diff --git a/cmd/cleanup-controller/main.go b/cmd/cleanup-controller/main.go
index 1b147cb0af..b0b963f989 100644
--- a/cmd/cleanup-controller/main.go
+++ b/cmd/cleanup-controller/main.go
@@ -88,8 +88,8 @@ func main() {
 ctx, setup, sdown := internal.Setup(appConfig, "kyverno-cleanup-controller", false)
 defer sdown()
 // certificates informers
- caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod)
- tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod)
+ caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
+ tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
 if !informers.StartInformersAndWaitForCacheSync(ctx, setup.Logger, caSecret, tlsSecret) {
 setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
 os.Exit(1)
@@ -115,10 +115,10 @@ func main() {
 tls.TLSValidityDuration,
 serverIP,
 config.KyvernoServiceName(),
- config.DnsNames(),
+ config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
 config.KyvernoNamespace(),
- config.GenerateRootCASecretName(),
- config.GenerateTLSPairSecretName(),
+ config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
+ config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
 )
 certController := internal.NewController(
 certmanager.ControllerName,
@@ -126,6 +126,8 @@ func main() {
 caSecret,
 tlsSecret,
 renewer,
+ config.KyvernoServiceName(),
+ config.KyvernoNamespace(),
 ),
 certmanager.Workers,
 )
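Review bot: The two informer constructors, the renewer arguments and the NewController arguments in these three hunks each re-evaluate `config.KyvernoServiceName()` and `config.KyvernoNamespace()` and rebuild the same Secret names, so a reader has to compare six call sites to confirm that the certmanager controller watches exactly the Secrets the renewer writes. Binding them once near the top of main, `serviceName := config.KyvernoServiceName()`, `namespace := config.KyvernoNamespace()`, `caSecretName := config.GenerateRootCASecretName(serviceName, namespace)` (and the TLS pair name likewise), and passing the locals makes that agreement visible at a glance. main starts and ends outside the hunks. The same repetition appears in the cmd/kyverno/main.go and cmd/kyverno-init/main.go hunks.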
@@ -292,7 +294,7 @@ func main() { // create server server := NewServer( func() ([]byte, []byte, error) { - secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName()) + secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace())) if err != nil { return nil, nil, err } diff --git a/cmd/kyverno-init/main.go b/cmd/kyverno-init/main.go index 0dc14a0141..19a6a1660a 100644 --- a/cmd/kyverno-init/main.go +++ b/cmd/kyverno-init/main.go @@ -62,7 +62,7 @@ func main() { failure := false run := func(context.Context) { - name := config.GenerateRootCASecretName() + name := config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) _, err := setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { logging.V(2).Info("failed to fetch root CA secret", "name", name, "error", err.Error()) @@ -71,7 +71,7 @@ func main() { } } - name = config.GenerateTLSPairSecretName() + name = config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) _, err = setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { logging.V(2).Info("failed to fetch TLS Pair secret", "name", name, "error", err.Error()) diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index ee4bd97b3b..874deb277b 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -121,6 +121,8 @@ func createrLeaderControllers( caInformer, tlsInformer, certRenewer, + config.KyvernoServiceName(), + config.KyvernoNamespace(), ) webhookController := webhookcontroller.NewController( dynamicClient.Discovery(), 
@@ -229,8 +231,8 @@ func main() {
 // setup
 signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-admission-controller", false)
 defer sdown()
- caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod)
- tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod)
+ caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
+ tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
 if !informers.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, caSecret, tlsSecret) {
 setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
 os.Exit(1)
@@ -262,10 +264,10 @@ func main() {
 tls.TLSValidityDuration,
 serverIP,
 config.KyvernoServiceName(),
- config.DnsNames(),
+ config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
 config.KyvernoNamespace(),
- config.GenerateRootCASecretName(),
- config.GenerateTLSPairSecretName(),
+ config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
+ config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
 )
 policyCache := policycache.NewCache()
 omitEventsValues := strings.Split(omitEvents, ",")
@@ -463,7 +465,7 @@ func main() {
 DumpPayload: dumpPayload,
 },
 func() ([]byte, []byte, error) {
- secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName())
+ secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()))
 if err != nil {
 return nil, nil, err
 }
diff --git a/pkg/config/tls.go b/pkg/config/tls.go
index 15d27d57d1..5ee85fd597 100644
--- a/pkg/config/tls.go
+++ b/pkg/config/tls.go
@@ -2,22 +2,22 @@ package config
 
 import "fmt"
 
-func InClusterServiceName() string {
- return KyvernoServiceName() + "." + KyvernoNamespace() + ".svc"
+func InClusterServiceName(commonName string, namespace string) string {
+ return commonName + "." + namespace + ".svc"
 }
 
-func DnsNames() []string {
+func DnsNames(commonName string, namespace string) []string {
 return []string{
- KyvernoServiceName(),
- fmt.Sprintf("%s.%s", KyvernoServiceName(), KyvernoNamespace()),
- InClusterServiceName(),
+ commonName,
+ fmt.Sprintf("%s.%s", commonName, namespace),
+ InClusterServiceName(commonName, namespace),
 }
 }
 
-func GenerateTLSPairSecretName() string {
- return InClusterServiceName() + ".kyverno-tls-pair"
+func GenerateTLSPairSecretName(commonName string, namespace string) string {
+ return InClusterServiceName(commonName, namespace) + ".kyverno-tls-pair"
 }
 
-func GenerateRootCASecretName() string {
- return InClusterServiceName() + ".kyverno-tls-ca"
+func GenerateRootCASecretName(commonName string, namespace string) string {
+ return InClusterServiceName(commonName, namespace) + ".kyverno-tls-ca"
 }
diff --git a/pkg/controllers/certmanager/controller.go b/pkg/controllers/certmanager/controller.go
index 9798db98a4..7c8c7a4950 100644
--- a/pkg/controllers/certmanager/controller.go
+++ b/pkg/controllers/certmanager/controller.go
@@ -36,12 +36,17 @@ type controller struct {
 queue workqueue.RateLimitingInterface
 caEnqueue controllerutils.EnqueueFunc
 tlsEnqueue controllerutils.EnqueueFunc
+
+ commonName string
+ namespace string
 }
 
 func NewController(
 caInformer corev1informers.SecretInformer,
 tlsInformer corev1informers.SecretInformer,
 certRenewer tls.CertRenewer,
+ commonName string,
+ namespace string,
 ) controllers.Controller {
 queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName)
 c := controller{
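Review bot: The four exported functions in pkg/config/tls.go gain parameters but still carry no doc comments, and nothing states what a caller gets for an empty `commonName` or `namespace`: `InClusterServiceName("", "ns")` yields `.ns.svc`, so the derived Secret names start with a dot, which is not a valid Kubernetes object name, and a misconfigured caller only fails later at the API server instead of at the point the name is built. Add `// InClusterServiceName returns the in-cluster DNS name <commonName>.<namespace>.svc of the webhook service; both arguments must be non-empty.` and matching one-line comments on DnsNames, GenerateTLSPairSecretName and GenerateRootCASecretName that name the `.kyverno-tls-pair` and `.kyverno-tls-ca` suffixes, since other controllers match Secrets by exactly these strings. Because the signature is changing anyway, this is also the natural moment to align `DnsNames` with Go's initialism convention (`DNSNames`), though that is a wider rename than this commit.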
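Review bot: NewController in pkg/controllers/certmanager/controller.go now takes `commonName` and `namespace` as parameters separate from `certRenewer`, while the pkg/tls/renewer.go hunks show the renewer carrying its own `c.commonName`/`c.namespace`; the controller's enqueue and reconcile filters and the Secrets the renewer actually writes can therefore drift if a caller passes different values to the two constructors. If the CertRenewer interface can expose them, deriving both fields from certRenewer removes the duplicate source of truth; otherwise document the invariant on the parameters, e.g. `// commonName and namespace select the CA and TLS pair Secrets this controller watches and must match the values certRenewer was built with.` It would also be worth precomputing the two Secret names once in the constructor (for example `caSecretName`/`tlsSecretName` fields) so Run and reconcile in the following hunks compare against stored strings instead of rebuilding them on every event. NewController's body continues past this hunk.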
@@ -51,6 +56,8 @@ func NewController(
 queue: queue,
 caEnqueue: controllerutils.AddDefaultEventHandlers(logger, caInformer.Informer(), queue),
 tlsEnqueue: controllerutils.AddDefaultEventHandlers(logger, tlsInformer.Informer(), queue),
+ commonName: commonName,
+ namespace: namespace,
 }
 return &c
 }
@@ -60,28 +67,28 @@ func (c *controller) Run(ctx context.Context, workers int) {
 // this way we ensure the reconcile happens (hence renewal/creation)
 if err := c.tlsEnqueue(&corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
- Namespace: config.KyvernoNamespace(),
- Name: config.GenerateTLSPairSecretName(),
+ Namespace: c.namespace,
+ Name: config.GenerateTLSPairSecretName(c.commonName, c.namespace),
 },
 }); err != nil {
- logger.Error(err, "failed to enqueue secret", "name", config.GenerateTLSPairSecretName())
+ logger.Error(err, "failed to enqueue secret", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
 }
 if err := c.caEnqueue(&corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
- Namespace: config.KyvernoNamespace(),
- Name: config.GenerateRootCASecretName(),
+ Namespace: c.namespace,
+ Name: config.GenerateRootCASecretName(c.commonName, c.namespace),
 },
 }); err != nil {
- logger.Error(err, "failed to enqueue CA secret", "name", config.GenerateRootCASecretName())
+ logger.Error(err, "failed to enqueue CA secret", "name", config.GenerateRootCASecretName(c.commonName, c.namespace))
 }
 controllerutils.Run(ctx, logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile, c.ticker)
 }
 
 func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, namespace, name string) error {
- if namespace != config.KyvernoNamespace() {
+ if namespace != c.namespace {
 return nil
 }
- if name != config.GenerateTLSPairSecretName() && name != config.GenerateRootCASecretName() {
+ if name != config.GenerateTLSPairSecretName(c.commonName, c.namespace) && name != config.GenerateRootCASecretName(c.commonName, c.namespace) {
 return nil
 }
 return c.renewCertificates(ctx)
diff --git a/pkg/controllers/generic/webhook/controller.go b/pkg/controllers/generic/webhook/controller.go
index bd4fb5b2b9..6390259eb0 100644
--- a/pkg/controllers/generic/webhook/controller.go
+++ b/pkg/controllers/generic/webhook/controller.go
@@ -98,17 +98,17 @@ func NewController(
 controllerutils.AddEventHandlersT(
 secretInformer.Informer(),
 func(obj *corev1.Secret) {
- if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
+ if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
 c.enqueue()
 }
 },
 func(_, obj *corev1.Secret) {
- if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
+ if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
 c.enqueue()
 }
 },
 func(obj *corev1.Secret) {
- if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
+ if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
 c.enqueue()
 }
 },
@@ -130,7 +130,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
 if key != c.webhookName {
 return nil
 }
- caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister)
+ caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister)
 if err != nil {
 return err
 }
diff --git a/pkg/controllers/webhook/controller.go b/pkg/controllers/webhook/controller.go
index ff020102b2..0b26c5a597 100644
--- a/pkg/controllers/webhook/controller.go
+++ b/pkg/controllers/webhook/controller.go
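Review bot: Each of the three informer event handlers rebuilds the CA Secret name with `config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace())` on every add, update and delete event, and reconcile in the next hunk rebuilds it again; hoisting `caSecretName := config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace())` before `controllerutils.AddEventHandlersT(` and comparing `obj.GetName() == caSecretName` in all three handlers is shorter and makes it obvious the filter is identical across them. This assumes KyvernoServiceName and KyvernoNamespace are fixed for the process lifetime, which the cmd/ call sites suggest but this hunk does not show. NewController's body starts before the hunk. The same three handlers, with `c.enqueueAll()`, appear in the pkg/controllers/webhook/controller.go hunk and would benefit from the same hoist.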
@@ -158,17 +158,17 @@ func NewController(
 controllerutils.AddEventHandlersT(
 secretInformer.Informer(),
 func(obj *corev1.Secret) {
- if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
+ if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
 c.enqueueAll()
 }
 },
 func(_, obj *corev1.Secret) {
- if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
+ if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
 c.enqueueAll()
 }
 },
 func(obj *corev1.Secret) {
- if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
+ if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
 c.enqueueAll()
 }
 },
@@ -340,7 +340,7 @@ func (c *controller) reconcileVerifyMutatingWebhookConfiguration(ctx context.Con
 }
 
 func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
- caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
+ caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
 if err != nil {
 return err
 }
@@ -370,7 +370,7 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
 }
 
 func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
- caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
+ caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
 if err != nil {
 return err
 }
diff --git a/pkg/tls/renewer.go b/pkg/tls/renewer.go
index 40b07f2745..5ad01ecc0e 100644
--- a/pkg/tls/renewer.go
+++ b/pkg/tls/renewer.go
@@ -132,9 +132,9 @@ func (c *certRenewer) RenewCA(ctx context.Context) error {
 return err
 }
 if !valid {
- logger.Info("mismatched certs chain, renewing", "CA certificate", config.GenerateRootCASecretName(), "TLS certificate", config.GenerateTLSPairSecretName())
+ logger.Info("mismatched certs chain, renewing", "CA certificate", config.GenerateRootCASecretName(c.commonName, c.namespace), "TLS certificate", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
 if err := c.RenewTLS(ctx); err != nil {
- logger.Error(err, "failed to renew TLS certificate", "name", config.GenerateTLSPairSecretName())
+ logger.Error(err, "failed to renew TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
 return err
 }
 }
@@ -158,7 +158,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
 if cert != nil {
 valid, err := c.ValidateCert(ctx)
 if err != nil || !valid {
- logger.Info("invalid cert chain, renewing TLS certificate", "name", config.GenerateTLSPairSecretName(), "error", err.Error())
+ logger.Info("invalid cert chain, renewing TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace), "error", err.Error())
 } else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) {
 logger.V(4).Info("TLS certificate does not need to be renewed")
 return nil
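Review bot: The rewritten log line still calls `err.Error()` inside a branch entered when `err != nil || !valid`, so the case where ValidateCert returns `valid == false` with a nil error panics on a nil interface instead of logging and going on to renew the certificate. Pass the error value rather than its string, `logger.Info("invalid cert chain, renewing TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace), "error", err)`, which logr renders as empty for nil, or split the two conditions into separate log statements. This predates the commit, but the line is being rewritten here, so it is the natural place to fix it. RenewTLS starts before and continues past the hunk.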