Remove secret from default resourceCache (#1878)
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
This commit is contained in:
parent
02f1faca0b
commit
e9952fbaf2
5 changed files with 23 additions and 23 deletions
|
@ -148,8 +148,7 @@ func main() {
|
||||||
debug,
|
debug,
|
||||||
log.Log)
|
log.Log)
|
||||||
|
|
||||||
// Resource Mutating Webhook Watcher
|
webhookMonitor := webhookconfig.NewMonitor(kubeInformer.Core().V1().Secrets(), log.Log.WithName("WebhookMonitor"))
|
||||||
webhookMonitor := webhookconfig.NewMonitor(rCache, log.Log.WithName("WebhookMonitor"))
|
|
||||||
|
|
||||||
// KYVERNO CRD INFORMER
|
// KYVERNO CRD INFORMER
|
||||||
// watches CRD resources:
|
// watches CRD resources:
|
||||||
|
|
|
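Review bot: The scope of the Secret watch handed to the monitor is decided by how `kubeInformer` is built, which is outside this hunk; if it is the unfiltered shared factory, `kubeInformer.Core().V1().Secrets()` lists and watches every Secret in the cluster and keeps all of them in the informer's store, even though the monitor's handlers only act on `config.KyvernoNamespace`. A factory scoped to that namespace, e.g. `informers.NewSharedInformerFactoryWithOptions(<kube client>, <resync period>, informers.WithNamespace(config.KyvernoNamespace))`, limits both the in-memory copy of secret material and the list/watch permission the component needs to the one namespace it reads. If other users of `kubeInformer` need cluster scope, a second namespaced factory used only for the monitor gives the same result. `main` continues outside the hunk.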
@ -33,7 +33,7 @@ type resourceCache struct {
|
||||||
log logr.Logger
|
log logr.Logger
|
||||||
}
|
}
|
||||||
|
|
||||||
var KyvernoDefaultInformer = []string{"ConfigMap", "Secret", "Deployment", "MutatingWebhookConfiguration", "ValidatingWebhookConfiguration"}
|
var KyvernoDefaultInformer = []string{"ConfigMap", "Deployment", "MutatingWebhookConfiguration", "ValidatingWebhookConfiguration"}
|
||||||
|
|
||||||
// NewResourceCache - initializes the ResourceCache
|
// NewResourceCache - initializes the ResourceCache
|
||||||
func NewResourceCache(dclient *dclient.Client, dInformer dynamicinformer.DynamicSharedInformerFactory, logger logr.Logger) (ResourceCache, error) {
|
func NewResourceCache(dclient *dclient.Client, dInformer dynamicinformer.DynamicSharedInformerFactory, logger logr.Logger) (ResourceCache, error) {
|
||||||
|
|
|
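Review bot: `KyvernoDefaultInformer` is an exported variable with no doc comment, and its contract matters more now that a kind has been dropped from it: a caller that looks up `GetGVRCache("Secret")` can no longer expect a hit and has to go through `CreateGVKInformer` itself, as the old monitor code did. Suggested comment: `// KyvernoDefaultInformer lists the resource kinds whose informers the resource cache creates by default; a kind not listed here is only available after CreateGVKInformer has been called for it.` (how `NewResourceCache` consumes the list is outside this hunk). Being a `var`, the list can also be modified at runtime by any importer; if nothing is meant to append to it, the comment should say so or the slice should be unexported and exposed through a function.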
@ -65,7 +65,7 @@ func (c *CertRenewer) InitTLSPemPair(serverIP string) (*PemPair, error) {
|
||||||
logger.Info("using existing TLS key/certificate pair")
|
logger.Info("using existing TLS key/certificate pair")
|
||||||
return tlsPair, nil
|
return tlsPair, nil
|
||||||
}
|
}
|
||||||
} else {
|
} else if err != nil {
|
||||||
logger.V(3).Info("unable to find TLS pair", "reason", err.Error())
|
logger.V(3).Info("unable to find TLS pair", "reason", err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
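Review bot: The new `else if err != nil` guard on line 111 introduces a third path with no trace: when the lookup returns no error but the branch above is not taken (its condition is outside this hunk), the function now continues silently, where previously `err.Error()` on a nil error — presumably the reason for the guard — would have been reached. If that path is reachable, a final `else` with `logger.V(3).Info("existing TLS pair not used")` keeps the decision visible at the same verbosity as the not-found case. Passing the error value itself, `logger.V(3).Error(err, "unable to find TLS pair")`, rather than `err.Error()` as a string field also preserves it for structured log sinks. `InitTLSPemPair` starts before and ends after the hunk.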
@ -13,6 +13,8 @@ import (
|
||||||
"k8s.io/client-go/rest"
|
"k8s.io/client-go/rest"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var ErrorsNotFound = "root CA certificate not found"
|
||||||
|
|
||||||
// ReadRootCASecret returns the RootCA from the pre-defined secret
|
// ReadRootCASecret returns the RootCA from the pre-defined secret
|
||||||
func ReadRootCASecret(restConfig *rest.Config, client *client.Client) (result []byte, err error) {
|
func ReadRootCASecret(restConfig *rest.Config, client *client.Client) (result []byte, err error) {
|
||||||
certProps, err := GetTLSCertProps(restConfig)
|
certProps, err := GetTLSCertProps(restConfig)
|
||||||
|
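Review bot: `ErrorsNotFound` is a mutable exported string, and the two `Run` hunks below branch on it with `strings.Contains(err.Error(), tls.ErrorsNotFound)`, so control flow now depends on message text that any re-wording of the message or of a wrapping layer breaks silently; the name also does not follow the `ErrXxx` convention for error values. A sentinel keeps the check structural: `var ErrRootCANotFound = errors.New("root CA certificate not found")` here, `return nil, errors.Wrapf(ErrRootCANotFound, "secret %s/%s", certProps.Namespace, tlsca.Name)` in `ReadRootCASecret`, and `errors.Is(err, tls.ErrRootCANotFound)` in `Monitor.Run` — this assumes the `errors` package imported here supports wrapping and `Is`, which the hunk does not show; if it does not, the stdlib `fmt.Errorf("... %w", ...)` and `errors.Is` do. If the string must stay exported, at least make it a `const` so it cannot be reassigned. `ReadRootCASecret` continues outside the hunk.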
@ -33,7 +35,7 @@ func ReadRootCASecret(restConfig *rest.Config, client *client.Client) (result []
|
||||||
|
|
||||||
result = tlsca.Data[RootCAKey]
|
result = tlsca.Data[RootCAKey]
|
||||||
if len(result) == 0 {
|
if len(result) == 0 {
|
||||||
return nil, errors.Errorf("root CA certificate not found in secret %s/%s", certProps.Namespace, tlsca.Name)
|
return nil, errors.Errorf("%s in secret %s/%s", ErrorsNotFound, certProps.Namespace, tlsca.Name)
|
||||||
}
|
}
|
||||||
|
|
||||||
return result, nil
|
return result, nil
|
||||||
|
|
|
@ -4,15 +4,16 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
"reflect"
|
"reflect"
|
||||||
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
"github.com/kyverno/kyverno/pkg/config"
|
"github.com/kyverno/kyverno/pkg/config"
|
||||||
"github.com/kyverno/kyverno/pkg/event"
|
"github.com/kyverno/kyverno/pkg/event"
|
||||||
"github.com/kyverno/kyverno/pkg/resourcecache"
|
|
||||||
"github.com/kyverno/kyverno/pkg/tls"
|
"github.com/kyverno/kyverno/pkg/tls"
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
v1 "k8s.io/api/core/v1"
|
||||||
|
informerv1 "k8s.io/client-go/informers/core/v1"
|
||||||
"k8s.io/client-go/tools/cache"
|
"k8s.io/client-go/tools/cache"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -41,22 +42,14 @@ type Monitor struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
//NewMonitor returns a new instance of webhook monitor
|
//NewMonitor returns a new instance of webhook monitor
|
||||||
func NewMonitor(resCache resourcecache.ResourceCache, log logr.Logger) *Monitor {
|
func NewMonitor(nsInformer informerv1.SecretInformer, log logr.Logger) *Monitor {
|
||||||
monitor := &Monitor{
|
monitor := &Monitor{
|
||||||
t: time.Now(),
|
t: time.Now(),
|
||||||
secretQueue: make(chan bool, 1),
|
secretQueue: make(chan bool, 1),
|
||||||
log: log,
|
log: log,
|
||||||
}
|
}
|
||||||
|
|
||||||
var err error
|
nsInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
|
||||||
secretCache, ok := resCache.GetGVRCache("Secret")
|
|
||||||
if !ok {
|
|
||||||
if secretCache, err = resCache.CreateGVKInformer("Secret"); err != nil {
|
|
||||||
log.Error(err, "unable to start Secret's informer")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
secretCache.GetInformer().AddEventHandler(cache.ResourceEventHandlerFuncs{
|
|
||||||
AddFunc: monitor.addSecretFunc,
|
AddFunc: monitor.addSecretFunc,
|
||||||
UpdateFunc: monitor.updateSecretFunc,
|
UpdateFunc: monitor.updateSecretFunc,
|
||||||
})
|
})
|
||||||
|
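Review bot: The doc comment on `NewMonitor` still reads `//NewMonitor returns a new instance of webhook monitor` and does not state the precondition the new signature introduces: the handlers are registered on `nsInformer.Informer()` here, but events only arrive once the informer's factory is started and synced, which this function does not do. Suggested comment (also restoring the space after `//` that gofmt expects): `// NewMonitor returns a webhook monitor that reacts to add and update events for Secrets in config.KyvernoNamespace. nsInformer must belong to an informer factory the caller starts; no events are delivered until it is running.` `NewMonitor` continues outside the hunk.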
@ -80,7 +73,7 @@ func (t *Monitor) SetTime(tm time.Time) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *Monitor) addSecretFunc(obj interface{}) {
|
func (t *Monitor) addSecretFunc(obj interface{}) {
|
||||||
secret := obj.(*unstructured.Unstructured)
|
secret := obj.(*v1.Secret)
|
||||||
if secret.GetNamespace() != config.KyvernoNamespace {
|
if secret.GetNamespace() != config.KyvernoNamespace {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
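Review bot: `secret := obj.(*v1.Secret)` on line 407 is an unchecked type assertion inside an informer callback, and the same pattern is used for `old` and `new` in the `updateSecretFunc` hunk that follows; an object of another type would panic from within the informer's goroutine and take the process down rather than being logged. A typed Secret informer is expected to deliver `*v1.Secret` on add and update, so the exposure is small, but the checked form costs two lines: `secret, ok := obj.(*v1.Secret)` followed by `if !ok { t.log.Info("unexpected object from secret informer", "type", fmt.Sprintf("%T", obj)); return }`. `addSecretFunc` continues outside the hunk.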
@ -94,8 +87,8 @@ func (t *Monitor) addSecretFunc(obj interface{}) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *Monitor) updateSecretFunc(oldObj interface{}, newObj interface{}) {
|
func (t *Monitor) updateSecretFunc(oldObj interface{}, newObj interface{}) {
|
||||||
old := oldObj.(*unstructured.Unstructured)
|
old := oldObj.(*v1.Secret)
|
||||||
new := newObj.(*unstructured.Unstructured)
|
new := newObj.(*v1.Secret)
|
||||||
if new.GetNamespace() != config.KyvernoNamespace {
|
if new.GetNamespace() != config.KyvernoNamespace {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -105,7 +98,7 @@ func (t *Monitor) updateSecretFunc(oldObj interface{}, newObj interface{}) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if reflect.DeepEqual(old.UnstructuredContent()["data"], new.UnstructuredContent()["data"]) {
|
if reflect.DeepEqual(old.DeepCopy().Data, new.DeepCopy().Data) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
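Review bot: `reflect.DeepEqual(old.DeepCopy().Data, new.DeepCopy().Data)` on line 486 deep-copies both Secret objects, every data value included, only to compare the two maps; `reflect.DeepEqual` does not mutate its arguments, so `if reflect.DeepEqual(old.Data, new.Data) {` is equivalent and avoids duplicating the secret material in memory on every update event. `updateSecretFunc` continues outside the hunk.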
@ -182,8 +175,11 @@ func (t *Monitor) Run(register *Register, certRenewer *tls.CertRenewer, eventGen
|
||||||
valid, err := certRenewer.ValidCert()
|
valid, err := certRenewer.ValidCert()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(err, "failed to validate cert")
|
logger.Error(err, "failed to validate cert")
|
||||||
|
|
||||||
|
if !strings.Contains(err.Error(), tls.ErrorsNotFound) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if valid {
|
if valid {
|
||||||
continue
|
continue
|
||||||
|
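Review bot: After the new `if !strings.Contains(err.Error(), tls.ErrorsNotFound)` check, the not-found case falls through with `err != nil` into `if valid { continue }`, so the flow relies on `certRenewer.ValidCert()` returning `valid == false` alongside a non-nil error; the hunk does not show that contract, and by Go convention the value is meaningless when the error is set. Setting `valid = false` inside the not-found branch, or giving that case its own branch, makes the intent explicit instead of depending on it. `logger.Error(err, "failed to validate cert")` is also emitted before the check, so the not-found case — which this change appears to treat as something to proceed from rather than a failure — is reported at Error level on every iteration; moving the `logger.Error` after the check and logging the not-found case with `logger.V(3).Info` keeps the error log for real failures. The same block appears again in the second `Run` hunk and could be one shared helper; `Run` starts before and ends after the hunk.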
@ -199,8 +195,11 @@ func (t *Monitor) Run(register *Register, certRenewer *tls.CertRenewer, eventGen
|
||||||
valid, err := certRenewer.ValidCert()
|
valid, err := certRenewer.ValidCert()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(err, "failed to validate cert")
|
logger.Error(err, "failed to validate cert")
|
||||||
|
|
||||||
|
if !strings.Contains(err.Error(), tls.ErrorsNotFound) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if valid {
|
if valid {
|
||||||
continue
|
continue
|
||||||
|
|