fix: reduce tls package dependencies (part 2) (#8109)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-28 02:18:15 +00:00 · 2023-08-25 13:24:52 +02:00 · 2023-08-25 13:24:52 +02:00 · ab6fc0ad1b
commit ab6fc0ad1b
parent da086a252a
11 changed files with 84 additions and 69 deletions
--- a/cmd/cleanup-controller/main.go
+++ b/cmd/cleanup-controller/main.go
@ -88,8 +88,8 @@ func main() {
 	ctx, setup, sdown := internal.Setup(appConfig, "kyverno-cleanup-controller", false)
 	defer sdown()
 	// certificates informers
-	caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tls.GenerateRootCASecretName(), resyncPeriod)
-	tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tls.GenerateTLSPairSecretName(), resyncPeriod)
+	caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod)
+	tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod)
 	if !informers.StartInformersAndWaitForCacheSync(ctx, setup.Logger, caSecret, tlsSecret) {
 		setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
 		os.Exit(1)
@ -114,6 +114,11 @@ func main() {
 				tls.CAValidityDuration,
 				tls.TLSValidityDuration,
 				serverIP,
+				config.KyvernoServiceName(),
+				config.DnsNames(),
+				config.KyvernoNamespace(),
+				config.GenerateRootCASecretName(),
+				config.GenerateTLSPairSecretName(),
 			)
 			certController := internal.NewController(
 				certmanager.ControllerName,
@ -287,7 +292,7 @@ func main() {
 	// create server
 	server := NewServer(
 		func() ([]byte, []byte, error) {
-			secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(tls.GenerateTLSPairSecretName())
+			secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName())
 			if err != nil {
 				return nil, nil, err
 			}
--- a/cmd/kyverno-init/main.go
+++ b/cmd/kyverno-init/main.go
@ -14,7 +14,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/leaderelection"
 	"github.com/kyverno/kyverno/pkg/logging"
-	"github.com/kyverno/kyverno/pkg/tls"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 	coordinationv1 "k8s.io/api/coordination/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@ -63,7 +62,7 @@ func main() {
 	failure := false

 	run := func(context.Context) {
-		name := tls.GenerateRootCASecretName()
+		name := config.GenerateRootCASecretName()
 		_, err := setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
 		if err != nil {
 			logging.V(2).Info("failed to fetch root CA secret", "name", name, "error", err.Error())
@ -72,7 +71,7 @@ func main() {
 			}
 		}

-		name = tls.GenerateTLSPairSecretName()
+		name = config.GenerateTLSPairSecretName()
 		_, err = setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
 		if err != nil {
 			logging.V(2).Info("failed to fetch TLS Pair secret", "name", name, "error", err.Error())
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -229,8 +229,8 @@ func main() {
 	// setup
 	signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-admission-controller", false)
 	defer sdown()
-	caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tls.GenerateRootCASecretName(), resyncPeriod)
-	tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tls.GenerateTLSPairSecretName(), resyncPeriod)
+	caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod)
+	tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod)
 	if !informers.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, caSecret, tlsSecret) {
 		setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
 		os.Exit(1)
@ -261,6 +261,11 @@ func main() {
 		tls.CAValidityDuration,
 		tls.TLSValidityDuration,
 		serverIP,
+		config.KyvernoServiceName(),
+		config.DnsNames(),
+		config.KyvernoNamespace(),
+		config.GenerateRootCASecretName(),
+		config.GenerateTLSPairSecretName(),
 	)
 	policyCache := policycache.NewCache()
 	omitEventsValues := strings.Split(omitEvents, ",")
@ -458,7 +463,7 @@ func main() {
 			DumpPayload: dumpPayload,
 		},
 		func() ([]byte, []byte, error) {
-			secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(tls.GenerateTLSPairSecretName())
+			secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName())
 			if err != nil {
 				return nil, nil, err
 			}
--- a/pkg/config/tls.go
+++ b/pkg/config/tls.go
@ -0,0 +1,23 @@
+package config
+
+import "fmt"
+
+func InClusterServiceName() string {
+	return KyvernoServiceName() + "." + KyvernoNamespace() + ".svc"
+}
+
+func DnsNames() []string {
+	return []string{
+		KyvernoServiceName(),
+		fmt.Sprintf("%s.%s", KyvernoServiceName(), KyvernoNamespace()),
+		InClusterServiceName(),
+	}
+}
+
+func GenerateTLSPairSecretName() string {
+	return InClusterServiceName() + ".kyverno-tls-pair"
+}
+
+func GenerateRootCASecretName() string {
+	return InClusterServiceName() + ".kyverno-tls-ca"
+}
--- a/pkg/controllers/certmanager/controller.go
+++ b/pkg/controllers/certmanager/controller.go
@ -61,18 +61,18 @@ func (c *controller) Run(ctx context.Context, workers int) {
 	if err := c.tlsEnqueue(&corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: config.KyvernoNamespace(),
-			Name:      tls.GenerateTLSPairSecretName(),
+			Name:      config.GenerateTLSPairSecretName(),
 		},
 	}); err != nil {
-		logger.Error(err, "failed to enqueue secret", "name", tls.GenerateTLSPairSecretName())
+		logger.Error(err, "failed to enqueue secret", "name", config.GenerateTLSPairSecretName())
 	}
 	if err := c.caEnqueue(&corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: config.KyvernoNamespace(),
-			Name:      tls.GenerateRootCASecretName(),
+			Name:      config.GenerateRootCASecretName(),
 		},
 	}); err != nil {
-		logger.Error(err, "failed to enqueue CA secret", "name", tls.GenerateRootCASecretName())
+		logger.Error(err, "failed to enqueue CA secret", "name", config.GenerateRootCASecretName())
 	}
 	controllerutils.Run(ctx, logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile, c.ticker)
 }
@ -81,7 +81,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
 	if namespace != config.KyvernoNamespace() {
 		return nil
 	}
-	if name != tls.GenerateTLSPairSecretName() && name != tls.GenerateRootCASecretName() {
+	if name != config.GenerateTLSPairSecretName() && name != config.GenerateRootCASecretName() {
 		return nil
 	}
 	return c.renewCertificates(ctx)
--- a/pkg/controllers/generic/webhook/controller.go
+++ b/pkg/controllers/generic/webhook/controller.go
@ -98,17 +98,17 @@ func NewController(
 	controllerutils.AddEventHandlersT(
 		secretInformer.Informer(),
 		func(obj *corev1.Secret) {
-			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
+			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
 				c.enqueue()
 			}
 		},
 		func(_, obj *corev1.Secret) {
-			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
+			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
 				c.enqueue()
 			}
 		},
 		func(obj *corev1.Secret) {
-			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
+			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
 				c.enqueue()
 			}
 		},
@ -130,7 +130,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
 	if key != c.webhookName {
 		return nil
 	}
-	caData, err := tls.ReadRootCASecret(c.secretLister)
+	caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister)
 	if err != nil {
 		return err
 	}
--- a/pkg/controllers/webhook/controller.go
+++ b/pkg/controllers/webhook/controller.go
@ -158,17 +158,17 @@ func NewController(
 	controllerutils.AddEventHandlersT(
 		secretInformer.Informer(),
 		func(obj *corev1.Secret) {
-			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
+			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
 				c.enqueueAll()
 			}
 		},
 		func(_, obj *corev1.Secret) {
-			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
+			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
 				c.enqueueAll()
 			}
 		},
 		func(obj *corev1.Secret) {
-			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
+			if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
 				c.enqueueAll()
 			}
 		},
@ -340,7 +340,7 @@ func (c *controller) reconcileVerifyMutatingWebhookConfiguration(ctx context.Con
 }

 func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
-	caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
+	caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
 	if err != nil {
 		return err
 	}
@ -370,7 +370,7 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
 }

 func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
-	caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
+	caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
 	if err != nil {
 		return err
 	}
--- a/pkg/tls/keypair.go
+++ b/pkg/tls/keypair.go
@ -47,10 +47,9 @@ func generateCA(key *rsa.PrivateKey, certValidityDuration time.Duration) (*rsa.P

 // generateTLS takes the results of GenerateCACert and uses it to create the
 // PEM-encoded public certificate and private key, respectively
-func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey, certValidityDuration time.Duration) (*rsa.PrivateKey, *x509.Certificate, error) {
+func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey, certValidityDuration time.Duration, commonName string, dnsNames []string) (*rsa.PrivateKey, *x509.Certificate, error) {
 	now := time.Now()
 	begin, end := now.Add(-1*time.Hour), now.Add(certValidityDuration)
-	dnsNames := dnsNames()
 	var ips []net.IP
 	if server != "" {
 		serverHost := server
@ -71,7 +70,7 @@ func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey,
 	templ := &x509.Certificate{
 		SerialNumber: big.NewInt(1),
 		Subject: pkix.Name{
-			CommonName: commonName(),
+			CommonName: commonName,
 		},
 		DNSNames:              dnsNames,
 		IPAddresses:           ips,
--- a/pkg/tls/reader.go
+++ b/pkg/tls/reader.go
@ -7,12 +7,11 @@ import (
 	corev1listers "k8s.io/client-go/listers/core/v1"
 )

-var ErrorsNotFound = "root CA certificate not found"
+var errorsNotFound = "root CA certificate not found"

 // ReadRootCASecret returns the RootCA from the pre-defined secret
-func ReadRootCASecret(client corev1listers.SecretNamespaceLister) ([]byte, error) {
-	sname := GenerateRootCASecretName()
-	stlsca, err := client.Get(sname)
+func ReadRootCASecret(name, namespace string, client corev1listers.SecretNamespaceLister) ([]byte, error) {
+	stlsca, err := client.Get(name)
 	if err != nil {
 		return nil, err
 	}
@ -23,7 +22,7 @@ func ReadRootCASecret(client corev1listers.SecretNamespaceLister) ([]byte, error
 		result = stlsca.Data[rootCAKey]
 	}
 	if len(result) == 0 {
-		return nil, fmt.Errorf("%s in secret %s/%s", ErrorsNotFound, secretNamespace(), stlsca.Name)
+		return nil, fmt.Errorf("%s in secret %s/%s", errorsNotFound, namespace, stlsca.Name)
 	}
 	return result, nil
 }
--- a/pkg/tls/renewer.go
+++ b/pkg/tls/renewer.go
@ -52,7 +52,12 @@ type certRenewer struct {
 	tlsValidityDuration time.Duration

 	// server is an IP address or domain name where Kyverno controller runs. Only required if out-of-cluster.
-	server string
+	server     string
+	commonName string
+	dnsNames   []string
+	namespace  string
+	caSecret   string
+	pairSecret string
 }

 // NewCertRenewer returns an instance of CertRenewer
@ -62,6 +67,11 @@ func NewCertRenewer(
 	caValidityDuration,
 	tlsValidityDuration time.Duration,
 	server string,
+	commonName string,
+	dnsNames []string,
+	namespace string,
+	caSecret string,
+	pairSecret string,
 ) *certRenewer {
 	return &certRenewer{
 		client:              client,
@ -69,6 +79,11 @@ func NewCertRenewer(
 		caValidityDuration:  caValidityDuration,
 		tlsValidityDuration: tlsValidityDuration,
 		server:              server,
+		commonName:          commonName,
+		dnsNames:            dnsNames,
+		namespace:           namespace,
+		caSecret:            caSecret,
+		pairSecret:          pairSecret,
 	}
 }

@ -142,7 +157,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
 		}
 		return err
 	}
-	tlsKey, tlsCert, err := generateTLS(c.server, caCerts[len(caCerts)-1], caKey, c.tlsValidityDuration)
+	tlsKey, tlsCert, err := generateTLS(c.server, caCerts[len(caCerts)-1], caKey, c.tlsValidityDuration, c.commonName, c.dnsNames)
 	if err != nil {
 		logger.Error(err, "failed to generate TLS")
 		return err
@ -201,11 +216,11 @@ func (c *certRenewer) decodeSecret(ctx context.Context, name string) (*corev1.Se
 }

 func (c *certRenewer) decodeCASecret(ctx context.Context) (*corev1.Secret, *rsa.PrivateKey, []*x509.Certificate, error) {
-	return c.decodeSecret(ctx, GenerateRootCASecretName())
+	return c.decodeSecret(ctx, c.caSecret)
 }

 func (c *certRenewer) decodeTLSSecret(ctx context.Context) (*corev1.Secret, *rsa.PrivateKey, *x509.Certificate, error) {
-	secret, key, certs, err := c.decodeSecret(ctx, GenerateTLSPairSecretName())
+	secret, key, certs, err := c.decodeSecret(ctx, c.pairSecret)
 	if err != nil {
 		return nil, nil, nil, err
 	}
@ -219,7 +234,7 @@ func (c *certRenewer) decodeTLSSecret(ctx context.Context) (*corev1.Secret, *rsa
 }

 func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
-	logger := logger.WithValues("name", name, "namespace", secretNamespace())
+	logger := logger.WithValues("name", name, "namespace", c.namespace)
 	secret, err := c.getSecret(ctx, name)
 	if err != nil && !apierrors.IsNotFound(err) {
 		logger.Error(err, "failed to get CA secret")
@ -229,7 +244,7 @@ func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.Pri
 		secret = &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      name,
-				Namespace: secretNamespace(),
+				Namespace: c.namespace,
 				Labels: map[string]string{
 					kyverno.LabelCertManagedBy: kyverno.ValueKyvernoApp,
 				},
@ -262,10 +277,10 @@ func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.Pri

 // writeCASecret stores the CA cert in secret
 func (c *certRenewer) writeCASecret(ctx context.Context, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
-	return c.writeSecret(ctx, GenerateRootCASecretName(), key, certs...)
+	return c.writeSecret(ctx, c.caSecret, key, certs...)
 }

 // writeTLSSecret Writes the pair of TLS certificate and key to the specified secret.
 func (c *certRenewer) writeTLSSecret(ctx context.Context, key *rsa.PrivateKey, cert *x509.Certificate) error {
-	return c.writeSecret(ctx, GenerateTLSPairSecretName(), key, cert)
+	return c.writeSecret(ctx, c.pairSecret, key, cert)
 }
--- a/pkg/tls/utils.go
+++ b/pkg/tls/utils.go
@ -4,11 +4,9 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"fmt"
 	"time"

 	"github.com/kyverno/kyverno/api/kyverno"
-	"github.com/kyverno/kyverno/pkg/config"
 	corev1 "k8s.io/api/core/v1"
 )

@ -96,31 +94,3 @@ func isSecretManagedByKyverno(secret *corev1.Secret) bool {
 	}
 	return true
 }
-
-func inClusterServiceName() string {
-	return config.KyvernoServiceName() + "." + config.KyvernoNamespace() + ".svc"
-}
-
-func commonName() string {
-	return config.KyvernoServiceName()
-}
-
-func dnsNames() []string {
-	return []string{
-		commonName(),
-		fmt.Sprintf("%s.%s", config.KyvernoServiceName(), config.KyvernoNamespace()),
-		inClusterServiceName(),
-	}
-}
-
-func secretNamespace() string {
-	return config.KyvernoNamespace()
-}
-
-func GenerateTLSPairSecretName() string {
-	return inClusterServiceName() + ".kyverno-tls-pair"
-}
-
-func GenerateRootCASecretName() string {
-	return inClusterServiceName() + ".kyverno-tls-ca"
-}