feat: allow overriding ca and tls secret names (#8137)

* feat: allow overriding ca and tls secret names

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 ### Note
 
+- Added `--caSecretName` and `--tlsSecretName` flags to control names of certificate related secrets.
 - Added match conditions support in kyverno config map.
 - Deprecated flag `--imageSignatureRepository`. Will be removed in 1.12. Use per rule configuration `verifyImages.Repository` instead.
 - Added `--aggregateReports` flag for reports controller to enable/disable aggregated reports (default value is `true`).

charts/kyverno/templates/admission-controller/deployment.yaml

@@ -127,6 +127,8 @@ spec:
           image: {{ include "kyverno.image" (dict "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }}
           imagePullPolicy: {{ .Values.admissionController.container.image.pullPolicy }}
           args:
+            - --caSecretName={{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
+            - --tlsSecretName={{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
             - --backgroundServiceAccountName=system:serviceaccount:{{ include "kyverno.namespace" . }}:{{ include "kyverno.background-controller.serviceAccountName" . }}
             - --servicePort={{ .Values.admissionController.service.port }}
             {{- if .Values.admissionController.tracing.enabled }}

charts/kyverno/templates/cleanup-controller/deployment.yaml

@@ -86,6 +86,8 @@ spec:
             name: metrics
             protocol: TCP
           args:
+            - --caSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
+            - --tlsSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
             - --servicePort={{ .Values.cleanupController.service.port }}
             {{- if .Values.cleanupController.tracing.enabled }}
             - --enableTracing

cmd/cleanup-controller/main.go

@@ -39,6 +39,11 @@ const (
 	ttlWebhookControllerName    = "ttl-webhook-controller"
 )
 
+var (
+	caSecretName  string
+	tlsSecretName string
+)
+
 // TODO:
 // - helm review labels / selectors
 // - implement probes
@@ -68,6 +73,8 @@ func main() {
 	flagset.IntVar(&servicePort, "servicePort", 443, "Port used by the Kyverno Service resource and for webhook configurations.")
 	flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
 	flagset.DurationVar(&interval, "ttlReconciliationInterval", time.Minute, "Set this flag to set the interval after which the resource controller reconciliation should occur")
+	flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
+	flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
 	// config
 	appConfig := internal.NewConfiguration(
 		internal.WithProfiling(),
@@ -79,8 +86,8 @@ func main() {
 		internal.WithKyvernoDynamicClient(),
 		internal.WithConfigMapCaching(),
 		internal.WithDeferredLoading(),
-		internal.WithFlagSets(flagset),
 		internal.WithMetadataClient(),
+		internal.WithFlagSets(flagset),
 	)
 	// parse flags
 	internal.ParseFlags(appConfig)
@@ -88,8 +95,8 @@ func main() {
 	ctx, setup, sdown := internal.Setup(appConfig, "kyverno-cleanup-controller", false)
 	defer sdown()
 	// certificates informers
-	caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
+	caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), caSecretName, resyncPeriod)
-	tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
+	tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tlsSecretName, resyncPeriod)
 	if !informers.StartInformersAndWaitForCacheSync(ctx, setup.Logger, caSecret, tlsSecret) {
 		setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
 		os.Exit(1)
@@ -117,8 +124,8 @@ func main() {
 				config.KyvernoServiceName(),
 				config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
 				config.KyvernoNamespace(),
-				config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
+				caSecretName,
-				config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
+				tlsSecretName,
 			)
 			certController := internal.NewController(
 				certmanager.ControllerName,
@@ -126,7 +133,8 @@ func main() {
 					caSecret,
 					tlsSecret,
 					renewer,
-					config.KyvernoServiceName(),
+					caSecretName,
+					tlsSecretName,
 					config.KyvernoNamespace(),
 				),
 				certmanager.Workers,
@@ -162,6 +170,7 @@ func main() {
 					genericwebhookcontroller.Fail,
 					genericwebhookcontroller.None,
 					setup.Configuration,
+					caSecretName,
 				),
 				webhookWorkers,
 			)
@@ -200,6 +209,7 @@ func main() {
 					genericwebhookcontroller.Ignore,
 					genericwebhookcontroller.None,
 					setup.Configuration,
+					caSecretName,
 				),
 				webhookWorkers,
 			)
@@ -294,7 +304,7 @@ func main() {
 	// create server
 	server := NewServer(
 		func() ([]byte, []byte, error) {
-			secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()))
+			secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(tlsSecretName)
 			if err != nil {
 				return nil, nil, err
 			}

cmd/kyverno-init/main.go

@@ -16,7 +16,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/logging"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 	coordinationv1 "k8s.io/api/coordination/v1"
-	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 )
@@ -62,25 +61,7 @@ func main() {
 	failure := false
 
 	run := func(context.Context) {
-		name := config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace())
+		if err := acquireLeader(ctx, setup.KubeClient); err != nil {
-		_, err := setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
-		if err != nil {
-			logging.V(2).Info("failed to fetch root CA secret", "name", name, "error", err.Error())
-			if !errors.IsNotFound(err) {
-				os.Exit(1)
-			}
-		}
-
-		name = config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace())
-		_, err = setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
-		if err != nil {
-			logging.V(2).Info("failed to fetch TLS Pair secret", "name", name, "error", err.Error())
-			if !errors.IsNotFound(err) {
-				os.Exit(1)
-			}
-		}
-
-		if err = acquireLeader(ctx, setup.KubeClient); err != nil {
 			logging.V(2).Info("Failed to create lease 'kyvernopre-lock'")
 			os.Exit(1)
 		}

cmd/kyverno/main.go

@@ -54,6 +54,11 @@ const (
 	exceptionWebhookControllerName = "exception-webhook-controller"
 )
 
+var (
+	caSecretName  string
+	tlsSecretName string
+)
+
 func showWarnings(ctx context.Context, logger logr.Logger) {
 	logger = logger.WithName("warnings")
 	// log if `forceFailurePolicyIgnore` flag has been set or not
@@ -121,7 +126,8 @@ func createrLeaderControllers(
 		caInformer,
 		tlsInformer,
 		certRenewer,
-		config.KyvernoServiceName(),
+		caSecretName,
+		tlsSecretName,
 		config.KyvernoNamespace(),
 	)
 	webhookController := webhookcontroller.NewController(
@@ -144,6 +150,7 @@ func createrLeaderControllers(
 		admissionReports,
 		runtime,
 		configuration,
+		caSecretName,
 	)
 	exceptionWebhookController := genericwebhookcontroller.NewController(
 		exceptionWebhookControllerName,
@@ -169,6 +176,7 @@ func createrLeaderControllers(
 		genericwebhookcontroller.Fail,
 		genericwebhookcontroller.None,
 		configuration,
+		caSecretName,
 	)
 	return []internal.Controller{
 			internal.NewController(certmanager.ControllerName, certManager, certmanager.Workers),
@@ -207,6 +215,8 @@ func main() {
 	flagset.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
 	flagset.IntVar(&servicePort, "servicePort", 443, "Port used by the Kyverno Service resource and for webhook configurations.")
 	flagset.StringVar(&backgroundServiceAccountName, "backgroundServiceAccountName", "", "Background service account name.")
+	flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.")
+	flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.")
 	// config
 	appConfig := internal.NewConfiguration(
 		internal.WithProfiling(),
@@ -231,8 +241,8 @@ func main() {
 	// setup
 	signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-admission-controller", false)
 	defer sdown()
-	caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
+	caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), caSecretName, resyncPeriod)
-	tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
+	tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tlsSecretName, resyncPeriod)
 	if !informers.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, caSecret, tlsSecret) {
 		setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
 		os.Exit(1)
@@ -266,8 +276,8 @@ func main() {
 		config.KyvernoServiceName(),
 		config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
 		config.KyvernoNamespace(),
-		config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
+		caSecretName,
-		config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
+		tlsSecretName,
 	)
 	policyCache := policycache.NewCache()
 	omitEventsValues := strings.Split(omitEvents, ",")
@@ -465,7 +475,7 @@ func main() {
 			DumpPayload: dumpPayload,
 		},
 		func() ([]byte, []byte, error) {
-			secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()))
+			secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(tlsSecretName)
 			if err != nil {
 				return nil, nil, err
 			}

config/install-latest-testing.yaml

@@ -41283,6 +41283,8 @@ spec:
           image: "ghcr.io/kyverno/kyverno:latest"
           imagePullPolicy: IfNotPresent
           args:
+            - --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca
+            - --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair
             - --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller
             - --servicePort=443
             - --disableMetrics=false
@@ -41533,6 +41535,8 @@ spec:
             name: metrics
             protocol: TCP
           args:
+            - --caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca
+            - --tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair
             - --servicePort=443
             - --disableMetrics=false
             - --otelConfig=prometheus

pkg/config/tls.go

@@ -13,11 +13,3 @@ func DnsNames(commonName string, namespace string) []string {
 		InClusterServiceName(commonName, namespace),
 	}
 }
-
-func GenerateTLSPairSecretName(commonName string, namespace string) string {
-	return InClusterServiceName(commonName, namespace) + ".kyverno-tls-pair"
-}
-
-func GenerateRootCASecretName(commonName string, namespace string) string {
-	return InClusterServiceName(commonName, namespace) + ".kyverno-tls-ca"
-}

pkg/controllers/certmanager/controller.go

@@ -5,7 +5,6 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
-	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/controllers"
 	"github.com/kyverno/kyverno/pkg/tls"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
@@ -37,27 +36,30 @@ type controller struct {
 	caEnqueue  controllerutils.EnqueueFunc
 	tlsEnqueue controllerutils.EnqueueFunc
 
-	commonName string
+	caSecretName  string
-	namespace  string
+	tlsSecretName string
+	namespace     string
 }
 
 func NewController(
 	caInformer corev1informers.SecretInformer,
 	tlsInformer corev1informers.SecretInformer,
 	certRenewer tls.CertRenewer,
-	commonName string,
+	caSecretName string,
+	tlsSecretName string,
 	namespace string,
 ) controllers.Controller {
 	queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName)
 	c := controller{
-		renewer:    certRenewer,
+		renewer:       certRenewer,
-		caLister:   caInformer.Lister(),
+		caLister:      caInformer.Lister(),
-		tlsLister:  tlsInformer.Lister(),
+		tlsLister:     tlsInformer.Lister(),
-		queue:      queue,
+		queue:         queue,
-		caEnqueue:  controllerutils.AddDefaultEventHandlers(logger, caInformer.Informer(), queue),
+		caEnqueue:     controllerutils.AddDefaultEventHandlers(logger, caInformer.Informer(), queue),
-		tlsEnqueue: controllerutils.AddDefaultEventHandlers(logger, tlsInformer.Informer(), queue),
+		tlsEnqueue:    controllerutils.AddDefaultEventHandlers(logger, tlsInformer.Informer(), queue),
-		commonName: commonName,
+		caSecretName:  caSecretName,
-		namespace:  namespace,
+		tlsSecretName: tlsSecretName,
+		namespace:     namespace,
 	}
 	return &c
 }
@@ -68,18 +70,18 @@ func (c *controller) Run(ctx context.Context, workers int) {
 	if err := c.tlsEnqueue(&corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: c.namespace,
-			Name:      config.GenerateTLSPairSecretName(c.commonName, c.namespace),
+			Name:      c.tlsSecretName,
 		},
 	}); err != nil {
-		logger.Error(err, "failed to enqueue secret", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
+		logger.Error(err, "failed to enqueue secret", "name", c.tlsSecretName)
 	}
 	if err := c.caEnqueue(&corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: c.namespace,
-			Name:      config.GenerateRootCASecretName(c.commonName, c.namespace),
+			Name:      c.caSecretName,
 		},
 	}); err != nil {
-		logger.Error(err, "failed to enqueue CA secret", "name", config.GenerateRootCASecretName(c.commonName, c.namespace))
+		logger.Error(err, "failed to enqueue CA secret", "name", c.caSecretName)
 	}
 	controllerutils.Run(ctx, logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile, c.ticker)
 }
@@ -88,7 +90,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
 	if namespace != c.namespace {
 		return nil
 	}
-	if name != config.GenerateTLSPairSecretName(c.commonName, c.namespace) && name != config.GenerateRootCASecretName(c.commonName, c.namespace) {
+	if name != c.caSecretName && name != c.tlsSecretName {
 		return nil
 	}
 	return c.renewCertificates(ctx)

pkg/controllers/generic/webhook/controller.go

@@ -59,6 +59,7 @@ type controller struct {
 	sideEffects    *admissionregistrationv1.SideEffectClass
 	configuration  config.Configuration
 	labelSelector  *metav1.LabelSelector
+	caSecretName   string
 }
 
 func NewController(
@@ -75,6 +76,7 @@ func NewController(
 	failurePolicy *admissionregistrationv1.FailurePolicyType,
 	sideEffects *admissionregistrationv1.SideEffectClass,
 	configuration config.Configuration,
+	caSecretName string,
 ) controllers.Controller {
 	queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), controllerName)
 	c := controller{
@@ -93,22 +95,23 @@ func NewController(
 		sideEffects:    sideEffects,
 		configuration:  configuration,
 		labelSelector:  labelSelector,
+		caSecretName:   caSecretName,
 	}
 	controllerutils.AddDefaultEventHandlers(c.logger, vwcInformer.Informer(), queue)
 	controllerutils.AddEventHandlersT(
 		secretInformer.Informer(),
 		func(obj *corev1.Secret) {
-			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
+			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
 				c.enqueue()
 			}
 		},
 		func(_, obj *corev1.Secret) {
-			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
+			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
 				c.enqueue()
 			}
 		},
 		func(obj *corev1.Secret) {
-			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
+			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
 				c.enqueue()
 			}
 		},
@@ -130,7 +133,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
 	if key != c.webhookName {
 		return nil
 	}
-	caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister)
+	caData, err := tls.ReadRootCASecret(c.caSecretName, config.KyvernoNamespace(), c.secretLister)
 	if err != nil {
 		return err
 	}

pkg/controllers/webhook/controller.go

@@ -99,6 +99,7 @@ type controller struct {
 	admissionReports   bool
 	runtime            runtimeutils.Runtime
 	configuration      config.Configuration
+	caSecretName       string
 
 	// state
 	lock        sync.Mutex
@@ -125,6 +126,7 @@ func NewController(
 	admissionReports bool,
 	runtime runtimeutils.Runtime,
 	configuration config.Configuration,
+	caSecretName string,
 ) controllers.Controller {
 	queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName)
 	c := controller{
@@ -148,6 +150,7 @@ func NewController(
 		admissionReports:   admissionReports,
 		runtime:            runtime,
 		configuration:      configuration,
+		caSecretName:       caSecretName,
 		policyState: map[string]sets.Set[string]{
 			config.MutatingWebhookConfigurationName:   sets.New[string](),
 			config.ValidatingWebhookConfigurationName: sets.New[string](),
@@ -158,17 +161,17 @@ func NewController(
 	controllerutils.AddEventHandlersT(
 		secretInformer.Informer(),
 		func(obj *corev1.Secret) {
-			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
+			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
 				c.enqueueAll()
 			}
 		},
 		func(_, obj *corev1.Secret) {
-			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
+			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
 				c.enqueueAll()
 			}
 		},
 		func(obj *corev1.Secret) {
-			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
+			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == caSecretName {
 				c.enqueueAll()
 			}
 		},
@@ -340,7 +343,7 @@ func (c *controller) reconcileVerifyMutatingWebhookConfiguration(ctx context.Con
 }
 
 func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
-	caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
+	caData, err := tls.ReadRootCASecret(c.caSecretName, config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
 	if err != nil {
 		return err
 	}
@@ -370,7 +373,7 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
 }
 
 func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
-	caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
+	caData, err := tls.ReadRootCASecret(c.caSecretName, config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
 	if err != nil {
 		return err
 	}

pkg/tls/renewer.go

@@ -8,7 +8,6 @@ import (
 	"time"
 
 	"github.com/kyverno/kyverno/api/kyverno"
-	"github.com/kyverno/kyverno/pkg/config"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -132,9 +131,9 @@ func (c *certRenewer) RenewCA(ctx context.Context) error {
 		return err
 	}
 	if !valid {
-		logger.Info("mismatched certs chain, renewing", "CA certificate", config.GenerateRootCASecretName(c.commonName, c.namespace), "TLS certificate", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
+		logger.Info("mismatched certs chain, renewing", "CA certificate", c.caSecret, "TLS certificate", c.pairSecret)
 		if err := c.RenewTLS(ctx); err != nil {
-			logger.Error(err, "failed to renew TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
+			logger.Error(err, "failed to renew TLS certificate", "name", c.pairSecret)
 			return err
 		}
 	}
@@ -158,7 +157,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
 	if cert != nil {
 		valid, err := c.ValidateCert(ctx)
 		if err != nil || !valid {
-			logger.Info("invalid cert chain, renewing TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace), "error", err.Error())
+			logger.Info("invalid cert chain, renewing TLS certificate", "name", c.pairSecret, "error", err.Error())
 		} else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) {
 			logger.V(4).Info("TLS certificate does not need to be renewed")
 			return nil