From 06d942f462f5c7f81ed87acf6d43dede8c282394 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Tue, 29 Aug 2023 12:31:56 +0200 Subject: [PATCH] refactor: remove logger from tls package (#8157) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- pkg/tls/keypair.go | 5 ++-- pkg/tls/log.go | 5 ---- pkg/tls/renewer.go | 70 +++++++++++----------------------------------- pkg/tls/utils.go | 2 -- 4 files changed, 18 insertions(+), 64 deletions(-) delete mode 100644 pkg/tls/log.go diff --git a/pkg/tls/keypair.go b/pkg/tls/keypair.go index e9c1caf684..8b35d45a7b 100644 --- a/pkg/tls/keypair.go +++ b/pkg/tls/keypair.go @@ -5,6 +5,7 @@ import ( "crypto/rsa" "crypto/x509" "crypto/x509/pkix" + "fmt" "math/big" "net" "strings" @@ -56,7 +57,7 @@ func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey, if strings.Contains(serverHost, ":") { host, _, err := net.SplitHostPort(serverHost) if err != nil { - logger.Error(err, "failed to split server host/port", "server", serverHost) + return nil, nil, fmt.Errorf("failed to split server host/port (%w)", err) } serverHost = host } @@ -86,12 +87,10 @@ func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey, } der, err := x509.CreateCertificate(rand.Reader, templ, caCert, key.Public(), caKey) if err != nil { - logger.Error(err, "create certificate failed") return nil, nil, err } cert, err := x509.ParseCertificate(der) if err != nil { - logger.Error(err, "parse certificate failed") return nil, nil, err } return key, cert, nil diff --git a/pkg/tls/log.go b/pkg/tls/log.go deleted file mode 100644 index aa125ac405..0000000000 --- a/pkg/tls/log.go +++ /dev/null @@ -1,5 +0,0 @@ -package tls - -import "github.com/kyverno/kyverno/pkg/logging" - -var logger = logging.WithName("tls") diff --git a/pkg/tls/renewer.go b/pkg/tls/renewer.go index 31dc4371c9..6be070335a 100644 
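Review bot: The new return in generateTLS's SplitHostPort branch, `return nil, nil, fmt.Errorf("failed to split server host/port (%w)", err)`, nests each layer's message in parentheses, so once RenewTLS wraps it again with `failed to generate TLS (%w)` the chain reads `a (b (c))`; the conventional form is `fmt.Errorf("split server host/port: %w", err)`, which chains as `a: b: c` and keeps `errors.Is`/`errors.As` working the same way. The same pattern appears in every wrapped return of renewer.go (RenewCA, RenewTLS, writeSecret), so it is a package-wide style choice rather than a one-off. Returning here instead of logging is the right fix, since the old code went on to assign an empty `host` after a failed split. generateTLS starts and ends outside this hunk.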
--- a/pkg/tls/renewer.go +++ b/pkg/tls/renewer.go 
@@ -91,50 +91,34 @@ func NewCertRenewer( func (c *certRenewer) RenewCA(ctx context.Context) error { secret, key, certs, err := c.decodeCASecret(ctx) if err != nil && !apierrors.IsNotFound(err) { - logger.Error(err, "failed to read CA") - return err + return fmt.Errorf("failed to read CA (%w)", err) } now := time.Now() certs = removeExpiredCertificates(now, certs...) if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), certs...) { - logger.V(4).Info("CA certificate does not need to be renewed") return nil } if !isSecretManagedByKyverno(secret) { - err := fmt.Errorf("tls is not valid but certificates are not managed by kyverno, we can't renew them") - logger.Error(err, "tls is not valid but certificates are not managed by kyverno, we can't renew them") - return err + return fmt.Errorf("tls is not valid but certificates are not managed by kyverno, we can't renew them") } if secret != nil && secret.Type != corev1.SecretTypeTLS { - logger.Info("CA secret type is not TLS, we're going to delete it and regenrate one") - err := c.client.Delete(ctx, secret.Name, metav1.DeleteOptions{}) - if err != nil { - logger.Error(err, "failed to delete CA secret") - } - return err + return c.client.Delete(ctx, secret.Name, metav1.DeleteOptions{}) } caKey, caCert, err := generateCA(key, c.caValidityDuration) if err != nil { - logger.Error(err, "failed to generate CA") - return err + return fmt.Errorf("failed to generate CA (%w)", err) } certs = append(certs, caCert) if err := c.writeCASecret(ctx, caKey, certs...); err != nil { - logger.Error(err, "failed to write CA") - return err + return fmt.Errorf("failed to write CA (%w)", err) } - - logger.Info("CA was renewed") valid, err := c.ValidateCert(ctx) if err != nil { - logger.Error(err, "failed to validate certs") - return err + return fmt.Errorf("failed to validate certs (%w)", err) } if !valid { - logger.Info("mismatched certs chain, renewing", "CA certificate", c.caSecret, "TLS certificate", c.pairSecret) if err := 
c.RenewTLS(ctx); err != nil { - logger.Error(err, "failed to renew TLS certificate", "name", c.pairSecret) - return err + return fmt.Errorf("failed to renew TLS certificate (%w)", err) } } 
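Review bot: With `logger.Info("CA was renewed")` and the Info before the secret deletion gone, RenewCA now rotates the signing CA, or deletes a mistyped CA secret, without any record from this package; presumably the caller logs the outcome, but if it only logs errors a successful CA rotation leaves no trace. A doc comment making that contract explicit would help, e.g. `// RenewCA regenerates the CA when all CA certificates expire within 5*certRenewalInterval. It emits no logs; callers should record successful renewals and secret deletions.` The `secret.Type != corev1.SecretTypeTLS` branch also now reads as a bare `return c.client.Delete(ctx, secret.Name, metav1.DeleteOptions{})`, which returns nil after deleting without generating a new CA in this call, so a comment such as `// wrong secret type: delete it; the CA is presumably regenerated on a later call` would mark the early return as intentional. The same silent-success point applies to RenewTLS in the next hunk.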
@@ -145,48 +129,34 @@ func (c *certRenewer) RenewCA(ctx context.Context) error { func (c *certRenewer) RenewTLS(ctx context.Context) error { _, caKey, caCerts, err := c.decodeCASecret(ctx) if err != nil { - logger.Error(err, "failed to read CA") - return err + return fmt.Errorf("failed to read CA (%w)", err) } secret, _, cert, err := c.decodeTLSSecret(ctx) if err != nil && !apierrors.IsNotFound(err) { - logger.Error(err, "failed to read TLS") - return err + return fmt.Errorf("failed to read TLS (%w)", err) } now := time.Now() if cert != nil { valid, err := c.ValidateCert(ctx) if err != nil || !valid { - logger.Info("invalid cert chain, renewing TLS certificate", "name", c.pairSecret, "error", err.Error()) } else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) { - logger.V(4).Info("TLS certificate does not need to be renewed") return nil } } if !isSecretManagedByKyverno(secret) { - err := fmt.Errorf("tls is not valid but certificates are not managed by kyverno, we can't renew them") - logger.Error(err, "tls is not valid but certificates are not managed by kyverno, we can't renew them") - return err + return fmt.Errorf("tls is not valid but certificates are not managed by kyverno, we can't renew them") } if secret != nil && secret.Type != corev1.SecretTypeTLS { - logger.Info("TLS secret type is not TLS, we're going to delete it and regenrate one") - err := c.client.Delete(ctx, secret.Name, metav1.DeleteOptions{}) - if err != nil { - logger.Error(err, "failed to delete TLS secret") - } - return err + return c.client.Delete(ctx, secret.Name, metav1.DeleteOptions{}) } tlsKey, tlsCert, err := generateTLS(c.server, caCerts[len(caCerts)-1], caKey, c.tlsValidityDuration, c.commonName, c.dnsNames) if err != nil { - logger.Error(err, "failed to generate TLS") - return err + return fmt.Errorf("failed to generate TLS (%w)", err) } if err := c.writeTLSSecret(ctx, tlsKey, tlsCert); err != nil { - logger.Error(err, "failed to write TLS") - return err + return 
fmt.Errorf("failed to write TLS (%w)", err) } - logger.Info("TLS was renewed") return nil } @@ -254,11 +224,9 @@ func (c *certRenewer) decodeTLSSecret(ctx context.Context) (*corev1.Secret, *rsa } func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error { - logger := logger.WithValues("name", name, "namespace", c.namespace) secret, err := c.getSecret(ctx, name) if err != nil && !apierrors.IsNotFound(err) { - logger.Error(err, "failed to get CA secret") - return err + return fmt.Errorf("failed to get CA secret (%w)", err) } if secret == nil { secret = &corev1.Secret{ @@ -279,17 +247,11 @@ func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.Pri } if secret.ResourceVersion == "" { if _, err := c.client.Create(ctx, secret, metav1.CreateOptions{}); err != nil { - logger.Error(err, "failed to update secret") - return err - } else { - logger.Info("secret created") + return fmt.Errorf("failed to create secret (%w)", err) } } else { if _, err := c.client.Update(ctx, secret, metav1.UpdateOptions{}); err != nil { - logger.Error(err, "failed to update secret") - return err - } else { - logger.Info("secret updated") + return fmt.Errorf("failed to update secret (%w)", err) } } return nil diff --git a/pkg/tls/utils.go b/pkg/tls/utils.go index 1e05eb0b47..82494f3405 100644 --- a/pkg/tls/utils.go +++ b/pkg/tls/utils.go @@ -46,8 +46,6 @@ func pemToCertificates(raw []byte) []*x509.Certificate { cert, err := x509.ParseCertificate(certPemBlock.Bytes) if err == nil { certs = append(certs, cert) - } else { - logger.Error(err, "failed to parse cert") } } }
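Review bot: In RenewTLS the `if err != nil || !valid { } else if !allCertificatesExpired(...) { return nil }` left behind once the Info line was removed has an empty first branch, which reads like a forgotten body; the two branches collapse into `if err == nil && valid && !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) { return nil }` with identical behaviour, ideally preceded by `// a failed or negative validation means renew; the error itself is not needed here` since the validation error is deliberately discarded. Separately, `caCerts[len(caCerts)-1]` a few lines later indexes without a length check; decodeCASecret's guarantees are not visible in this hunk, so if it can return an error-free empty chain this line panics instead of returning an error. RenewTLS starts and ends inside this hunk.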
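Review bot: The new wrap in writeSecret, `failed to get CA secret (%w)`, names the CA secret although writeSecret takes the secret `name` as a parameter and appears to be the shared helper behind both writeCASecret and writeTLSSecret, so a failure while writing the TLS secret would be reported as a CA failure; the removed `logger.WithValues("name", name, "namespace", c.namespace)` also carried the identifiers the error now lacks. Suggest `return fmt.Errorf("failed to get secret %s/%s (%w)", c.namespace, name, err)`, and the same `%s/%s` context for the create and update errors in the following hunk. writeSecret's body continues past this hunk.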
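Review bot: Removing the `else` branch in pemToCertificates means a PEM block that fails `x509.ParseCertificate` is now dropped with no signal at all, where before it was at least logged; since the function returns only `[]*x509.Certificate`, a truncated or corrupted block silently shortens the returned chain, which presumably feeds decodeCASecret and the `caCerts[len(caCerts)-1]` index in RenewTLS. If the skip is intended, a comment should say so, e.g. `// unparsable blocks are skipped; callers must not assume every PEM block yielded a certificate`, and surfacing the number of skipped blocks to the caller is worth considering if the signature is ever revisited. pemToCertificates starts and ends outside this hunk.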