
fix: reduce tls package dependencies (#8107)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-08-24 13:52:57 +02:00 committed by GitHub
parent 10172ae8e0
commit 59c2a5d813
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 31 additions and 18 deletions


@ -5,13 +5,10 @@ import (
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"fmt"
"math/big"
"net"
"strings"
"time"
"github.com/kyverno/kyverno/pkg/config"
)
// generateCA creates the self-signed CA cert and private key
@ -53,11 +50,7 @@ func generateCA(key *rsa.PrivateKey, certValidityDuration time.Duration) (*rsa.P
func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey, certValidityDuration time.Duration) (*rsa.PrivateKey, *x509.Certificate, error) {
now := time.Now()
begin, end := now.Add(-1*time.Hour), now.Add(certValidityDuration)
dnsNames := []string{
config.KyvernoServiceName(),
fmt.Sprintf("%s.%s", config.KyvernoServiceName(), config.KyvernoNamespace()),
inClusterServiceName(),
}
dnsNames := dnsNames()
var ips []net.IP
if server != "" {
serverHost := server
@ -78,7 +71,7 @@ func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey,
templ := &x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{
CommonName: config.KyvernoServiceName(),
CommonName: commonName(),
},
DNSNames: dnsNames,
IPAddresses: ips,
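Review bot: In the second hunk `dnsNames := dnsNames()` declares a local that shadows the package-level `dnsNames` function for the rest of generateTLS; it compiles because the call is resolved before the new variable's scope begins, but it reads like a recursive call and is likely to be flagged by shadow linters. Prefer a distinct local, `names := dnsNames()`, with `DNSNames: names,` in the third hunk. Unrelated to this change but visible in the third hunk, `SerialNumber: big.NewInt(1)` gives every certificate issued under this CA the same serial, whereas RFC 5280 requires serials to be unique per issuer; a random serial would be a worthwhile follow-up. generateTLS continues outside both hunks.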


@ -3,7 +3,6 @@ package tls
import (
"fmt"
"github.com/kyverno/kyverno/pkg/config"
corev1 "k8s.io/api/core/v1"
corev1listers "k8s.io/client-go/listers/core/v1"
)
@ -24,7 +23,7 @@ func ReadRootCASecret(client corev1listers.SecretNamespaceLister) ([]byte, error
result = stlsca.Data[rootCAKey]
}
if len(result) == 0 {
return nil, fmt.Errorf("%s in secret %s/%s", ErrorsNotFound, config.KyvernoNamespace(), stlsca.Name)
return nil, fmt.Errorf("%s in secret %s/%s", ErrorsNotFound, secretNamespace(), stlsca.Name)
}
return result, nil
}


@ -8,8 +8,6 @@ import (
"time"
"github.com/kyverno/kyverno/api/kyverno"
"github.com/kyverno/kyverno/pkg/config"
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -37,11 +35,18 @@ type CertRenewer interface {
RenewTLS(context.Context) error
}
type client interface {
Get(context.Context, string, metav1.GetOptions) (*corev1.Secret, error)
Create(context.Context, *corev1.Secret, metav1.CreateOptions) (*corev1.Secret, error)
Update(context.Context, *corev1.Secret, metav1.UpdateOptions) (*corev1.Secret, error)
Delete(context.Context, string, metav1.DeleteOptions) error
}
// certRenewer creates rootCA and pem pair to register
// webhook configurations and webhook server
// renews RootCA at the given interval
type certRenewer struct {
client controllerutils.ObjectClient[*corev1.Secret]
client client
certRenewalInterval time.Duration
caValidityDuration time.Duration
tlsValidityDuration time.Duration
@ -52,7 +57,7 @@ type certRenewer struct {
// NewCertRenewer returns an instance of CertRenewer
func NewCertRenewer(
client controllerutils.ObjectClient[*corev1.Secret],
client client,
certRenewalInterval,
caValidityDuration,
tlsValidityDuration time.Duration,
@ -214,7 +219,7 @@ func (c *certRenewer) decodeTLSSecret(ctx context.Context) (*corev1.Secret, *rsa
}
func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
logger := logger.WithValues("name", name, "namespace", config.KyvernoNamespace())
logger := logger.WithValues("name", name, "namespace", secretNamespace())
secret, err := c.getSecret(ctx, name)
if err != nil && !apierrors.IsNotFound(err) {
logger.Error(err, "failed to get CA secret")
@ -224,7 +229,7 @@ func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.Pri
secret = &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: config.KyvernoNamespace(),
Namespace: secretNamespace(),
Labels: map[string]string{
kyverno.LabelCertManagedBy: kyverno.ValueKyvernoApp,
},
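Review bot: The new unexported interface `client` shares its name with the struct field `client client` and the NewCertRenewer parameter `client client`; inside NewCertRenewer the parameter shadows the type, so the interface cannot be named in that body, and the doubled word makes both declarations hard to read. Renaming the type, e.g. `type secretClient interface {` with `client secretClient` in both the struct and the constructor, avoids the shadowing. The interface also has no doc comment; `// secretClient is the subset of the Secret client that certRenewer needs.` would record why it replaces controllerutils.ObjectClient. NewCertRenewer's signature continues outside the hunk.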


@ -4,6 +4,7 @@ import (
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
"time"
"github.com/kyverno/kyverno/api/kyverno"
@ -96,11 +97,26 @@ func isSecretManagedByKyverno(secret *corev1.Secret) bool {
return true
}
// inClusterServiceName The generated service name should be the common name for TLS certificate
func inClusterServiceName() string {
return config.KyvernoServiceName() + "." + config.KyvernoNamespace() + ".svc"
}
func commonName() string {
return config.KyvernoServiceName()
}
func dnsNames() []string {
return []string{
commonName(),
fmt.Sprintf("%s.%s", config.KyvernoServiceName(), config.KyvernoNamespace()),
inClusterServiceName(),
}
}
func secretNamespace() string {
return config.KyvernoNamespace()
}
func GenerateTLSPairSecretName() string {
return inClusterServiceName() + ".kyverno-tls-pair"
}
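Review bot: The comment on `inClusterServiceName` in the second hunk says the generated in-cluster name "should be the common name for TLS certificate", but the new `commonName()` directly below returns `config.KyvernoServiceName()`, so the comment and the helper now contradict each other. At minimum the comment should be reworded, e.g. `// inClusterServiceName returns <service>.<namespace>.svc, used as a SAN and in the TLS pair secret name.`. The new helpers `commonName`, `dnsNames` and `secretNamespace` have no doc comments; a one-liner each (for example `// dnsNames returns the SANs placed on the serving certificate.`) would help, since they now define what the certificate is valid for. `dnsNames` could also build its second entry as `config.KyvernoServiceName() + "." + config.KyvernoNamespace(),`, matching `inClusterServiceName`, which would make the `fmt` import added in the first hunk unnecessary.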