1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

fix: update certmanager and config to take common name and namespace as arguments (#8129)

* feat: add namespace and common name args

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: remove unnecessary dns name

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

---------

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Vishal Choudhary 2023-08-28 17:34:37 +05:30 committed by GitHub
parent ce66667779
commit b374c05517
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 55 additions and 44 deletions

View file

@ -88,8 +88,8 @@ func main() {
ctx, setup, sdown := internal.Setup(appConfig, "kyverno-cleanup-controller", false)
defer sdown()
// certificates informers
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod)
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod)
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
if !informers.StartInformersAndWaitForCacheSync(ctx, setup.Logger, caSecret, tlsSecret) {
setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
os.Exit(1)
@ -115,10 +115,10 @@ func main() {
tls.TLSValidityDuration,
serverIP,
config.KyvernoServiceName(),
config.DnsNames(),
config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
config.KyvernoNamespace(),
config.GenerateRootCASecretName(),
config.GenerateTLSPairSecretName(),
config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
)
certController := internal.NewController(
certmanager.ControllerName,
@ -126,6 +126,8 @@ func main() {
caSecret,
tlsSecret,
renewer,
config.KyvernoServiceName(),
config.KyvernoNamespace(),
),
certmanager.Workers,
)
@ -292,7 +294,7 @@ func main() {
// create server
server := NewServer(
func() ([]byte, []byte, error) {
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName())
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()))
if err != nil {
return nil, nil, err
}

View file

@ -62,7 +62,7 @@ func main() {
failure := false
run := func(context.Context) {
name := config.GenerateRootCASecretName()
name := config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace())
_, err := setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
if err != nil {
logging.V(2).Info("failed to fetch root CA secret", "name", name, "error", err.Error())
@ -71,7 +71,7 @@ func main() {
}
}
name = config.GenerateTLSPairSecretName()
name = config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace())
_, err = setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
if err != nil {
logging.V(2).Info("failed to fetch TLS Pair secret", "name", name, "error", err.Error())

View file

@ -121,6 +121,8 @@ func createrLeaderControllers(
caInformer,
tlsInformer,
certRenewer,
config.KyvernoServiceName(),
config.KyvernoNamespace(),
)
webhookController := webhookcontroller.NewController(
dynamicClient.Discovery(),
@ -229,8 +231,8 @@ func main() {
// setup
signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-admission-controller", false)
defer sdown()
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod)
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod)
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
if !informers.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, caSecret, tlsSecret) {
setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
os.Exit(1)
@ -262,10 +264,10 @@ func main() {
tls.TLSValidityDuration,
serverIP,
config.KyvernoServiceName(),
config.DnsNames(),
config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
config.KyvernoNamespace(),
config.GenerateRootCASecretName(),
config.GenerateTLSPairSecretName(),
config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
)
policyCache := policycache.NewCache()
omitEventsValues := strings.Split(omitEvents, ",")
@ -463,7 +465,7 @@ func main() {
DumpPayload: dumpPayload,
},
func() ([]byte, []byte, error) {
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName())
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()))
if err != nil {
return nil, nil, err
}

View file

@ -2,22 +2,22 @@ package config
import "fmt"
func InClusterServiceName() string {
return KyvernoServiceName() + "." + KyvernoNamespace() + ".svc"
func InClusterServiceName(commonName string, namespace string) string {
return commonName + "." + namespace + ".svc"
}
func DnsNames() []string {
func DnsNames(commonName string, namespace string) []string {
return []string{
KyvernoServiceName(),
fmt.Sprintf("%s.%s", KyvernoServiceName(), KyvernoNamespace()),
InClusterServiceName(),
commonName,
fmt.Sprintf("%s.%s", commonName, namespace),
InClusterServiceName(commonName, namespace),
}
}
func GenerateTLSPairSecretName() string {
return InClusterServiceName() + ".kyverno-tls-pair"
func GenerateTLSPairSecretName(commonName string, namespace string) string {
return InClusterServiceName(commonName, namespace) + ".kyverno-tls-pair"
}
func GenerateRootCASecretName() string {
return InClusterServiceName() + ".kyverno-tls-ca"
func GenerateRootCASecretName(commonName string, namespace string) string {
return InClusterServiceName(commonName, namespace) + ".kyverno-tls-ca"
}

View file

@ -36,12 +36,17 @@ type controller struct {
queue workqueue.RateLimitingInterface
caEnqueue controllerutils.EnqueueFunc
tlsEnqueue controllerutils.EnqueueFunc
commonName string
namespace string
}
func NewController(
caInformer corev1informers.SecretInformer,
tlsInformer corev1informers.SecretInformer,
certRenewer tls.CertRenewer,
commonName string,
namespace string,
) controllers.Controller {
queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName)
c := controller{
@ -51,6 +56,8 @@ func NewController(
queue: queue,
caEnqueue: controllerutils.AddDefaultEventHandlers(logger, caInformer.Informer(), queue),
tlsEnqueue: controllerutils.AddDefaultEventHandlers(logger, tlsInformer.Informer(), queue),
commonName: commonName,
namespace: namespace,
}
return &c
}
@ -60,28 +67,28 @@ func (c *controller) Run(ctx context.Context, workers int) {
// this way we ensure the reconcile happens (hence renewal/creation)
if err := c.tlsEnqueue(&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: config.KyvernoNamespace(),
Name: config.GenerateTLSPairSecretName(),
Namespace: c.namespace,
Name: config.GenerateTLSPairSecretName(c.commonName, c.namespace),
},
}); err != nil {
logger.Error(err, "failed to enqueue secret", "name", config.GenerateTLSPairSecretName())
logger.Error(err, "failed to enqueue secret", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
}
if err := c.caEnqueue(&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: config.KyvernoNamespace(),
Name: config.GenerateRootCASecretName(),
Namespace: c.namespace,
Name: config.GenerateRootCASecretName(c.commonName, c.namespace),
},
}); err != nil {
logger.Error(err, "failed to enqueue CA secret", "name", config.GenerateRootCASecretName())
logger.Error(err, "failed to enqueue CA secret", "name", config.GenerateRootCASecretName(c.commonName, c.namespace))
}
controllerutils.Run(ctx, logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile, c.ticker)
}
func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, namespace, name string) error {
if namespace != config.KyvernoNamespace() {
if namespace != c.namespace {
return nil
}
if name != config.GenerateTLSPairSecretName() && name != config.GenerateRootCASecretName() {
if name != config.GenerateTLSPairSecretName(c.commonName, c.namespace) && name != config.GenerateRootCASecretName(c.commonName, c.namespace) {
return nil
}
return c.renewCertificates(ctx)

View file

@ -98,17 +98,17 @@ func NewController(
controllerutils.AddEventHandlersT(
secretInformer.Informer(),
func(obj *corev1.Secret) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
c.enqueue()
}
},
func(_, obj *corev1.Secret) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
c.enqueue()
}
},
func(obj *corev1.Secret) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
c.enqueue()
}
},
@ -130,7 +130,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
if key != c.webhookName {
return nil
}
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister)
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister)
if err != nil {
return err
}

View file

@ -158,17 +158,17 @@ func NewController(
controllerutils.AddEventHandlersT(
secretInformer.Informer(),
func(obj *corev1.Secret) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
c.enqueueAll()
}
},
func(_, obj *corev1.Secret) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
c.enqueueAll()
}
},
func(obj *corev1.Secret) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
c.enqueueAll()
}
},
@ -340,7 +340,7 @@ func (c *controller) reconcileVerifyMutatingWebhookConfiguration(ctx context.Con
}
func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
if err != nil {
return err
}
@ -370,7 +370,7 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
}
func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
if err != nil {
return err
}

View file

@ -132,9 +132,9 @@ func (c *certRenewer) RenewCA(ctx context.Context) error {
return err
}
if !valid {
logger.Info("mismatched certs chain, renewing", "CA certificate", config.GenerateRootCASecretName(), "TLS certificate", config.GenerateTLSPairSecretName())
logger.Info("mismatched certs chain, renewing", "CA certificate", config.GenerateRootCASecretName(c.commonName, c.namespace), "TLS certificate", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
if err := c.RenewTLS(ctx); err != nil {
logger.Error(err, "failed to renew TLS certificate", "name", config.GenerateTLSPairSecretName())
logger.Error(err, "failed to renew TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
return err
}
}
@ -158,7 +158,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
if cert != nil {
valid, err := c.ValidateCert(ctx)
if err != nil || !valid {
logger.Info("invalid cert chain, renewing TLS certificate", "name", config.GenerateTLSPairSecretName(), "error", err.Error())
logger.Info("invalid cert chain, renewing TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace), "error", err.Error())
} else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) {
logger.V(4).Info("TLS certificate does not need to be renewed")
return nil