From ab6fc0ad1b9dc8a95c0ecd8f74a5ca684e62329e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Fri, 25 Aug 2023 13:24:52 +0200
Subject: [PATCH] fix: reduce tls package dependencies (part 2) (#8109)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Charles-Edouard Brétéché
---
 cmd/cleanup-controller/main.go | 11 +++++--
 cmd/kyverno-init/main.go | 5 ++-
 cmd/kyverno/main.go | 11 +++++--
 pkg/config/tls.go | 23 ++++++++++++++
 pkg/controllers/certmanager/controller.go | 10 +++---
 pkg/controllers/generic/webhook/controller.go | 8 ++---
 pkg/controllers/webhook/controller.go | 10 +++---
 pkg/tls/keypair.go | 5 ++-
 pkg/tls/reader.go | 9 +++---
 pkg/tls/renewer.go | 31 ++++++++++++++-----
 pkg/tls/utils.go | 30 ------------------
 11 files changed, 84 insertions(+), 69 deletions(-)
 create mode 100644 pkg/config/tls.go
diff --git a/cmd/cleanup-controller/main.go b/cmd/cleanup-controller/main.go
index e4719e2956..1b147cb0af 100644
--- a/cmd/cleanup-controller/main.go
+++ b/cmd/cleanup-controller/main.go
@@ -88,8 +88,8 @@ func main() {
 ctx, setup, sdown := internal.Setup(appConfig, "kyverno-cleanup-controller", false)
 defer sdown()
 // certificates informers
- caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tls.GenerateRootCASecretName(), resyncPeriod)
- tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tls.GenerateTLSPairSecretName(), resyncPeriod)
+ caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod)
+ tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod)
 if !informers.StartInformersAndWaitForCacheSync(ctx, setup.Logger, caSecret, tlsSecret) {
 setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
 os.Exit(1)
@@ -114,6 +114,11 @@ func main() {
 tls.CAValidityDuration,
 tls.TLSValidityDuration,
 serverIP,
+ config.KyvernoServiceName(),
+ config.DnsNames(),
+ config.KyvernoNamespace(),
+ config.GenerateRootCASecretName(),
+ config.GenerateTLSPairSecretName(),
 )
 certController := internal.NewController(
 certmanager.ControllerName,
@@ -287,7 +292,7 @@ func main() {
 // create server
 server := NewServer(
 func() ([]byte, []byte, error) {
- secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(tls.GenerateTLSPairSecretName())
+ secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName())
 if err != nil {
 return nil, nil, err
 }
diff --git a/cmd/kyverno-init/main.go b/cmd/kyverno-init/main.go
index 2ebf54f1ac..0dc14a0141 100644
--- a/cmd/kyverno-init/main.go
+++ b/cmd/kyverno-init/main.go
@@ -14,7 +14,6 @@ import (
 "github.com/kyverno/kyverno/pkg/config"
 "github.com/kyverno/kyverno/pkg/leaderelection"
 "github.com/kyverno/kyverno/pkg/logging"
- "github.com/kyverno/kyverno/pkg/tls"
 kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 coordinationv1 "k8s.io/api/coordination/v1"
 "k8s.io/apimachinery/pkg/api/errors"
@@ -63,7 +62,7 @@ func main() {
 failure := false
 run := func(context.Context) {
- name := tls.GenerateRootCASecretName()
+ name := config.GenerateRootCASecretName()
 _, err := setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
 if err != nil {
 logging.V(2).Info("failed to fetch root CA secret", "name", name, "error", err.Error())
@@ -72,7 +71,7 @@ func main() {
 }
 }
- name = tls.GenerateTLSPairSecretName()
+ name = config.GenerateTLSPairSecretName()
 _, err = setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
 if err != nil {
 logging.V(2).Info("failed to fetch TLS Pair secret", "name", name, "error", err.Error())
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 0fa9fed509..ee4bd97b3b 100644
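Review bot: The five values appended after `serverIP` in the `NewCertRenewer` call are all positional and four of them are plain strings, so a transposition here, or at the mirror call in `cmd/kyverno/main.go` in this same patch, compiles cleanly and silently yields a certificate with the wrong CN or the CA and TLS-pair material written under swapped Secret names. The callee's signature is not in this hunk; I am inferring the argument meaning from the renewer.go hunks of this patch. Since the same five expressions are repeated verbatim in both binaries, computing them once in `pkg/config` (one helper returning the certificate identity, or an options struct) would make the call sites self-describing; at minimum annotate each line inline, e.g. `config.KyvernoServiceName(), // certificate common name`. `main` starts and ends outside the hunk.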
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -229,8 +229,8 @@ func main() {
 // setup
 signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-admission-controller", false)
 defer sdown()
- caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tls.GenerateRootCASecretName(), resyncPeriod)
- tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tls.GenerateTLSPairSecretName(), resyncPeriod)
+ caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod)
+ tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod)
 if !informers.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, caSecret, tlsSecret) {
 setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
 os.Exit(1)
@@ -261,6 +261,11 @@ func main() {
 tls.CAValidityDuration,
 tls.TLSValidityDuration,
 serverIP,
+ config.KyvernoServiceName(),
+ config.DnsNames(),
+ config.KyvernoNamespace(),
+ config.GenerateRootCASecretName(),
+ config.GenerateTLSPairSecretName(),
 )
 policyCache := policycache.NewCache()
 omitEventsValues := strings.Split(omitEvents, ",")
@@ -458,7 +463,7 @@ func main() {
 DumpPayload: dumpPayload,
 },
 func() ([]byte, []byte, error) {
- secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(tls.GenerateTLSPairSecretName())
+ secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName())
 if err != nil {
 return nil, nil, err
 }
diff --git a/pkg/config/tls.go b/pkg/config/tls.go
new file mode 100644
index 0000000000..15d27d57d1
--- /dev/null
+++ b/pkg/config/tls.go
@@ -0,0 +1,23 @@
+package config
+
+import "fmt"
+
+func InClusterServiceName() string {
+ return KyvernoServiceName() + "." + KyvernoNamespace() + ".svc"
+}
+
+func DnsNames() []string {
+ return []string{
+ KyvernoServiceName(),
+ fmt.Sprintf("%s.%s", KyvernoServiceName(), KyvernoNamespace()),
+ InClusterServiceName(),
+ }
+}
+
+func GenerateTLSPairSecretName() string {
+ return InClusterServiceName() + ".kyverno-tls-pair"
+}
+
+func GenerateRootCASecretName() string {
+ return InClusterServiceName() + ".kyverno-tls-ca"
+}
diff --git a/pkg/controllers/certmanager/controller.go b/pkg/controllers/certmanager/controller.go
index 49aa949fd2..9798db98a4 100644
--- a/pkg/controllers/certmanager/controller.go
+++ b/pkg/controllers/certmanager/controller.go
@@ -61,18 +61,18 @@ func (c *controller) Run(ctx context.Context, workers int) {
 if err := c.tlsEnqueue(&corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: config.KyvernoNamespace(),
- Name: tls.GenerateTLSPairSecretName(),
+ Name: config.GenerateTLSPairSecretName(),
 },
 }); err != nil {
- logger.Error(err, "failed to enqueue secret", "name", tls.GenerateTLSPairSecretName())
+ logger.Error(err, "failed to enqueue secret", "name", config.GenerateTLSPairSecretName())
 }
 if err := c.caEnqueue(&corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: config.KyvernoNamespace(),
- Name: tls.GenerateRootCASecretName(),
+ Name: config.GenerateRootCASecretName(),
 },
 }); err != nil {
- logger.Error(err, "failed to enqueue CA secret", "name", tls.GenerateRootCASecretName())
+ logger.Error(err, "failed to enqueue CA secret", "name", config.GenerateRootCASecretName())
 }
 controllerutils.Run(ctx, logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile, c.ticker)
 }
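Review bot: The four exported functions in the new `pkg/config/tls.go` carry no doc comments, and `DnsNames` breaks the Go initialism convention; since this is a brand-new public API that both `cmd/*/main.go` files in this patch already call, it should be `DNSNames` before more callers depend on it. The comments matter here because these values are security-relevant: `DnsNames` is the SAN list that ends up in the webhook serving certificate, and the two `Generate*SecretName` results decide which Secrets every controller reads its CA and key pair from, so a change to the service name or namespace (their source is not visible in this hunk) silently re-points all of them. Suggested: `// DNSNames returns the subject alternative names written into the serving certificate: the bare service name, <svc>.<ns>, and the in-cluster <svc>.<ns>.svc name.` and `// GenerateRootCASecretName returns the name of the Secret holding the root CA; it is derived from the service name and namespace, so both must be stable across restarts.`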
@@ -81,7 +81,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
 if namespace != config.KyvernoNamespace() {
 return nil
 }
- if name != tls.GenerateTLSPairSecretName() && name != tls.GenerateRootCASecretName() {
+ if name != config.GenerateTLSPairSecretName() && name != config.GenerateRootCASecretName() {
 return nil
 }
 return c.renewCertificates(ctx)
diff --git a/pkg/controllers/generic/webhook/controller.go b/pkg/controllers/generic/webhook/controller.go
index f95bb53eb6..bd4fb5b2b9 100644
--- a/pkg/controllers/generic/webhook/controller.go
+++ b/pkg/controllers/generic/webhook/controller.go
@@ -98,17 +98,17 @@ func NewController(
 controllerutils.AddEventHandlersT(
 secretInformer.Informer(),
 func(obj *corev1.Secret) {
- if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
+ if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
 c.enqueue()
 }
 },
 func(_, obj *corev1.Secret) {
- if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
+ if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
 c.enqueue()
 }
 },
 func(obj *corev1.Secret) {
- if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
+ if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
 c.enqueue()
 }
 },
@@ -130,7 +130,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
 if key != c.webhookName {
 return nil
 }
- caData, err := tls.ReadRootCASecret(c.secretLister)
+ caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister)
 if err != nil {
 return err
 }
diff --git a/pkg/controllers/webhook/controller.go b/pkg/controllers/webhook/controller.go
index 614b1fc37b..ff020102b2 100644
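Review bot: In the generic webhook controller's `reconcile`, `ReadRootCASecret` is now handed `config.KyvernoNamespace()` next to `c.secretLister`, but nothing ties the two together: the lister is a `SecretNamespaceLister` already bound to whatever namespace it was built with, and per the reader.go hunk in this patch the namespace argument is used only to compose the not-found error text. If the lister was built for a different namespace, the error names a Secret that was never looked up, which sends an operator debugging a failed CA bundle rollout to the wrong place. The sibling call in `pkg/controllers/webhook/controller.go` passes `c.secretLister.Secrets(ns)` explicitly, which makes the coupling visible; this one would benefit from `// namespace is for error reporting only and must match the namespace c.secretLister was built with`, or from wiring both from one variable where the lister is constructed. `reconcile` continues past the end of the hunk.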
--- a/pkg/controllers/webhook/controller.go
+++ b/pkg/controllers/webhook/controller.go
@@ -158,17 +158,17 @@ func NewController(
 controllerutils.AddEventHandlersT(
 secretInformer.Informer(),
 func(obj *corev1.Secret) {
- if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
+ if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
 c.enqueueAll()
 }
 },
 func(_, obj *corev1.Secret) {
- if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
+ if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
 c.enqueueAll()
 }
 },
 func(obj *corev1.Secret) {
- if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
+ if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
 c.enqueueAll()
 }
 },
@@ -340,7 +340,7 @@ func (c *controller) reconcileVerifyMutatingWebhookConfiguration(ctx context.Con
 }
 func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
- caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
+ caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
 if err != nil {
 return err
 }
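Review bot: `config.KyvernoNamespace()` is evaluated twice on the new `ReadRootCASecret` line in `reconcileValidatingWebhookConfiguration`, once as the namespace argument and once to scope the lister; the two must agree for the not-found error to name the Secret that was actually read, and one named local makes that invariant explicit instead of incidental: `ns := config.KyvernoNamespace()` followed by `caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), ns, c.secretLister.Secrets(ns))`. Whether the accessor is cheap or reads mutable state is not visible here, so this is primarily a readability point. The same duplicated call appears in `reconcileMutatingWebhookConfiguration` in the next hunk; the function body continues past the end of this hunk.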
@@ -370,7 +370,7 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
 }
 func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
- caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
+ caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
 if err != nil {
 return err
 }
diff --git a/pkg/tls/keypair.go b/pkg/tls/keypair.go
index 7bf433a812..e9c1caf684 100644
--- a/pkg/tls/keypair.go
+++ b/pkg/tls/keypair.go
@@ -47,10 +47,9 @@ func generateCA(key *rsa.PrivateKey, certValidityDuration time.Duration) (*rsa.P
 // generateTLS takes the results of GenerateCACert and uses it to create the
 // PEM-encoded public certificate and private key, respectively
-func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey, certValidityDuration time.Duration) (*rsa.PrivateKey, *x509.Certificate, error) {
+func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey, certValidityDuration time.Duration, commonName string, dnsNames []string) (*rsa.PrivateKey, *x509.Certificate, error) {
 now := time.Now()
 begin, end := now.Add(-1*time.Hour), now.Add(certValidityDuration)
- dnsNames := dnsNames()
 var ips []net.IP
 if server != "" {
 serverHost := server
@@ -71,7 +70,7 @@ func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey,
 templ := &x509.Certificate{
 SerialNumber: big.NewInt(1),
 Subject: pkix.Name{
- CommonName: commonName(),
+ CommonName: commonName,
 },
 DNSNames: dnsNames,
 IPAddresses: ips,
diff --git a/pkg/tls/reader.go b/pkg/tls/reader.go
index cd35f85bfd..3800a8f5c6 100644
--- a/pkg/tls/reader.go
+++ b/pkg/tls/reader.go
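Review bot: `generateTLS` now takes `commonName` and `dnsNames` from its caller but validates neither; before this patch the package-local `dnsNames()` (removed in utils.go) always supplied three names, whereas an empty slice combined with `server == ""` now yields a certificate with no SAN entries, which Go's hostname verification rejects, so the failure would surface only as a webhook connection error at admission time rather than at renewal where it is logged. A guard at the top of the function keeps the error where it belongs: `if len(dnsNames) == 0 && server == "" { return nil, nil, fmt.Errorf("generateTLS: no DNS names or server address for certificate SANs") }` (`fmt` may need importing; the file's imports are not in view). Separately, the `SerialNumber: big.NewInt(1)` visible in the next hunk means every renewed leaf certificate shares one serial under the same issuer, which RFC 5280 forbids and which confuses clients that cache by issuer/serial; a random 128-bit serial from `crypto/rand` is the usual fix and is independent of this refactor. The body of `generateTLS` continues past the hunk.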
@@ -7,12 +7,11 @@ import (
 corev1listers "k8s.io/client-go/listers/core/v1"
 )
-var ErrorsNotFound = "root CA certificate not found"
+var errorsNotFound = "root CA certificate not found"
 // ReadRootCASecret returns the RootCA from the pre-defined secret
-func ReadRootCASecret(client corev1listers.SecretNamespaceLister) ([]byte, error) {
- sname := GenerateRootCASecretName()
- stlsca, err := client.Get(sname)
+func ReadRootCASecret(name, namespace string, client corev1listers.SecretNamespaceLister) ([]byte, error) {
+ stlsca, err := client.Get(name)
 if err != nil {
 return nil, err
 }
@@ -23,7 +22,7 @@ func ReadRootCASecret(client corev1listers.SecretNamespaceLister) ([]byte, error
 result = stlsca.Data[rootCAKey]
 }
 if len(result) == 0 {
- return nil, fmt.Errorf("%s in secret %s/%s", ErrorsNotFound, secretNamespace(), stlsca.Name)
+ return nil, fmt.Errorf("%s in secret %s/%s", errorsNotFound, namespace, stlsca.Name)
 }
 return result, nil
 }
diff --git a/pkg/tls/renewer.go b/pkg/tls/renewer.go
index 19db03ba95..937a5e646a 100644
--- a/pkg/tls/renewer.go
+++ b/pkg/tls/renewer.go
@@ -52,7 +52,12 @@ type certRenewer struct {
 tlsValidityDuration time.Duration
 // server is an IP address or domain name where Kyverno controller runs. Only required if out-of-cluster.
- server string
+ server string
+ commonName string
+ dnsNames []string
+ namespace string
+ caSecret string
+ pairSecret string
 }
 // NewCertRenewer returns an instance of CertRenewer
@@ -62,6 +67,11 @@ func NewCertRenewer(
 caValidityDuration, tlsValidityDuration time.Duration,
 server string,
+ commonName string,
+ dnsNames []string,
+ namespace string,
+ caSecret string,
+ pairSecret string,
 ) *certRenewer {
 return &certRenewer{
 client: client,
@@ -69,6 +79,11 @@ func NewCertRenewer(
 caValidityDuration: caValidityDuration,
 tlsValidityDuration: tlsValidityDuration,
 server: server,
+ commonName: commonName,
+ dnsNames: dnsNames,
+ namespace: namespace,
+ caSecret: caSecret,
+ pairSecret: pairSecret,
 }
 }
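Review bot: Unexporting `ErrorsNotFound` as `errorsNotFound` removes the only handle callers had on this failure, and it was never a usable sentinel anyway: it is a string that is formatted into a fresh error on every call, so the "secret exists but holds no CA data" case is indistinguishable from any other error without substring matching. Since the API is changing in this hunk, make it a real sentinel and wrap it, `var ErrRootCANotFound = errors.New("root CA certificate not found")` here and `return nil, fmt.Errorf("%w in secret %s/%s", ErrRootCANotFound, namespace, stlsca.Name)` in the next hunk, so callers can use `errors.Is` (adds an `errors` import). The new `namespace` parameter also needs documenting: it is used only for that message and nothing checks it against the namespace the lister was bound to, e.g. `// ReadRootCASecret returns the root CA bundle from Secret name, read through client; namespace is used only in the not-found error and must match the lister's namespace.`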
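Review bot: `NewCertRenewer` now takes five consecutive `string`/`[]string` parameters (`server`, `commonName`, `namespace`, `caSecret`, `pairSecret`) and the constructor comment still says only `// NewCertRenewer returns an instance of CertRenewer`, so a transposed argument at either call site in this patch compiles and is only detectable by inspecting the issued certificate or the Secret names in the cluster. The comment should at least spell out which value becomes the certificate CN, which slice becomes the SAN list, and that `caSecret` and `pairSecret` are Secret names resolved in `namespace`; longer term an options struct would make the call sites self-describing. The `dnsNames` slice is also stored by reference in the following hunk, so a caller can mutate the SAN list after construction; `dnsNames: append([]string(nil), dnsNames...)` closes that, though whether any caller does so is not visible here.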
@@ -142,7 +157,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
 }
 return err
 }
- tlsKey, tlsCert, err := generateTLS(c.server, caCerts[len(caCerts)-1], caKey, c.tlsValidityDuration)
+ tlsKey, tlsCert, err := generateTLS(c.server, caCerts[len(caCerts)-1], caKey, c.tlsValidityDuration, c.commonName, c.dnsNames)
 if err != nil {
 logger.Error(err, "failed to generate TLS")
 return err
@@ -201,11 +216,11 @@ func (c *certRenewer) decodeSecret(ctx context.Context, name string) (*corev1.Se
 }
 func (c *certRenewer) decodeCASecret(ctx context.Context) (*corev1.Secret, *rsa.PrivateKey, []*x509.Certificate, error) {
- return c.decodeSecret(ctx, GenerateRootCASecretName())
+ return c.decodeSecret(ctx, c.caSecret)
 }
 func (c *certRenewer) decodeTLSSecret(ctx context.Context) (*corev1.Secret, *rsa.PrivateKey, *x509.Certificate, error) {
- secret, key, certs, err := c.decodeSecret(ctx, GenerateTLSPairSecretName())
+ secret, key, certs, err := c.decodeSecret(ctx, c.pairSecret)
 if err != nil {
 return nil, nil, nil, err
 }
@@ -219,7 +234,7 @@ func (c *certRenewer) decodeTLSSecret(ctx context.Context) (*corev1.Secret, *rsa
 }
 func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
- logger := logger.WithValues("name", name, "namespace", secretNamespace())
+ logger := logger.WithValues("name", name, "namespace", c.namespace)
 secret, err := c.getSecret(ctx, name)
 if err != nil && !apierrors.IsNotFound(err) {
 logger.Error(err, "failed to get CA secret")
@@ -229,7 +244,7 @@ func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.Pri
 secret = &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
- Namespace: secretNamespace(),
+ Namespace: c.namespace,
 Labels: map[string]string{
 kyverno.LabelCertManagedBy: kyverno.ValueKyvernoApp,
 },
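Review bot: In `writeSecret`, the context line `logger.Error(err, "failed to get CA secret")` is reached for both Secrets, since `writeTLSSecret` in the following hunk routes the TLS key pair through the same function, so the message misattributes a failure on the pair Secret to the CA. Now that the logger created on the changed line already carries `name` and `namespace`, `logger.Error(err, "failed to get secret")` is both accurate and shorter. This message predates the patch; the refactor only touches the line beside it. `writeSecret` begins and ends outside the hunk.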
@@ -262,10 +277,10 @@ func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.Pri
 // writeCASecret stores the CA cert in secret
 func (c *certRenewer) writeCASecret(ctx context.Context, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
- return c.writeSecret(ctx, GenerateRootCASecretName(), key, certs...)
+ return c.writeSecret(ctx, c.caSecret, key, certs...)
 }
 // writeTLSSecret Writes the pair of TLS certificate and key to the specified secret.
 func (c *certRenewer) writeTLSSecret(ctx context.Context, key *rsa.PrivateKey, cert *x509.Certificate) error {
- return c.writeSecret(ctx, GenerateTLSPairSecretName(), key, cert)
+ return c.writeSecret(ctx, c.pairSecret, key, cert)
 }
diff --git a/pkg/tls/utils.go b/pkg/tls/utils.go
index 098150b00b..1e05eb0b47 100644
--- a/pkg/tls/utils.go
+++ b/pkg/tls/utils.go
@@ -4,11 +4,9 @@ import (
 "crypto/rsa"
 "crypto/x509"
 "encoding/pem"
- "fmt"
 "time"
 "github.com/kyverno/kyverno/api/kyverno"
- "github.com/kyverno/kyverno/pkg/config"
 corev1 "k8s.io/api/core/v1"
 )
@@ -96,31 +94,3 @@ func isSecretManagedByKyverno(secret *corev1.Secret) bool {
 }
 return true
 }
-
-func inClusterServiceName() string {
- return config.KyvernoServiceName() + "." + config.KyvernoNamespace() + ".svc"
-}
-
-func commonName() string {
- return config.KyvernoServiceName()
-}
-
-func dnsNames() []string {
- return []string{
- commonName(),
- fmt.Sprintf("%s.%s", config.KyvernoServiceName(), config.KyvernoNamespace()),
- inClusterServiceName(),
- }
-}
-
-func secretNamespace() string {
- return config.KyvernoNamespace()
-}
-
-func GenerateTLSPairSecretName() string {
- return inClusterServiceName() + ".kyverno-tls-pair"
-}
-
-func GenerateRootCASecretName() string {
- return inClusterServiceName() + ".kyverno-tls-ca"
-}