From c8185feb115e94c11d84e8e3cfa231f556e31dd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Wed, 7 Dec 2022 07:08:37 +0100
Subject: [PATCH] fix: use lister for CA secret (#5598)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché
Signed-off-by: Charles-Edouard Brétéché
---
 cmd/kyverno/main.go | 5 +++--
 pkg/controllers/webhook/controller.go | 4 ++--
 pkg/tls/reader.go | 9 +++------
 pkg/tls/renewer.go | 14 ++++++++++++--
 4 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 76eceb2a69..c9b59f9edd 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -413,6 +413,7 @@ func main() {
 logger.Error(err, "failed to create cache informer factory")
 os.Exit(1)
 }
+ secretLister := kubeKyvernoInformer.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace())
 informerBasedResolver, err := resolvers.NewInformerBasedResolver(cacheInformer.Core().V1().ConfigMaps().Lister())
 if err != nil {
 logger.Error(err, "failed to create informer based resolver")
@@ -440,6 +441,7 @@ func main() {
 }
 certRenewer := tls.NewCertRenewer(
 kubeClient.CoreV1().Secrets(config.KyvernoNamespace()),
+ secretLister,
 tls.CertRenewalInterval,
 tls.CAValidityDuration,
 tls.TLSValidityDuration,
@@ -606,7 +608,6 @@ func main() {
 openApiManager,
 admissionReports,
 )
- secretLister := kubeKyvernoInformer.Core().V1().Secrets().Lister()
 server := webhooks.NewServer(
 policyHandlers,
 resourceHandlers,
@@ -616,7 +617,7 @@ func main() {
 DumpPayload: dumpPayload,
 },
 func() ([]byte, []byte, error) {
- secret, err := secretLister.Secrets(config.KyvernoNamespace()).Get(tls.GenerateTLSPairSecretName())
+ secret, err := secretLister.Get(tls.GenerateTLSPairSecretName())
 if err != nil {
 return nil, nil, err
 }
diff --git a/pkg/controllers/webhook/controller.go b/pkg/controllers/webhook/controller.go
index 5d96463c3d..4387a2b408 100644
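Review bot: The lister on the added line is backed by kubeKyvernoInformer, and nothing in this hunk or in the NewCertRenewer call of the next hunk waits for that informer's cache to sync before the renewer can read through it; before sync, `secretLister.Get` reports NotFound for a Secret that does exist, which a renewer that creates certificates on NotFound could mistake for a missing CA. If the factory is started and its caches synced before the renewer's first run, that happens outside the visible hunks; otherwise the first renewal should be gated on a cache sync. The same caveat applies to the TLS-pair callback in the last hunk, which now reads the same lister and would fail to serve certificates until the cache is populated.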
--- a/pkg/controllers/webhook/controller.go
+++ b/pkg/controllers/webhook/controller.go
@@ -359,7 +359,7 @@ func (c *controller) reconcileVerifyMutatingWebhookConfiguration(ctx context.Con
 }
 
 func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func([]byte) (*admissionregistrationv1.ValidatingWebhookConfiguration, error)) error {
- caData, err := tls.ReadRootCASecret(c.secretClient)
+ caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
 if err != nil {
 return err
 }
@@ -388,7 +388,7 @@ func (c *controller) reconcileValidatingWebhookConfiguration(ctx context.Context
 }
 
 func (c *controller) reconcileMutatingWebhookConfiguration(ctx context.Context, autoUpdateWebhooks bool, build func([]byte) (*admissionregistrationv1.MutatingWebhookConfiguration, error)) error {
- caData, err := tls.ReadRootCASecret(c.secretClient)
+ caData, err := tls.ReadRootCASecret(c.secretLister.Secrets(config.KyvernoNamespace()))
 if err != nil {
 return err
 }
diff --git a/pkg/tls/reader.go b/pkg/tls/reader.go
index 98f886127a..b33b3e266e 100644
--- a/pkg/tls/reader.go
+++ b/pkg/tls/reader.go
@@ -1,21 +1,18 @@
 package tls
 
 import (
- "context"
- "github.com/kyverno/kyverno/pkg/config"
- controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 "github.com/pkg/errors"
 corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ corev1listers "k8s.io/client-go/listers/core/v1"
 )
 
 var ErrorsNotFound = "root CA certificate not found"
 
 // ReadRootCASecret returns the RootCA from the pre-defined secret
-func ReadRootCASecret(client controllerutils.GetClient[*corev1.Secret]) ([]byte, error) {
+func ReadRootCASecret(client corev1listers.SecretNamespaceLister) ([]byte, error) {
 sname := GenerateRootCASecretName()
- stlsca, err := client.Get(context.TODO(), sname, metav1.GetOptions{})
+ stlsca, err := client.Get(sname)
 if err != nil {
 return nil, err
 }
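Review bot: `c.secretLister.Secrets(config.KyvernoNamespace())` is evaluated on every reconcile in reconcileValidatingWebhookConfiguration and again in reconcileMutatingWebhookConfiguration (second hunk); storing the namespaced lister once, e.g. a `secretLister corev1listers.SecretNamespaceLister` field built where the controller is constructed, removes the duplicated namespace lookup and keeps the CA reads scoped to one namespace in a single place. If `c.secretClient` is no longer read anywhere after this change (its other uses are not visible here), the field should be dropped rather than left as an unused API handle. Both function bodies continue past their hunks.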
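Review bot: The parameter in the new signature of ReadRootCASecret is still named `client` although it is now a `corev1listers.SecretNamespaceLister`; renaming it, `func ReadRootCASecret(lister corev1listers.SecretNamespaceLister) ([]byte, error) {` with `stlsca, err := lister.Get(sname)`, keeps the name honest. The doc comment should also record the changed read semantics, e.g. `// ReadRootCASecret returns the root CA from the pre-defined secret, read from the informer cache: a NotFound error can also mean the cache has not synced yet, and the returned bytes may alias the cached object and must not be modified.` The rest of the function body is outside the hunk, so whether the returned slice aliases `stlsca.Data` cannot be confirmed here; if it does, the must-not-modify caveat matters because the cache is shared with every other reader.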
diff --git a/pkg/tls/renewer.go b/pkg/tls/renewer.go
index b45d0cf091..c49ff42ca8 100644
--- a/pkg/tls/renewer.go
+++ b/pkg/tls/renewer.go
@@ -13,6 +13,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ corev1listers "k8s.io/client-go/listers/core/v1"
 )
 
 const (
@@ -44,6 +45,7 @@ type CertRenewer interface {
 // renews RootCA at the given interval
 type certRenewer struct {
 client controllerutils.ObjectClient[*corev1.Secret]
+ lister corev1listers.SecretNamespaceLister
 certRenewalInterval time.Duration
 caValidityDuration time.Duration
 tlsValidityDuration time.Duration
@@ -53,9 +55,17 @@ type certRenewer struct {
 }
 
 // NewCertRenewer returns an instance of CertRenewer
-func NewCertRenewer(client controllerutils.ObjectClient[*corev1.Secret], certRenewalInterval, caValidityDuration, tlsValidityDuration time.Duration, server string) *certRenewer {
+func NewCertRenewer(
+ client controllerutils.ObjectClient[*corev1.Secret],
+ lister corev1listers.SecretNamespaceLister,
+ certRenewalInterval,
+ caValidityDuration,
+ tlsValidityDuration time.Duration,
+ server string,
+) *certRenewer {
 return &certRenewer{
 client: client,
+ lister: lister,
 certRenewalInterval: certRenewalInterval,
 caValidityDuration: caValidityDuration,
 tlsValidityDuration: tlsValidityDuration,
@@ -144,7 +154,7 @@ func (c *certRenewer) ValidateCert() (bool, error) {
 }
 
 func (c *certRenewer) getSecret(name string) (*corev1.Secret, error) {
- if s, err := c.client.Get(context.TODO(), name, metav1.GetOptions{}); err != nil {
+ if s, err := c.lister.Get(name); err != nil {
 return nil, err
 } else {
 return s, nil
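Review bot: The new `lister` parameter of NewCertRenewer is not mentioned in its doc comment, and the caller in cmd/kyverno/main.go scopes both `client` and `lister` to config.KyvernoNamespace(), which is a contract worth stating rather than leaving implicit: `// NewCertRenewer returns an instance of CertRenewer. client is kept for API calls; lister serves reads (see getSecret) and must be scoped to the same namespace as client and synced before the renewer runs.` Nothing in the constructor checks that the two are for the same namespace, so the comment is the only place the requirement would be recorded.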
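Review bot: `c.lister.Get(name)` returns a pointer into the shared informer cache, whereas the replaced `c.client.Get` returned a fresh object; if any caller of getSecret modifies the returned Secret (for example populating Data before an update — callers are outside the hunk) it now mutates the cache seen by every other reader. Returning a copy, `return s.DeepCopy(), nil`, preserves the previous ownership semantics at the cost of one allocation per read. A second difference worth a comment on getSecret is that lister reads are not read-your-writes: a Secret the renewer has just written through `c.client` may not be visible via the lister until the watch event arrives, and an unsynced cache yields NotFound for an existing Secret.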