fix: use lister for CA secret (#5598)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
839cdf14d9
commit
c8185feb11
4 changed files with 20 additions and 12 deletions
|
@ -413,6 +413,7 @@ func main() {
|
|||
logger.Error(err, "failed to create cache informer factory")
|
||||
os.Exit(1)
|
||||
}
|
||||
secretLister := kubeKyvernoInformer.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
|
||||
informerBasedResolver, err := resolvers.NewInformerBasedResolver(cacheInformer.Core().V1().ConfigMaps().Lister())
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to create informer based resolver")
|
||||
|
@ -440,6 +441,7 @@ func main() {
|
|||
}
|
||||
certRenewer := tls.NewCertRenewer(
|
||||
kubeClient.CoreV1().Secrets(config.KyvernoNamespace()),
|
||||
secretLister,
|
||||
tls.CertRenewalInterval,
|
||||
tls.CAValidityDuration,
|
||||
tls.TLSValidityDuration,
|
||||
|
@ -606,7 +608,6 @@ func main() {
|
|||
openApiManager,
|
||||
admissionReports,
|
||||
)
|
||||
secretLister := kubeKyvernoInformer.Core().V1().Secrets().Lister()
|
||||
server := webhooks.NewServer(
|
||||
policyHandlers,
|
||||
resourceHandlers,
|
||||
|
@ -616,7 +617,7 @@ func main() {
|
|||
DumpPayload: dumpPayload,
|
||||
},
|
||||
func() ([]byte, []byte, error) {
|
||||
secret, err := secretLister.Secrets(config.KyvernoNamespace()).Get(tls.GenerateTLSPairSecretName())
|
||||
secret, err := secretLister.Get(tls.GenerateTLSPairSecretName())
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
|
|
|
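Review bot: The TLS-pair getter passed to webhooks.NewServer now reads from the informer cache (`secretLister.Get(tls.GenerateTLSPairSecretName())`), so it returns a NotFound error whenever the Secret informer has not synced yet, where the old client call did a live API read; the factory start and WaitForCacheSync are outside these hunks, so confirm they cover kubeKyvernoInformer before the server and the certRenewer first use the lister. A comment on the new `secretLister :=` line in the first hunk would record that dependency, e.g. `// namespace-scoped lister served from the informer cache; must be synced before certRenewer and the webhook server read it`. The Secret returned by the lister is shared with the cache, so whatever the closure returns from it (the rest of the closure is outside the hunk) should be treated as read-only by callers. main's body continues outside these hunks.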
@ -359,7 +359,7 @@ func (c *controller) reconcileVerifyMutatingWebhookConfiguration(ctx context.Con
|
|||
}
|
||||
|
||||
func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func([]byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
|
||||
caData, err := tls.ReadRootCASecret(c.secretClient)
|
||||
caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -388,7 +388,7 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
|
|||
}
|
||||
|
||||
func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func([]byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
|
||||
caData, err := tls.ReadRootCASecret(c.secretClient)
|
||||
caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
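Review bot: Both reconcileValidatingWebhookConfiguration and reconcileMutatingWebhookConfiguration build the namespace-scoped lister inline with `c.secretLister.Secrets(config.KyvernoNamespace())`; main.go in this same commit stores the namespaced `SecretNamespaceLister` once, so the controller could hold that type in its struct and pass `c.secretLister` directly, keeping the namespace choice in one place. Because the lister serves from cache, a reconcile that runs before the Secret informer has synced now fails with NotFound instead of reading the API; the controller's cache-sync wait is outside the hunk, so confirm it includes that informer. Both functions continue past their hunks.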
@ -1,21 +1,18 @@
|
|||
package tls
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||
"github.com/pkg/errors"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
)
|
||||
|
||||
var ErrorsNotFound = "root CA certificate not found"
|
||||
|
||||
// ReadRootCASecret returns the RootCA from the pre-defined secret
|
||||
func ReadRootCASecret(client controllerutils.GetClient[*corev1.Secret]) ([]byte, error) {
|
||||
func ReadRootCASecret(client corev1listers.SecretNamespaceLister) ([]byte, error) {
|
||||
sname := GenerateRootCASecretName()
|
||||
stlsca, err := client.Get(context.TODO(), sname, metav1.GetOptions{})
|
||||
stlsca, err := client.Get(sname)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
|
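Review bot: The parameter of ReadRootCASecret is still named `client` although its type is now `corev1listers.SecretNamespaceLister`; renaming it, `func ReadRootCASecret(lister corev1listers.SecretNamespaceLister) ([]byte, error) {` with `stlsca, err := lister.Get(sname)`, stops readers assuming the call reaches the API. The unchanged doc comment should say where the read comes from, e.g. `// ReadRootCASecret returns the root CA from the pre-defined secret, served from the lister's informer cache; until that cache has synced a NotFound error is returned.` The Secret the lister returns is shared with the cache, so the byte slice this function returns (the return is outside the hunk) aliases cached data and must not be modified by callers. The function body continues past the hunk.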
@ -13,6 +13,7 @@ import (
|
|||
corev1 "k8s.io/api/core/v1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -44,6 +45,7 @@ type CertRenewer interface {
|
|||
// renews RootCA at the given interval
|
||||
type certRenewer struct {
|
||||
client controllerutils.ObjectClient[*corev1.Secret]
|
||||
lister corev1listers.SecretNamespaceLister
|
||||
certRenewalInterval time.Duration
|
||||
caValidityDuration time.Duration
|
||||
tlsValidityDuration time.Duration
|
||||
|
@ -53,9 +55,17 @@ type certRenewer struct {
|
|||
}
|
||||
|
||||
// NewCertRenewer returns an instance of CertRenewer
|
||||
func NewCertRenewer(client controllerutils.ObjectClient[*corev1.Secret], certRenewalInterval, caValidityDuration, tlsValidityDuration time.Duration, server string) *certRenewer {
|
||||
func NewCertRenewer(
|
||||
client controllerutils.ObjectClient[*corev1.Secret],
|
||||
lister corev1listers.SecretNamespaceLister,
|
||||
certRenewalInterval,
|
||||
caValidityDuration,
|
||||
tlsValidityDuration time.Duration,
|
||||
server string,
|
||||
) *certRenewer {
|
||||
return &certRenewer{
|
||||
client: client,
|
||||
lister: lister,
|
||||
certRenewalInterval: certRenewalInterval,
|
||||
caValidityDuration: caValidityDuration,
|
||||
tlsValidityDuration: tlsValidityDuration,
|
||||
|
@ -144,7 +154,7 @@ func (c *certRenewer) ValidateCert() (bool, error) {
|
|||
}
|
||||
|
||||
func (c *certRenewer) getSecret(name string) (*corev1.Secret, error) {
|
||||
if s, err := c.client.Get(context.TODO(), name, metav1.GetOptions{}); err != nil {
|
||||
if s, err := c.lister.Get(name); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
return s, nil
|
||||
|
|
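Review bot: NewCertRenewer now takes both a writing `client` and a reading `lister`, and neither the signature nor the unchanged doc comment says they must refer to the same namespace; a mismatch would make the renewer validate one secret while its writes go elsewhere, with no error. Extend the comment to `// NewCertRenewer returns an instance of CertRenewer. client is used for writes; lister must be a namespace-scoped lister over the same namespace, and its informer must be synced before the renewer runs.` In the last hunk getSecret now returns the object held in the informer cache; if any caller (outside this hunk) mutates the returned Secret before passing it to c.client.Update, it should DeepCopy it first, since editing a cached object corrupts shared state. The getSecret hunk is cut off at the end of the page.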