reading kyverno svc from environment variable (#962)

* reading kyverno svc from environment variable

* updated readme

charts/kyverno/templates/deployment.yaml

@@ -62,6 +62,8 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
+          - name: KYVERNO_SVC
+            value: {{ template "kyverno.serviceName" . }}
         {{- with .Values.livenessProbe }}
           livenessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
         {{- end }}

definitions/install.yaml

@@ -771,6 +771,8 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: KYVERNO_SVC
+          value: kyverno-svc
         image: nirmata/kyverno:v1.1.6
         imagePullPolicy: Always
         livenessProbe:

documentation/installation.md

@@ -254,7 +254,7 @@ To run controller in this mode you should prepare a TLS key/certificate pair for
 
 1. Run `sudo scripts/deploy-controller-debug.sh --service=localhost --serverIP=<server_IP>`, where <server_IP> is the IP address of the host where controller runs. This scripts will generate a TLS certificate for debug webhook server and register this webhook in the cluster. It also registers a CustomResource policy.
 
-2. Start the controller using the following command: `sudo KYVERNO_NAMESPACE=<namespace> go run ./cmd/kyverno/main.go --kubeconfig=~/.kube/config --serverIP=<server_IP>`. In case environment variable "KYVERNO_NAMESPACE" is not passed kyverno will run in its default namespace "kyverno".
+2. Start the controller using the following command: `sudo KYVERNO_NAMESPACE=<namespace> KYVERNO_SVC=<service_name> go run ./cmd/kyverno/main.go --kubeconfig=~/.kube/config --serverIP=<server_IP>`. In case environment variable "KYVERNO_NAMESPACE" and "KYVERNO_SVC" is not passed kyverno will run in its default namespace "kyverno" and with default service name "kyverno-svc".
 
 # Filter Kubernetes resources that admission webhook should not process
 The admission webhook checks if a policy is applicable on all admission requests. The Kubernetes kinds that are not be processed can be filtered by adding a `ConfigMap` in namespace `kyverno` and specifying the resources to be filtered under `data.resourceFilters`. The default name of this `ConfigMap` is `init-config` but can be changed by modifying the value of the environment variable `INIT_CONFIG` in the kyverno deployment dpec. `data.resourceFilters` must be a sequence of one or more `[<Kind>,<Namespace>,<Name>]` entries with `*` as wildcard. Thus, an item `[Node,*,*]` means that admissions of `Node` in any namespace and with any name will be ignored.

pkg/config/config.go

@@ -10,9 +10,6 @@ import (
 
 // These constants MUST be equal to the corresponding names in service definition in definitions/install.yaml
 const (
-	//WebhookServiceName default kyverno webhook service name
-	WebhookServiceName = "kyverno-svc"
-
 	//MutatingWebhookConfigurationName default resource mutating webhook configuration name
 	MutatingWebhookConfigurationName = "kyverno-resource-mutating-webhook-cfg"
 	//MutatingWebhookConfigurationDebugName default resource mutating webhook configuration name for debug mode
@@ -61,6 +58,8 @@ var (
 	KubePolicyNamespace = getKyvernoNameSpace()
 	// KubePolicyDeploymentName define the default deployment namespace
 	KubePolicyDeploymentName = getKyvernoNameSpace()
+	//WebhookServiceName default kyverno webhook service name
+	WebhookServiceName = getWebhookServiceName()
 
 	//MutatingWebhookServicePath is the path for mutation webhook
 	MutatingWebhookServicePath = "/mutate"
@@ -97,3 +96,12 @@ func getKyvernoNameSpace() string {
 	}
 	return kyvernoNamespace
 }
+
+// getWebhookServiceName - setting default WebhookServiceName
+func getWebhookServiceName() string {
+	webhookServiceName := os.Getenv("KYVERNO_SVC")
+	if webhookServiceName == "" {
+		webhookServiceName = "kyverno-svc"
+	}
+	return webhookServiceName
+}

scripts/generate-self-signed-cert-and-k8secrets-debug.sh

@@ -14,6 +14,10 @@ case $i in
 esac
 done
 
+if [ "$service" == "" ]; then
+    service="kyverno-svc"
+fi
+
 destdir="certs"
 if [ ! -d "$destdir" ]; then
   mkdir ${destdir} || exit 1
@@ -61,11 +65,11 @@ echo "Generating corresponding kubernetes secrets for TLS pair and root CA"
 # create project namespace
 kubectl create ns kyverno
 # create tls pair secret
-kubectl -n kyverno create secret tls kyverno-svc.kyverno.svc.kyverno-tls-pair --cert=${destdir}/webhook.crt --key=${destdir}/webhook.key
+kubectl -n kyverno create secret tls ${service}.kyverno.svc.kyverno-tls-pair --cert=${destdir}/webhook.crt --key=${destdir}/webhook.key
 # annotate tls pair secret to specify use of self-signed certificates and check if root CA is created as secret
-kubectl annotate secret kyverno-svc.kyverno.svc.kyverno-tls-pair -n kyverno self-signed-cert=true
+kubectl annotate secret ${service}.kyverno.svc.kyverno-tls-pair -n kyverno self-signed-cert=true
 # create root CA secret
-kubectl -n kyverno create secret generic kyverno-svc.kyverno.svc.kyverno-tls-ca --from-file=${destdir}/rootCA.crt
+kubectl -n kyverno create secret generic ${service}.kyverno.svc.kyverno-tls-ca --from-file=${destdir}/rootCA.crt
 
 echo "Creating CRD"
 kubectl apply -f definitions/install_debug.yaml

scripts/generate-self-signed-cert-and-k8secrets.sh

@@ -1,5 +1,22 @@
 #!/bin/bash
 
+
+for i in "$@"
+do
+case $i in
+    --service=*)
+    service="${i#*=}"
+    shift
+    ;;
+esac
+done
+
+if [ "$service" == "" ]; then
+    service="kyverno-svc"
+fi
+
+echo "service is $service"
+
 echo "Generating self-signed certificate"
 # generate priv key for root CA
 openssl genrsa -out rootCA.key 4096 
@@ -8,7 +25,7 @@ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
 # generate priv key
 openssl genrsa -out webhook.key 4096
 # generate certificate
-openssl req -new -key webhook.key -out webhook.csr -subj "/C=US/ST=test /L=test /O=test /OU=PIB/CN=kyverno-svc.kyverno.svc/emailAddress=test@test.com"
+openssl req -new -key webhook.key -out webhook.csr -subj "/C=US/ST=test /L=test /O=test /OU=PIB/CN=${service}.kyverno.svc/emailAddress=test@test.com"
 # sign the certificate using the root CA
 openssl x509 -req -in webhook.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out webhook.crt -days 1024 -sha256
 
@@ -16,8 +33,8 @@ echo "Generating corresponding kubernetes secrets for TLS pair and root CA"
 # create project namespace
 kubectl create ns kyverno
 # create tls pair secret
-kubectl -n kyverno create secret tls kyverno-svc.kyverno.svc.kyverno-tls-pair --cert=webhook.crt --key=webhook.key
+kubectl -n kyverno create secret tls ${service}.kyverno.svc.kyverno-tls-pair --cert=webhook.crt --key=webhook.key
 # annotate tls pair secret to specify use of self-signed certificates and check if root CA is created as secret
-kubectl annotate secret kyverno-svc.kyverno.svc.kyverno-tls-pair -n kyverno self-signed-cert=true
+kubectl annotate secret ${service}.kyverno.svc.kyverno-tls-pair -n kyverno self-signed-cert=true
 # create root CA secret
-kubectl -n kyverno create secret generic kyverno-svc.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt
+kubectl -n kyverno create secret generic ${service}.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt