type != secrets.SecretTypeCA {
 		res.addWarningf("IngressMTLS policy %q references a Secret of an incorrect type %q", polKey, secret.Type)
 		res.isError = true
 		return res
@@ -758,7 +759,7 @@ func (p *policiesCfg) addEgressMTLSConfig(
 	egressMTLS *conf_v1alpha1.EgressMTLS,
 	polKey string,
 	polNamespace string,
-	secretRefs map[string]*SecretReference,
+	secretRefs map[string]*secrets.SecretReference,
 ) *validationResults {
 	res := newValidationResults()
 	if p.EgressMTLS != nil {
@@ -798,7 +799,7 @@ func (p *policiesCfg) addEgressMTLSConfig(
 			res.addWarningf("EgressMTLS policy %q references an invalid Secret: %v", polKey, trustedSecret.Error)
 			res.isError = true
 			return res
-		} else if trustedSecret.Type != SecretTypeCA {
+		} else if trustedSecret.Type != secrets.SecretTypeCA {
 			res.addWarningf("EgressMTLS policy %q references a Secret of an incorrect type %q", polKey, trustedSecret.Type)
 			res.isError = true
 			return res
@@ -1780,7 +1781,7 @@ func getNameForSourceForMatchesRouteMapFromCondition(condition conf_v1.Condition
 	return condition.Variable
 }
 
-func generateSSLConfig(tls *conf_v1.TLS, namespace string, secretRefs map[string]*SecretReference, cfgParams *ConfigParams) *version2.SSL {
+func generateSSLConfig(tls *conf_v1.TLS, namespace string, secretRefs map[string]*secrets.SecretReference, cfgParams *ConfigParams) *version2.SSL {
 	if tls == nil {
 		return nil
 	}