fix: reduce tls package dependencies (#8107)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-13 19:28:55 +00:00 · 2023-08-24 13:52:57 +02:00 · 2023-08-24 13:52:57 +02:00 · 59c2a5d813
commit 59c2a5d813
parent 10172ae8e0
4 changed files with 31 additions and 18 deletions
--- a/pkg/tls/keypair.go
+++ b/pkg/tls/keypair.go
@ -5,13 +5,10 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"fmt"
 	"math/big"
 	"net"
 	"strings"
 	"time"
-
-	"github.com/kyverno/kyverno/pkg/config"
 )

 // generateCA creates the self-signed CA cert and private key
@ -53,11 +50,7 @@ func generateCA(key *rsa.PrivateKey, certValidityDuration time.Duration) (*rsa.P
 func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey, certValidityDuration time.Duration) (*rsa.PrivateKey, *x509.Certificate, error) {
 	now := time.Now()
 	begin, end := now.Add(-1*time.Hour), now.Add(certValidityDuration)
-	dnsNames := []string{
-		config.KyvernoServiceName(),
-		fmt.Sprintf("%s.%s", config.KyvernoServiceName(), config.KyvernoNamespace()),
-		inClusterServiceName(),
-	}
+	dnsNames := dnsNames()
 	var ips []net.IP
 	if server != "" {
 		serverHost := server
@ -78,7 +71,7 @@ func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey,
 	templ := &x509.Certificate{
 		SerialNumber: big.NewInt(1),
 		Subject: pkix.Name{
-			CommonName: config.KyvernoServiceName(),
+			CommonName: commonName(),
 		},
 		DNSNames:              dnsNames,
 		IPAddresses:           ips,
--- a/pkg/tls/reader.go
+++ b/pkg/tls/reader.go
@ -3,7 +3,6 @@ package tls
 import (
 	"fmt"

-	"github.com/kyverno/kyverno/pkg/config"
 	corev1 "k8s.io/api/core/v1"
 	corev1listers "k8s.io/client-go/listers/core/v1"
 )
@ -24,7 +23,7 @@ func ReadRootCASecret(client corev1listers.SecretNamespaceLister) ([]byte, error
 		result = stlsca.Data[rootCAKey]
 	}
 	if len(result) == 0 {
-		return nil, fmt.Errorf("%s in secret %s/%s", ErrorsNotFound, config.KyvernoNamespace(), stlsca.Name)
+		return nil, fmt.Errorf("%s in secret %s/%s", ErrorsNotFound, secretNamespace(), stlsca.Name)
 	}
 	return result, nil
 }
--- a/pkg/tls/renewer.go
+++ b/pkg/tls/renewer.go
@ -8,8 +8,6 @@ import (
 	"time"

 	"github.com/kyverno/kyverno/api/kyverno"
-	"github.com/kyverno/kyverno/pkg/config"
-	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -37,11 +35,18 @@ type CertRenewer interface {
 	RenewTLS(context.Context) error
 }

+type client interface {
+	Get(context.Context, string, metav1.GetOptions) (*corev1.Secret, error)
+	Create(context.Context, *corev1.Secret, metav1.CreateOptions) (*corev1.Secret, error)
+	Update(context.Context, *corev1.Secret, metav1.UpdateOptions) (*corev1.Secret, error)
+	Delete(context.Context, string, metav1.DeleteOptions) error
+}
+
 // certRenewer creates rootCA and pem pair to register
 // webhook configurations and webhook server
 // renews RootCA at the given interval
 type certRenewer struct {
-	client              controllerutils.ObjectClient[*corev1.Secret]
+	client              client
 	certRenewalInterval time.Duration
 	caValidityDuration  time.Duration
 	tlsValidityDuration time.Duration
@ -52,7 +57,7 @@ type certRenewer struct {

 // NewCertRenewer returns an instance of CertRenewer
 func NewCertRenewer(
-	client controllerutils.ObjectClient[*corev1.Secret],
+	client client,
 	certRenewalInterval,
 	caValidityDuration,
 	tlsValidityDuration time.Duration,
@ -214,7 +219,7 @@ func (c *certRenewer) decodeTLSSecret(ctx context.Context) (*corev1.Secret, *rsa
 }

 func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
-	logger := logger.WithValues("name", name, "namespace", config.KyvernoNamespace())
+	logger := logger.WithValues("name", name, "namespace", secretNamespace())
 	secret, err := c.getSecret(ctx, name)
 	if err != nil && !apierrors.IsNotFound(err) {
 		logger.Error(err, "failed to get CA secret")
@ -224,7 +229,7 @@ func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.Pri
 		secret = &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
-				Namespace: config.KyvernoNamespace(),
+				Namespace: secretNamespace(),
 				Labels: map[string]string{
 					kyverno.LabelCertManagedBy: kyverno.ValueKyvernoApp,
 				},
--- a/pkg/tls/utils.go
+++ b/pkg/tls/utils.go
@ -4,6 +4,7 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
+	"fmt"
 	"time"

 	"github.com/kyverno/kyverno/api/kyverno"
@ -96,11 +97,26 @@ func isSecretManagedByKyverno(secret *corev1.Secret) bool {
 	return true
 }

-// inClusterServiceName The generated service name should be the common name for TLS certificate
 func inClusterServiceName() string {
 	return config.KyvernoServiceName() + "." + config.KyvernoNamespace() + ".svc"
 }

+func commonName() string {
+	return config.KyvernoServiceName()
+}
+
+func dnsNames() []string {
+	return []string{
+		commonName(),
+		fmt.Sprintf("%s.%s", config.KyvernoServiceName(), config.KyvernoNamespace()),
+		inClusterServiceName(),
+	}
+}
+
+func secretNamespace() string {
+	return config.KyvernoNamespace()
+}
+
 func GenerateTLSPairSecretName() string {
 	return inClusterServiceName() + ".kyverno-tls-pair"
 }