From 01fb5ad4ed1e90418cf70547cd62142fc185ec29 Mon Sep 17 00:00:00 2001 From: Alvaro Iradier Date: Thu, 20 Jul 2023 11:52:25 +0200 Subject: [PATCH 1/4] feat(admission-controller): simplify certificate options --- charts/admission-controller/README.md | 7 ++----- .../templates/_helpers.tpl | 19 ------------------- charts/admission-controller/values.yaml | 19 ------------------- 3 files changed, 2 insertions(+), 43 deletions(-) diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md index 81a55d3fe..fd041895d 100644 --- a/charts/admission-controller/README.md +++ b/charts/admission-controller/README.md @@ -143,10 +143,7 @@ The following table lists the configurable parameters of the `admission-controll | webhook.dryRun | Dry Run request | false | | webhook.logLevel | Log Level - Valid Values are: error, info, debug, trace | info | | webhook.ssl.reuseTLSSecret | Reuse existing TLS Secret during chart upgrade | false | -| webhook.ssl.ca.cert | For outbound connections (secure backend, proxy,...)
And inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded x509 certificate authority.
If empty, a new CA will be autogenerated. | "" | -| webhook.ssl.ca.key | For outbound connections (secure backend, proxy,...)
A PEM-encoded private key of the certificate authority to use in the certificate generation.
If empty, a new CA will be autogenerated. | "" | -| webhook.ssl.cert | For inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded x509 certificate signed by the CA.
If empty, a new cert will be generated.
If provided, it must be valid with the `webhook.ssl.ca`.
If this is set, the key must also be provided. | "" | -| webhook.ssl.key | For inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded private key signed by the CA.
If empty, a new key will be generated.
If provided, it must be valid with the `webhook.ssl.ca`.
If this is set, the cert must also be provided. | "" | +| webhook.ssl.ca.cert | For outbound connections (secure backend, proxy,...)
A PEM-encoded x509 certificate authority. | "" | | webhook.customEntryPoint | Custom entrypoint for the webhook
Remember to provide the webhook valid arguments with `--tls_cert_file` and `--tls_private_key_file`.
default: /bin/webhook --tls_cert_file /cert/tls.crt --tls_private_key_file /cert/tls.key | [] | | webhook.http.port | HTTP serve port where the requests will be served from | 5000 | | scc.create | Enable the creation of Security Context Constraints in Openshift | true | @@ -176,7 +173,7 @@ The following table lists the configurable parameters of the `admission-controll | scanner.priorityClassName | priorityClassName config for the scanner | | | scanner.tolerations | Tolerations for scheduling for the scanner | [] | | scanner.affinity | Configure affinity rules for the scanner | {} | -| scanner.ssl.ca.cert | For outbound connections (secure backend, proxy,...).
A PEM-encoded x509 certificate authority.
If empty, a new CA will be autogenerated. | "" | +| scanner.ssl.ca.cert | For outbound connections (secure backend, proxy,...).
A PEM-encoded x509 certificate authority. | "" | | scanner.customEntryPoint | Custom entrypoint for the scanner.
Remember to provide the scanner valid arguments with `--server_port` and optionally `--auth_secure_token`
default: /inline-scan-service --server_port=8080 | [] | diff --git a/charts/admission-controller/templates/_helpers.tpl b/charts/admission-controller/templates/_helpers.tpl index 633c39b32..775b0dc2f 100644 --- a/charts/admission-controller/templates/_helpers.tpl +++ b/charts/admission-controller/templates/_helpers.tpl @@ -161,15 +161,10 @@ Create the name of the service account to use Generate certificates for aggregated api server */}} -{{- $cert := genCA ( printf "%s.%s.svc" (include "admissionController.webhook.fullname" .) .Release.Namespace ) 3650 -}} - {{- define "admissionController.webhook.gen-certs" -}} {{- $secretName := printf "%s-tls" (include "admissionController.webhook.fullname" .) -}} {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}} {{- $ca := genCA (include "admissionController.webhook.fullname" .) 3650 -}} - {{- if (and .Values.webhook.ssl.ca.cert .Values.webhook.ssl.ca.key) -}} - {{- $ca = buildCustomCert (.Values.webhook.ssl.ca.cert | b64enc) (.Values.webhook.ssl.ca.key | b64enc) -}} - {{- end -}} {{- $cn := printf "%s.%s.svc" (include "admissionController.webhook.fullname" .) .Release.Namespace -}} {{- $san := list $cn -}} 
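Review bot: The `{{/* Generate certificates for aggregated api server */}}` header kept above `admissionController.webhook.gen-certs` is misleading now that the template only ever produces a self-generated CA plus a serving certificate for `<webhook fullname>.<namespace>.svc`; nothing here is an aggregated API server. Since this patch drops the `buildCustomCert` branch, `webhook.ssl.ca.cert` no longer has any effect on the webhook serving certificate or on the CA bundle this helper returns, and that is worth stating where the next maintainer will look. I would replace the header with `{{/* Generate the webhook's TLS material: a fresh CA and a serving cert for <fullname>.<namespace>.svc. webhook.ssl.ca.cert is NOT used here; it only feeds outbound trust. */}}`. The `define` body continues past the end of this hunk.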
@@ -257,20 +252,6 @@ Create the name of the service account to use {{ default (include "admissionController.scanner.fullname" .) .Values.serviceAccounts.scanner.name }} {{- end -}} -{{/* -Generate certificates for aggregated api server -*/}} - -{{- $cert := genCA ( printf "%s.%s.svc" (include "admissionController.scanner.fullname" .) .Release.Namespace ) 3650 -}} - -{{- define "admissionController.scanner.gen-certs" -}} -{{- $ca := genCA (include "admissionController.scanner.fullname" .) 3650 -}} -{{- $cn := printf "%s.%s.svc" (include "admissionController.scanner.fullname" .) .Release.Namespace -}} -{{- $san := list $cn -}} -{{- $cert := genSignedCert $cn nil $san 3650 $ca -}} -{{- printf "%s$%s$%s" ($cert.Cert | b64enc) ($cert.Key | b64enc) ($ca.Cert | b64enc) -}} -{{- end -}} - {{/* Allow overriding registry and repository for air-gapped environments */}} diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml index a8659473d..1149211af 100644 --- a/charts/admission-controller/values.yaml +++ b/charts/admission-controller/values.yaml @@ -220,26 +220,8 @@ webhook: reuseTLSSecret: false ca: # For outbound connections (secure backend, proxy,...) - #
And inbound connections to serve HttpRequests as Kubernetes Webhook. #
A PEM-encoded x509 certificate authority. - #
If empty, a new CA will be autogenerated. cert: "" - # For outbound connections (secure backend, proxy,...) - #
A PEM-encoded private key of the certificate authority to use in the certificate generation. - #
If empty, a new CA will be autogenerated. - key: "" - # For inbound connections to serve HttpRequests as Kubernetes Webhook. - #
A PEM-encoded x509 certificate signed by the CA. - #
If empty, a new cert will be generated. - #
If provided, it must be valid with the `webhook.ssl.ca`. - #
If this is set, the key must also be provided. - cert: "" - # For inbound connections to serve HttpRequests as Kubernetes Webhook. - #
A PEM-encoded private key signed by the CA. - #
If empty, a new key will be generated. - #
If provided, it must be valid with the `webhook.ssl.ca`. - #
If this is set, the cert must also be provided. - key: "" # Custom entrypoint for the webhook #
Remember to provide the webhook valid arguments with `--tls_cert_file` and `--tls_private_key_file`. @@ -348,7 +330,6 @@ scanner: ca: # For outbound connections (secure backend, proxy,...). #
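Review bot: Removing `webhook.ssl.cert`, `webhook.ssl.key` and `webhook.ssl.ca.key` from values.yaml does not stop Helm from accepting them in a user's existing values file unless the chart ships a `values.schema.json` (none is visible in this series), so an operator who upgrades with their old values will have a hand-issued webhook certificate silently replaced by a chart-generated one. The remaining comment on `ca` only says "For outbound connections", which does not tell them that. I would add under `ca:` the comment `# The webhook serving certificate is always generated by the chart (or reused via reuseTLSSecret); webhook.ssl.cert/key and webhook.ssl.ca.key are no longer honoured.` and mention the removal in the chart's upgrade notes.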
A PEM-encoded x509 certificate authority. - #
If empty, a new CA will be autogenerated. cert: "" # Custom entrypoint for the scanner. From 81e43113f79b5bb555ab4b3dd7171fbe245aa467 Mon Sep 17 00:00:00 2001 From: Alvaro Iradier Date: Thu, 20 Jul 2023 11:58:13 +0200 Subject: [PATCH 2/4] Update CI tests --- .../custom-ca-and-certs-values.yaml.template | 102 ------------------ .../ci/custom-ca-values.yaml.template | 28 ----- 2 files changed, 130 deletions(-) delete mode 100644 charts/admission-controller/ci/custom-ca-and-certs-values.yaml.template diff --git a/charts/admission-controller/ci/custom-ca-and-certs-values.yaml.template b/charts/admission-controller/ci/custom-ca-and-certs-values.yaml.template deleted file mode 100644 index 124188850..000000000 --- a/charts/admission-controller/ci/custom-ca-and-certs-values.yaml.template +++ /dev/null 
@@ -1,102 +0,0 @@ -sysdig: - secureAPIToken: ${SECURE_API_TOKEN} -clusterName: CI-Cluster -webhook: - ssl: - ca: - cert: | - -----BEGIN CERTIFICATE----- - MIIC5zCCAc+gAwIBAgIJAPzgoOe8gf7eMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV - BAMTFXN5c2RpZy1leGFtcGxlLWNoYXJ0czAeFw0yMjAxMjEwOTQxMzVaFw0zMjAx - MTkwOTQxMzVaMCAxHjAcBgNVBAMTFXN5c2RpZy1leGFtcGxlLWNoYXJ0czCCASIw - DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhqr9oTv+AD7wP1RoBu3RPdthYK - 4BEizy4+Eh2lSCNnbSWTy172V181I7mEcDvnddTWz895BkVTRrSwyjCh25/pNxJJ - 7mKAT4Xo11X5d8gbKXJoR8kutFVoAsY0bHi5TQ1uCIC6w67GQVsphmaSanfrD06z - dYbyuRmGuHaffECp7RvOrAuaxyG4jOgDRk7e9SV38Rs4knv7cDT9C91kpVlZEEDv - 7wCOgLPEdxddClLB1OCRNQERXaAHfz18yWtUQW5ZWS8PuCTlNhC8g5PghqHDobhf - Fc9zD6BoK+YO8TSVWNOIll+1RlOEBtEsCGHZ3RcvXNDu+wBaYP1MqtG2vFUCAwEA - AaMkMCIwIAYDVR0RBBkwF4IVc3lzZGlnLWV4YW1wbGUtY2hhcnRzMA0GCSqGSIb3 - DQEBBQUAA4IBAQC3DHjxyWKwtqzU2KfJc+wVqsTPdyzc/fQUpvkkD84avNycmiZP - mJALph/IMlZ8leYi+kbH4egMHmRutmpLV2cOjozYKEBeqBhPesKbFSxRHW2iNJSr - l4lFyg1Y8TTMdr9wjxu8TkIzP9p4NQgajPLD8VsxSKSe5azRA5i3oUzk5Edn13Yj - WirNI49DZYXaxrx5xGkKLZ6++IFwQFXOit7yvE1eQQIsZrDAEyU/KXp9kbyxlQwZ - gfE2elzgom9LZuSB33qIPASwtunelTHnKJPadBbYL3V7W33+DtGl2NhK1pGn07w2 - HKqPVSj3/vnCWV/miAs8BgJz+RrphtegNnAd - -----END CERTIFICATE----- - key: | - -----BEGIN RSA PRIVATE KEY----- - MIIEowIBAAKCAQEAyGqv2hO/4APvA/VGgG7dE922FgrgESLPLj4SHaVII2dtJZPL - XvZXXzUjuYRwO+d11NbPz3kGRVNGtLDKMKHbn+k3EknuYoBPhejXVfl3yBspcmhH - yS60VWgCxjRseLlNDW4IgLrDrsZBWymGZpJqd+sPTrN1hvK5GYa4dp98QKntG86s - C5rHIbiM6ANGTt71JXfxGziSe/twNP0L3WSlWVkQQO/vAI6As8R3F10KUsHU4JE1 - ARFdoAd/PXzJa1RBbllZLw+4JOU2ELyDk+CGocOhuF8Vz3MPoGgr5g7xNJVY04iW - X7VGU4QG0SwIYdndFy9c0O77AFpg/Uyq0ba8VQIDAQABAoIBADBEwaWcLBIf4Gjr - odc83DH0q+4TIHQAFjXk7SgGrqEYP8lVFx3/5nsfqUL9CqrizBY+xj4Jv+DidZz/ - FzMvSF3zJThaZfeDP6PYuEQUmSywngLX6rIhdX08V6604YsR1eTuI04drRNi3ErA - bYY2rT3EdyNVRXEC9GGZeMPZFWvdFAoiLYud+hVcBNiBGvgvg1eSleXMlJnG0PN6 - Mw6FYXKRKvaI1yWwY/O2SCBf+/kn60Bd3K4uMNDCALZcx6oMxLPg14jWCMwN8bqE - 
QrG7eu7VE+6ZJr5YtS9PVI3f8YjYPz+ipq6ZXZ/AXKtACjw/DUlM5UOiVUCJMyxq - VJIPAuECgYEA4+gLd+5+6pzqG8Um9Qyk7GIOvaTjDTy3aSrdqygWXkkPEBjOxiQz - yxY3sA7TwSIwO6eVDXGXjMyuhxdJDFrKwvTdJE2wRS281YoObb3OKJBb4kAzij8M - jmPooT1kSHzym+7fKI7Ipwq8NLydOpVa+qEe6FVbabsCzvVzPDKEMfsCgYEA4R8p - MY3vhgzRIYZp0fOOkzkhGaKrP1ZvlG5/zpifoeQAV3wEZHDMNyu4s3ZvIqKOrCll - j45C8nLEQAaVWAHNokaIWQ3JjzeqKicV7o3UZnbe8eIYQVqxLzulfwbLG0Z2nuwo - GAetwQBpa2Ne1inEJaq1Q0xadl2hd/1ADLfKye8CgYBU31dWBHUzPdhZGySU4W6R - sTq4GS2NAm1zNslyMe2SkzaO0g4+78ByAwYeBIeLRwYbUR9K8GB1yMu990f21+Dm - lXW9TUk1mgDWrSEOcT7TEF+HdE09UJmGdWJumYQ9Enru4xgr7HCA9Jh+MzeCV5iX - +WSfNRpj14cGN5YAdveP/QKBgQDYMM2lijIBIOPhdyy+dFBycAWqkb41CDQFboyM - gaOjm8r8ONwa/PwQ64rnxY/6yfOLwAGJeEwweyied/QJ3Ul2Upf0NbpgMEvZSUnV - mxzj/boivkce1BKeUoCfWY3JtsSJ4C6szQr+8v9KItbbgqacqbCDXZruWwKKsYlF - 7WbwvwKBgE+YoUGm6A5bnIZDK6ak/Ln0Md4vHJe5NFqBqJIaOv2tkibTlMPkYr7U - KVl9Td1idmSvscgNJsbKacwQ6VmCj6juaLS+dFjKmJxyr6XleH4Bzy47WgBFLTt/ - hm767Sr8DUbKmVQfDACehweVvqC/wKKVc2Y0FCAvt90IQfMsF5sk - -----END RSA PRIVATE KEY----- - cert: | - -----BEGIN CERTIFICATE----- - MIIDWjCCAkKgAwIBAgIRAP2yMVPZm0hoIbHvPT5R7RAwDQYJKoZIhvcNAQELBQAw - IDEeMBwGA1UEAxMVc3lzZGlnLWV4YW1wbGUtY2hhcnRzMB4XDTIyMDEyMTA5NTAx - MloXDTMyMDExOTA5NTAxMlowNzE1MDMGA1UEAxMsZm9vLWFkbWlzc2lvbi1jb250 - cm9sbGVyLXdlYmhvb2suZGVmYXVsdC5zdmMwggEiMA0GCSqGSIb3DQEBAQUAA4IB - DwAwggEKAoIBAQDabzF6z6K6rxIFp8zp0VzGxzOpKl1b5oXwRP9JE1kh/LHH4bHO - KxJnQBA2PsYXiM2NC7JNI1oMsEEb/wZA2O54V/wNO+M0shIDJ/gwFavIreAfEX2H - SRWO4Eqqhes7XzTbStSzCNp7DU1ganeRx3L3kxDXa5oW5EYW6NtHWBdn6+bUnI5A - zDI4uY+F7Mfw/UiZno5X4BMC6jSMiY64+S2Neal096kzRvKlvZ5L+gn0ILZdjmnM - MCQ4Ek7ZmFbbVSgxnsi1chSuQLTkexBsq8Gin172z+metyxDcB2oD/AOTT+5TnLf - WDC5NXwOt17v3JH0ZL+7HduaTlzRZUhrzSy9AgMBAAGjeDB2MA4GA1UdDwEB/wQE - AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw - ADA3BgNVHREEMDAugixmb28tYWRtaXNzaW9uLWNvbnRyb2xsZXItd2ViaG9vay5k - ZWZhdWx0LnN2YzANBgkqhkiG9w0BAQsFAAOCAQEArTArbCNfcqQ9pXn0sLd84y7b - 
ilw7xklKtgLJXRvB/ZuL/7j2OVBx0qcwBK+EXOBXk8oeExDF8tgJkH9c4zdxXQOM - Vcz2XRdYsvDEel5CIzf35o1Zym1gEHXtyz1cg98bvIQ7uNhbn22gOpcMTqz6nyjp - RrY+Sllb3bu8yN6l4Pu+/vBFhVFCekC5rcljpyQDhPyb9SIlt9AURzBr2XBYk4xW - IRPxAMt8OV1R9Tynjhl0poat0CoWup8KfCMpDMu8K2hZXz4T9bDW9F/EKSqf3crA - /tnNN7uCcmsJETyj0nACklRqIb4LpodKDIlJjctzCGp4AcUFjhmotpQUG/+v+A== - -----END CERTIFICATE----- - key: | - -----BEGIN RSA PRIVATE KEY----- - MIIEowIBAAKCAQEA2m8xes+iuq8SBafM6dFcxsczqSpdW+aF8ET/SRNZIfyxx+Gx - zisSZ0AQNj7GF4jNjQuyTSNaDLBBG/8GQNjueFf8DTvjNLISAyf4MBWryK3gHxF9 - h0kVjuBKqoXrO18020rUswjaew1NYGp3kcdy95MQ12uaFuRGFujbR1gXZ+vm1JyO - QMwyOLmPhezH8P1ImZ6OV+ATAuo0jImOuPktjXmpdPepM0bypb2eS/oJ9CC2XY5p - zDAkOBJO2ZhW21UoMZ7ItXIUrkC05HsQbKvBop9e9s/pnrcsQ3AdqA/wDk0/uU5y - 31gwuTV8Drde79yR9GS/ux3bmk5c0WVIa80svQIDAQABAoIBAQDV9G4xziml1A/C - DF+Rcyn95ma6vy1c9AqjkuG+8T2wJbT5hR9FQzkuezil+YzMxooYKqnGFueAYDAW - PREh+ZpztDLFv7BIEFfGUaMvbjqqQW2y4M3k8ng0T4uzRaNor1O1rLF0gCqItzng - Q8jEuOjqiVnIt7Ph0ky46fLHCgk7Fq28blpvfJ8Mpv7ECF3KdtweQgK2csOiD30n - yaujST/g+Y9jUfXX2ufCUBzbTdWUoMqOFamNe7Vk0u9vvwYnnh/HqJPDeG/U/L0Z - sszk7sujiMWEAYfIXF6HMNpk39ztBGft4sF8/TAcaw9WvioHXzZgQ6QSG/fnrV/a - DMtM6VQ9AoGBAPNagbmTmw9qzu3CqAvlzRLNBg87V1haZSnt5oqSHdrp2YHG6j8O - qLkayJ2t81Y7ar9VXvEzkt/wUruGlMWZcxNJ9Be7XmyI3vG3Wv6W0fdyY6zxSOfI - WMbm9kD0FaAs4fSHVI3GoZmMCro8qgsXoR1sanT8EJvTlH/8HNS/dx7PAoGBAOXJ - K4ZjpkTBwtF6kC8ImwJ/WBlN/K/nRiJjC5E16GUM/XfYu/rDfvbvTpNba5cbIObZ - aeJmhz/mO6wWPUccQmzvtIEIgy/xXEhXSFRzl6CFT5xzl13fTRrCjPlhs2wwCmsH - sWNYR2KvLqiHkhaMH/J5NMhBvdISkG/70v8kS76zAoGANhoHASTpsjHCs2U1Sv/Z - 6bYfBL/imUfvebTkLiZx8LtQmeOJLF+r7wsfUr7bfG5VOxhVtTYMDzE0k3BGHvAQ - f1dPpv8G7QY42nAzEKqjH2oU8tvpo24NHps2YBZjwGp6CY0UpThlsOdLc0ANZc3p - CcuSl1N6tcoCF7oLBtlSOE0CgYAAweD62Gk74MebmSPQg96+61yG+NLUYZbBlkH7 - gIn7i0dqlbRI50wL1E4V/j8kiFpbaGwI6v2XIFMiBhC9o0I0ybV2l2iXR9xeAKuk - W50sUkQo59if3pSKegms6L2GpcHjCGt1QF073gfxVkENAfk4+11JK65MevMu602O - ubfmMQKBgC2hLEXizXZ0TO6F2RgFD0pvSbGnpa+00TflowXKMdPNA4tDIlhTtZ/x - 
NIs1ZDu6T8ZgD/eOFm+/gWrbNK/K6ykLyFrKld8luR9q8I2JMuP+iZRaDUIHyYSm - W/ODsrxtCp/4n2herlzqLYufC4dFnrp5nFM8ekoAru53flNPvsCh - -----END RSA PRIVATE KEY----- diff --git a/charts/admission-controller/ci/custom-ca-values.yaml.template b/charts/admission-controller/ci/custom-ca-values.yaml.template index 564af81b5..0abaa47b0 100644 --- a/charts/admission-controller/ci/custom-ca-values.yaml.template +++ b/charts/admission-controller/ci/custom-ca-values.yaml.template 
@@ -23,31 +23,3 @@ webhook: gfE2elzgom9LZuSB33qIPASwtunelTHnKJPadBbYL3V7W33+DtGl2NhK1pGn07w2 HKqPVSj3/vnCWV/miAs8BgJz+RrphtegNnAd -----END CERTIFICATE----- - key: | - -----BEGIN RSA PRIVATE KEY----- - MIIEowIBAAKCAQEAyGqv2hO/4APvA/VGgG7dE922FgrgESLPLj4SHaVII2dtJZPL - XvZXXzUjuYRwO+d11NbPz3kGRVNGtLDKMKHbn+k3EknuYoBPhejXVfl3yBspcmhH - yS60VWgCxjRseLlNDW4IgLrDrsZBWymGZpJqd+sPTrN1hvK5GYa4dp98QKntG86s - C5rHIbiM6ANGTt71JXfxGziSe/twNP0L3WSlWVkQQO/vAI6As8R3F10KUsHU4JE1 - ARFdoAd/PXzJa1RBbllZLw+4JOU2ELyDk+CGocOhuF8Vz3MPoGgr5g7xNJVY04iW - X7VGU4QG0SwIYdndFy9c0O77AFpg/Uyq0ba8VQIDAQABAoIBADBEwaWcLBIf4Gjr - odc83DH0q+4TIHQAFjXk7SgGrqEYP8lVFx3/5nsfqUL9CqrizBY+xj4Jv+DidZz/ - FzMvSF3zJThaZfeDP6PYuEQUmSywngLX6rIhdX08V6604YsR1eTuI04drRNi3ErA - bYY2rT3EdyNVRXEC9GGZeMPZFWvdFAoiLYud+hVcBNiBGvgvg1eSleXMlJnG0PN6 - Mw6FYXKRKvaI1yWwY/O2SCBf+/kn60Bd3K4uMNDCALZcx6oMxLPg14jWCMwN8bqE - QrG7eu7VE+6ZJr5YtS9PVI3f8YjYPz+ipq6ZXZ/AXKtACjw/DUlM5UOiVUCJMyxq - VJIPAuECgYEA4+gLd+5+6pzqG8Um9Qyk7GIOvaTjDTy3aSrdqygWXkkPEBjOxiQz - yxY3sA7TwSIwO6eVDXGXjMyuhxdJDFrKwvTdJE2wRS281YoObb3OKJBb4kAzij8M - jmPooT1kSHzym+7fKI7Ipwq8NLydOpVa+qEe6FVbabsCzvVzPDKEMfsCgYEA4R8p - MY3vhgzRIYZp0fOOkzkhGaKrP1ZvlG5/zpifoeQAV3wEZHDMNyu4s3ZvIqKOrCll - j45C8nLEQAaVWAHNokaIWQ3JjzeqKicV7o3UZnbe8eIYQVqxLzulfwbLG0Z2nuwo - GAetwQBpa2Ne1inEJaq1Q0xadl2hd/1ADLfKye8CgYBU31dWBHUzPdhZGySU4W6R - sTq4GS2NAm1zNslyMe2SkzaO0g4+78ByAwYeBIeLRwYbUR9K8GB1yMu990f21+Dm - lXW9TUk1mgDWrSEOcT7TEF+HdE09UJmGdWJumYQ9Enru4xgr7HCA9Jh+MzeCV5iX - +WSfNRpj14cGN5YAdveP/QKBgQDYMM2lijIBIOPhdyy+dFBycAWqkb41CDQFboyM - gaOjm8r8ONwa/PwQ64rnxY/6yfOLwAGJeEwweyied/QJ3Ul2Upf0NbpgMEvZSUnV - mxzj/boivkce1BKeUoCfWY3JtsSJ4C6szQr+8v9KItbbgqacqbCDXZruWwKKsYlF - 7WbwvwKBgE+YoUGm6A5bnIZDK6ak/Ln0Md4vHJe5NFqBqJIaOv2tkibTlMPkYr7U - KVl9Td1idmSvscgNJsbKacwQ6VmCj6juaLS+dFjKmJxyr6XleH4Bzy47WgBFLTt/ - hm767Sr8DUbKmVQfDACehweVvqC/wKKVc2Y0FCAvt90IQfMsF5sk - -----END RSA PRIVATE KEY----- From 2937bb05fe08d37abc1286678af876c84caac059 Mon Sep 17 00:00:00 2001 
From: Alvaro Iradier Date: Thu, 20 Jul 2023 12:16:48 +0200 Subject: [PATCH 3/4] Bump chart version --- charts/admission-controller/Chart.yaml | 2 +- charts/admission-controller/README.md | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/admission-controller/Chart.yaml b/charts/admission-controller/Chart.yaml index feafb5cb2..5df3b1e70 100644 --- a/charts/admission-controller/Chart.yaml +++ b/charts/admission-controller/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: admission-controller description: Sysdig Admission Controller using Sysdig Secure inline image scanner type: application -version: 0.11.4 +version: 0.11.5 appVersion: 3.9.24 home: https://sysdiglabs.github.io/admission-controller/ icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4 diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md index fd041895d..67c757ed5 100644 --- a/charts/admission-controller/README.md +++ b/charts/admission-controller/README.md @@ -23,7 +23,7 @@ $ pre-commit run -a $ helm repo add sysdig https://charts.sysdig.com $ helm repo update $ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.11.4 \ + --create-namespace -n sysdig-admission-controller --version=0.11.5 \ --set clusterName=CLUSTER_NAME \ --set sysdig.secureAPIToken=SECURE_API_TOKEN ``` 
@@ -55,7 +55,7 @@ This chart deploys the Sysdig Admission Controller on a [Kubernetes](http://kube To install the chart with the release name `admission-controller`: ```console -$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller -n sysdig-admission-controller --version=0.11.4 +$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller -n sysdig-admission-controller --version=0.11.5 ``` The command deploys the Sysdig Admission Controller on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. @@ -181,7 +181,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to ` ```console $ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.11.4 \ + --create-namespace -n sysdig-admission-controller --version=0.11.5 \ --set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME ``` @@ -190,7 +190,7 @@ installing the chart. For example: ```console $ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \ - --create-namespace -n sysdig-admission-controller --version=0.11.4 \ + --create-namespace -n sysdig-admission-controller --version=0.11.5 \ --values values.yaml ``` From 9533fb3e5a86884b45ec129f5b4c0b28a5b06d11 Mon Sep 17 00:00:00 2001 From: Alvaro Iradier Date: Thu, 20 Jul 2023 12:51:53 +0200 Subject: [PATCH 4/4] Remove usage of TLS cert and key, as it is inconsistent with the provided CA for trust --- charts/admission-controller/templates/_helpers.tpl | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/charts/admission-controller/templates/_helpers.tpl b/charts/admission-controller/templates/_helpers.tpl index 775b0dc2f..7ff74cdf1 100644 --- a/charts/admission-controller/templates/_helpers.tpl 
+++ b/charts/admission-controller/templates/_helpers.tpl @@ -164,17 +164,14 @@ Generate certificates for aggregated api server {{- define "admissionController.webhook.gen-certs" -}} {{- $secretName := printf "%s-tls" (include "admissionController.webhook.fullname" .) -}} {{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}} - {{- $ca := genCA (include "admissionController.webhook.fullname" .) 3650 -}} - {{- $cn := printf "%s.%s.svc" (include "admissionController.webhook.fullname" .) .Release.Namespace -}} - {{- $san := list $cn -}} - {{- $cert := genSignedCert $cn nil $san 3650 $ca -}} - - {{- if (and .Values.webhook.ssl.cert .Values.webhook.ssl.key) -}} - {{- printf "%s$%s$%s" (.Values.webhook.ssl.cert | b64enc) (.Values.webhook.ssl.key | b64enc) ($ca.Cert | b64enc) -}} - {{- else if and .Values.webhook.ssl.reuseTLSSecret $secret -}} + {{- if and .Values.webhook.ssl.reuseTLSSecret $secret -}} {{- printf "%s$%s$%s" (index $secret.data "tls.crt") (index $secret.data "tls.key") (index $secret.data "ca.crt") -}} {{- else -}} + {{- $ca := genCA (include "admissionController.webhook.fullname" .) 3650 -}} + {{- $cn := printf "%s.%s.svc" (include "admissionController.webhook.fullname" .) .Release.Namespace -}} + {{- $san := list $cn -}} + {{- $cert := genSignedCert $cn nil $san 3650 $ca -}} {{- printf "%s$%s$%s" ($cert.Cert | b64enc) ($cert.Key | b64enc) ($ca.Cert | b64enc) -}} {{- end -}} {{- end -}}
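Review bot: The `reuseTLSSecret` branch indexes `tls.crt`, `tls.key` and `ca.crt` from the looked-up secret without checking they exist, so a pre-existing `<fullname>-tls` secret that lacks `ca.crt` (one created by hand or by an older chart layout) makes `index` return nil and `printf` embeds `%!s(<nil>)` into the rendered caBundle instead of failing the upgrade with a clear message. Guarding the condition is a one-line change: `{{- if and .Values.webhook.ssl.reuseTLSSecret $secret (index $secret.data "ca.crt") (index $secret.data "tls.crt") (index $secret.data "tls.key") -}}`, or use `required` on each key so the render fails loudly. Note also that `lookup` returns nothing under `helm template`/`--dry-run`, so the reuse branch presumably never fires there and the else branch regenerates a new CA on every such render; and since the generated CA key is discarded after rendering, a reused secret can never be renewed by the chart, which deserves a comment next to `genCA` so operators know rotation means a full regenerate.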