fix: reduce tls package dependencies (#8107)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
10172ae8e0
commit
59c2a5d813
4 changed files with 31 additions and 18 deletions
|
@ -5,13 +5,10 @@ import (
|
|||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"crypto/x509/pkix"
|
||||
"fmt"
|
||||
"math/big"
|
||||
"net"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
)
|
||||
|
||||
// generateCA creates the self-signed CA cert and private key
|
||||
|
@ -53,11 +50,7 @@ func generateCA(key *rsa.PrivateKey, certValidityDuration time.Duration) (*rsa.P
|
|||
func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey, certValidityDuration time.Duration) (*rsa.PrivateKey, *x509.Certificate, error) {
|
||||
now := time.Now()
|
||||
begin, end := now.Add(-1*time.Hour), now.Add(certValidityDuration)
|
||||
dnsNames := []string{
|
||||
config.KyvernoServiceName(),
|
||||
fmt.Sprintf("%s.%s", config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
inClusterServiceName(),
|
||||
}
|
||||
dnsNames := dnsNames()
|
||||
var ips []net.IP
|
||||
if server != "" {
|
||||
serverHost := server
|
||||
|
@ -78,7 +71,7 @@ func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey,
|
|||
templ := &x509.Certificate{
|
||||
SerialNumber: big.NewInt(1),
|
||||
Subject: pkix.Name{
|
||||
CommonName: config.KyvernoServiceName(),
|
||||
CommonName: commonName(),
|
||||
},
|
||||
DNSNames: dnsNames,
|
||||
IPAddresses: ips,
|
||||
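Review bot: `dnsNames := dnsNames()` in generateTLS shadows the package-level helper for the rest of the function body, which is legal Go but easy to misread and will trip shadow linters; prefer `names := dnsNames()` with `DNSNames: names,` in the template, or drop the local entirely and write `DNSNames: dnsNames(),`. The helper is defined in a sibling file of this commit, so a reader of generateTLS alone can no longer see which names end up in the SAN list; a one-line comment at the template such as `// SANs come from dnsNames(): bare service, service.namespace and the in-cluster FQDN` keeps that visible where the certificate identity is fixed. generateTLS continues outside the hunks (the server-host parsing between the second and third hunk is not shown).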
|
|
|
@ -3,7 +3,6 @@ package tls
|
|||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
)
|
||||
|
@ -24,7 +23,7 @@ func ReadRootCASecret(client corev1listers.SecretNamespaceLister) ([]byte, error
|
|||
result = stlsca.Data[rootCAKey]
|
||||
}
|
||||
if len(result) == 0 {
|
||||
return nil, fmt.Errorf("%s in secret %s/%s", ErrorsNotFound, config.KyvernoNamespace(), stlsca.Name)
|
||||
return nil, fmt.Errorf("%s in secret %s/%s", ErrorsNotFound, secretNamespace(), stlsca.Name)
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
|
|
@ -8,8 +8,6 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
@ -37,11 +35,18 @@ type CertRenewer interface {
|
|||
RenewTLS(context.Context) error
|
||||
}
|
||||
|
||||
type client interface {
|
||||
Get(context.Context, string, metav1.GetOptions) (*corev1.Secret, error)
|
||||
Create(context.Context, *corev1.Secret, metav1.CreateOptions) (*corev1.Secret, error)
|
||||
Update(context.Context, *corev1.Secret, metav1.UpdateOptions) (*corev1.Secret, error)
|
||||
Delete(context.Context, string, metav1.DeleteOptions) error
|
||||
}
|
||||
|
||||
// certRenewer creates rootCA and pem pair to register
|
||||
// webhook configurations and webhook server
|
||||
// renews RootCA at the given interval
|
||||
type certRenewer struct {
|
||||
client controllerutils.ObjectClient[*corev1.Secret]
|
||||
client client
|
||||
certRenewalInterval time.Duration
|
||||
caValidityDuration time.Duration
|
||||
tlsValidityDuration time.Duration
|
||||
|
@ -52,7 +57,7 @@ type certRenewer struct {
|
|||
|
||||
// NewCertRenewer returns an instance of CertRenewer
|
||||
func NewCertRenewer(
|
||||
client controllerutils.ObjectClient[*corev1.Secret],
|
||||
client client,
|
||||
certRenewalInterval,
|
||||
caValidityDuration,
|
||||
tlsValidityDuration time.Duration,
|
||||
|
@ -214,7 +219,7 @@ func (c *certRenewer) decodeTLSSecret(ctx context.Context) (*corev1.Secret, *rsa
|
|||
}
|
||||
|
||||
func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
|
||||
logger := logger.WithValues("name", name, "namespace", config.KyvernoNamespace())
|
||||
logger := logger.WithValues("name", name, "namespace", secretNamespace())
|
||||
secret, err := c.getSecret(ctx, name)
|
||||
if err != nil && !apierrors.IsNotFound(err) {
|
||||
logger.Error(err, "failed to get CA secret")
|
||||
|
@ -224,7 +229,7 @@ func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.Pri
|
|||
secret = &corev1.Secret{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: name,
|
||||
Namespace: config.KyvernoNamespace(),
|
||||
Namespace: secretNamespace(),
|
||||
Labels: map[string]string{
|
||||
kyverno.LabelCertManagedBy: kyverno.ValueKyvernoApp,
|
||||
},
|
||||
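Review bot: The new unexported `client` interface has no doc comment, and the struct field and the NewCertRenewer parameter are both named `client` with type `client`, so inside the constructor the parameter shadows the type name for the whole body. Suggest giving the type a distinct name, e.g. `type secretClient interface {` with `client secretClient` in the struct and `client secretClient,` in the constructor, documented as `// secretClient is the narrow subset of the Secret client the renewer needs; keeping it local avoids depending on the generic ObjectClient from pkg/utils/controller.` (the import hunk drops two lines, presumably config and controllerutils, though the page does not show which). The later hunks in this section (writeSecret) only swap `config.KyvernoNamespace()` for `secretNamespace()` and need no change. certRenewer and NewCertRenewer both continue outside their hunks.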
|
|
|
@ -4,6 +4,7 @@ import (
|
|||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
|
@ -96,11 +97,26 @@ func isSecretManagedByKyverno(secret *corev1.Secret) bool {
|
|||
return true
|
||||
}
|
||||
|
||||
// inClusterServiceName The generated service name should be the common name for TLS certificate
|
||||
func inClusterServiceName() string {
|
||||
return config.KyvernoServiceName() + "." + config.KyvernoNamespace() + ".svc"
|
||||
}
|
||||
|
||||
func commonName() string {
|
||||
return config.KyvernoServiceName()
|
||||
}
|
||||
|
||||
func dnsNames() []string {
|
||||
return []string{
|
||||
commonName(),
|
||||
fmt.Sprintf("%s.%s", config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
inClusterServiceName(),
|
||||
}
|
||||
}
|
||||
|
||||
func secretNamespace() string {
|
||||
return config.KyvernoNamespace()
|
||||
}
|
||||
|
||||
func GenerateTLSPairSecretName() string {
|
||||
return inClusterServiceName() + ".kyverno-tls-pair"
|
||||
}
|
||||
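Review bot: `dnsNames` builds its second entry with `fmt.Sprintf("%s.%s", config.KyvernoServiceName(), config.KyvernoNamespace())` while `inClusterServiceName` directly above builds the same prefix by concatenation, and `fmt` appears to be the single import this section adds to the file solely for that call; `commonName() + "." + config.KyvernoNamespace(),` reads the same, derives all three SAN entries from one source, and would let the added import go, which is the stated aim of the commit. Because the returned slice is what generateTLS places in the certificate's DNSNames — the identities a client validates the webhook's server certificate against — a comment such as `// dnsNames lists every name the webhook may be reached by in-cluster: the bare service name, service.namespace and the service FQDN; all three must stay in the SAN list.` would make the contract explicit. `commonName` and `secretNamespace` are thin wrappers over config and are fine as written. isSecretManagedByKyverno opens outside the hunk and only its tail is visible here.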
|
|