package tls
import (
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"github.com/go-logr/logr"
"github.com/kyverno/kyverno/pkg/config"
appsv1 "k8s.io/api/apps/v1"
v1 "k8s.io/api/core/v1"
)
// PrivateKeyToPem serialises an RSA private key as a single PEM block.
//
// The DER payload is produced by x509.MarshalPKCS1PrivateKey, i.e. it is a
// PKCS#1 RSAPrivateKey structure. The PEM label written is "PRIVATE KEY",
// which is the label conventionally used for PKCS#8 payloads; consumers of
// this output therefore have to decode the block with
// x509.ParsePKCS1PrivateKey, not x509.ParsePKCS8PrivateKey.
// NOTE(review): the label/payload mismatch is kept as-is for compatibility
// with whatever currently parses these secrets — confirm before changing
// either side.
func PrivateKeyToPem(rsaKey *rsa.PrivateKey) []byte {
	der := x509.MarshalPKCS1PrivateKey(rsaKey)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}
// CertificateToPem serialises an already-parsed X.509 certificate as a PEM
// "CERTIFICATE" block. Only cert.Raw (the complete DER encoding) is used, so
// the certificate is neither re-marshalled nor validated here.
func CertificateToPem(cert *x509.Certificate) []byte {
	block := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
	return pem.EncodeToMemory(&block)
}
// IsKyvernoInRollingUpdate reports whether the Kyverno deployment appears to
// be in the middle of a rolling update: the observed replica count
// (Status.Replicas) exceeds the desired count taken from Spec.Replicas, which
// is treated as 1 when unset. When that is the case a message is logged so
// the caller's reason for skipping the update is visible in the logs.
//
// deploy is dereferenced without a nil check, so callers must pass a fetched
// Deployment.
func IsKyvernoInRollingUpdate(deploy *appsv1.Deployment, logger logr.Logger) bool {
	desired := int32(1)
	if r := deploy.Spec.Replicas; r != nil {
		desired = *r
	}
	if deploy.Status.Replicas <= desired {
		return false
	}
	logger.Info("detect Kyverno is in rolling update, won't trigger the update again")
	return true
}
// IsSecretManagedByKyverno reports whether secret carries the ManagedByLabel
// label with the value "kyverno". A secret with no labels, or with a different
// value for that label, yields false.
//
// A nil secret yields true: the label check is skipped entirely in that case.
// NOTE(review): this is preserved from the original; confirm callers depend on
// it before tightening the nil case to false.
func IsSecretManagedByKyverno(secret *v1.Secret) bool {
	if secret == nil {
		return true
	}
	// Indexing a nil label map yields "", which correctly fails the comparison.
	return secret.GetLabels()[ManagedByLabel] == "kyverno"
}
// InClusterServiceName returns the cluster-local DNS name of the Kyverno
// service, "<service>.<namespace>.svc", built from the configured service
// name and namespace. This is the name the TLS certificate is issued for, so
// it has to match the hostname clients use to reach the service, otherwise
// hostname verification on the client side fails.
func InClusterServiceName() string {
	svc := config.KyvernoServiceName()
	ns := config.KyvernoNamespace()
	return svc + "." + ns + ".svc"
}
// GenerateTLSPairSecretName returns the name of the Secret holding the
// Kyverno TLS key pair: the in-cluster service name followed by the
// ".kyverno-tls-pair" suffix.
func GenerateTLSPairSecretName() string {
	const suffix = ".kyverno-tls-pair"
	return InClusterServiceName() + suffix
}
// GenerateRootCASecretName returns the name of the Secret holding the Kyverno
// root CA: the in-cluster service name followed by the ".kyverno-tls-ca"
// suffix.
func GenerateRootCASecretName() string {
	const suffix = ".kyverno-tls-ca"
	return InClusterServiceName() + suffix
}