
fix: delete certificate secret if type is not TLS (#6368)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-02-22 10:04:17 +01:00 committed by GitHub
parent ef7265ca6d
commit 4a489b8979
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 4 deletions


@ -76,7 +76,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
if name != tls.GenerateTLSPairSecretName() && name != tls.GenerateRootCASecretName() {
return nil
}
return c.renewCertificates()
return c.renewCertificates(ctx)
}
func (c *controller) ticker(ctx context.Context, logger logr.Logger) {
@ -101,11 +101,11 @@ func (c *controller) ticker(ctx context.Context, logger logr.Logger) {
}
}
func (c *controller) renewCertificates() error {
if err := retryutils.RetryFunc(context.TODO(), time.Second, 5*time.Second, logger, "failed to renew CA", c.renewer.RenewCA)(); err != nil {
func (c *controller) renewCertificates(ctx context.Context) error {
if err := retryutils.RetryFunc(ctx, time.Second, 5*time.Second, logger, "failed to renew CA", c.renewer.RenewCA)(); err != nil {
return err
}
if err := retryutils.RetryFunc(context.TODO(), time.Second, 5*time.Second, logger, "failed to renew TLS", c.renewer.RenewTLS)(); err != nil {
if err := retryutils.RetryFunc(ctx, time.Second, 5*time.Second, logger, "failed to renew TLS", c.renewer.RenewTLS)(); err != nil {
return err
}
return nil
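Review bot: `renewCertificates` now takes the caller's `ctx` but still logs through a bare `logger` that is not one of its parameters, while both call sites (`reconcile` and `ticker`) already carry a `logger logr.Logger` argument that is dropped at the call. Threading it the same way as `ctx` keeps the per-reconcile key/namespace fields attached to the retry messages: `func (c *controller) renewCertificates(ctx context.Context, logger logr.Logger) error {` with `return c.renewCertificates(ctx, logger)` in `reconcile`. The package-level `logger` appears to be what is referenced here, but its declaration is outside the hunk, so this is inferred. The closing brace of `renewCertificates` also lies outside the hunk.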


@ -91,6 +91,14 @@ func (c *certRenewer) RenewCA(ctx context.Context) error {
logger.Error(err, "tls is not valid but certificates are not managed by kyverno, we can't renew them")
return err
}
if secret != nil && secret.Type != corev1.SecretTypeTLS {
logger.Info("CA secret type is not TLS, we're going to delete it and regenrate one")
err := c.client.Delete(ctx, secret.Name, metav1.DeleteOptions{})
if err != nil {
logger.Error(err, "failed to delete CA secret")
}
return err
}
caKey, caCert, err := generateCA(key, c.caValidityDuration)
if err != nil {
logger.Error(err, "failed to generate CA")
@ -127,6 +135,14 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
logger.Error(err, "tls is not valid but certificates are not managed by kyverno, we can't renew them")
return err
}
if secret != nil && secret.Type != corev1.SecretTypeTLS {
logger.Info("TLS secret type is not TLS, we're going to delete it and regenrate one")
err := c.client.Delete(ctx, secret.Name, metav1.DeleteOptions{})
if err != nil {
logger.Error(err, "failed to delete TLS secret")
}
return err
}
tlsKey, tlsCert, err := generateTLS(c.server, caCerts[len(caCerts)-1], caKey, c.tlsValidityDuration)
if err != nil {
logger.Error(err, "failed to generate TLS")
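Review bot: The new delete in `RenewTLS` (and the identical block in `RenewCA` in the previous hunk) removes the secret by name only, so a secret re-created between the read of `secret` and the `Delete` call would be deleted too; pinning the delete to the object that was actually inspected avoids that, e.g. `err := c.client.Delete(ctx, secret.Name, metav1.DeleteOptions{Preconditions: &metav1.Preconditions{UID: &secret.UID}})`. Both blocks also `return err` after a successful delete, which is `nil`, so the caller cannot tell "renewed" from "deleted, regeneration deferred to a later pass"; a short comment on the `return err` line stating that regeneration is expected to happen on the next reconcile of the deleted secret would make that intent explicit, since the hunk does not show what triggers it. The two blocks differ only in the log text and could be one helper shared by `RenewCA` and `RenewTLS`. Finally, both `logger.Info` messages misspell "regenerate" as "regenrate".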