1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00
Commit graph

57 commits

Author SHA1 Message Date
Mariam Fahmy
955738ce20
chore: set cert renewal time to 15 days before expiration (#8567)
* chore: set cert renewal time to 15 days before expiration

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2023-12-06 13:37:01 +00:00
Charles-Edouard Brétéché
06d942f462
refactor: remove logger from tls package (#8157)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-29 10:31:56 +00:00
Charles-Edouard Brétéché
0f9fe30c08
feat: allow overriding ca and tls secret names (#8137)
* feat: allow overriding ca and tls secret names

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-28 14:05:49 +00:00
Vishal Choudhary
b374c05517
fix: update certmanager and config to take common name and namespace as arguments (#8129)
* feat: add namespace and common name args

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

* fix: remove unnecessary dns name

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>

---------

Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-28 12:04:37 +00:00
shuting
c751f1de58
fix: renew tls cert when ca cert is deleted (#8114)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
2023-08-25 16:15:14 +00:00
Charles-Edouard Brétéché
ab6fc0ad1b
fix: reduce tls package dependencies (part 2) (#8109)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-25 11:24:52 +00:00
Charles-Edouard Brétéché
59c2a5d813
fix: reduce tls package dependencies (#8107)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-24 11:52:57 +00:00
Charles-Edouard Brétéché
2e842ec6a3
fix: server name without port to generated certificate (#8053)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-08-17 18:35:00 +05:30
Charles-Edouard Brétéché
ee897b3ebe
chore: move cert.kyverno.io/managed-by label in constants (#7942)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-07-31 16:17:51 +03:00
Charles-Edouard Brétéché
03702476fa
refactor: move kyverno constants out of v1 package (#7760)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-07-06 08:00:36 +00:00
Charles-Edouard Brétéché
f2bfc13edb
fix: stop using lister in tls renewer (#7629)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-06-21 13:35:43 +00:00
Charles-Edouard Brétéché
4a489b8979
fix: delete certificate secret if type is not TLS (#6368)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-02-22 17:04:17 +08:00
Fish-pro
fdfdcc058f
Remove dependency on github.com/pkg/errors (#6165)
Signed-off-by: Fish-pro <zechun.chen@daocloud.io>
2023-02-01 14:38:04 +08:00
Charles-Edouard Brétéché
ad19108d34
refactor: remove common package (#5750)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-12-21 20:30:45 +00:00
Charles-Edouard Brétéché
c8185feb11
fix: use lister for CA secret (#5598)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-12-07 14:08:37 +08:00
Charles-Edouard Brétéché
16aca2816f
fix: don't report ready until certs are valid (#4934)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-14 04:23:42 +00:00
Charles-Edouard Brétéché
090b68e55d
feat: make cert renewer private and add server name support (#4904)
* fix: remove unnecessary dependencies from tls package

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feat: make cert renewer private and add server name support

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* nits

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-13 09:46:05 +00:00
Charles-Edouard Brétéché
d25dccbd9c
fix: remove unnecessary dependencies from tls package (#4903)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-12 09:36:26 +00:00
Charles-Edouard Brétéché
13ce3f55ed
fix: use new client in tls package (#4746)
* fix: use new client in tls package

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix import

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2022-10-06 08:11:59 +00:00
yinka
688b4fb8e3
add package logger in files (#4766)
* add package logger in files

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* add package logger to initContainer and other files

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* helm docs

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* helm default values

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* release notes

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-10-02 19:45:03 +00:00
Charles-Edouard Brétéché
205bb28b52
feat: add typed client support and metrics wrapper (#4724)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-29 17:12:50 +05:30
Charles-Edouard Brétéché
42a2df56c1
refactor: add a couple of constants in api (#4640)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-09-19 09:11:12 +00:00
shuting
3bf3dcc1af
Add the metric "kyverno_client_queries_total" (#4359)
* Add metric "kyverno_kube_client_queries_total"

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* publish metric for missing queries

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Refactor the way Kyverno registers QPS metric

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Move clientsets to a dedicated folder

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Wrap Kyverno client and policyreport client to register client query metric

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* address linter comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* address linter comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Switch to use wrapper clients

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-08-31 11:33:47 +05:30
Charles-Edouard Brétéché
666bcb3c15
chore: make k8s api import aliases consistent (#3950)
* chore: make kyverno api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make apimachinery api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 22:14:31 +08:00
Charles-Edouard Brétéché
97cf1b3e95
feat: gracefull certificates rotation support (#3890)
* refactor: remove deployment hash on certs secrets

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* feat: add label on kyverno webhooks

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* feat: implement update ca bundle

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* test: set very low validity and expiration intervals

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: writing secret

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* add renew ca

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* decouple ca and tls validity duration

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactored code, everything is in place to finalize implementation

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* use real validity periods

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2022-05-12 14:07:25 +00:00
Charles-Edouard Brétéché
37a5a6652f
fix: write secret (#3891)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
2022-05-11 15:46:37 +00:00
Charles-Edouard Brétéché
8f825bb040
refactor: remove deployment hash on certs secrets (#3886)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-11 16:58:14 +02:00
Charles-Edouard Brétéché
c2602d8181
refactor: cleanup tls package (#3854)
* refactor: init certs with certs renewer directly

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: tls package

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: cleanup tls package

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-11 08:05:13 +00:00
Charles-Edouard Brétéché
a32d0f8029
fix: include ca key in secret (#3804)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
2022-05-11 07:11:50 +00:00
Charles-Edouard Brétéché
2064a69b8a
refactor: make config vars private (#3823)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-11 06:14:30 +00:00
Charles-Edouard Brétéché
bfc4290285
chore: enable more linters (#3862)
* chore: enable deadcode and unused linters

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: enable more linters

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-10 21:20:04 +05:30
Charles-Edouard Brétéché
967ad7cb8e
refactor: remove the need for self-signed annotation on cert secret (#3850)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-10 08:58:51 +00:00
Charles-Edouard Brétéché
25c2bf0e1f
fix: remove k8s apiserver from self-generated cert (#3803)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
2022-05-05 13:26:55 +00:00
Charles-Edouard Brétéché
9a1a82e3b5
feat: parse all root CA certs (#3808)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-05 09:31:22 +01:00
Charles-Edouard Brétéché
a6924a11ab
refactor: use typed k8s client in tls package (#3678)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-26 20:18:14 +00:00
Prateek Pandey
c30dfe70a5
fix deployment replica type conversion and refactor webhook logs (#3022)
- add level in info webhook configuration update success logs
- fix deployment replica count conversion issue

Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
2022-01-19 17:14:33 +00:00
Kumar Mallikarjuna
037a320fba
Added TLS annotation check in the initContainer (#2956)
* Added TLS annotation check in the initContainer

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Error checks

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Refactor annotation addition code

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Strict error reporting

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Error handling for Secrets

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Updated error conditions

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Update for nil error

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
2022-01-11 08:47:24 +00:00
Kumar Mallikarjuna
9e16e763a0
ValidCert Secret Annotation Check (#2933)
* Annotation check for Secrets

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Fix inconsistent errors

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Fix linting error

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
2022-01-07 20:15:00 +00:00
Kumar Mallikarjuna
4410b6adc3
Fix condition for rolling update (#2930) 2022-01-07 17:33:01 +00:00
Kumar Mallikarjuna
214f338ec3
Fix TLS inconsitency in HA (#2910)
* Fix TLS inconsitency in HA

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Add error checks

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Remove rendundant err definitions

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Handle all Secret errors

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
2022-01-06 09:11:16 +00:00
Bricktop
d62234d776
Fix remaining static check findings (#2541)
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
2021-10-13 16:00:41 -07:00
Bricktop
2d0df77963
Format error messages correctly (#2519)
* Format error messages correctly

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* No punctuation at the end or errors

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* Replace loop with simple if

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* Fix more errors

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
2021-10-12 14:29:20 -07:00
shuting
e9a972a362
feat: HA (#1931)
* Fix Dev setup

* webhook monitor - start webhook monitor in main process

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leaderelection

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* - add isLeader; - update to use configmap lock

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* - add initialization method - add methods to get attributes

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* address comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* remove newContext in runLeaderElection

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to GenerateController

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* skip processing for non-leaders

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* skip processing for non-leaders

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add leader election to generate cleanup controller

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Gracefully drain request

* HA - Webhook Register / Webhook Monitor / Certificate Renewer (#1920)

* enable leader election for webhook register

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* extract certManager to its own process

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* leader election for cert manager

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* certManager - init certs by the leader

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to webhook monitor

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update log message

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to policy controller

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to policy report controller

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* rebuild leader election config

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* start informers in leaderelection

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* start policy informers in main

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* enable leader election in main

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* move eventHandler to the leader election start method

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* address reviewdog comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add clusterrole leaderelection

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fixed generate flow (#1936)

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* - init separate kubeclient for leaderelection - fix webhook monitor

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* address reviewdog comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* cleanup Kyverno managed resources on stopLeading

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* tag v1.4.0-beta1

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix cleanup process on Kyverno stops

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* bump kind to 0.11.0, k8s v1.21 (#1980)

Co-authored-by: vyankatesh <vyankatesh@neualto.com>
Co-authored-by: vyankatesh <vyankateshkd@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Pooja Singh <36136335+NoSkillGirl@users.noreply.github.com>
2021-06-08 12:37:19 -07:00
shuting
e9952fbaf2
Remove secret from default resourceCache (#1878)
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-05-04 22:10:01 -07:00
shuting
c816cf3d69
Add certificate renewer in webhook registration controller (#1692)
* load TLS pair from existing secret, if applicable

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* remove Kyverno managed secrets during shutdown

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* - add certificate renewer; - re-structure certificate package

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* commit un-saved file

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* eliminate throttling requests while registering webhook configs

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* disable webhook monitor (in old pod) during rolling update

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* remove webhook cleanup logic from init container

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update PR template

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update link to the website repo

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update repo name

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 11:31:04 -07:00
shuting
d82f19be4e
Feature/fix dev mode execution (#1477)
* add serverIP to X.509 certificate SANs

* disable webhook monitor in debug mode

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2021-01-20 15:25:27 -08:00
shuting
52d091c5a3
Improve / clean up code (#1444)
* Remove lock embedded in CRD controller, use concurrent map to store shcemas

* delete rcr info from data store

* skip policy validation on status update

* - remove status check in policy mutation; - fix test

* Remove fqdncn flag

* add flag profiling port

* skip policy mutation & validation on status update

* sync policy status every minute

* update log messages
2021-01-06 16:32:02 -08:00
Shuting Zhao
b9fb926ddb fixes for golint ./... 2020-11-17 13:07:30 -08:00
Shuting Zhao
e8c5d47bdf update names 2020-10-07 14:44:36 -07:00
Shuting Zhao
3c65f343fe update secret with unstructured obj 2020-10-07 14:30:00 -07:00