fix: reduce tls package dependencies (part 2) (#8109)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
da086a252a
commit
ab6fc0ad1b
11 changed files with 84 additions and 69 deletions
|
@ -88,8 +88,8 @@ func main() {
|
||||||
ctx, setup, sdown := internal.Setup(appConfig, "kyverno-cleanup-controller", false)
|
ctx, setup, sdown := internal.Setup(appConfig, "kyverno-cleanup-controller", false)
|
||||||
defer sdown()
|
defer sdown()
|
||||||
// certificates informers
|
// certificates informers
|
||||||
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tls.GenerateRootCASecretName(), resyncPeriod)
|
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod)
|
||||||
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tls.GenerateTLSPairSecretName(), resyncPeriod)
|
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod)
|
||||||
if !informers.StartInformersAndWaitForCacheSync(ctx, setup.Logger, caSecret, tlsSecret) {
|
if !informers.StartInformersAndWaitForCacheSync(ctx, setup.Logger, caSecret, tlsSecret) {
|
||||||
setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
|
setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
|
@ -114,6 +114,11 @@ func main() {
|
||||||
tls.CAValidityDuration,
|
tls.CAValidityDuration,
|
||||||
tls.TLSValidityDuration,
|
tls.TLSValidityDuration,
|
||||||
serverIP,
|
serverIP,
|
||||||
|
config.KyvernoServiceName(),
|
||||||
|
config.DnsNames(),
|
||||||
|
config.KyvernoNamespace(),
|
||||||
|
config.GenerateRootCASecretName(),
|
||||||
|
config.GenerateTLSPairSecretName(),
|
||||||
)
|
)
|
||||||
certController := internal.NewController(
|
certController := internal.NewController(
|
||||||
certmanager.ControllerName,
|
certmanager.ControllerName,
|
||||||
|
@ -287,7 +292,7 @@ func main() {
|
||||||
// create server
|
// create server
|
||||||
server := NewServer(
|
server := NewServer(
|
||||||
func() ([]byte, []byte, error) {
|
func() ([]byte, []byte, error) {
|
||||||
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(tls.GenerateTLSPairSecretName())
|
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
|
|
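Review bot: The hunks at lines 33/38 and 88/92 evaluate `config.GenerateRootCASecretName()` and `config.GenerateTLSPairSecretName()` twice each — once for the secret informers and again as the `caSecret`/`pairSecret` arguments to `NewCertRenewer` — so the name the renewer writes and the name the informer watches only agree if those functions are pure, which cannot be confirmed from this page. Computing them once, e.g. `caSecretName := config.GenerateRootCASecretName()` and `pairSecretName := config.GenerateTLSPairSecretName()` before the informer setup, and passing the locals to both call sites removes that coupling and also labels the five same-typed positional string arguments at the end of the `NewCertRenewer` call, which are easy to transpose without a compile error. The same pattern appears in the admission-controller main.go section (lines 286/291 and 341/345). The `main` function these hunks belong to starts and ends outside the hunks.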
@ -14,7 +14,6 @@ import (
|
||||||
"github.com/kyverno/kyverno/pkg/config"
|
"github.com/kyverno/kyverno/pkg/config"
|
||||||
"github.com/kyverno/kyverno/pkg/leaderelection"
|
"github.com/kyverno/kyverno/pkg/leaderelection"
|
||||||
"github.com/kyverno/kyverno/pkg/logging"
|
"github.com/kyverno/kyverno/pkg/logging"
|
||||||
"github.com/kyverno/kyverno/pkg/tls"
|
|
||||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||||
coordinationv1 "k8s.io/api/coordination/v1"
|
coordinationv1 "k8s.io/api/coordination/v1"
|
||||||
"k8s.io/apimachinery/pkg/api/errors"
|
"k8s.io/apimachinery/pkg/api/errors"
|
||||||
|
@ -63,7 +62,7 @@ func main() {
|
||||||
failure := false
|
failure := false
|
||||||
|
|
||||||
run := func(context.Context) {
|
run := func(context.Context) {
|
||||||
name := tls.GenerateRootCASecretName()
|
name := config.GenerateRootCASecretName()
|
||||||
_, err := setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
|
_, err := setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logging.V(2).Info("failed to fetch root CA secret", "name", name, "error", err.Error())
|
logging.V(2).Info("failed to fetch root CA secret", "name", name, "error", err.Error())
|
||||||
|
@ -72,7 +71,7 @@ func main() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
name = tls.GenerateTLSPairSecretName()
|
name = config.GenerateTLSPairSecretName()
|
||||||
_, err = setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
|
_, err = setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logging.V(2).Info("failed to fetch TLS Pair secret", "name", name, "error", err.Error())
|
logging.V(2).Info("failed to fetch TLS Pair secret", "name", name, "error", err.Error())
|
||||||
|
|
|
@ -229,8 +229,8 @@ func main() {
|
||||||
// setup
|
// setup
|
||||||
signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-admission-controller", false)
|
signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-admission-controller", false)
|
||||||
defer sdown()
|
defer sdown()
|
||||||
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tls.GenerateRootCASecretName(), resyncPeriod)
|
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod)
|
||||||
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tls.GenerateTLSPairSecretName(), resyncPeriod)
|
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod)
|
||||||
if !informers.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, caSecret, tlsSecret) {
|
if !informers.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, caSecret, tlsSecret) {
|
||||||
setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
|
setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
|
@ -261,6 +261,11 @@ func main() {
|
||||||
tls.CAValidityDuration,
|
tls.CAValidityDuration,
|
||||||
tls.TLSValidityDuration,
|
tls.TLSValidityDuration,
|
||||||
serverIP,
|
serverIP,
|
||||||
|
config.KyvernoServiceName(),
|
||||||
|
config.DnsNames(),
|
||||||
|
config.KyvernoNamespace(),
|
||||||
|
config.GenerateRootCASecretName(),
|
||||||
|
config.GenerateTLSPairSecretName(),
|
||||||
)
|
)
|
||||||
policyCache := policycache.NewCache()
|
policyCache := policycache.NewCache()
|
||||||
omitEventsValues := strings.Split(omitEvents, ",")
|
omitEventsValues := strings.Split(omitEvents, ",")
|
||||||
|
@ -458,7 +463,7 @@ func main() {
|
||||||
DumpPayload: dumpPayload,
|
DumpPayload: dumpPayload,
|
||||||
},
|
},
|
||||||
func() ([]byte, []byte, error) {
|
func() ([]byte, []byte, error) {
|
||||||
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(tls.GenerateTLSPairSecretName())
|
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
|
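--- a/pkg/config/tls.go
+++ b/pkg/config/tls.go
@@ -0,0 +1,23 @@
+package config
+
+import "fmt"
+
+func InClusterServiceName() string {
+	return KyvernoServiceName() + "." + KyvernoNamespace() + ".svc"
+}
+
+func DnsNames() []string {
+	return []string{
+		KyvernoServiceName(),
+		fmt.Sprintf("%s.%s", KyvernoServiceName(), KyvernoNamespace()),
+		InClusterServiceName(),
+	}
+}
+
+func GenerateTLSPairSecretName() string {
+	return InClusterServiceName() + ".kyverno-tls-pair"
+}
+
+func GenerateRootCASecretName() string {
+	return InClusterServiceName() + ".kyverno-tls-ca"
+}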
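Review bot: None of the four exported functions in the new file carry a doc comment, and `DnsNames` should be `DNSNames` under Go's initialism convention (the callers at lines 80 and 333 would need the same rename); a one-line comment on each, such as `// GenerateRootCASecretName returns the name of the Secret holding the Kyverno root CA, derived from the in-cluster service name.`, would make the cross-package contract explicit now that these names are consumed from pkg/config rather than pkg/tls. `InClusterServiceName` hardcodes the `.svc` suffix, which presumably assumes the default cluster DNS domain; that assumption belongs in its comment. For consistency with line 433, the `fmt.Sprintf("%s.%s", ...)` entry in `DnsNames` could be plain concatenation, `KyvernoServiceName() + "." + KyvernoNamespace(),`, which would also drop the file's only import.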
@ -61,18 +61,18 @@ func (c *controller) Run(ctx context.Context, workers int) {
|
||||||
if err := c.tlsEnqueue(&corev1.Secret{
|
if err := c.tlsEnqueue(&corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: config.KyvernoNamespace(),
|
Namespace: config.KyvernoNamespace(),
|
||||||
Name: tls.GenerateTLSPairSecretName(),
|
Name: config.GenerateTLSPairSecretName(),
|
||||||
},
|
},
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
logger.Error(err, "failed to enqueue secret", "name", tls.GenerateTLSPairSecretName())
|
logger.Error(err, "failed to enqueue secret", "name", config.GenerateTLSPairSecretName())
|
||||||
}
|
}
|
||||||
if err := c.caEnqueue(&corev1.Secret{
|
if err := c.caEnqueue(&corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Namespace: config.KyvernoNamespace(),
|
Namespace: config.KyvernoNamespace(),
|
||||||
Name: tls.GenerateRootCASecretName(),
|
Name: config.GenerateRootCASecretName(),
|
||||||
},
|
},
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
logger.Error(err, "failed to enqueue CA secret", "name", tls.GenerateRootCASecretName())
|
logger.Error(err, "failed to enqueue CA secret", "name", config.GenerateRootCASecretName())
|
||||||
}
|
}
|
||||||
controllerutils.Run(ctx, logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile, c.ticker)
|
controllerutils.Run(ctx, logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile, c.ticker)
|
||||||
}
|
}
|
||||||
|
@ -81,7 +81,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
|
||||||
if namespace != config.KyvernoNamespace() {
|
if namespace != config.KyvernoNamespace() {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
if name != tls.GenerateTLSPairSecretName() && name != tls.GenerateRootCASecretName() {
|
if name != config.GenerateTLSPairSecretName() && name != config.GenerateRootCASecretName() {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
return c.renewCertificates(ctx)
|
return c.renewCertificates(ctx)
|
||||||
|
|
|
@ -98,17 +98,17 @@ func NewController(
|
||||||
controllerutils.AddEventHandlersT(
|
controllerutils.AddEventHandlersT(
|
||||||
secretInformer.Informer(),
|
secretInformer.Informer(),
|
||||||
func(obj *corev1.Secret) {
|
func(obj *corev1.Secret) {
|
||||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
|
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
|
||||||
c.enqueue()
|
c.enqueue()
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
func(_, obj *corev1.Secret) {
|
func(_, obj *corev1.Secret) {
|
||||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
|
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
|
||||||
c.enqueue()
|
c.enqueue()
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
func(obj *corev1.Secret) {
|
func(obj *corev1.Secret) {
|
||||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
|
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
|
||||||
c.enqueue()
|
c.enqueue()
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -130,7 +130,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
|
||||||
if key != c.webhookName {
|
if key != c.webhookName {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
caData, err := tls.ReadRootCASecret(c.secretLister)
|
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
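Review bot: At line 745 the namespace passed to `tls.ReadRootCASecret` (`config.KyvernoNamespace()`) and the namespace that `c.secretLister` is scoped to are coupled only by convention; in the reader's new body (line 1102) the namespace string is used solely in the not-found error message, so a mismatch would not change the lookup but would report a misleading `secret <ns>/<name>` in the error. The same applies to the two calls in the next section (lines 873 and 910), where the lister is built inline from a second `config.KyvernoNamespace()` call on the same line. Hoisting the value into a local, `ns := config.KyvernoNamespace()`, and using it for both the lister and the argument keeps the error text and the actual lookup in step. The enclosing `reconcile` function starts and ends outside the hunk.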
@ -158,17 +158,17 @@ func NewController(
|
||||||
controllerutils.AddEventHandlersT(
|
controllerutils.AddEventHandlersT(
|
||||||
secretInformer.Informer(),
|
secretInformer.Informer(),
|
||||||
func(obj *corev1.Secret) {
|
func(obj *corev1.Secret) {
|
||||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
|
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
|
||||||
c.enqueueAll()
|
c.enqueueAll()
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
func(_, obj *corev1.Secret) {
|
func(_, obj *corev1.Secret) {
|
||||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
|
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
|
||||||
c.enqueueAll()
|
c.enqueueAll()
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
func(obj *corev1.Secret) {
|
func(obj *corev1.Secret) {
|
||||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == tls.GenerateRootCASecretName() {
|
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
|
||||||
c.enqueueAll()
|
c.enqueueAll()
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -340,7 +340,7 @@ func (c *controller) reconcileVerifyMutatingWebhookConfiguration(ctx context.Con
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
|
func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
|
||||||
caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
|
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -370,7 +370,7 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
|
func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
|
||||||
caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
|
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
|
@ -47,10 +47,9 @@ func generateCA(key *rsa.PrivateKey, certValidityDuration time.Duration) (*rsa.P
|
||||||
|
|
||||||
// generateTLS takes the results of GenerateCACert and uses it to create the
|
// generateTLS takes the results of GenerateCACert and uses it to create the
|
||||||
// PEM-encoded public certificate and private key, respectively
|
// PEM-encoded public certificate and private key, respectively
|
||||||
func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey, certValidityDuration time.Duration) (*rsa.PrivateKey, *x509.Certificate, error) {
|
func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey, certValidityDuration time.Duration, commonName string, dnsNames []string) (*rsa.PrivateKey, *x509.Certificate, error) {
|
||||||
now := time.Now()
|
now := time.Now()
|
||||||
begin, end := now.Add(-1*time.Hour), now.Add(certValidityDuration)
|
begin, end := now.Add(-1*time.Hour), now.Add(certValidityDuration)
|
||||||
dnsNames := dnsNames()
|
|
||||||
var ips []net.IP
|
var ips []net.IP
|
||||||
if server != "" {
|
if server != "" {
|
||||||
serverHost := server
|
serverHost := server
|
||||||
|
@ -71,7 +70,7 @@ func generateTLS(server string, caCert *x509.Certificate, caKey *rsa.PrivateKey,
|
||||||
templ := &x509.Certificate{
|
templ := &x509.Certificate{
|
||||||
SerialNumber: big.NewInt(1),
|
SerialNumber: big.NewInt(1),
|
||||||
Subject: pkix.Name{
|
Subject: pkix.Name{
|
||||||
CommonName: commonName(),
|
CommonName: commonName,
|
||||||
},
|
},
|
||||||
DNSNames: dnsNames,
|
DNSNames: dnsNames,
|
||||||
IPAddresses: ips,
|
IPAddresses: ips,
|
||||||
|
|
|
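Review bot: The doc comment above the new `generateTLS` signature (lines 937–944) still describes only the CA inputs and refers to `GenerateCACert`, which does not match the `generateCA` name visible in the hunk header; it should state what the two new parameters are, e.g. `// generateTLS issues a leaf certificate signed by caCert/caKey, with Subject.CommonName set to commonName and dnsNames (plus the server IP when server is set) as SANs.`. The new parameters are also used unchecked: with an empty `dnsNames` and an empty `server`, the template at line 1010 gets no SANs at all, and since Go's verifier ignores CommonName for hostname checks, the resulting certificate would fail verification at the first webhook call rather than at renewal time; a guard before the template such as `if len(dnsNames) == 0 && server == "" { return nil, nil, errors.New("generateTLS: no DNS names or server IP for SANs") }` would surface that early (whether `errors` is already imported in this file is not visible here). The body of `generateTLS` continues past the hunk.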
@ -7,12 +7,11 @@ import (
|
||||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
var ErrorsNotFound = "root CA certificate not found"
|
var errorsNotFound = "root CA certificate not found"
|
||||||
|
|
||||||
// ReadRootCASecret returns the RootCA from the pre-defined secret
|
// ReadRootCASecret returns the RootCA from the pre-defined secret
|
||||||
func ReadRootCASecret(client corev1listers.SecretNamespaceLister) ([]byte, error) {
|
func ReadRootCASecret(name, namespace string, client corev1listers.SecretNamespaceLister) ([]byte, error) {
|
||||||
sname := GenerateRootCASecretName()
|
stlsca, err := client.Get(name)
|
||||||
stlsca, err := client.Get(sname)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -23,7 +22,7 @@ func ReadRootCASecret(client corev1listers.SecretNamespaceLister) ([]byte, error
|
||||||
result = stlsca.Data[rootCAKey]
|
result = stlsca.Data[rootCAKey]
|
||||||
}
|
}
|
||||||
if len(result) == 0 {
|
if len(result) == 0 {
|
||||||
return nil, fmt.Errorf("%s in secret %s/%s", ErrorsNotFound, secretNamespace(), stlsca.Name)
|
return nil, fmt.Errorf("%s in secret %s/%s", errorsNotFound, namespace, stlsca.Name)
|
||||||
}
|
}
|
||||||
return result, nil
|
return result, nil
|
||||||
}
|
}
|
||||||
|
|
|
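Review bot: `errorsNotFound` at line 1041 is still a plain string that is formatted into a fresh error on every call (line 1102), so callers cannot use `errors.Is` to tell "CA not found" apart from a lister failure; since the commit already renames it, a sentinel `var ErrRootCANotFound = errors.New("root CA certificate not found")` wrapped via `fmt.Errorf("%w in secret %s/%s", ErrRootCANotFound, namespace, stlsca.Name)` would cost no extra lines (it needs the `errors` import if the file lacks it). The new `namespace` parameter is used only in that message, not in the lookup — the lister is already namespace-scoped — which the doc comment at line 1049 should say, e.g. `// ReadRootCASecret returns the root CA from the named secret via the given namespace-scoped lister; namespace is used only for error reporting.`. Unexporting `ErrorsNotFound` is also an API change for any out-of-tree importer, though none is visible on this page.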
@ -52,7 +52,12 @@ type certRenewer struct {
|
||||||
tlsValidityDuration time.Duration
|
tlsValidityDuration time.Duration
|
||||||
|
|
||||||
// server is an IP address or domain name where Kyverno controller runs. Only required if out-of-cluster.
|
// server is an IP address or domain name where Kyverno controller runs. Only required if out-of-cluster.
|
||||||
server string
|
server string
|
||||||
|
commonName string
|
||||||
|
dnsNames []string
|
||||||
|
namespace string
|
||||||
|
caSecret string
|
||||||
|
pairSecret string
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewCertRenewer returns an instance of CertRenewer
|
// NewCertRenewer returns an instance of CertRenewer
|
||||||
|
@ -62,6 +67,11 @@ func NewCertRenewer(
|
||||||
caValidityDuration,
|
caValidityDuration,
|
||||||
tlsValidityDuration time.Duration,
|
tlsValidityDuration time.Duration,
|
||||||
server string,
|
server string,
|
||||||
|
commonName string,
|
||||||
|
dnsNames []string,
|
||||||
|
namespace string,
|
||||||
|
caSecret string,
|
||||||
|
pairSecret string,
|
||||||
) *certRenewer {
|
) *certRenewer {
|
||||||
return &certRenewer{
|
return &certRenewer{
|
||||||
client: client,
|
client: client,
|
||||||
|
@ -69,6 +79,11 @@ func NewCertRenewer(
|
||||||
caValidityDuration: caValidityDuration,
|
caValidityDuration: caValidityDuration,
|
||||||
tlsValidityDuration: tlsValidityDuration,
|
tlsValidityDuration: tlsValidityDuration,
|
||||||
server: server,
|
server: server,
|
||||||
|
commonName: commonName,
|
||||||
|
dnsNames: dnsNames,
|
||||||
|
namespace: namespace,
|
||||||
|
caSecret: caSecret,
|
||||||
|
pairSecret: pairSecret,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -142,7 +157,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
|
||||||
}
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
tlsKey, tlsCert, err := generateTLS(c.server, caCerts[len(caCerts)-1], caKey, c.tlsValidityDuration)
|
tlsKey, tlsCert, err := generateTLS(c.server, caCerts[len(caCerts)-1], caKey, c.tlsValidityDuration, c.commonName, c.dnsNames)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(err, "failed to generate TLS")
|
logger.Error(err, "failed to generate TLS")
|
||||||
return err
|
return err
|
||||||
|
@ -201,11 +216,11 @@ func (c *certRenewer) decodeSecret(ctx context.Context, name string) (*corev1.Se
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *certRenewer) decodeCASecret(ctx context.Context) (*corev1.Secret, *rsa.PrivateKey, []*x509.Certificate, error) {
|
func (c *certRenewer) decodeCASecret(ctx context.Context) (*corev1.Secret, *rsa.PrivateKey, []*x509.Certificate, error) {
|
||||||
return c.decodeSecret(ctx, GenerateRootCASecretName())
|
return c.decodeSecret(ctx, c.caSecret)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *certRenewer) decodeTLSSecret(ctx context.Context) (*corev1.Secret, *rsa.PrivateKey, *x509.Certificate, error) {
|
func (c *certRenewer) decodeTLSSecret(ctx context.Context) (*corev1.Secret, *rsa.PrivateKey, *x509.Certificate, error) {
|
||||||
secret, key, certs, err := c.decodeSecret(ctx, GenerateTLSPairSecretName())
|
secret, key, certs, err := c.decodeSecret(ctx, c.pairSecret)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, nil, err
|
return nil, nil, nil, err
|
||||||
}
|
}
|
||||||
|
@ -219,7 +234,7 @@ func (c *certRenewer) decodeTLSSecret(ctx context.Context) (*corev1.Secret, *rsa
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
|
func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
|
||||||
logger := logger.WithValues("name", name, "namespace", secretNamespace())
|
logger := logger.WithValues("name", name, "namespace", c.namespace)
|
||||||
secret, err := c.getSecret(ctx, name)
|
secret, err := c.getSecret(ctx, name)
|
||||||
if err != nil && !apierrors.IsNotFound(err) {
|
if err != nil && !apierrors.IsNotFound(err) {
|
||||||
logger.Error(err, "failed to get CA secret")
|
logger.Error(err, "failed to get CA secret")
|
||||||
|
@ -229,7 +244,7 @@ func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.Pri
|
||||||
secret = &corev1.Secret{
|
secret = &corev1.Secret{
|
||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: name,
|
Name: name,
|
||||||
Namespace: secretNamespace(),
|
Namespace: c.namespace,
|
||||||
Labels: map[string]string{
|
Labels: map[string]string{
|
||||||
kyverno.LabelCertManagedBy: kyverno.ValueKyvernoApp,
|
kyverno.LabelCertManagedBy: kyverno.ValueKyvernoApp,
|
||||||
},
|
},
|
||||||
|
@ -262,10 +277,10 @@ func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.Pri
|
||||||
|
|
||||||
// writeCASecret stores the CA cert in secret
|
// writeCASecret stores the CA cert in secret
|
||||||
func (c *certRenewer) writeCASecret(ctx context.Context, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
|
func (c *certRenewer) writeCASecret(ctx context.Context, key *rsa.PrivateKey, certs ...*x509.Certificate) error {
|
||||||
return c.writeSecret(ctx, GenerateRootCASecretName(), key, certs...)
|
return c.writeSecret(ctx, c.caSecret, key, certs...)
|
||||||
}
|
}
|
||||||
|
|
||||||
// writeTLSSecret Writes the pair of TLS certificate and key to the specified secret.
|
// writeTLSSecret Writes the pair of TLS certificate and key to the specified secret.
|
||||||
func (c *certRenewer) writeTLSSecret(ctx context.Context, key *rsa.PrivateKey, cert *x509.Certificate) error {
|
func (c *certRenewer) writeTLSSecret(ctx context.Context, key *rsa.PrivateKey, cert *x509.Certificate) error {
|
||||||
return c.writeSecret(ctx, GenerateTLSPairSecretName(), key, cert)
|
return c.writeSecret(ctx, c.pairSecret, key, cert)
|
||||||
}
|
}
|
||||||
|
|
|
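Review bot: The five fields added to `certRenewer` at lines 1145–1161 have no comments, while the neighbouring `server` field documents its meaning and when it is required; `caSecret`/`pairSecret` in particular are secret names (see their use at lines 1341 and 1359), which the field names alone do not convey — e.g. `// caSecret and pairSecret are the names of the Secrets, in namespace, that hold the CA and the TLS pair.`. `NewCertRenewer` (lines 1197–1267) stores the caller's `dnsNames` slice as-is, so a later mutation by the caller silently changes the SANs of the next renewed certificate; copying it, `dnsNames: append([]string(nil), dnsNames...),`, removes that aliasing. The constructor also accepts empty `namespace`, `caSecret` and `pairSecret` without complaint, which would only fail later inside `decodeSecret`/`writeSecret`, so at minimum its doc comment at line 1174 (`returns an instance of CertRenewer`) should name the new parameters and state that they are required. The same aliasing note applies to the hunk at lines 1232–1279 where the fields are assigned.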
@ -4,11 +4,9 @@ import (
|
||||||
"crypto/rsa"
|
"crypto/rsa"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
"fmt"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/kyverno/kyverno/api/kyverno"
|
"github.com/kyverno/kyverno/api/kyverno"
|
||||||
"github.com/kyverno/kyverno/pkg/config"
|
|
||||||
corev1 "k8s.io/api/core/v1"
|
corev1 "k8s.io/api/core/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -96,31 +94,3 @@ func isSecretManagedByKyverno(secret *corev1.Secret) bool {
|
||||||
}
|
}
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
func inClusterServiceName() string {
|
|
||||||
return config.KyvernoServiceName() + "." + config.KyvernoNamespace() + ".svc"
|
|
||||||
}
|
|
||||||
|
|
||||||
func commonName() string {
|
|
||||||
return config.KyvernoServiceName()
|
|
||||||
}
|
|
||||||
|
|
||||||
func dnsNames() []string {
|
|
||||||
return []string{
|
|
||||||
commonName(),
|
|
||||||
fmt.Sprintf("%s.%s", config.KyvernoServiceName(), config.KyvernoNamespace()),
|
|
||||||
inClusterServiceName(),
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func secretNamespace() string {
|
|
||||||
return config.KyvernoNamespace()
|
|
||||||
}
|
|
||||||
|
|
||||||
func GenerateTLSPairSecretName() string {
|
|
||||||
return inClusterServiceName() + ".kyverno-tls-pair"
|
|
||||||
}
|
|
||||||
|
|
||||||
func GenerateRootCASecretName() string {
|
|
||||||
return inClusterServiceName() + ".kyverno-tls-ca"
|
|
||||||
}
|
|
||||||
|
|