mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 16:06:56 +00:00
2a656f6de0
* feat: mutate existing, replace GR by UR in webhook server (#3601) * add attributes for post mutation Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR informer to webhook server Signed-off-by: ShutingZhao <shuting@nirmata.com> * - replace gr with ur in the webhook server; - create ur for mutateExsiting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace gr by ur across entire packages Signed-off-by: ShutingZhao <shuting@nirmata.com> * add YAMLs Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs & fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR deletion handler Signed-off-by: ShutingZhao <shuting@nirmata.com> * add api docs for v1beta1 Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix clientset method Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix v1beta1 client registration Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing - generates UR for admission requests (#3623) Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace with UR in policy controller generate rules (#3635) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * - enable mutate engine to process mutateExisting rules; - add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * implemented ur background reconciliation for mutateExisting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix webhook update error Signed-off-by: ShutingZhao <shuting@nirmata.com> * temporary comment out new unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing, replace GR by UR in webhook server (#3601) * add attributes for post mutation Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR informer to webhook server Signed-off-by: ShutingZhao <shuting@nirmata.com> * - replace gr with ur in the webhook server; - create ur for mutateExsiting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace gr by ur across entire packages Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix missing policy.kyverno.io/policy-name label (#3599) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * refactor cli code from pkg to cmd (#3591) * refactor cli code from pkg to cmd Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixes in imports Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixes tests Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixed conflicts Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * moved non-commands to utils Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> * add YAMLs Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs & fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR deletion handler Signed-off-by: ShutingZhao <shuting@nirmata.com> * add api docs for v1beta1 Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix clientset method Signed-off-by: ShutingZhao <shuting@nirmata.com> * add-kms-libraries for cosign (#3603) * add-kms-libraries Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * Shifted providers to cosign package Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add support for custom image extractors (#3596) Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Update vulnerable dependencies (#3577) Signed-off-by: Shubham Gupta <shubham.gupta2956@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix v1beta1 client registration Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing - generates UR for admission requests (#3623) Signed-off-by: ShutingZhao <shuting@nirmata.com> * updating version in Chart.yaml (#3618) * updatimg version in Chart.yaml Signed-off-by: Prateeknandle <prateeknandle@gmail.com> * changes from, make gen-helm Signed-off-by: Prateeknandle <prateeknandle@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Allow kyverno-policies to have preconditions defined (#3606) * Allow kyverno-policies to have preconditions defined Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix docs Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace with UR in policy controller generate rules (#3635) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * - enable mutate engine to process mutateExisting rules; - add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * implemented ur background reconciliation for mutateExisting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix webhook update error Signed-off-by: ShutingZhao <shuting@nirmata.com> * temporary comment out new unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * Image verify attestors (#3614) * fix logs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix logs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * support multiple attestors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rm CLI tests (not currently supported) Signed-off-by: Jim Bugwadia <jim@nirmata.com> * apply attestor repo Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix entryError assignment Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add intermediary certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Allow defining imagePullSecrets (#3633) * Allow defining imagePullSecrets Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use dict for imagePullSecrets Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Simplify how imagePullSecrets is defined Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Fix race condition in pCache (#3632) * fix race condition in pCache Signed-off-by: ShutingZhao <shuting@nirmata.com> * refact: remove unused Run function from generate (#3638) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * Remove helm mode setting (#3628) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * refactor: image utils (#3630) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * -resolve lift comments; -fix informer sync issue Signed-off-by: ShutingZhao <shuting@nirmata.com> * refact the update request cleanup controller Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * - fix delete request for mutateExisting; - fix context variable substitution; - improve logging Signed-off-by: ShutingZhao <shuting@nirmata.com> * - enable events; - add last applied annotation Signed-off-by: ShutingZhao <shuting@nirmata.com> * enable mutate existing on policy creation Signed-off-by: ShutingZhao <shuting@nirmata.com> * update autogen code Signed-off-by: ShutingZhao <shuting@nirmata.com> * merge main Signed-off-by: ShutingZhao <shuting@nirmata.com> * add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * address list comments Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix "Implicit memory aliasing in for loop" Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove unused definitions Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Mritunjay Kumar Sharma <mritunjaysharma394@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com> Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com> Co-authored-by: Shubham Gupta <shubham.gupta2956@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Prateek Nandle <56027872+Prateeknandle@users.noreply.github.com> Co-authored-by: treydock <tdockendorf@osc.edu> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
180 lines
4.3 KiB
Go
180 lines
4.3 KiB
Go
package webhookconfig
|
|
|
|
import (
|
|
"os"
|
|
"reflect"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/go-logr/logr"
|
|
"github.com/kyverno/kyverno/pkg/common"
|
|
"github.com/kyverno/kyverno/pkg/config"
|
|
ktls "github.com/kyverno/kyverno/pkg/tls"
|
|
v1 "k8s.io/api/core/v1"
|
|
informerv1 "k8s.io/client-go/informers/core/v1"
|
|
"k8s.io/client-go/kubernetes"
|
|
"k8s.io/client-go/tools/cache"
|
|
)
|
|
|
|
type Interface interface {
|
|
// Run starts the certManager
|
|
Run(stopCh <-chan struct{})
|
|
|
|
// InitTLSPemPair initializes the TLSPemPair
|
|
// it should be invoked by the leader
|
|
InitTLSPemPair()
|
|
|
|
// GetTLSPemPair gets the existing TLSPemPair from the secret
|
|
GetTLSPemPair() (*ktls.PemPair, error)
|
|
}
|
|
type certManager struct {
|
|
renewer *ktls.CertRenewer
|
|
secretInformer informerv1.SecretInformer
|
|
secretQueue chan bool
|
|
stopCh <-chan struct{}
|
|
log logr.Logger
|
|
}
|
|
|
|
func NewCertManager(secretInformer informerv1.SecretInformer, kubeClient kubernetes.Interface, certRenewer *ktls.CertRenewer, log logr.Logger, stopCh <-chan struct{}) (Interface, error) {
|
|
manager := &certManager{
|
|
renewer: certRenewer,
|
|
secretInformer: secretInformer,
|
|
secretQueue: make(chan bool, 1),
|
|
stopCh: stopCh,
|
|
log: log,
|
|
}
|
|
|
|
secretInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
|
|
AddFunc: manager.addSecretFunc,
|
|
UpdateFunc: manager.updateSecretFunc,
|
|
})
|
|
|
|
return manager, nil
|
|
}
|
|
|
|
func (m *certManager) addSecretFunc(obj interface{}) {
|
|
secret := obj.(*v1.Secret)
|
|
if secret.GetNamespace() != config.KyvernoNamespace {
|
|
return
|
|
}
|
|
|
|
val, ok := secret.GetAnnotations()[ktls.SelfSignedAnnotation]
|
|
if !ok || val != "true" {
|
|
return
|
|
}
|
|
|
|
m.secretQueue <- true
|
|
}
|
|
|
|
func (m *certManager) updateSecretFunc(oldObj interface{}, newObj interface{}) {
|
|
old := oldObj.(*v1.Secret)
|
|
new := newObj.(*v1.Secret)
|
|
if new.GetNamespace() != config.KyvernoNamespace {
|
|
return
|
|
}
|
|
|
|
val, ok := new.GetAnnotations()[ktls.SelfSignedAnnotation]
|
|
if !ok || val != "true" {
|
|
return
|
|
}
|
|
|
|
if reflect.DeepEqual(old.DeepCopy().Data, new.DeepCopy().Data) {
|
|
return
|
|
}
|
|
|
|
m.secretQueue <- true
|
|
m.log.V(4).Info("secret updated, reconciling webhook configurations")
|
|
}
|
|
|
|
func (m *certManager) InitTLSPemPair() {
|
|
_, err := m.renewer.InitTLSPemPair()
|
|
if err != nil {
|
|
m.log.Error(err, "initialization error")
|
|
os.Exit(1)
|
|
}
|
|
}
|
|
|
|
func (m *certManager) GetTLSPemPair() (*ktls.PemPair, error) {
|
|
var tls *ktls.PemPair
|
|
var err error
|
|
|
|
retryReadTLS := func() error {
|
|
tls, err = ktls.ReadTLSPair(m.renewer.ClientConfig(), m.renewer.Client())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
m.log.Info("read TLS pem pair from the secret")
|
|
return nil
|
|
}
|
|
|
|
msg := "failed to read TLS pair"
|
|
f := common.RetryFunc(time.Second, time.Minute, retryReadTLS, msg, m.log.WithName("GetTLSPemPair/Retry"))
|
|
err = f()
|
|
|
|
return tls, err
|
|
}
|
|
|
|
func (m *certManager) Run(stopCh <-chan struct{}) {
|
|
if !cache.WaitForCacheSync(stopCh, m.secretInformer.Informer().HasSynced) {
|
|
m.log.Info("failed to sync informer cache")
|
|
return
|
|
}
|
|
|
|
m.secretInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
|
|
AddFunc: m.addSecretFunc,
|
|
UpdateFunc: m.updateSecretFunc,
|
|
})
|
|
|
|
m.log.Info("start managing certificate")
|
|
certsRenewalTicker := time.NewTicker(ktls.CertRenewalInterval)
|
|
defer certsRenewalTicker.Stop()
|
|
|
|
for {
|
|
select {
|
|
case <-certsRenewalTicker.C:
|
|
valid, err := m.renewer.ValidCert()
|
|
if err != nil {
|
|
m.log.Error(err, "failed to validate cert")
|
|
|
|
if !strings.Contains(err.Error(), ktls.ErrorsNotFound) {
|
|
continue
|
|
}
|
|
}
|
|
|
|
if valid {
|
|
continue
|
|
}
|
|
|
|
m.log.Info("rootCA is about to expire, trigger a rolling update to renew the cert")
|
|
if err := m.renewer.RollingUpdate(); err != nil {
|
|
m.log.Error(err, "unable to trigger a rolling update to renew rootCA, force restarting")
|
|
os.Exit(1)
|
|
}
|
|
|
|
case <-m.secretQueue:
|
|
valid, err := m.renewer.ValidCert()
|
|
if err != nil {
|
|
m.log.Error(err, "failed to validate cert")
|
|
|
|
if !strings.Contains(err.Error(), ktls.ErrorsNotFound) {
|
|
continue
|
|
}
|
|
}
|
|
|
|
if valid {
|
|
continue
|
|
}
|
|
|
|
m.log.Info("rootCA has changed, updating webhook configurations")
|
|
if err := m.renewer.RollingUpdate(); err != nil {
|
|
m.log.Error(err, "unable to trigger a rolling update to re-register webhook server, force restarting")
|
|
os.Exit(1)
|
|
}
|
|
|
|
case <-m.stopCh:
|
|
m.log.V(2).Info("stopping cert renewer")
|
|
return
|
|
}
|
|
}
|
|
}
|