refactor: certificates management (kyverno#152)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
eddycharly · Oct 27, 2024 · 6e48774 · 6e48774
1 parent d7350c6
commit 6e48774
Show file tree

Hide file tree

Showing 20 changed files with 46 additions and 429 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
+.certs/
 .tools/
 website/site/
 /kyverno-envoy-plugin

diff --git a/Makefile b/Makefile
@@ -188,6 +188,21 @@ kind-load-image: ko-build
 	@echo Load image in kind... >&2
 	@$(KIND) load docker-image $(KO_REGISTRY)/$(PACKAGE):$(GIT_SHA)
 
+################
+# CERTIFICATES #
+################
+
+.PHONY: generate-certs
+generate-certs: ## Generate certificates
+generate-certs:
+	@echo Generating certificates... >&2
+	@rm -rf .certs
+	@mkdir -p .certs
+	@openssl req -new -x509  \
+        -subj "/CN=kyverno-sidecar-injector.kyverno.svc" \
+        -addext "subjectAltName = DNS:kyverno-sidecar-injector.kyverno.svc" \
+        -nodes -newkey rsa:4096 -keyout .certs/tls.key -out .certs/tls.crt 
+
 #########
 # ISTIO #
 #########
@@ -206,14 +221,17 @@ install-istio: $(HELM)
 .PHONY: install-kyverno-sidecar-injector
 install-kyverno-sidecar-injector: ## Install kyverno-sidecar-injector chart
 install-kyverno-sidecar-injector: kind-load-image
+install-kyverno-sidecar-injector: generate-certs
 install-kyverno-sidecar-injector: $(HELM)
 	@echo Build kyverno-sidecar-injector dependecy... >&2
 	@$(HELM) dependency build --skip-refresh ./charts/kyverno-sidecar-injector
 	@echo Install kyverno-sidecar-injector chart... >&2
 	@$(HELM) upgrade --install kyverno-sidecar-injector --namespace kyverno --create-namespace --wait ./charts/kyverno-sidecar-injector \
 		--set containers.injector.image.registry=$(KO_REGISTRY) \
 		--set containers.injector.image.repository=$(PACKAGE) \
-		--set containers.injector.image.tag=$(GIT_SHA)
+		--set containers.injector.image.tag=$(GIT_SHA) \
+		--set-file certificates.static.crt=.certs/tls.crt \
+		--set-file certificates.static.key=.certs/tls.key
 
 .PHONY: install-kyverno-authz-server
 install-kyverno-authz-server: ## Install kyverno-authz-server chart

diff --git a/charts/kyverno-sidecar-injector/templates/_helpers.tpl b/charts/kyverno-sidecar-injector/templates/_helpers.tpl
@@ -1,7 +1,7 @@
 {{/* vim: set filetype=mustache: */}}
 
 {{- define "sidecar-injector.name" -}}
-{{ template "kyverno.lib.names.name" . }}-sidecar-injector
+{{ template "kyverno.lib.names.name" . }}
 {{- end -}}
 
 {{- define "sidecar-injector.labels" -}}
@@ -18,10 +18,6 @@
 ) -}}
 {{- end -}}
 
-{{- define "sidecar-injector.role.name" -}}
-{{- include "kyverno.lib.names.fullname" . -}}:sidecar-injector
-{{- end -}}
-
 {{- define "sidecar-injector.service-account.name" -}}
 {{- if .Values.rbac.create -}}
     {{- default (include "sidecar-injector.name" .) .Values.rbac.serviceAccount.name -}}
@@ -30,10 +26,6 @@
 {{- end -}}
 {{- end -}}
 
-{{- define "sidecar-injector.serviceName" -}}
-{{- printf "%s-svc" (include "kyverno.lib.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
 {{- define "sidecar-injector.image" -}}
 {{- printf "%s/%s:%s" .registry .repository (default "latest" .tag) -}}
 {{- end -}}
diff --git a/charts/kyverno-sidecar-injector/templates/certificates/static.yaml b/charts/kyverno-sidecar-injector/templates/certificates/static.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.certificates.static -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "sidecar-injector.name" . }}
+  namespace: {{ template "kyverno.lib.namespace" . }}
+  labels:
+    {{- include "sidecar-injector.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ .Values.certificates.static.crt | b64enc }}
+  tls.key: {{ .Values.certificates.static.key | b64enc }}
+{{- end }}
diff --git a/charts/kyverno-sidecar-injector/templates/service.yaml b/charts/kyverno-sidecar-injector/templates/service.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ template "sidecar-injector.service-account.name" . }}
+  name: {{ template "sidecar-injector.name" . }}
   namespace: {{ template "kyverno.lib.namespace" . }}
   labels:
     {{- include "sidecar-injector.labels" . | nindent 4 }}

diff --git a/...ecar-injector/templates/certificates.yaml → ...ar-injector/templates/webhook/static.yaml b/...ecar-injector/templates/certificates.yaml → ...ar-injector/templates/webhook/static.yaml
@@ -1,23 +1,4 @@
-{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.lib.namespace" .)) 1024 -}}
-{{- $svcName := (printf "%s.%s.svc" (include "sidecar-injector.name" .) (include "kyverno.lib.namespace" .)) -}}
-{{- $tls := genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
-{{- if .Values.certificates.selfSigned -}}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ template "sidecar-injector.name" . }}
-  namespace: {{ template "kyverno.lib.namespace" . }}
-  labels:
-    {{- include "sidecar-injector.labels" . | nindent 4 }}
-  annotations:
-    self-signed-cert: "true"
-type: kubernetes.io/tls
-data:
-  tls.key: {{ $tls.Key | b64enc }}
-  tls.crt: {{ $tls.Cert | b64enc }}
-  ca.crt: {{ $ca.Cert | b64enc }}
-{{- end }}
----
+{{- if .Values.certificates.static -}}
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
@@ -35,7 +16,7 @@ webhooks:
         name: {{ template "sidecar-injector.name" . }}
         namespace: {{ template "kyverno.lib.namespace" . }}
         path: "/mutate"
-      caBundle: {{ $ca.Cert | b64enc }}
+      caBundle: {{ index .Values.certificates.static.crt | b64enc }}
     failurePolicy: {{ .Values.webhook.failurePolicy }}
     sideEffects: None
     admissionReviewVersions: [ v1 ]
@@ -53,3 +34,4 @@ webhooks:
     namespaceSelector:
       {{- tpl (toYaml .) $ | nindent 6 }}
     {{- end }}
+{{- end }}
diff --git a/charts/kyverno-sidecar-injector/values.yaml b/charts/kyverno-sidecar-injector/values.yaml
@@ -27,9 +27,8 @@ rbac:
 
 certificates:
 
-  # -- Create self-signed certificates at deployment time.
-  # The certificates won't be automatically renewed if this is set to `true`.
-  selfSigned: true
+  # -- Static data to set in certificate secret
+  static: {}
 
 deployment:
 
@@ -230,12 +229,12 @@ webhook:
   annotations: {}
     # example.com/annotation: value
 
-  # -- Webhook object selector
-  objectSelector: ~
-
   # -- Webhook failure policy
   failurePolicy: Fail
 
+  # -- Webhook object selector
+  objectSelector: ~
+
   # -- Webhook namespace selector
   namespaceSelector:
     matchExpressions:

diff --git a/pkg/signals/context.go b/pkg/signals/context.go
@@ -12,7 +12,7 @@ func Context(ctx context.Context) (context.Context, context.CancelFunc) {
 	return signal.NotifyContext(ctx, syscall.SIGINT, syscall.SIGTERM)
 }
 
-func Do(ctx context.Context, f func(context.Context) error) error {
+func Do(ctx context.Context, callback func(context.Context) error) error {
 	// create a wait group
 	var group wait.Group
 	// wait all tasks in the group are over
@@ -28,5 +28,6 @@ func Do(ctx context.Context, f func(context.Context) error) error {
 		// wait signals are triggered
 		<-ctx.Done()
 	})
-	return f(ctx)
+	// invoke callback with signals aware context
+	return callback(ctx)
 }
diff --git a/sidecar-injector/Dockerfile b/sidecar-injector/Dockerfile
diff --git a/sidecar-injector/example-manifest/exampledeploy.yaml b/sidecar-injector/example-manifest/exampledeploy.yaml
diff --git a/sidecar-injector/example-manifest/policyfile-configmap.yaml b/sidecar-injector/example-manifest/policyfile-configmap.yaml
diff --git a/sidecar-injector/manifests/certs/tls.crt b/sidecar-injector/manifests/certs/tls.crt
diff --git a/sidecar-injector/manifests/certs/tls.key b/sidecar-injector/manifests/certs/tls.key
diff --git a/sidecar-injector/manifests/create-mutating-webhook.sh b/sidecar-injector/manifests/create-mutating-webhook.sh