mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
feat: allow overriding ca and tls secret names (#8137)
* feat: allow overriding ca and tls secret names Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché
GitHub
parent
b374c05517
commit
0f9fe30c08
12 changed files with 80 additions and 71 deletions
|
|
@ -4,6 +4,7 @@
|
|||
|
||||
### Note
|
||||
|
||||
- Added `--caSecretName` and `--tlsSecretName` flags to control names of certificate related secrets.
|
||||
- Added match conditions support in kyverno config map.
|
||||
- Deprecated flag `--imageSignatureRepository`. Will be removed in 1.12. Use per rule configuration `verifyImages.Repository` instead.
|
||||
- Added `--aggregateReports` flag for reports controller to enable/disable aggregated reports (default value is `true`).
|
||||
|
|
|
|||
|
|
@ -127,6 +127,8 @@ spec:
|
|||
image: {{ include "kyverno.image" (dict "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }}
|
||||
imagePullPolicy: {{ .Values.admissionController.container.image.pullPolicy }}
|
||||
args:
|
||||
- --caSecretName={{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
|
||||
- --tlsSecretName={{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
|
||||
- --backgroundServiceAccountName=system:serviceaccount:{{ include "kyverno.namespace" . }}:{{ include "kyverno.background-controller.serviceAccountName" . }}
|
||||
- --servicePort={{ .Values.admissionController.service.port }}
|
||||
{{- if .Values.admissionController.tracing.enabled }}
|
||||
|
|
|
|||
|
|
@ -86,6 +86,8 @@ spec:
|
|||
name: metrics
|
||||
protocol: TCP
|
||||
args:
|
||||
- --caSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
|
||||
- --tlsSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
|
||||
- --servicePort={{ .Values.cleanupController.service.port }}
|
||||
{{- if .Values.cleanupController.tracing.enabled }}
|
||||
- --enableTracing
|
||||
|
|
|
|||
|
|
@ -39,6 +39,11 @@ const (
|
|||
ttlWebhookControllerName = "ttl-webhook-controller"
|
||||
)
|
||||
|
||||
var (
|
||||
caSecretName string
|
||||
tlsSecretName string
|
||||
)
|
||||
|
||||
// TODO:
|
||||
// - helm review labels / selectors
|
||||
// - implement probes
|
||||
|
|
@ -68,6 +73,8 @@ func main() {
|
|||
flagset.IntVar(&servicePort, "servicePort", 443, "Port used by the Kyverno Service resource and for webhook configurations.")
|
||||
flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
|
||||
flagset.DurationVar(&interval, "ttlReconciliationInterval", time.Minute, "Set this flag to set the interval after which the resource controller reconciliation should occur")
|
||||
flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
|
||||
flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
|
||||
// config
|
||||
appConfig := internal.NewConfiguration(
|
||||
internal.WithProfiling(),
|
||||
|
|
@ -79,8 +86,8 @@ func main() {
|
|||
internal.WithKyvernoDynamicClient(),
|
||||
internal.WithConfigMapCaching(),
|
||||
internal.WithDeferredLoading(),
|
||||
internal.WithFlagSets(flagset),
|
||||
internal.WithMetadataClient(),
|
||||
internal.WithFlagSets(flagset),
|
||||
)
|
||||
// parse flags
|
||||
internal.ParseFlags(appConfig)
|
||||
|
|
@ -88,8 +95,8 @@ func main() {
|
|||
ctx, setup, sdown := internal.Setup(appConfig, "kyverno-cleanup-controller", false)
|
||||
defer sdown()
|
||||
// certificates informers
|
||||
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
|
||||
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
|
||||
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), caSecretName, resyncPeriod)
|
||||
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tlsSecretName, resyncPeriod)
|
||||
if !informers.StartInformersAndWaitForCacheSync(ctx, setup.Logger, caSecret, tlsSecret) {
|
||||
setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
|
||||
os.Exit(1)
|
||||
|
|
@ -117,8 +124,8 @@ func main() {
|
|||
config.KyvernoServiceName(),
|
||||
config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
config.KyvernoNamespace(),
|
||||
config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
caSecretName,
|
||||
tlsSecretName,
|
||||
)
|
||||
certController := internal.NewController(
|
||||
certmanager.ControllerName,
|
||||
|
|
@ -126,7 +133,8 @@ func main() {
|
|||
caSecret,
|
||||
tlsSecret,
|
||||
renewer,
|
||||
config.KyvernoServiceName(),
|
||||
caSecretName,
|
||||
tlsSecretName,
|
||||
config.KyvernoNamespace(),
|
||||
),
|
||||
certmanager.Workers,
|
||||
|
|
@ -162,6 +170,7 @@ func main() {
|
|||
genericwebhookcontroller.Fail,
|
||||
genericwebhookcontroller.None,
|
||||
setup.Configuration,
|
||||
caSecretName,
|
||||
),
|
||||
webhookWorkers,
|
||||
)
|
||||
|
|
@ -200,6 +209,7 @@ func main() {
|
|||
genericwebhookcontroller.Ignore,
|
||||
genericwebhookcontroller.None,
|
||||
setup.Configuration,
|
||||
caSecretName,
|
||||
),
|
||||
webhookWorkers,
|
||||
)
|
||||
|
|
@ -294,7 +304,7 @@ func main() {
|
|||
// create server
|
||||
server := NewServer(
|
||||
func() ([]byte, []byte, error) {
|
||||
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()))
|
||||
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(tlsSecretName)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -16,7 +16,6 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
coordinationv1 "k8s.io/api/coordination/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
)
|
||||
|
|
@ -62,25 +61,7 @@ func main() {
|
|||
failure := false
|
||||
|
||||
run := func(context.Context) {
|
||||
name := config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace())
|
||||
_, err := setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
logging.V(2).Info("failed to fetch root CA secret", "name", name, "error", err.Error())
|
||||
if !errors.IsNotFound(err) {
|
||||
os.Exit(1)
|
||||
}
|
||||
}
|
||||
|
||||
name = config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace())
|
||||
_, err = setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
logging.V(2).Info("failed to fetch TLS Pair secret", "name", name, "error", err.Error())
|
||||
if !errors.IsNotFound(err) {
|
||||
os.Exit(1)
|
||||
}
|
||||
}
|
||||
|
||||
if err = acquireLeader(ctx, setup.KubeClient); err != nil {
|
||||
if err := acquireLeader(ctx, setup.KubeClient); err != nil {
|
||||
logging.V(2).Info("Failed to create lease 'kyvernopre-lock'")
|
||||
os.Exit(1)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -54,6 +54,11 @@ const (
|
|||
exceptionWebhookControllerName = "exception-webhook-controller"
|
||||
)
|
||||
|
||||
var (
|
||||
caSecretName string
|
||||
tlsSecretName string
|
||||
)
|
||||
|
||||
func showWarnings(ctx context.Context, logger logr.Logger) {
|
||||
logger = logger.WithName("warnings")
|
||||
// log if `forceFailurePolicyIgnore` flag has been set or not
|
||||
|
|
@ -121,7 +126,8 @@ func createrLeaderControllers(
|
|||
caInformer,
|
||||
tlsInformer,
|
||||
certRenewer,
|
||||
config.KyvernoServiceName(),
|
||||
caSecretName,
|
||||
tlsSecretName,
|
||||
config.KyvernoNamespace(),
|
||||
)
|
||||
webhookController := webhookcontroller.NewController(
|
||||
|
|
@ -144,6 +150,7 @@ func createrLeaderControllers(
|
|||
admissionReports,
|
||||
runtime,
|
||||
configuration,
|
||||
caSecretName,
|
||||
)
|
||||
exceptionWebhookController := genericwebhookcontroller.NewController(
|
||||
exceptionWebhookControllerName,
|
||||
|
|
@ -169,6 +176,7 @@ func createrLeaderControllers(
|
|||
genericwebhookcontroller.Fail,
|
||||
genericwebhookcontroller.None,
|
||||
configuration,
|
||||
caSecretName,
|
||||
)
|
||||
return []internal.Controller{
|
||||
internal.NewController(certmanager.ControllerName, certManager, certmanager.Workers),
|
||||
|
|
@ -207,6 +215,8 @@ func main() {
|
|||
flagset.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
|
||||
flagset.IntVar(&servicePort, "servicePort", 443, "Port used by the Kyverno Service resource and for webhook configurations.")
|
||||
flagset.StringVar(&backgroundServiceAccountName, "backgroundServiceAccountName", "", "Background service account name.")
|
||||
flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
|
||||
flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
|
||||
// config
|
||||
appConfig := internal.NewConfiguration(
|
||||
internal.WithProfiling(),
|
||||
|
|
@ -231,8 +241,8 @@ func main() {
|
|||
// setup
|
||||
signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-admission-controller", false)
|
||||
defer sdown()
|
||||
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
|
||||
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
|
||||
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), caSecretName, resyncPeriod)
|
||||
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tlsSecretName, resyncPeriod)
|
||||
if !informers.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, caSecret, tlsSecret) {
|
||||
setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
|
||||
os.Exit(1)
|
||||
|
|
@ -266,8 +276,8 @@ func main() {
|
|||
config.KyvernoServiceName(),
|
||||
config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
config.KyvernoNamespace(),
|
||||
config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
caSecretName,
|
||||
tlsSecretName,
|
||||
)
|
||||
policyCache := policycache.NewCache()
|
||||
omitEventsValues := strings.Split(omitEvents, ",")
|
||||
|
|
@ -465,7 +475,7 @@ func main() {
|
|||
DumpPayload: dumpPayload,
|
||||
},
|
||||
func() ([]byte, []byte, error) {
|
||||
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()))
|
||||
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(tlsSecretName)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -41283,6 +41283,8 @@ spec:
|
|||
image: "ghcr.io/kyverno/kyverno:latest"
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca
|
||||
- --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair
|
||||
- --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
|
||||
- --servicePort=443
|
||||
- --disableMetrics=false
|
||||
|
|
@ -41533,6 +41535,8 @@ spec:
|
|||
name: metrics
|
||||
protocol: TCP
|
||||
args:
|
||||
- --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
|
||||
- --tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
|
||||
- --servicePort=443
|
||||
- --disableMetrics=false
|
||||
- --otelConfig=prometheus
|
||||
|
|
|
|||
|
|
@ -13,11 +13,3 @@ func DnsNames(commonName string, namespace string) []string {
|
|||
InClusterServiceName(commonName, namespace),
|
||||
}
|
||||
}
|
||||
|
||||
func GenerateTLSPairSecretName(commonName string, namespace string) string {
|
||||
return InClusterServiceName(commonName, namespace) + ".kyverno-tls-pair"
|
||||
}
|
||||
|
||||
func GenerateRootCASecretName(commonName string, namespace string) string {
|
||||
return InClusterServiceName(commonName, namespace) + ".kyverno-tls-ca"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,7 +5,6 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/controllers"
|
||||
"github.com/kyverno/kyverno/pkg/tls"
|
||||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
|
|
@ -37,27 +36,30 @@ type controller struct {
|
|||
caEnqueue controllerutils.EnqueueFunc
|
||||
tlsEnqueue controllerutils.EnqueueFunc
|
||||
|
||||
commonName string
|
||||
namespace string
|
||||
caSecretName string
|
||||
tlsSecretName string
|
||||
namespace string
|
||||
}
|
||||
|
||||
func NewController(
|
||||
caInformer corev1informers.SecretInformer,
|
||||
tlsInformer corev1informers.SecretInformer,
|
||||
certRenewer tls.CertRenewer,
|
||||
commonName string,
|
||||
caSecretName string,
|
||||
tlsSecretName string,
|
||||
namespace string,
|
||||
) controllers.Controller {
|
||||
queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName)
|
||||
c := controller{
|
||||
renewer: certRenewer,
|
||||
caLister: caInformer.Lister(),
|
||||
tlsLister: tlsInformer.Lister(),
|
||||
queue: queue,
|
||||
caEnqueue: controllerutils.AddDefaultEventHandlers(logger, caInformer.Informer(), queue),
|
||||
tlsEnqueue: controllerutils.AddDefaultEventHandlers(logger, tlsInformer.Informer(), queue),
|
||||
commonName: commonName,
|
||||
namespace: namespace,
|
||||
renewer: certRenewer,
|
||||
caLister: caInformer.Lister(),
|
||||
tlsLister: tlsInformer.Lister(),
|
||||
queue: queue,
|
||||
caEnqueue: controllerutils.AddDefaultEventHandlers(logger, caInformer.Informer(), queue),
|
||||
tlsEnqueue: controllerutils.AddDefaultEventHandlers(logger, tlsInformer.Informer(), queue),
|
||||
caSecretName: caSecretName,
|
||||
tlsSecretName: tlsSecretName,
|
||||
namespace: namespace,
|
||||
}
|
||||
return &c
|
||||
}
|
||||
|
|
@ -68,18 +70,18 @@ func (c *controller) Run(ctx context.Context, workers int) {
|
|||
if err := c.tlsEnqueue(&corev1.Secret{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: c.namespace,
|
||||
Name: config.GenerateTLSPairSecretName(c.commonName, c.namespace),
|
||||
Name: c.tlsSecretName,
|
||||
},
|
||||
}); err != nil {
|
||||
logger.Error(err, "failed to enqueue secret", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
|
||||
logger.Error(err, "failed to enqueue secret", "name", c.tlsSecretName)
|
||||
}
|
||||
if err := c.caEnqueue(&corev1.Secret{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: c.namespace,
|
||||
Name: config.GenerateRootCASecretName(c.commonName, c.namespace),
|
||||
Name: c.caSecretName,
|
||||
},
|
||||
}); err != nil {
|
||||
logger.Error(err, "failed to enqueue CA secret", "name", config.GenerateRootCASecretName(c.commonName, c.namespace))
|
||||
logger.Error(err, "failed to enqueue CA secret", "name", c.caSecretName)
|
||||
}
|
||||
controllerutils.Run(ctx, logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile, c.ticker)
|
||||
}
|
||||
|
|
@ -88,7 +90,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
|
|||
if namespace != c.namespace {
|
||||
return nil
|
||||
}
|
||||
if name != config.GenerateTLSPairSecretName(c.commonName, c.namespace) && name != config.GenerateRootCASecretName(c.commonName, c.namespace) {
|
||||
if name != c.caSecretName && name != c.tlsSecretName {
|
||||
return nil
|
||||
}
|
||||
return c.renewCertificates(ctx)
|
||||
|
|
|
|||
|
|
@ -59,6 +59,7 @@ type controller struct {
|
|||
sideEffects *admissionregistrationv1.SideEffectClass
|
||||
configuration config.Configuration
|
||||
labelSelector *metav1.LabelSelector
|
||||
caSecretName string
|
||||
}
|
||||
|
||||
func NewController(
|
||||
|
|
@ -75,6 +76,7 @@ func NewController(
|
|||
failurePolicy *admissionregistrationv1.FailurePolicyType,
|
||||
sideEffects *admissionregistrationv1.SideEffectClass,
|
||||
configuration config.Configuration,
|
||||
caSecretName string,
|
||||
) controllers.Controller {
|
||||
queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), controllerName)
|
||||
c := controller{
|
||||
|
|
@ -93,22 +95,23 @@ func NewController(
|
|||
sideEffects: sideEffects,
|
||||
configuration: configuration,
|
||||
labelSelector: labelSelector,
|
||||
caSecretName: caSecretName,
|
||||
}
|
||||
controllerutils.AddDefaultEventHandlers(c.logger, vwcInformer.Informer(), queue)
|
||||
controllerutils.AddEventHandlersT(
|
||||
secretInformer.Informer(),
|
||||
func(obj *corev1.Secret) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
|
||||
c.enqueue()
|
||||
}
|
||||
},
|
||||
func(_, obj *corev1.Secret) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
|
||||
c.enqueue()
|
||||
}
|
||||
},
|
||||
func(obj *corev1.Secret) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
|
||||
c.enqueue()
|
||||
}
|
||||
},
|
||||
|
|
@ -130,7 +133,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
|
|||
if key != c.webhookName {
|
||||
return nil
|
||||
}
|
||||
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister)
|
||||
caData, err := tls.ReadRootCASecret(c.caSecretName, config.KyvernoNamespace(), c.secretLister)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -99,6 +99,7 @@ type controller struct {
|
|||
admissionReports bool
|
||||
runtime runtimeutils.Runtime
|
||||
configuration config.Configuration
|
||||
caSecretName string
|
||||
|
||||
// state
|
||||
lock sync.Mutex
|
||||
|
|
@ -125,6 +126,7 @@ func NewController(
|
|||
admissionReports bool,
|
||||
runtime runtimeutils.Runtime,
|
||||
configuration config.Configuration,
|
||||
caSecretName string,
|
||||
) controllers.Controller {
|
||||
queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName)
|
||||
c := controller{
|
||||
|
|
@ -148,6 +150,7 @@ func NewController(
|
|||
admissionReports: admissionReports,
|
||||
runtime: runtime,
|
||||
configuration: configuration,
|
||||
caSecretName: caSecretName,
|
||||
policyState: map[string]sets.Set[string]{
|
||||
config.MutatingWebhookConfigurationName: sets.New[string](),
|
||||
config.ValidatingWebhookConfigurationName: sets.New[string](),
|
||||
|
|
@ -158,17 +161,17 @@ func NewController(
|
|||
controllerutils.AddEventHandlersT(
|
||||
secretInformer.Informer(),
|
||||
func(obj *corev1.Secret) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
|
||||
c.enqueueAll()
|
||||
}
|
||||
},
|
||||
func(_, obj *corev1.Secret) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
|
||||
c.enqueueAll()
|
||||
}
|
||||
},
|
||||
func(obj *corev1.Secret) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
|
||||
c.enqueueAll()
|
||||
}
|
||||
},
|
||||
|
|
@ -340,7 +343,7 @@ func (c *controller) reconcileVerifyMutatingWebhookConfiguration(ctx context.Con
|
|||
}
|
||||
|
||||
func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
|
||||
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||
caData, err := tls.ReadRootCASecret(c.caSecretName, config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -370,7 +373,7 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
|
|||
}
|
||||
|
||||
func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
|
||||
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||
caData, err := tls.ReadRootCASecret(c.caSecretName, config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
|
@ -132,9 +131,9 @@ func (c *certRenewer) RenewCA(ctx context.Context) error {
|
|||
return err
|
||||
}
|
||||
if !valid {
|
||||
logger.Info("mismatched certs chain, renewing", "CA certificate", config.GenerateRootCASecretName(c.commonName, c.namespace), "TLS certificate", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
|
||||
logger.Info("mismatched certs chain, renewing", "CA certificate", c.caSecret, "TLS certificate", c.pairSecret)
|
||||
if err := c.RenewTLS(ctx); err != nil {
|
||||
logger.Error(err, "failed to renew TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
|
||||
logger.Error(err, "failed to renew TLS certificate", "name", c.pairSecret)
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
|
@ -158,7 +157,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
|
|||
if cert != nil {
|
||||
valid, err := c.ValidateCert(ctx)
|
||||
if err != nil || !valid {
|
||||
logger.Info("invalid cert chain, renewing TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace), "error", err.Error())
|
||||
logger.Info("invalid cert chain, renewing TLS certificate", "name", c.pairSecret, "error", err.Error())
|
||||
} else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) {
|
||||
logger.V(4).Info("TLS certificate does not need to be renewed")
|
||||
return nil
|
||||
|
|
|
|||
Loading…
Reference in a new issue