fix: don't report ready until certs are valid (#4934)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
b7247b5935
commit
16aca2816f
5 changed files with 31 additions and 27 deletions
|
@ -589,10 +589,11 @@ func main() {
|
|||
kyvernoInformer.Kyverno().V1().Policies(),
|
||||
)
|
||||
runtime := runtimeutils.NewRuntime(
|
||||
logger.WithName("runtime"),
|
||||
logger.WithName("runtime-checks"),
|
||||
serverIP,
|
||||
kubeKyvernoInformer.Coordination().V1().Leases(),
|
||||
kubeKyvernoInformer.Apps().V1().Deployments(),
|
||||
certRenewer,
|
||||
)
|
||||
// create non leader controllers
|
||||
nonLeaderControllers, nonLeaderBootstrap := createNonLeaderControllers(
|
||||
|
|
|
@ -56,7 +56,7 @@ func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey,
|
|||
dnsNames := []string{
|
||||
config.KyvernoServiceName(),
|
||||
fmt.Sprintf("%s.%s", config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
InClusterServiceName(),
|
||||
inClusterServiceName(),
|
||||
}
|
||||
var ips []net.IP
|
||||
if server != "" {
|
||||
|
|
|
@ -27,6 +27,11 @@ const (
|
|||
rootCAKey = "rootCA.crt"
|
||||
)
|
||||
|
||||
type CertValidator interface {
|
||||
// ValidateCert checks the certificates validity
|
||||
ValidateCert() (bool, error)
|
||||
}
|
||||
|
||||
type CertRenewer interface {
|
||||
// RenewCA renews the CA certificate if needed
|
||||
RenewCA() error
|
||||
|
@ -48,7 +53,7 @@ type certRenewer struct {
|
|||
}
|
||||
|
||||
// NewCertRenewer returns an instance of CertRenewer
|
||||
func NewCertRenewer(client controllerutils.ObjectClient[*corev1.Secret], certRenewalInterval, caValidityDuration, tlsValidityDuration time.Duration, server string) CertRenewer {
|
||||
func NewCertRenewer(client controllerutils.ObjectClient[*corev1.Secret], certRenewalInterval, caValidityDuration, tlsValidityDuration time.Duration, server string) *certRenewer {
|
||||
return &certRenewer{
|
||||
client: client,
|
||||
certRenewalInterval: certRenewalInterval,
|
||||
|
@ -71,7 +76,7 @@ func (c *certRenewer) RenewCA() error {
|
|||
logger.V(4).Info("CA certificate does not need to be renewed")
|
||||
return nil
|
||||
}
|
||||
if !IsSecretManagedByKyverno(secret) {
|
||||
if !isSecretManagedByKyverno(secret) {
|
||||
err := fmt.Errorf("tls is not valid but certificates are not managed by kyverno, we can't renew them")
|
||||
logger.Error(err, "tls is not valid but certificates are not managed by kyverno, we can't renew them")
|
||||
return err
|
||||
|
@ -107,7 +112,7 @@ func (c *certRenewer) RenewTLS() error {
|
|||
logger.V(4).Info("TLS certificate does not need to be renewed")
|
||||
return nil
|
||||
}
|
||||
if !IsSecretManagedByKyverno(secret) {
|
||||
if !isSecretManagedByKyverno(secret) {
|
||||
err := fmt.Errorf("tls is not valid but certificates are not managed by kyverno, we can't renew them")
|
||||
logger.Error(err, "tls is not valid but certificates are not managed by kyverno, we can't renew them")
|
||||
return err
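Review bot: The doc comment on `NewCertRenewer` is now stale — it still says "returns an instance of CertRenewer" while the signature was changed to return `*certRenewer`, which is what lets `main` hand the same value to the runtime as a `tls.CertValidator`. Suggest `// NewCertRenewer returns a *certRenewer, which implements both CertRenewer and CertValidator.` Since callers outside the package now rely on the unexported type satisfying both interfaces (and linters such as revive flag exported functions returning unexported types), pin that contract at compile time next to the type: `var _ CertRenewer = (*certRenewer)(nil)` and `var _ CertValidator = (*certRenewer)(nil)`. The `ValidateCert` method itself is not part of this commit, so I could not confirm that a missing or non-kyverno-managed secret is reported as invalid rather than surfacing only as an error. The `certRenewer` type and the `RenewCA`/`RenewTLS` bodies extend outside these hunks.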
|
||||
|
|
|
@ -8,7 +8,6 @@ import (
|
|||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
appsv1 "k8s.io/api/apps/v1"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
)
|
||||
|
||||
|
@ -84,21 +83,7 @@ func validateCert(now time.Time, cert *x509.Certificate, caCerts ...*x509.Certif
|
|||
return true
|
||||
}
|
||||
|
||||
// IsKyvernoInRollingUpdate returns true if Kyverno is in rolling update
|
||||
func IsKyvernoInRollingUpdate(deploy *appsv1.Deployment) bool {
|
||||
var replicas int32 = 1
|
||||
if deploy.Spec.Replicas != nil {
|
||||
replicas = *deploy.Spec.Replicas
|
||||
}
|
||||
nonTerminatedReplicas := deploy.Status.Replicas
|
||||
if nonTerminatedReplicas > replicas {
|
||||
logger.Info("detect Kyverno is in rolling update, won't trigger the update again")
|
||||
return true
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func IsSecretManagedByKyverno(secret *corev1.Secret) bool {
|
||||
func isSecretManagedByKyverno(secret *corev1.Secret) bool {
|
||||
if secret != nil {
|
||||
labels := secret.GetLabels()
|
||||
if labels == nil {
|
||||
|
@ -111,15 +96,15 @@ func IsSecretManagedByKyverno(secret *corev1.Secret) bool {
|
|||
return true
|
||||
}
|
||||
|
||||
// InClusterServiceName The generated service name should be the common name for TLS certificate
|
||||
func InClusterServiceName() string {
|
||||
// inClusterServiceName The generated service name should be the common name for TLS certificate
|
||||
func inClusterServiceName() string {
|
||||
return config.KyvernoServiceName() + "." + config.KyvernoNamespace() + ".svc"
|
||||
}
|
||||
|
||||
func GenerateTLSPairSecretName() string {
|
||||
return InClusterServiceName() + ".kyverno-tls-pair"
|
||||
return inClusterServiceName() + ".kyverno-tls-pair"
|
||||
}
|
||||
|
||||
func GenerateRootCASecretName() string {
|
||||
return InClusterServiceName() + ".kyverno-tls-ca"
|
||||
return inClusterServiceName() + ".kyverno-tls-ca"
|
||||
}
|
||||
|
|
|
@ -5,6 +5,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/tls"
|
||||
appsv1 "k8s.io/api/apps/v1"
|
||||
coordinationv1 "k8s.io/api/coordination/v1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
|
@ -32,6 +33,7 @@ type runtime struct {
|
|||
serverIP string
|
||||
leaseLister coordinationv1listers.LeaseLister
|
||||
deploymentLister appsv1listers.DeploymentLister
|
||||
certValidator tls.CertValidator
|
||||
logger logr.Logger
|
||||
}
|
||||
|
||||
|
@ -40,12 +42,14 @@ func NewRuntime(
|
|||
serverIP string,
|
||||
leaseInformer coordinationv1informers.LeaseInformer,
|
||||
deploymentInformer appsv1informers.DeploymentInformer,
|
||||
certValidator tls.CertValidator,
|
||||
) Runtime {
|
||||
return &runtime{
|
||||
logger: logger,
|
||||
serverIP: serverIP,
|
||||
leaseLister: leaseInformer.Lister(),
|
||||
deploymentLister: deploymentInformer.Lister(),
|
||||
logger: logger,
|
||||
certValidator: certValidator,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -58,7 +62,7 @@ func (c *runtime) IsLive() bool {
|
|||
}
|
||||
|
||||
func (c *runtime) IsReady() bool {
|
||||
return c.check()
|
||||
return c.check() && c.validateCertificates()
|
||||
}
|
||||
|
||||
func (c *runtime) IsRollingUpdate() bool {
|
||||
|
@ -119,3 +123,12 @@ func (c *runtime) check() bool {
|
|||
}
|
||||
return time.Now().Before(annTime.Add(IdleDeadline))
|
||||
}
|
||||
|
||||
func (c *runtime) validateCertificates() bool {
|
||||
validity, err := c.certValidator.ValidateCert()
|
||||
if err != nil {
|
||||
c.logger.Error(err, "failed to validate certificates")
|
||||
return false
|
||||
}
|
||||
return validity
|
||||
}
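Review bot: `validateCertificates` dereferences `c.certValidator` without a nil check, so a `runtime` built with a nil validator (a test fixture, or a future caller of `NewRuntime`) panics inside the readiness handler instead of reporting not-ready. Guard it fail-closed: `if c.certValidator == nil { c.logger.Info("no certificate validator configured, reporting not ready"); return false }` — for a readiness gate, absence of evidence that the certs are valid should mean not ready, consistent with the existing `return false` on error. Also, `IsReady` runs on every readiness probe, so while certificates are invalid or mid-renewal the `c.logger.Error` call fires on each probe; consider logging at a verbose level (`c.logger.V(2).Info(...)`) or letting the probe failure itself be the signal. The short-circuit in `c.check() && c.validateCertificates()` means certificates are only consulted once the idle-deadline check passes, which looks intended but deserves a one-line comment above `IsReady`, e.g. `// IsReady reports ready only when the lease/deployment check passes and the serving certificates are currently valid.`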
|
||||
|
|