Merge pull request #125 from cloudflare/issue-indexer-bypasses-ingress-class

mattalberts · web-flow · commit e6c0197eadb6 · 2018-11-29T13:48:42.000-08:00
Only index ingress objects matching ingress.class
diff --git a/internal/argotunnel/informer.go b/internal/argotunnel/informer.go
@@ -58,8 +58,8 @@ func newEndpointInformer(client kubernetes.Interface, opts options, rs ...cache.
 func newIngressInformer(client kubernetes.Interface, opts options, rs ...cache.ResourceEventHandler) cache.SharedIndexInformer {
 	i := newInformer(client.ExtensionsV1beta1().RESTClient(), "ingresses", new(v1beta1.Ingress), opts.resyncPeriod, rs...)
 	i.AddIndexers(cache.Indexers{
-		secretKind:  ingressSecretIndexFunc(opts.secret),
-		serviceKind: ingressServiceIndexFunc(),
+		secretKind:  ingressSecretIndexFunc(opts.ingressClass, opts.secret),
+		serviceKind: ingressServiceIndexFunc(opts.ingressClass),
 	})
 	return i
 }
@@ -83,27 +83,29 @@ func newInformer(c cache.Getter, resource string, objType runtime.Object, resync
 	return sw
 }
 
-func ingressSecretIndexFunc(secret *resource) func(obj interface{}) ([]string, error) {
+func ingressSecretIndexFunc(ingressClass string, secret *resource) func(obj interface{}) ([]string, error) {
 	return func(obj interface{}) ([]string, error) {
 		if ing, ok := obj.(*v1beta1.Ingress); ok {
-			hostsecret := make(map[string]*resource)
-			for _, tls := range ing.Spec.TLS {
-				for _, host := range tls.Hosts {
-					if len(tls.SecretName) > 0 {
-						hostsecret[host] = &resource{
-							name:      tls.SecretName,
-							namespace: ing.Namespace,
+			var idx []string
+			if objIngClass, ok := parseIngressClass(ing); ok && ingressClass == objIngClass {
+				hostsecret := make(map[string]*resource)
+				for _, tls := range ing.Spec.TLS {
+					for _, host := range tls.Hosts {
+						if len(tls.SecretName) > 0 {
+							hostsecret[host] = &resource{
+								name:      tls.SecretName,
+								namespace: ing.Namespace,
+							}
 						}
 					}
 				}
-			}
-			var idx []string
-			for _, rule := range ing.Spec.Rules {
-				if rule.HTTP != nil && len(rule.Host) > 0 {
-					if r, ok := hostsecret[rule.Host]; ok {
-						idx = append(idx, itemKeyFunc(r.namespace, r.name))
-					} else if secret != nil {
-						idx = append(idx, itemKeyFunc(secret.namespace, secret.name))
+				for _, rule := range ing.Spec.Rules {
+					if rule.HTTP != nil && len(rule.Host) > 0 {
+						if r, ok := hostsecret[rule.Host]; ok {
+							idx = append(idx, itemKeyFunc(r.namespace, r.name))
+						} else if secret != nil {
+							idx = append(idx, itemKeyFunc(secret.namespace, secret.name))
+						}
 					}
 				}
 			}
@@ -113,15 +115,17 @@ func ingressSecretIndexFunc(secret *resource) func(obj interface{}) ([]string, e
 	}
 }
 
-func ingressServiceIndexFunc() func(obj interface{}) ([]string, error) {
+func ingressServiceIndexFunc(ingressClass string) func(obj interface{}) ([]string, error) {
 	return func(obj interface{}) ([]string, error) {
 		if ing, ok := obj.(*v1beta1.Ingress); ok {
 			var idx []string
-			for _, rule := range ing.Spec.Rules {
-				if rule.HTTP != nil && len(rule.Host) > 0 {
-					for _, path := range rule.HTTP.Paths {
-						if len(path.Backend.ServiceName) > 0 {
-							idx = append(idx, itemKeyFunc(ing.Namespace, path.Backend.ServiceName))
+			if objIngClass, ok := parseIngressClass(ing); ok && ingressClass == objIngClass {
+				for _, rule := range ing.Spec.Rules {
+					if rule.HTTP != nil && len(rule.Host) > 0 {
+						for _, path := range rule.HTTP.Paths {
+							if len(path.Backend.ServiceName) > 0 {
+								idx = append(idx, itemKeyFunc(ing.Namespace, path.Backend.ServiceName))
+							}
 						}
 					}
 				}
diff --git a/internal/argotunnel/informer_test.go b/internal/argotunnel/informer_test.go
@@ -35,11 +35,49 @@ func TestIngressSecretIndexFunc(t *testing.T) {
 			out: []string{},
 			err: fmt.Errorf("index unexpected obj type: %T", &unit{}),
 		},
+		"obj-ing-class-mismatch": {
+			obj: &v1beta1.Ingress{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "unit",
+					Namespace: "unit",
+					Annotations: map[string]string{
+						"kubernetes.io/ingress.class": "not-unit",
+					},
+				},
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "Ingress",
+					APIVersion: "v1beta1",
+				},
+				Spec: v1beta1.IngressSpec{
+					TLS: []v1beta1.IngressTLS{
+						{
+							Hosts: []string{
+								"a.unit.com",
+							},
+							SecretName: "sec-a",
+						},
+					},
+					Rules: []v1beta1.IngressRule{
+						{
+							Host: "a.unit.com",
+							IngressRuleValue: v1beta1.IngressRuleValue{
+								HTTP: &v1beta1.HTTPIngressRuleValue{},
+							},
+						},
+					},
+				},
+			},
+			out: nil,
+			err: nil,
+		},
 		"obj-ing-secs": {
 			obj: &v1beta1.Ingress{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "unit",
 					Namespace: "unit",
+					Annotations: map[string]string{
+						"kubernetes.io/ingress.class": "unit",
+					},
 				},
 				TypeMeta: metav1.TypeMeta{
 					Kind:       "Ingress",
@@ -101,7 +139,7 @@ func TestIngressSecretIndexFunc(t *testing.T) {
 			err: nil,
 		},
 	} {
-		indexFunc := ingressSecretIndexFunc(nil)
+		indexFunc := ingressSecretIndexFunc("unit", nil)
 		out, err := indexFunc(test.obj)
 		assert.Equalf(t, test.out, out, "test '%s' index mismatch", name)
 		assert.Equalf(t, test.err, err, "test '%s' error mismatch", name)
@@ -130,11 +168,50 @@ func TestIngressServiceIndexFunc(t *testing.T) {
 			out: []string{},
 			err: fmt.Errorf("index unexpected obj type: %T", &unit{}),
 		},
+		"obj-ing-class-mismatch": {
+			obj: &v1beta1.Ingress{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "unit",
+					Namespace: "unit",
+					Annotations: map[string]string{
+						"kubernetes.io/ingress.class": "not-unit",
+					},
+				},
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "Ingress",
+					APIVersion: "v1beta1",
+				},
+				Spec: v1beta1.IngressSpec{
+					Rules: []v1beta1.IngressRule{
+						{
+							Host: "a.unit.com",
+							IngressRuleValue: v1beta1.IngressRuleValue{
+								HTTP: &v1beta1.HTTPIngressRuleValue{
+									Paths: []v1beta1.HTTPIngressPath{
+										{
+											Backend: v1beta1.IngressBackend{
+												ServiceName: "svc-a",
+												ServicePort: intstr.FromString("http"),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			out: nil,
+			err: nil,
+		},
 		"obj-ing-svcs": {
 			obj: &v1beta1.Ingress{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "unit",
 					Namespace: "unit",
+					Annotations: map[string]string{
+						"kubernetes.io/ingress.class": "unit",
+					},
 				},
 				TypeMeta: metav1.TypeMeta{
 					Kind:       "Ingress",
@@ -208,7 +285,7 @@ func TestIngressServiceIndexFunc(t *testing.T) {
 			err: nil,
 		},
 	} {
-		indexFunc := ingressServiceIndexFunc()
+		indexFunc := ingressServiceIndexFunc("unit")
 		out, err := indexFunc(test.obj)
 		assert.Equalf(t, test.out, out, "test '%s' index mismatch", name)
 		assert.Equalf(t, test.err, err, "test '%s' error mismatch", name)
