mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity
5973 commits 15 branches 540 tags 276 MiB
Commit graph

46 commits

Author SHA1 Message Date
Charles-Edouard Brétéché
4a489b8979
fix: delete certificate secret if type is not TLS (#6368) 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
 2023-02-22 17:04:17 +08:00
Fish-pro
fdfdcc058f
Remove dependency on github.com/pkg/errors (#6165) 
Signed-off-by: Fish-pro <zechun.chen@daocloud.io>
 2023-02-01 14:38:04 +08:00
Charles-Edouard Brétéché
ad19108d34
refactor: remove common package (#5750) 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
 2022-12-21 20:30:45 +00:00
Charles-Edouard Brétéché
c8185feb11
fix: use lister for CA secret (#5598) 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
 2022-12-07 14:08:37 +08:00
Charles-Edouard Brétéché
16aca2816f
fix: don't report ready until certs are valid (#4934) 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
 2022-10-14 04:23:42 +00:00
Charles-Edouard Brétéché
090b68e55d
feat: make cert renewer private and add server name support (#4904) 
* fix: remove unnecessary dependencies from tls package

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feat: make cert renewer private and add server name support

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* nits

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
 2022-10-13 09:46:05 +00:00
Charles-Edouard Brétéché
d25dccbd9c
fix: remove unnecessary dependencies from tls package (#4903) 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
 2022-10-12 09:36:26 +00:00
Charles-Edouard Brétéché
13ce3f55ed
fix: use new client in tls package (#4746) 
* fix: use new client in tls package

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix import

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
 2022-10-06 08:11:59 +00:00
yinka
688b4fb8e3
add package logger in files (#4766) 
* add package logger in files

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* add package logger to initContainer and other files

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>

* helm docs

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* helm default values

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* release notes

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: damilola olayinka <holayinkajr@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-10-02 19:45:03 +00:00
Charles-Edouard Brétéché
205bb28b52
feat: add typed client support and metrics wrapper (#4724) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-09-29 17:12:50 +05:30
Charles-Edouard Brétéché
42a2df56c1
refactor: add a couple of constants in api (#4640) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-09-19 09:11:12 +00:00
shuting
3bf3dcc1af
Add the metric "kyverno_client_queries_total" (#4359) 
* Add metric "kyverno_kube_client_queries_total"

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* publish metric for missing queries

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Refactor the way Kyverno registers QPS metric

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Move clientsets to a dedicated folder

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Wrap Kyverno client and policyreport client to register client query metric

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* address linter comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* address linter comments

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Switch to use wrapper clients

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
 2022-08-31 11:33:47 +05:30
Charles-Edouard Brétéché
666bcb3c15
chore: make k8s api import aliases consistent (#3950) 
* chore: make kyverno api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: make apimachinery api import aliases consistent

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-05-17 22:14:31 +08:00
Charles-Edouard Brétéché
97cf1b3e95
feat: gracefull certificates rotation support (#3890) 
* refactor: remove deployment hash on certs secrets

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* feat: add label on kyverno webhooks

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* feat: implement update ca bundle

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* test: set very low validity and expiration intervals

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* fix: writing secret

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* add renew ca

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* decouple ca and tls validity duration

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactored code, everything is in place to finalize implementation

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* use real validity periods

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
 2022-05-12 14:07:25 +00:00
Charles-Edouard Brétéché
37a5a6652f
fix: write secret (#3891) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
 2022-05-11 15:46:37 +00:00
Charles-Edouard Brétéché
8f825bb040
refactor: remove deployment hash on certs secrets (#3886) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-05-11 16:58:14 +02:00
Charles-Edouard Brétéché
c2602d8181
refactor: cleanup tls package (#3854) 
* refactor: init certs with certs renewer directly

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: tls package

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: cleanup tls package

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-05-11 08:05:13 +00:00
Charles-Edouard Brétéché
a32d0f8029
fix: include ca key in secret (#3804) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
 2022-05-11 07:11:50 +00:00
Charles-Edouard Brétéché
2064a69b8a
refactor: make config vars private (#3823) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-05-11 06:14:30 +00:00
Charles-Edouard Brétéché
bfc4290285
chore: enable more linters (#3862) 
* chore: enable deadcode and unused linters

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* chore: enable more linters

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-05-10 21:20:04 +05:30
Charles-Edouard Brétéché
967ad7cb8e
refactor: remove the need for self-signed annotation on cert secret (#3850) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-05-10 08:58:51 +00:00
Charles-Edouard Brétéché
25c2bf0e1f
fix: remove k8s apiserver from self-generated cert (#3803) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
 2022-05-05 13:26:55 +00:00
Charles-Edouard Brétéché
9a1a82e3b5
feat: parse all root CA certs (#3808) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-05-05 09:31:22 +01:00
Charles-Edouard Brétéché
a6924a11ab
refactor: use typed k8s client in tls package (#3678) 
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
 2022-04-26 20:18:14 +00:00
Prateek Pandey
c30dfe70a5
fix deployment replica type conversion and refactor webhook logs (#3022) 
- add level in info webhook configuration update success logs
- fix deployment replica count conversion issue

Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
 2022-01-19 17:14:33 +00:00
Kumar Mallikarjuna
037a320fba
Added TLS annotation check in the initContainer (#2956) 
* Added TLS annotation check in the initContainer

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Error checks

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Refactor annotation addition code

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Strict error reporting

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Error handling for Secrets

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Updated error conditions

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Update for nil error

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
 2022-01-11 08:47:24 +00:00
Kumar Mallikarjuna
9e16e763a0
ValidCert Secret Annotation Check (#2933) 
* Annotation check for Secrets

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Fix inconsistent errors

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Fix linting error

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
 2022-01-07 20:15:00 +00:00
Kumar Mallikarjuna
4410b6adc3
Fix condition for rolling update (#2930) 2022-01-07 17:33:01 +00:00
Kumar Mallikarjuna
214f338ec3
Fix TLS inconsitency in HA (#2910) 
* Fix TLS inconsitency in HA

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Add error checks

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Remove rendundant err definitions

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>

* Handle all Secret errors

Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
 2022-01-06 09:11:16 +00:00
Bricktop
d62234d776
Fix remaining static check findings (#2541) 
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
 2021-10-13 16:00:41 -07:00
Bricktop
2d0df77963
Format error messages correctly (#2519) 
* Format error messages correctly

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* No punctuation at the end or errors

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* Replace loop with simple if

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* Fix more errors

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
 2021-10-12 14:29:20 -07:00
shuting
e9a972a362
feat: HA (#1931) 
* Fix Dev setup

* webhook monitor - start webhook monitor in main process

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leaderelection

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* - add isLeader; - update to use configmap lock

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* - add initialization method - add methods to get attributes

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* address comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* remove newContext in runLeaderElection

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to GenerateController

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* skip processing for non-leaders

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* skip processing for non-leaders

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add leader election to generate cleanup controller

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* Gracefully drain request

* HA - Webhook Register / Webhook Monitor / Certificate Renewer (#1920)

* enable leader election for webhook register

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* extract certManager to its own process

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* leader election for cert manager

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* certManager - init certs by the leader

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to webhook monitor

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update log message

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to policy controller

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add leader election to policy report controller

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* rebuild leader election config

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* start informers in leaderelection

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* start policy informers in main

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* enable leader election in main

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* move eventHandler to the leader election start method

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* address reviewdog comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add clusterrole leaderelection

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fixed generate flow (#1936)

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* - init separate kubeclient for leaderelection - fix webhook monitor

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* address reviewdog comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* cleanup Kyverno managed resources on stopLeading

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* tag v1.4.0-beta1

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fix cleanup process on Kyverno stops

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* bump kind to 0.11.0, k8s v1.21 (#1980)

Co-authored-by: vyankatesh <vyankatesh@neualto.com>
Co-authored-by: vyankatesh <vyankateshkd@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Pooja Singh <36136335+NoSkillGirl@users.noreply.github.com>
 2021-06-08 12:37:19 -07:00
shuting
e9952fbaf2
Remove secret from default resourceCache (#1878) 
Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-05-04 22:10:01 -07:00
shuting
c816cf3d69
Add certificate renewer in webhook registration controller (#1692) 
* load TLS pair from existing secret, if applicable

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* remove Kyverno managed secrets during shutdown

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* - add certificate renewer; - re-structure certificate package

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* commit un-saved file

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* eliminate throttling requests while registering webhook configs

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* disable webhook monitor (in old pod) during rolling update

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* remove webhook cleanup logic from init container

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update PR template

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update link to the website repo

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update repo name

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
 2021-03-16 11:31:04 -07:00
shuting
d82f19be4e
Feature/fix dev mode execution (#1477) 
* add serverIP to X.509 certificate SANs

* disable webhook monitor in debug mode

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Jim Bugwadia <jim@nirmata.com>
 2021-01-20 15:25:27 -08:00
shuting
52d091c5a3
Improve / clean up code (#1444) 
* Remove lock embedded in CRD controller, use concurrent map to store shcemas

* delete rcr info from data store

* skip policy validation on status update

* - remove status check in policy mutation; - fix test

* Remove fqdncn flag

* add flag profiling port

* skip policy mutation & validation on status update

* sync policy status every minute

* update log messages
 2021-01-06 16:32:02 -08:00
Shuting Zhao
b9fb926ddb fixes for golint ./... 2020-11-17 13:07:30 -08:00
Shuting Zhao
e8c5d47bdf update names 2020-10-07 14:44:36 -07:00
Shuting Zhao
3c65f343fe update secret with unstructured obj 2020-10-07 14:30:00 -07:00
Shuting Zhao
db92f20364 - use self-signed certificate to build TLS webhook server; 
- remove CSR related code
 2020-10-07 14:19:23 -07:00
Shuting Zhao
cdc5190c56 update nirmata/kyverno to kyverno/kyverno 2020-10-07 11:12:31 -07:00
Yuvraj
801c7513cb golanfci-lint changes 
Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
 2020-03-24 00:35:05 +05:30
shivkumar dudhani
1e5f871665 lowercase the cmdline arg 2020-01-08 16:40:19 -08:00
shivkumar dudhani
38dcb2e94f flag to use FQDN as CommonName in CSR 2020-01-06 16:12:53 -08:00
shivdudhani
200f3fce63 refactor code 2019-06-05 17:43:59 -07:00
Maxim Goncharenko
d4148b0255 Moved TLS utils to named package 2019-05-14 17:57:57 +03:00