
fix: include ca key in secret (#3804)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2022-05-11 09:11:50 +02:00 committed by GitHub
parent 2064a69b8a
commit a32d0f8029
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 18 additions and 10 deletions


@ -130,7 +130,7 @@ The command removes all the Kubernetes components associated with the chart and
| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
| serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false |
| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false |
| installCRDs | bool | `true` | Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created. |
| networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
| networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |


@ -7,8 +7,10 @@ metadata:
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
type: kubernetes.io/tls
data:
rootCA.crt: {{ $ca.Cert | b64enc }}
tls.key: {{ $ca.Key | b64enc }}
tls.crt: {{ $ca.Cert | b64enc }}
---
apiVersion: v1
kind: Secret
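Review bot: The `tls.key` entry added at L40 places the Helm-generated CA private key into the `kyverno-tls-ca` Secret, so any principal with `get`/`list` on Secrets in the Kyverno namespace can now mint certificates the admission webhooks trust; that is a new trust boundary the template and README should state explicitly, e.g. a template comment `# tls.key is the CA private key — restrict read access to this Secret via RBAC` next to L40. Dropping `rootCA.crt` at L39 also means a Kyverno image older than this change, which reads only that key, finds no CA in a chart-generated secret; if mixed chart/image versions are supported, keeping `rootCA.crt` alongside `tls.crt` for one release would avoid that. The `$ca` value this hunk renders is defined above the hunk and is not visible here.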


@ -351,7 +351,7 @@ serviceMonitor:
# 2) Provide your own CA and cert.
# In this case, you will need to create a certificate with a specific name and data structure.
# As long as you follow the naming scheme, it will be automatically picked up.
# kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt)
# kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt)
# kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt)
# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false


@ -24,7 +24,7 @@ const (
// ManagedByLabel is added to Kyverno managed secrets
ManagedByLabel string = "cert.kyverno.io/managed-by"
MasterDeploymentUID string = "cert.kyverno.io/master-deployment-uid"
RootCAKey string = "rootCA.crt"
rootCAKey string = "rootCA.crt"
rollingUpdateAnnotation string = "update.kyverno.io/force-rolling-update"
)
@ -145,9 +145,10 @@ func (c *CertRenewer) WriteCACertToSecret(caPEM *PemPair) error {
},
},
Data: map[string][]byte{
RootCAKey: caPEM.Certificate,
v1.TLSCertKey: caPEM.Certificate,
v1.TLSPrivateKeyKey: caPEM.PrivateKey,
},
Type: v1.SecretTypeOpaque,
Type: v1.SecretTypeTLS,
}
_, err = c.client.CoreV1().Secrets(c.certProps.Namespace).Create(context.TODO(), secret, metav1.CreateOptions{})
if err == nil {
@ -164,9 +165,11 @@ func (c *CertRenewer) WriteCACertToSecret(caPEM *PemPair) error {
}
dataMap := map[string][]byte{
RootCAKey: caPEM.Certificate,
v1.TLSCertKey: caPEM.Certificate,
v1.TLSPrivateKeyKey: caPEM.PrivateKey,
}
secret.Type = v1.SecretTypeTLS
secret.Data = dataMap
_, err = c.client.CoreV1().Secrets(c.certProps.Namespace).Update(context.TODO(), secret, metav1.UpdateOptions{})
if err != nil {
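Review bot: The update path sets `secret.Type = v1.SecretTypeTLS` at L88 on a secret fetched from the cluster, but Kubernetes validates a Secret's `type` as immutable on update, so an existing `kyverno-tls-ca` created as `Opaque` by the previous code (L76) makes the `Update` at L90 fail with "field is immutable" on every upgrade from a pre-change install. Either leave the existing type alone on this path (an Opaque secret holding `tls.crt`/`tls.key` is read just as well by `ReadRootCASecret`) or, if the type should converge to `kubernetes.io/tls`, delete and recreate the secret when the type differs, as sketched below. The sketch returns the delete/create error directly, so the error handling that follows L90 outside this hunk should be applied to it as well; `WriteCACertToSecret` continues past the end of the hunk.
```go
dataMap := map[string][]byte{
	v1.TLSCertKey:       caPEM.Certificate,
	v1.TLSPrivateKeyKey: caPEM.PrivateKey,
}
if secret.Type != v1.SecretTypeTLS {
	// Secret.type is immutable after creation, so a legacy Opaque
	// kyverno-tls-ca must be replaced rather than updated in place.
	if err := c.client.CoreV1().Secrets(c.certProps.Namespace).Delete(context.TODO(), secret.Name, metav1.DeleteOptions{}); err != nil {
		return err
	}
	fresh := &v1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:        secret.Name,
			Namespace:   secret.Namespace,
			Labels:      secret.Labels,
			Annotations: secret.Annotations,
		},
		Type: v1.SecretTypeTLS,
		Data: dataMap,
	}
	_, err = c.client.CoreV1().Secrets(c.certProps.Namespace).Create(context.TODO(), fresh, metav1.CreateOptions{})
	return err
}
secret.Data = dataMap
_, err = c.client.CoreV1().Secrets(c.certProps.Namespace).Update(context.TODO(), secret, metav1.UpdateOptions{})
// … unchanged: error handling after the update …
```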


@ -45,12 +45,15 @@ func ReadRootCASecret(restConfig *rest.Config, client kubernetes.Interface) (res
if managedByKyverno && (ok && deplHashSec != deplHash) {
return nil, fmt.Errorf("outdated secret")
}
result = stlsca.Data[RootCAKey]
// try "tls.crt"
result = stlsca.Data[v1.TLSCertKey]
// if not there, try old "rootCA.crt"
if len(result) == 0 {
result = stlsca.Data[rootCAKey]
}
if len(result) == 0 {
return nil, errors.Errorf("%s in secret %s/%s", ErrorsNotFound, certProps.Namespace, stlsca.Name)
}
return result, nil
}
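Review bot: The lookup at L101-L105 returns whatever bytes sit under `tls.crt` (or the legacy `rootCA.crt`) without checking that they form a PEM certificate, so a malformed user-supplied CA secret (option 2 in the chart README) is only detected later, when the webhook configuration is registered with that bundle. A cheap guard here gives a clearer failure at the source: `if blk, _ := pem.Decode(result); blk == nil || blk.Type != "CERTIFICATE" { return nil, errors.Errorf("%s in secret %s/%s is not a PEM certificate", v1.TLSCertKey, certProps.Namespace, stlsca.Name) }` (needs `encoding/pem`). The comment on L102 should also say why the fallback exists, e.g. `// secrets written before the move to kubernetes.io/tls only carry rootCA.crt; drop once those are migrated`. `ReadRootCASecret` begins above this hunk.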