move client to pkg, helper script for self-signed certs & update documentation

documentation/installation.md

@@ -69,5 +69,9 @@ Kyverno uses secrets created above to define the TLS configuration for the webse
 
 To deploy the Kyverno project, run `kubectl create -f definitions/install.yaml`. You can ignore the error 'namespaces "kyverno" already exists', which occurs as we previously created the namespace while creating the secrets.
 
+*If tls pair secret is created and secret for root CA is not defined, then Kyverno follows its default behaviour of generating new tls pair and generate certificate signing request for issuer to issue certificate.*
+
+Script to generate self-signed certificate and corresponding kubernetes secrets: [helper script](/scripts/generate-self-signed-cert-and-k8secrets.sh)
+
 ---
 <small>*Read Next >> [Writing Policies](/documentation/writing-policies.md)*</small>

init.go

@@ -3,7 +3,7 @@ package main
 import (
 	"log"
 
-	client "github.com/nirmata/kyverno/client"
+	client "github.com/nirmata/kyverno/pkg/dclient"
 	tls "github.com/nirmata/kyverno/pkg/tls"
 
 	rest "k8s.io/client-go/rest"

main.go

@@ -4,8 +4,8 @@ import (
 	"flag"
 	"log"
 
-	client "github.com/nirmata/kyverno/client"
 	controller "github.com/nirmata/kyverno/pkg/controller"
+	client "github.com/nirmata/kyverno/pkg/dclient"
 	event "github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/sharedinformer"
 	"github.com/nirmata/kyverno/pkg/violation"

pkg/controller/controller.go

@@ -6,9 +6,9 @@ import (
 	"os"
 	"time"
 
-	client "github.com/nirmata/kyverno/client"
 	types "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
 	lister "github.com/nirmata/kyverno/pkg/client/listers/policy/v1alpha1"
+	client "github.com/nirmata/kyverno/pkg/dclient"
 	event "github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/sharedinformer"
 	violation "github.com/nirmata/kyverno/pkg/violation"

pkg/engine/generation.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"log"
 
-	client "github.com/nirmata/kyverno/client"
 	kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
+	client "github.com/nirmata/kyverno/pkg/dclient"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 

pkg/event/controller.go

@@ -6,10 +6,10 @@ import (
 	"os"
 	"time"
 
-	client "github.com/nirmata/kyverno/client"
 	"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
 	policyscheme "github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
 	v1alpha1 "github.com/nirmata/kyverno/pkg/client/listers/policy/v1alpha1"
+	client "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/sharedinformer"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"

pkg/violation/builder.go

@@ -5,9 +5,9 @@ import (
 	"log"
 	"os"
 
-	client "github.com/nirmata/kyverno/client"
 	types "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
 	v1alpha1 "github.com/nirmata/kyverno/pkg/client/listers/policy/v1alpha1"
+	client "github.com/nirmata/kyverno/pkg/dclient"
 	event "github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/sharedinformer"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"

pkg/webhooks/registration.go

@@ -4,7 +4,7 @@ import (
 	"errors"
 	"io/ioutil"
 
-	"github.com/nirmata/kyverno/client"
+	"github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/config"
 
 	admregapi "k8s.io/api/admissionregistration/v1beta1"

pkg/webhooks/server.go

@@ -12,9 +12,9 @@ import (
 	"os"
 	"time"
 
-	"github.com/nirmata/kyverno/client"
 	"github.com/nirmata/kyverno/pkg/client/listers/policy/v1alpha1"
 	"github.com/nirmata/kyverno/pkg/config"
+	client "github.com/nirmata/kyverno/pkg/dclient"
 	engine "github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/sharedinformer"
 	tlsutils "github.com/nirmata/kyverno/pkg/tls"

scripts/generate-self-signed-cert-and-k8secrets.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+echo "Generating self-signed certificate"
+# generate priv key for root CA
+openssl genrsa -out rootCA.key 4096 
+# generate root CA
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=US/ST=test/L=test /O=test /OU=PIB/CN=*.kyverno.svc/emailAddress=test@test.com"
+# generate priv key
+openssl genrsa -out webhook.key 4096
+# generate certificate
+openssl req -new -key webhook.key -out webhook.csr -subj "/C=US/ST=test /L=test /O=test /OU=PIB/CN=kyverno-svc.kyverno.svc/emailAddress=test@test.com"
+# sign the certificate using the root CA
+openssl x509 -req -in webhook.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out webhook.crt -days 1024 -sha256
+
+echo "Generating corresponding kubernetes secrets for TLS pair and root CA"
+# create project namespace
+kubectl create ns kyverno
+# create tls pair secret
+kubectl -n kyverno create secret tls kyverno-svc.kyverno.svc.kyverno-tls-pair --cert=webhook.crt --key=webhook.key
+# annotate tls pair secret to specify use of self-signed certificates and check if root CA is created as secret
+kubectl annotate secret kyverno-svc.kyverno.svc.kyverno-tls-pair -n kyverno self-signed-cert=true
+# create root CA secret
+kubectl -n kyverno create secret generic kyverno-svc.kyverno.svc.kyverno-tls-ca --from-file=rootCA.crt