fix: use new client in tls package (#4746)

* fix: use new client in tls package

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix import

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

cmd/kyverno/main.go

@@ -437,7 +437,10 @@ func main() {
 	policyCacheController := policycachecontroller.NewController(policyCache, kyvernoV1.ClusterPolicies(), kyvernoV1.Policies())
 
 	certRenewer, err := tls.NewCertRenewer(
-		kubeClient,
+		metrics.ObjectClient[*corev1.Secret](
+			metrics.NamespacedClientQueryRecorder(metricsConfig, config.KyvernoNamespace(), "Secret", metrics.KubeClient),
+			kubeClient.CoreV1().Secrets(config.KyvernoNamespace()),
+		),
 		clientConfig,
 		tls.CertRenewalInterval,
 		tls.CAValidityDuration,

pkg/tls/renewer.go

@@ -10,10 +10,10 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"github.com/kyverno/kyverno/pkg/config"
+	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 )
 
@@ -33,7 +33,7 @@ const (
 // webhook configurations and webhook server
 // renews RootCA at the given interval
 type CertRenewer struct {
-	client              kubernetes.Interface
+	client              controllerutils.ObjectClient[*corev1.Secret]
 	certRenewalInterval time.Duration
 	caValidityDuration  time.Duration
 	tlsValidityDuration time.Duration
@@ -44,7 +44,7 @@ type CertRenewer struct {
 }
 
 // NewCertRenewer returns an instance of CertRenewer
-func NewCertRenewer(client kubernetes.Interface, clientConfig *rest.Config, certRenewalInterval, caValidityDuration, tlsValidityDuration time.Duration, serverIP string, log logr.Logger) (*CertRenewer, error) {
+func NewCertRenewer(client controllerutils.ObjectClient[*corev1.Secret], clientConfig *rest.Config, certRenewalInterval, caValidityDuration, tlsValidityDuration time.Duration, serverIP string, log logr.Logger) (*CertRenewer, error) {
 	certProps, err := newCertificateProps(clientConfig)
 	if err != nil {
 		return nil, err
@@ -152,7 +152,7 @@ func (c *CertRenewer) ValidateCert() (bool, error) {
 }
 
 func (c *CertRenewer) getSecret(name string) (*corev1.Secret, error) {
-	if s, err := c.client.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{}); err != nil {
+	if s, err := c.client.Get(context.TODO(), name, metav1.GetOptions{}); err != nil {
 		return nil, err
 	} else {
 		return s, nil
@@ -226,14 +226,14 @@ func (c *CertRenewer) writeSecret(name string, key *rsa.PrivateKey, certs ...*x5
 		corev1.TLSPrivateKeyKey: privateKeyToPem(key),
 	}
 	if secret.ResourceVersion == "" {
-		if _, err := c.client.CoreV1().Secrets(config.KyvernoNamespace()).Create(context.TODO(), secret, metav1.CreateOptions{}); err != nil {
+		if _, err := c.client.Create(context.TODO(), secret, metav1.CreateOptions{}); err != nil {
 			logger.Error(err, "failed to update secret")
 			return err
 		} else {
 			logger.Info("secret created")
 		}
 	} else {
-		if _, err := c.client.CoreV1().Secrets(config.KyvernoNamespace()).Update(context.TODO(), secret, metav1.UpdateOptions{}); err != nil {
+		if _, err := c.client.Update(context.TODO(), secret, metav1.UpdateOptions{}); err != nil {
 			logger.Error(err, "failed to update secret")
 			return err
 		} else {