Skip to content

Commit 7e7c824

Browse files
shaun-nxshaun-nx
authored
Prometheus tls path (#3615)
* Update path to store prometheus secrets * Move DefaultSecretPath const to configurator and add nosec G101 * Fix lint error * Update error check * Update error message * Change function name
1 parent c26677c commit 7e7c824

File tree

2 files changed

+13
-4
lines changed

2 files changed

+13
-4
lines changed

internal/configs/configurator.go

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,9 @@ const (
4444
// DefaultServerSecretPath is the full path to the Secret with a TLS cert and a key for the default server. #nosec G101
4545
const DefaultServerSecretPath = "/etc/nginx/secrets/default"
4646

47+
// DefaultSecretPath is the full default path to where secrets are stored and accessed.
48+
const DefaultSecretPath = "/etc/nginx/secrets" // #nosec G101
49+
4750
// DefaultServerSecretName is the filename of the Secret with a TLS cert and a key for the default server.
4851
const DefaultServerSecretName = "default"
4952

internal/metrics/listener.go

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@ import (
77
"strconv"
88

99
"github.com/golang/glog"
10+
config "github.com/nginxinc/kubernetes-ingress/internal/configs"
1011
"github.com/nginxinc/kubernetes-ingress/internal/nginx"
1112
prometheusClient "github.com/nginxinc/nginx-prometheus-exporter/client"
1213
nginxCollector "github.com/nginxinc/nginx-prometheus-exporter/collector"
@@ -59,12 +60,12 @@ func runServer(port string, registry prometheus.Gatherer, prometheusSecret *api_
5960
// Write the cert and key to a temporary file. We create a unique file name to prevent collisions.
6061
certFileName := "nginx-prometheus.cert"
6162
keyFileName := "nginx-prometheus.key"
62-
certFile, err := writeTempFile(prometheusSecret.Data[api_v1.TLSCertKey], certFileName)
63+
certFile, err := createTLSFile(prometheusSecret.Data[api_v1.TLSCertKey], certFileName)
6364
if err != nil {
6465
glog.Fatal("failed to create cert file for prometheus: %w", err)
6566
}
6667

67-
keyFile, err := writeTempFile(prometheusSecret.Data[api_v1.TLSPrivateKeyKey], keyFileName)
68+
keyFile, err := createTLSFile(prometheusSecret.Data[api_v1.TLSPrivateKeyKey], keyFileName)
6869
if err != nil {
6970
glog.Fatal("failed to create key file for prometheus: %w", err)
7071
}
@@ -73,8 +74,13 @@ func runServer(port string, registry prometheus.Gatherer, prometheusSecret *api_
7374
}
7475
}
7576

76-
func writeTempFile(data []byte, name string) (*os.File, error) {
77-
f, err := os.CreateTemp("", name)
77+
func createTLSFile(data []byte, name string) (*os.File, error) {
78+
_, err := os.Stat(config.DefaultSecretPath)
79+
if err != nil {
80+
return nil, fmt.Errorf("got error %w when attempting access %s", err, config.DefaultSecretPath)
81+
}
82+
83+
f, err := os.CreateTemp(config.DefaultSecretPath, name)
7884
if err != nil {
7985
return nil, fmt.Errorf("failed to create temp file: %w", err)
8086
}

0 commit comments

Comments
 (0)