diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index eabdac9bb2..0d5dd235e8 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -130,7 +130,7 @@ The command removes all the Kubernetes components associated with the chart and
 | serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
 | serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
 | serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
-| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false |
+| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false |
 | installCRDs | bool | `true` | Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created. |
 | networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
 | networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
diff --git a/charts/kyverno/templates/secret.yaml b/charts/kyverno/templates/secret.yaml
index 63bdd895f0..f3b891d189 100644
--- a/charts/kyverno/templates/secret.yaml
+++ b/charts/kyverno/templates/secret.yaml
@@ -7,8 +7,10 @@ metadata:
 name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
 labels: {{ include "kyverno.labels" . | nindent 4 }}
 app: kyverno
+type: kubernetes.io/tls
 data:
- rootCA.crt: {{ $ca.Cert | b64enc }}
+ tls.key: {{ $ca.Key | b64enc }}
+ tls.crt: {{ $ca.Cert | b64enc }}
 ---
 apiVersion: v1
 kind: Secret
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 0cd2924ddd..af87cbc4bb 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -351,7 +351,7 @@ serviceMonitor:
 # 2) Provide your own CA and cert.
 # In this case, you will need to create a certificate with a specific name and data structure.
 # As long as you follow the naming scheme, it will be automatically picked up.
-# kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt)
+# kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt)
 # kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt)
 # 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
 # If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
diff --git a/pkg/tls/certRenewer.go b/pkg/tls/certRenewer.go
index 30194dfda9..fa5691069a 100644
--- a/pkg/tls/certRenewer.go
+++ b/pkg/tls/certRenewer.go
@@ -24,7 +24,7 @@ const (
 // ManagedByLabel is added to Kyverno managed secrets
 ManagedByLabel string = "cert.kyverno.io/managed-by"
 MasterDeploymentUID string = "cert.kyverno.io/master-deployment-uid"
- RootCAKey string = "rootCA.crt"
+ rootCAKey string = "rootCA.crt"
 rollingUpdateAnnotation string = "update.kyverno.io/force-rolling-update"
 )
@@ -145,9 +145,10 @@ func (c *CertRenewer) WriteCACertToSecret(caPEM *PemPair) error {
 },
 },
 Data: map[string][]byte{
- RootCAKey: caPEM.Certificate,
+ v1.TLSCertKey: caPEM.Certificate,
+ v1.TLSPrivateKeyKey: caPEM.PrivateKey,
 },
- Type: v1.SecretTypeOpaque,
+ Type: v1.SecretTypeTLS,
 }
 _, err = c.client.CoreV1().Secrets(c.certProps.Namespace).Create(context.TODO(), secret, metav1.CreateOptions{})
 if err == nil {
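Review bot: The kyverno-tls-ca secret now holds the CA private key (`v1.TLSPrivateKeyKey: caPEM.PrivateKey`) next to the certificate, so any identity that is granted read access to that secret in order to obtain the CA bundle for webhook registration also obtains the key that can sign further serving certificates; the doc comment on WriteCACertToSecret, which sits outside the hunk, should say that the key is persisted here and why, and the RBAC granted on this secret should be reviewed with that in mind (the chart docs in this commit also now ask users who bring their own CA to place its private key in this secret). Separately, if `caPEM.PrivateKey` can be empty on this path (the hunk does not show where it comes from), the Create still succeeds, because for a kubernetes.io/tls secret the API server only checks that the `tls.crt` and `tls.key` entries exist, not that they are non-empty, leaving a CA secret with a blank key; returning an error when `len(caPEM.PrivateKey) == 0` before the Create would catch that. The same guard applies to the Update path in the next hunk.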
@@ -164,9 +165,11 @@ func (c *CertRenewer) WriteCACertToSecret(caPEM *PemPair) error {
 }
 dataMap := map[string][]byte{
- RootCAKey: caPEM.Certificate,
+ v1.TLSCertKey: caPEM.Certificate,
+ v1.TLSPrivateKeyKey: caPEM.PrivateKey,
 }
+ secret.Type = v1.SecretTypeTLS
 secret.Data = dataMap
 _, err = c.client.CoreV1().Secrets(c.certProps.Namespace).Update(context.TODO(), secret, metav1.UpdateOptions{})
 if err != nil {
diff --git a/pkg/tls/reader.go b/pkg/tls/reader.go
index 4d79ef743e..64856ec13c 100644
--- a/pkg/tls/reader.go
+++ b/pkg/tls/reader.go
@@ -45,12 +45,15 @@ func ReadRootCASecret(restConfig *rest.Config, client kubernetes.Interface) (res
 if managedByKyverno && (ok && deplHashSec != deplHash) {
 return nil, fmt.Errorf("outdated secret")
 }
-
- result = stlsca.Data[RootCAKey]
+ // try "tls.crt"
+ result = stlsca.Data[v1.TLSCertKey]
+ // if not there, try old "rootCA.crt"
+ if len(result) == 0 {
+ result = stlsca.Data[rootCAKey]
+ }
 if len(result) == 0 {
 return nil, errors.Errorf("%s in secret %s/%s", ErrorsNotFound, certProps.Namespace, stlsca.Name)
 }
-
 return result, nil
 }
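Review bot: `secret.Type = v1.SecretTypeTLS` on the update path will be rejected for a CA secret that an earlier release created as `v1.SecretTypeOpaque`, because a Secret's `type` is immutable once created; the Update then fails with an invalid-field error on every renewal and the secret is never migrated to the new layout. The upgrade path needs to replace the legacy secret (delete, then create with the new type) when `secret.Type != v1.SecretTypeTLS`, or leave the type alone and rewrite only the data. The sketch below assumes `secret` on this path came from a Get, which is why ResourceVersion is cleared before the Create; the error handling after the Update is outside the hunk.
```go
// … unchanged: dataMap construction …
if secret.Type != v1.SecretTypeTLS {
	// A Secret's type cannot be changed in place; replace the legacy Opaque secret.
	if err := c.client.CoreV1().Secrets(c.certProps.Namespace).Delete(context.TODO(), secret.Name, metav1.DeleteOptions{}); err != nil {
		return err
	}
	secret.Type = v1.SecretTypeTLS
	secret.ResourceVersion = ""
	secret.Data = dataMap
	_, err = c.client.CoreV1().Secrets(c.certProps.Namespace).Create(context.TODO(), secret, metav1.CreateOptions{})
	return err
}
secret.Data = dataMap
// … unchanged: Update call and its error handling …
```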
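Review bot: The not-found error after the new fallback still reports only the sentinel and the secret name, although two different entries have now been tried; naming them makes a failed upgrade diagnosable from the log line alone, e.g. `return nil, errors.Errorf("%s: neither %q nor %q in secret %s/%s", ErrorsNotFound, v1.TLSCertKey, rootCAKey, certProps.Namespace, stlsca.Name)`. The two inline comments would read better as one that gives the reason, `// secrets written before the kubernetes.io/tls migration store the CA under rootCA.crt`. The doc comment on ReadRootCASecret sits outside the hunk; it should state that both layouts are accepted and that only the certificate is returned, never the `tls.key` entry that the secret may now also carry.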