
fix: update certmanager and config to take common name and namespace as arguments (#8129)

* feat: add namespace and common name args

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: remove unnecessary dns name

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

---------

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Vishal Choudhary 2023-08-28 17:34:37 +05:30 committed by GitHub
parent ce66667779
commit b374c05517
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 55 additions and 44 deletions


@ -88,8 +88,8 @@ func main() {
ctx, setup, sdown := internal.Setup(appConfig, "kyverno-cleanup-controller", false) ctx, setup, sdown := internal.Setup(appConfig, "kyverno-cleanup-controller", false)
defer sdown() defer sdown()
// certificates informers // certificates informers
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod) caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod) tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
if !informers.StartInformersAndWaitForCacheSync(ctx, setup.Logger, caSecret, tlsSecret) { if !informers.StartInformersAndWaitForCacheSync(ctx, setup.Logger, caSecret, tlsSecret) {
setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync") setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
os.Exit(1) os.Exit(1)
@ -115,10 +115,10 @@ func main() {
tls.TLSValidityDuration, tls.TLSValidityDuration,
serverIP, serverIP,
config.KyvernoServiceName(), config.KyvernoServiceName(),
config.DnsNames(), config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
config.KyvernoNamespace(), config.KyvernoNamespace(),
config.GenerateRootCASecretName(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
config.GenerateTLSPairSecretName(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
) )
certController := internal.NewController( certController := internal.NewController(
certmanager.ControllerName, certmanager.ControllerName,
@ -126,6 +126,8 @@ func main() {
caSecret, caSecret,
tlsSecret, tlsSecret,
renewer, renewer,
config.KyvernoServiceName(),
config.KyvernoNamespace(),
), ),
certmanager.Workers, certmanager.Workers,
) )
@ -292,7 +294,7 @@ func main() {
// create server // create server
server := NewServer( server := NewServer(
func() ([]byte, []byte, error) { func() ([]byte, []byte, error) {
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName()) secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()))
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
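Review bot: The TLS-pair and CA secret names are recomputed inline at every use in this file — `config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace())` appears in the informer setup, in the renewer arguments and again in the server's certificate callback — which makes those lines hard to read and lets the call sites drift apart if one is edited later. Compute them once near the top of main, `tlsSecretName := config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace())` and `caSecretName := config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace())`, and pass the locals to the informers, the renewer and the lister `Get`. The admission controller's main further down in this commit repeats the same expressions and would take the same two locals. main begins and ends outside these hunks.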


@ -62,7 +62,7 @@ func main() {
failure := false failure := false
run := func(context.Context) { run := func(context.Context) {
name := config.GenerateRootCASecretName() name := config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace())
_, err := setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{}) _, err := setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
if err != nil { if err != nil {
logging.V(2).Info("failed to fetch root CA secret", "name", name, "error", err.Error()) logging.V(2).Info("failed to fetch root CA secret", "name", name, "error", err.Error())
@ -71,7 +71,7 @@ func main() {
} }
} }
name = config.GenerateTLSPairSecretName() name = config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace())
_, err = setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{}) _, err = setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
if err != nil { if err != nil {
logging.V(2).Info("failed to fetch TLS Pair secret", "name", name, "error", err.Error()) logging.V(2).Info("failed to fetch TLS Pair secret", "name", name, "error", err.Error())


@ -121,6 +121,8 @@ func createrLeaderControllers(
caInformer, caInformer,
tlsInformer, tlsInformer,
certRenewer, certRenewer,
config.KyvernoServiceName(),
config.KyvernoNamespace(),
) )
webhookController := webhookcontroller.NewController( webhookController := webhookcontroller.NewController(
dynamicClient.Discovery(), dynamicClient.Discovery(),
@ -229,8 +231,8 @@ func main() {
// setup // setup
signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-admission-controller", false) signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-admission-controller", false)
defer sdown() defer sdown()
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod) caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod) tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
if !informers.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, caSecret, tlsSecret) { if !informers.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, caSecret, tlsSecret) {
setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync") setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
os.Exit(1) os.Exit(1)
@ -262,10 +264,10 @@ func main() {
tls.TLSValidityDuration, tls.TLSValidityDuration,
serverIP, serverIP,
config.KyvernoServiceName(), config.KyvernoServiceName(),
config.DnsNames(), config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
config.KyvernoNamespace(), config.KyvernoNamespace(),
config.GenerateRootCASecretName(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
config.GenerateTLSPairSecretName(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
) )
policyCache := policycache.NewCache() policyCache := policycache.NewCache()
omitEventsValues := strings.Split(omitEvents, ",") omitEventsValues := strings.Split(omitEvents, ",")
@ -463,7 +465,7 @@ func main() {
DumpPayload: dumpPayload, DumpPayload: dumpPayload,
}, },
func() ([]byte, []byte, error) { func() ([]byte, []byte, error) {
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName()) secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()))
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }


@ -2,22 +2,22 @@ package config
import "fmt" import "fmt"
func InClusterServiceName() string { func InClusterServiceName(commonName string, namespace string) string {
return KyvernoServiceName() + "." + KyvernoNamespace() + ".svc" return commonName + "." + namespace + ".svc"
} }
func DnsNames() []string { func DnsNames(commonName string, namespace string) []string {
return []string{ return []string{
KyvernoServiceName(), commonName,
fmt.Sprintf("%s.%s", KyvernoServiceName(), KyvernoNamespace()), fmt.Sprintf("%s.%s", commonName, namespace),
InClusterServiceName(), InClusterServiceName(commonName, namespace),
} }
} }
func GenerateTLSPairSecretName() string { func GenerateTLSPairSecretName(commonName string, namespace string) string {
return InClusterServiceName() + ".kyverno-tls-pair" return InClusterServiceName(commonName, namespace) + ".kyverno-tls-pair"
} }
func GenerateRootCASecretName() string { func GenerateRootCASecretName(commonName string, namespace string) string {
return InClusterServiceName() + ".kyverno-tls-ca" return InClusterServiceName(commonName, namespace) + ".kyverno-tls-ca"
} }
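Review bot: The four exported functions in this hunk changed signature but still carry no doc comments, and the new `commonName` parameter does double duty: `InClusterServiceName` joins it into `<commonName>.<namespace>.svc`, so it is really the Kubernetes Service name, and it then becomes both the certificate's DNS SANs via `DnsNames` and the Secret names via `GenerateTLSPairSecretName`/`GenerateRootCASecretName`. Add Go-style comments such as `// InClusterServiceName returns the in-cluster DNS name <commonName>.<namespace>.svc of the webhook Service.` and `// DnsNames returns the DNS names (short, namespaced and in-cluster) a serving certificate for the Service must cover.`, and state on each that commonName is the Service name. Nothing here rejects an empty commonName or namespace; if callers can pass empty strings the derived names (e.g. `..svc.kyverno-tls-pair`, constructed from the concatenation above) would be silently wrong, so either document that callers validate them or record it as a follow-up.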


@ -36,12 +36,17 @@ type controller struct {
queue workqueue.RateLimitingInterface queue workqueue.RateLimitingInterface
caEnqueue controllerutils.EnqueueFunc caEnqueue controllerutils.EnqueueFunc
tlsEnqueue controllerutils.EnqueueFunc tlsEnqueue controllerutils.EnqueueFunc
commonName string
namespace string
} }
func NewController( func NewController(
caInformer corev1informers.SecretInformer, caInformer corev1informers.SecretInformer,
tlsInformer corev1informers.SecretInformer, tlsInformer corev1informers.SecretInformer,
certRenewer tls.CertRenewer, certRenewer tls.CertRenewer,
commonName string,
namespace string,
) controllers.Controller { ) controllers.Controller {
queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName) queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName)
c := controller{ c := controller{
@ -51,6 +56,8 @@ func NewController(
queue: queue, queue: queue,
caEnqueue: controllerutils.AddDefaultEventHandlers(logger, caInformer.Informer(), queue), caEnqueue: controllerutils.AddDefaultEventHandlers(logger, caInformer.Informer(), queue),
tlsEnqueue: controllerutils.AddDefaultEventHandlers(logger, tlsInformer.Informer(), queue), tlsEnqueue: controllerutils.AddDefaultEventHandlers(logger, tlsInformer.Informer(), queue),
commonName: commonName,
namespace: namespace,
} }
return &c return &c
} }
@ -60,28 +67,28 @@ func (c *controller) Run(ctx context.Context, workers int) {
// this way we ensure the reconcile happens (hence renewal/creation) // this way we ensure the reconcile happens (hence renewal/creation)
if err := c.tlsEnqueue(&corev1.Secret{ if err := c.tlsEnqueue(&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: config.KyvernoNamespace(), Namespace: c.namespace,
Name: config.GenerateTLSPairSecretName(), Name: config.GenerateTLSPairSecretName(c.commonName, c.namespace),
}, },
}); err != nil { }); err != nil {
logger.Error(err, "failed to enqueue secret", "name", config.GenerateTLSPairSecretName()) logger.Error(err, "failed to enqueue secret", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
} }
if err := c.caEnqueue(&corev1.Secret{ if err := c.caEnqueue(&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Namespace: config.KyvernoNamespace(), Namespace: c.namespace,
Name: config.GenerateRootCASecretName(), Name: config.GenerateRootCASecretName(c.commonName, c.namespace),
}, },
}); err != nil { }); err != nil {
logger.Error(err, "failed to enqueue CA secret", "name", config.GenerateRootCASecretName()) logger.Error(err, "failed to enqueue CA secret", "name", config.GenerateRootCASecretName(c.commonName, c.namespace))
} }
controllerutils.Run(ctx, logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile, c.ticker) controllerutils.Run(ctx, logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile, c.ticker)
} }
func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, namespace, name string) error { func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, namespace, name string) error {
if namespace != config.KyvernoNamespace() { if namespace != c.namespace {
return nil return nil
} }
if name != config.GenerateTLSPairSecretName() && name != config.GenerateRootCASecretName() { if name != config.GenerateTLSPairSecretName(c.commonName, c.namespace) && name != config.GenerateRootCASecretName(c.commonName, c.namespace) {
return nil return nil
} }
return c.renewCertificates(ctx) return c.renewCertificates(ctx)
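Review bot: In Run the TLS-pair and CA secret names are each computed twice from the new fields — once for the `Name:` of the enqueued Secret and again inside the matching `logger.Error` call — so hoist them into locals before the enqueue block, `tlsSecretName := config.GenerateTLSPairSecretName(c.commonName, c.namespace)` and `caSecretName := config.GenerateRootCASecretName(c.commonName, c.namespace)`, and use them in both places; reconcile recomputes both names on every key and could reuse the same idea. The two new struct fields also deserve a short comment, e.g. `// commonName is the webhook Service name the certificate is issued for; namespace is where its Secrets live.` Run begins before this hunk and reconcile continues past it.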


@ -98,17 +98,17 @@ func NewController(
controllerutils.AddEventHandlersT( controllerutils.AddEventHandlersT(
secretInformer.Informer(), secretInformer.Informer(),
func(obj *corev1.Secret) { func(obj *corev1.Secret) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() { if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
c.enqueue() c.enqueue()
} }
}, },
func(_, obj *corev1.Secret) { func(_, obj *corev1.Secret) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() { if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
c.enqueue() c.enqueue()
} }
}, },
func(obj *corev1.Secret) { func(obj *corev1.Secret) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() { if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
c.enqueue() c.enqueue()
} }
}, },
@ -130,7 +130,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
if key != c.webhookName { if key != c.webhookName {
return nil return nil
} }
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister) caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister)
if err != nil { if err != nil {
return err return err
} }
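Review bot: All three Secret event handlers in NewController evaluate `config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace())` on every event, and the expression is long enough that the comparison is hard to read; compute it once before `controllerutils.AddEventHandlersT`, `caSecretName := config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace())`, and compare `obj.GetName() == caSecretName` in each closure (reconcile below can pass the same value to `tls.ReadRootCASecret`). The webhook controller in the next file section has the identical three handlers and two reconcile callers and would take the same change. Unlike the certmanager controller in this commit, these controllers still read the service name and namespace from package globals rather than receiving them as arguments, so if the intent is to make them configurable per controller that inconsistency is worth resolving or noting. NewController starts and ends outside this hunk.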


@ -158,17 +158,17 @@ func NewController(
controllerutils.AddEventHandlersT( controllerutils.AddEventHandlersT(
secretInformer.Informer(), secretInformer.Informer(),
func(obj *corev1.Secret) { func(obj *corev1.Secret) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() { if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
c.enqueueAll() c.enqueueAll()
} }
}, },
func(_, obj *corev1.Secret) { func(_, obj *corev1.Secret) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() { if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
c.enqueueAll() c.enqueueAll()
} }
}, },
func(obj *corev1.Secret) { func(obj *corev1.Secret) {
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() { if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
c.enqueueAll() c.enqueueAll()
} }
}, },
@ -340,7 +340,7 @@ func (c *controller) reconcileVerifyMutatingWebhookConfiguration(ctx context.Con
} }
func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error { func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace())) caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
if err != nil { if err != nil {
return err return err
} }
@ -370,7 +370,7 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
} }
func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error { func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace())) caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
if err != nil { if err != nil {
return err return err
} }


@ -132,9 +132,9 @@ func (c *certRenewer) RenewCA(ctx context.Context) error {
return err return err
} }
if !valid { if !valid {
logger.Info("mismatched certs chain, renewing", "CA certificate", config.GenerateRootCASecretName(), "TLS certificate", config.GenerateTLSPairSecretName()) logger.Info("mismatched certs chain, renewing", "CA certificate", config.GenerateRootCASecretName(c.commonName, c.namespace), "TLS certificate", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
if err := c.RenewTLS(ctx); err != nil { if err := c.RenewTLS(ctx); err != nil {
logger.Error(err, "failed to renew TLS certificate", "name", config.GenerateTLSPairSecretName()) logger.Error(err, "failed to renew TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
return err return err
} }
} }
@ -158,7 +158,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
if cert != nil { if cert != nil {
valid, err := c.ValidateCert(ctx) valid, err := c.ValidateCert(ctx)
if err != nil || !valid { if err != nil || !valid {
logger.Info("invalid cert chain, renewing TLS certificate", "name", config.GenerateTLSPairSecretName(), "error", err.Error()) logger.Info("invalid cert chain, renewing TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace), "error", err.Error())
} else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) { } else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) {
logger.V(4).Info("TLS certificate does not need to be renewed") logger.V(4).Info("TLS certificate does not need to be renewed")
return nil return nil
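Review bot: In RenewTLS the condition `if err != nil || !valid` is followed by `err.Error()`, so when `ValidateCert` returns `valid == false` with a nil error the Info call dereferences a nil interface and panics; this path is reachable unless ValidateCert guarantees a non-nil error whenever valid is false, which is not visible here. Pass the error value itself, `logger.Info("invalid cert chain, renewing TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace), "error", err)`, which a logr sink can render when nil, or split the two cases into separate log lines. RenewTLS and RenewCA both begin outside their hunks.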