mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-15 17:51:20 +00:00
fix: update certmanager and config to take common name and namespace as arguments (#8129)
* feat: add namespace and common name args Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: remove unnecessary dns name Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Vishal Choudhary
GitHub
parent
ce66667779
commit
b374c05517
8 changed files with 55 additions and 44 deletions
|
|
@ -88,8 +88,8 @@ func main() {
|
|||
ctx, setup, sdown := internal.Setup(appConfig, "kyverno-cleanup-controller", false)
|
||||
defer sdown()
|
||||
// certificates informers
|
||||
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod)
|
||||
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod)
|
||||
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
|
||||
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
|
||||
if !informers.StartInformersAndWaitForCacheSync(ctx, setup.Logger, caSecret, tlsSecret) {
|
||||
setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
|
||||
os.Exit(1)
|
||||
|
|
@ -115,10 +115,10 @@ func main() {
|
|||
tls.TLSValidityDuration,
|
||||
serverIP,
|
||||
config.KyvernoServiceName(),
|
||||
config.DnsNames(),
|
||||
config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
config.KyvernoNamespace(),
|
||||
config.GenerateRootCASecretName(),
|
||||
config.GenerateTLSPairSecretName(),
|
||||
config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
)
|
||||
certController := internal.NewController(
|
||||
certmanager.ControllerName,
|
||||
|
|
@ -126,6 +126,8 @@ func main() {
|
|||
caSecret,
|
||||
tlsSecret,
|
||||
renewer,
|
||||
config.KyvernoServiceName(),
|
||||
config.KyvernoNamespace(),
|
||||
),
|
||||
certmanager.Workers,
|
||||
)
|
||||
|
|
@ -292,7 +294,7 @@ func main() {
|
|||
// create server
|
||||
server := NewServer(
|
||||
func() ([]byte, []byte, error) {
|
||||
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName())
|
||||
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()))
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -62,7 +62,7 @@ func main() {
|
|||
failure := false
|
||||
|
||||
run := func(context.Context) {
|
||||
name := config.GenerateRootCASecretName()
|
||||
name := config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace())
|
||||
_, err := setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
logging.V(2).Info("failed to fetch root CA secret", "name", name, "error", err.Error())
|
||||
|
|
@ -71,7 +71,7 @@ func main() {
|
|||
}
|
||||
}
|
||||
|
||||
name = config.GenerateTLSPairSecretName()
|
||||
name = config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace())
|
||||
_, err = setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(context.TODO(), name, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
logging.V(2).Info("failed to fetch TLS Pair secret", "name", name, "error", err.Error())
|
||||
|
|
|
|||
|
|
@ -121,6 +121,8 @@ func createrLeaderControllers(
|
|||
caInformer,
|
||||
tlsInformer,
|
||||
certRenewer,
|
||||
config.KyvernoServiceName(),
|
||||
config.KyvernoNamespace(),
|
||||
)
|
||||
webhookController := webhookcontroller.NewController(
|
||||
dynamicClient.Discovery(),
|
||||
|
|
@ -229,8 +231,8 @@ func main() {
|
|||
// setup
|
||||
signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-admission-controller", false)
|
||||
defer sdown()
|
||||
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(), resyncPeriod)
|
||||
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(), resyncPeriod)
|
||||
caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
|
||||
tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), resyncPeriod)
|
||||
if !informers.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, caSecret, tlsSecret) {
|
||||
setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
|
||||
os.Exit(1)
|
||||
|
|
@ -262,10 +264,10 @@ func main() {
|
|||
tls.TLSValidityDuration,
|
||||
serverIP,
|
||||
config.KyvernoServiceName(),
|
||||
config.DnsNames(),
|
||||
config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
config.KyvernoNamespace(),
|
||||
config.GenerateRootCASecretName(),
|
||||
config.GenerateTLSPairSecretName(),
|
||||
config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()),
|
||||
)
|
||||
policyCache := policycache.NewCache()
|
||||
omitEventsValues := strings.Split(omitEvents, ",")
|
||||
|
|
@ -463,7 +465,7 @@ func main() {
|
|||
DumpPayload: dumpPayload,
|
||||
},
|
||||
func() ([]byte, []byte, error) {
|
||||
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName())
|
||||
secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(config.GenerateTLSPairSecretName(config.KyvernoServiceName(), config.KyvernoNamespace()))
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,22 +2,22 @@ package config
|
|||
|
||||
import "fmt"
|
||||
|
||||
func InClusterServiceName() string {
|
||||
return KyvernoServiceName() + "." + KyvernoNamespace() + ".svc"
|
||||
func InClusterServiceName(commonName string, namespace string) string {
|
||||
return commonName + "." + namespace + ".svc"
|
||||
}
|
||||
|
||||
func DnsNames() []string {
|
||||
func DnsNames(commonName string, namespace string) []string {
|
||||
return []string{
|
||||
KyvernoServiceName(),
|
||||
fmt.Sprintf("%s.%s", KyvernoServiceName(), KyvernoNamespace()),
|
||||
InClusterServiceName(),
|
||||
commonName,
|
||||
fmt.Sprintf("%s.%s", commonName, namespace),
|
||||
InClusterServiceName(commonName, namespace),
|
||||
}
|
||||
}
|
||||
|
||||
func GenerateTLSPairSecretName() string {
|
||||
return InClusterServiceName() + ".kyverno-tls-pair"
|
||||
func GenerateTLSPairSecretName(commonName string, namespace string) string {
|
||||
return InClusterServiceName(commonName, namespace) + ".kyverno-tls-pair"
|
||||
}
|
||||
|
||||
func GenerateRootCASecretName() string {
|
||||
return InClusterServiceName() + ".kyverno-tls-ca"
|
||||
func GenerateRootCASecretName(commonName string, namespace string) string {
|
||||
return InClusterServiceName(commonName, namespace) + ".kyverno-tls-ca"
|
||||
}
|
||||
|
|
|
|||
|
|
@ -36,12 +36,17 @@ type controller struct {
|
|||
queue workqueue.RateLimitingInterface
|
||||
caEnqueue controllerutils.EnqueueFunc
|
||||
tlsEnqueue controllerutils.EnqueueFunc
|
||||
|
||||
commonName string
|
||||
namespace string
|
||||
}
|
||||
|
||||
func NewController(
|
||||
caInformer corev1informers.SecretInformer,
|
||||
tlsInformer corev1informers.SecretInformer,
|
||||
certRenewer tls.CertRenewer,
|
||||
commonName string,
|
||||
namespace string,
|
||||
) controllers.Controller {
|
||||
queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName)
|
||||
c := controller{
|
||||
|
|
@ -51,6 +56,8 @@ func NewController(
|
|||
queue: queue,
|
||||
caEnqueue: controllerutils.AddDefaultEventHandlers(logger, caInformer.Informer(), queue),
|
||||
tlsEnqueue: controllerutils.AddDefaultEventHandlers(logger, tlsInformer.Informer(), queue),
|
||||
commonName: commonName,
|
||||
namespace: namespace,
|
||||
}
|
||||
return &c
|
||||
}
|
||||
|
|
@ -60,28 +67,28 @@ func (c *controller) Run(ctx context.Context, workers int) {
|
|||
// this way we ensure the reconcile happens (hence renewal/creation)
|
||||
if err := c.tlsEnqueue(&corev1.Secret{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: config.KyvernoNamespace(),
|
||||
Name: config.GenerateTLSPairSecretName(),
|
||||
Namespace: c.namespace,
|
||||
Name: config.GenerateTLSPairSecretName(c.commonName, c.namespace),
|
||||
},
|
||||
}); err != nil {
|
||||
logger.Error(err, "failed to enqueue secret", "name", config.GenerateTLSPairSecretName())
|
||||
logger.Error(err, "failed to enqueue secret", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
|
||||
}
|
||||
if err := c.caEnqueue(&corev1.Secret{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: config.KyvernoNamespace(),
|
||||
Name: config.GenerateRootCASecretName(),
|
||||
Namespace: c.namespace,
|
||||
Name: config.GenerateRootCASecretName(c.commonName, c.namespace),
|
||||
},
|
||||
}); err != nil {
|
||||
logger.Error(err, "failed to enqueue CA secret", "name", config.GenerateRootCASecretName())
|
||||
logger.Error(err, "failed to enqueue CA secret", "name", config.GenerateRootCASecretName(c.commonName, c.namespace))
|
||||
}
|
||||
controllerutils.Run(ctx, logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile, c.ticker)
|
||||
}
|
||||
|
||||
func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, namespace, name string) error {
|
||||
if namespace != config.KyvernoNamespace() {
|
||||
if namespace != c.namespace {
|
||||
return nil
|
||||
}
|
||||
if name != config.GenerateTLSPairSecretName() && name != config.GenerateRootCASecretName() {
|
||||
if name != config.GenerateTLSPairSecretName(c.commonName, c.namespace) && name != config.GenerateRootCASecretName(c.commonName, c.namespace) {
|
||||
return nil
|
||||
}
|
||||
return c.renewCertificates(ctx)
|
||||
|
|
|
|||
|
|
@ -98,17 +98,17 @@ func NewController(
|
|||
controllerutils.AddEventHandlersT(
|
||||
secretInformer.Informer(),
|
||||
func(obj *corev1.Secret) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
|
||||
c.enqueue()
|
||||
}
|
||||
},
|
||||
func(_, obj *corev1.Secret) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
|
||||
c.enqueue()
|
||||
}
|
||||
},
|
||||
func(obj *corev1.Secret) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
|
||||
c.enqueue()
|
||||
}
|
||||
},
|
||||
|
|
@ -130,7 +130,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, _,
|
|||
if key != c.webhookName {
|
||||
return nil
|
||||
}
|
||||
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister)
|
||||
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -158,17 +158,17 @@ func NewController(
|
|||
controllerutils.AddEventHandlersT(
|
||||
secretInformer.Informer(),
|
||||
func(obj *corev1.Secret) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
|
||||
c.enqueueAll()
|
||||
}
|
||||
},
|
||||
func(_, obj *corev1.Secret) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
|
||||
c.enqueueAll()
|
||||
}
|
||||
},
|
||||
func(obj *corev1.Secret) {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName() {
|
||||
if obj.GetNamespace() == config.KyvernoNamespace() && obj.GetName() == config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()) {
|
||||
c.enqueueAll()
|
||||
}
|
||||
},
|
||||
|
|
@ -340,7 +340,7 @@ func (c *controller) reconcileVerifyMutatingWebhookConfiguration(ctx context.Con
|
|||
}
|
||||
|
||||
func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
|
||||
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -370,7 +370,7 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
|
|||
}
|
||||
|
||||
func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func(context.Context, config.Configuration, []byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
|
||||
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||
caData, err := tls.ReadRootCASecret(config.GenerateRootCASecretName(config.KyvernoServiceName(), config.KyvernoNamespace()), config.KyvernoNamespace(), c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -132,9 +132,9 @@ func (c *certRenewer) RenewCA(ctx context.Context) error {
|
|||
return err
|
||||
}
|
||||
if !valid {
|
||||
logger.Info("mismatched certs chain, renewing", "CA certificate", config.GenerateRootCASecretName(), "TLS certificate", config.GenerateTLSPairSecretName())
|
||||
logger.Info("mismatched certs chain, renewing", "CA certificate", config.GenerateRootCASecretName(c.commonName, c.namespace), "TLS certificate", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
|
||||
if err := c.RenewTLS(ctx); err != nil {
|
||||
logger.Error(err, "failed to renew TLS certificate", "name", config.GenerateTLSPairSecretName())
|
||||
logger.Error(err, "failed to renew TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace))
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
|
@ -158,7 +158,7 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
|
|||
if cert != nil {
|
||||
valid, err := c.ValidateCert(ctx)
|
||||
if err != nil || !valid {
|
||||
logger.Info("invalid cert chain, renewing TLS certificate", "name", config.GenerateTLSPairSecretName(), "error", err.Error())
|
||||
logger.Info("invalid cert chain, renewing TLS certificate", "name", config.GenerateTLSPairSecretName(c.commonName, c.namespace), "error", err.Error())
|
||||
} else if !allCertificatesExpired(now.Add(5*c.certRenewalInterval), cert) {
|
||||
logger.V(4).Info("TLS certificate does not need to be renewed")
|
||||
return nil
|
||||
|
|
|
|||
Loading…
Reference in a new issue