Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(certmanager): use controller-runtime style controller #10

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(certmanager): use controller-runtime style controller #10

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1f0cf7a
feat(certmanager): use controller-runtime style controller
KhaledEmaraDev Jan 15, 2025
46c93e5
feat(certmanager): add metrics for the reconciler
KhaledEmaraDev Jan 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
229 changes: 105 additions & 124 deletions certmanager/controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,165 +2,146 @@ package certmanager

import (
"context"
"crypto/tls"
"errors"
"fmt"
"time"

"github.com/go-logr/logr"
tlsMgr "github.com/kyverno/pkg/tls"
"github.com/kyverno/pkg/tls"
"github.com/prometheus/client_golang/prometheus"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
corev1informers "k8s.io/client-go/informers/core/v1"
corev1listers "k8s.io/client-go/listers/core/v1"
"k8s.io/client-go/util/workqueue"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/client-go/tools/record"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/controller-runtime/pkg/metrics"
"sigs.k8s.io/controller-runtime/pkg/predicate"
)

const (
// Workers is the number of workers for this controller
Workers = 1
ControllerName = "certmanager-controller"
maxRetries = 10
)

type CertManagerController interface {
// Run starts the controller
Run(context.Context, int)

// GetCertificate can be used to fetch secrets in tls.Config
GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error)
}

type controller struct {
logger logr.Logger

renewer tlsMgr.CertRenewer

// listers
caLister corev1listers.SecretLister
tlsLister corev1listers.SecretLister

// queue
queue workqueue.RateLimitingInterface
caEnqueue EnqueueFunc
tlsEnqueue EnqueueFunc
var (
reconcileCount = prometheus.NewCounter(prometheus.CounterOpts{
Name: "certmanager_controller_reconcile_total",
Help: "Total number of reconciliations.",
})
requeueCount = prometheus.NewCounter(prometheus.CounterOpts{
Name: "certmanager_controller_requeue_total",
Help: "Total number of requeues.",
})
droppedCount = prometheus.NewCounter(prometheus.CounterOpts{
Name: "certmanager_controller_dropped_total",
Help: "Total number of objects dropped from the queue.",
})
)

tlsConfig *tlsMgr.Config
type CertController struct {
client.Client
Scheme *runtime.Scheme
record.EventRecorder
Renewer tls.CertRenewer
caSecretName string
tlsSecretName string
namespace string
}

func NewController(
logger logr.Logger,
caInformer corev1informers.SecretInformer,
tlsInformer corev1informers.SecretInformer,
certRenewer tlsMgr.CertRenewer,
config *tlsMgr.Config,
) CertManagerController {
queue := workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), ControllerName)
c := controller{
logger: logger,
renewer: certRenewer,
caLister: caInformer.Lister(),
tlsLister: tlsInformer.Lister(),
queue: queue,
caEnqueue: AddDefaultEventHandlers(logger, caInformer.Informer(), queue),
tlsEnqueue: AddDefaultEventHandlers(logger, tlsInformer.Informer(), queue),
tlsConfig: config,
client client.Client,
scheme *runtime.Scheme,
recorder record.EventRecorder,
certRenewer tls.CertRenewer,
caSecretName string,
tlsSecretName string,
namespace string,
) *CertController {
return &CertController{
Client: client,
Scheme: scheme,
EventRecorder: recorder,
Renewer: certRenewer,
caSecretName: caSecretName,
tlsSecretName: tlsSecretName,
namespace: namespace,
}
return &c
}

func (c *controller) Run(ctx context.Context, workers int) {
// we need to enqueue our secrets in case they don't exist yet in the cluster
// this way we ensure the reconcile happens (hence renewal/creation)
if err := c.tlsEnqueue(&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: c.tlsConfig.Namespace,
Name: tlsMgr.GenerateTLSPairSecretName(c.tlsConfig),
},
}); err != nil {
c.logger.V(2).Error(err, "failed to enqueue secret", "name", tlsMgr.GenerateTLSPairSecretName(c.tlsConfig))
}
if err := c.caEnqueue(&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: c.tlsConfig.Namespace,
Name: tlsMgr.GenerateRootCASecretName(c.tlsConfig),
},
}); err != nil {
c.logger.V(2).Error(err, "failed to enqueue CA secret", "name", tlsMgr.GenerateRootCASecretName(c.tlsConfig))
func (r *CertController) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
logger := log.FromContext(ctx)
reconcileCount.Inc()

if req.Namespace != r.namespace {
droppedCount.Inc()
return ctrl.Result{}, nil
}
run(ctx, c.logger, ControllerName, time.Second, c.queue, workers, maxRetries, c.reconcile, c.ticker)
}

func (c *controller) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
secret, err := c.tlsLister.Secrets(c.tlsConfig.Namespace).Get(tlsMgr.GenerateTLSPairSecretName(c.tlsConfig))
if err != nil {
return nil, err
} else if secret == nil {
return nil, errors.New("tls secret not found")
} else if secret.Type != corev1.SecretTypeTLS {
return nil, errors.New("secret is not a TLS secret")
if req.Name != r.caSecretName && req.Name != r.tlsSecretName {
droppedCount.Inc()
return ctrl.Result{}, nil
}

cert, err := tls.X509KeyPair(secret.Data[corev1.TLSCertKey], secret.Data[corev1.TLSPrivateKeyKey])
if err != nil {
return nil, err
logger.V(4).Info("reconciling certificate")
if err := r.renewCertificates(ctx); err != nil {
logger.Error(err, "failed to renew certificates")
return ctrl.Result{}, err
}

return &cert, nil
requeueCount.Inc()
return ctrl.Result{
RequeueAfter: tls.CertRenewalInterval,
}, nil
}

func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, namespace, name string) error {
if namespace != c.tlsConfig.Namespace {
return nil
func (r *CertController) renewCertificates(ctx context.Context) error {
logger := log.FromContext(ctx)
if err := RetryFunc(ctx, time.Second, 5*time.Second, logger, "failed to renew CA", r.Renewer.RenewCA)(); err != nil {
return err
}
if name != tlsMgr.GenerateTLSPairSecretName(c.tlsConfig) && name != tlsMgr.GenerateRootCASecretName(c.tlsConfig) {
return nil
if err := RetryFunc(ctx, time.Second, 5*time.Second, logger, "failed to renew TLS", r.Renewer.RenewTLS)(); err != nil {
return err
}
return c.renewCertificates(ctx)
return nil
}

func (c *controller) ticker(ctx context.Context, logger logr.Logger) {
certsRenewalTicker := time.NewTicker(tlsMgr.CertRenewalInterval)
defer certsRenewalTicker.Stop()
for {
select {
case <-certsRenewalTicker.C:
{
list, err := c.caLister.List(labels.Everything())
if err == nil {
for _, secret := range list {
if err := c.caEnqueue(secret); err != nil {
logger.V(2).Error(err, "failed to enqueue secret", "name", secret.Name)
}
}
} else {
logger.V(2).Error(err, "falied to list secrets")
}
}
{
list, err := c.tlsLister.List(labels.Everything())
if err == nil {
for _, secret := range list {
if err := c.tlsEnqueue(secret); err != nil {
logger.V(2).Error(err, "failed to enqueue secret", "name", secret.Name)
}
}
func (r *CertController) SetupWithManager(mgr ctrl.Manager) error {
secretPredicate := predicate.NewPredicateFuncs(func(obj client.Object) bool {
return obj.GetNamespace() == r.namespace && (obj.GetName() == r.caSecretName || obj.GetName() == r.tlsSecretName)
})

if err := ctrl.NewControllerManagedBy(mgr).
For(&corev1.Secret{}).
WithEventFilter(secretPredicate).
Complete(r); err != nil {
return fmt.Errorf("failed to build controller: %w", err)
}

return nil
}

func RetryFunc(ctx context.Context, retryInterval, timeout time.Duration, logger logr.Logger, msg string, run func(context.Context) error) func() error {
return func() error {
ctx, cancel := context.WithTimeout(ctx, timeout)
defer cancel()
registerTicker := time.NewTicker(retryInterval)
defer registerTicker.Stop()
var err error
for {
select {
case <-registerTicker.C:
if err = run(ctx); err != nil {
logger.V(3).Info(msg, "reason", err.Error())
} else {
logger.V(2).Error(err, "falied to list secrets")
return nil
}
case <-ctx.Done():
return fmt.Errorf("retry times out: %w", err)
}
case <-ctx.Done():
return
}
}
}

func (c *controller) renewCertificates(ctx context.Context) error {
if err := retryFunc(ctx, time.Second, 5*time.Second, c.logger, "failed to renew CA", c.renewer.RenewCA)(); err != nil {
return err
}
if err := retryFunc(ctx, time.Second, 5*time.Second, c.logger, "failed to renew TLS", c.renewer.RenewTLS)(); err != nil {
return err
}
return nil
func init() {
metrics.Registry.MustRegister(reconcileCount, requeueCount, droppedCount)
}
65 changes: 42 additions & 23 deletions certmanager/go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,50 +1,69 @@
module github.com/kyverno/pkg/certmanager

go 1.20
go 1.22.0

toolchain go1.23.2

replace github.com/kyverno/pkg/tls => ../tls

require (
github.com/go-logr/logr v1.2.4
github.com/go-logr/logr v1.4.2
github.com/kyverno/pkg/tls v0.0.9
k8s.io/api v0.28.0
k8s.io/apimachinery v0.28.0
k8s.io/client-go v0.28.0
k8s.io/api v0.31.0
k8s.io/apimachinery v0.31.0
k8s.io/client-go v0.31.0
sigs.k8s.io/controller-runtime v0.19.4
)

require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/emicklei/go-restful/v3 v3.10.2 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/evanphx/json-patch/v5 v5.9.0 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect
github.com/go-openapi/jsonreference v0.20.2 // indirect
github.com/go-openapi/swag v0.22.3 // indirect
github.com/go-openapi/swag v0.22.4 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/imdario/mergo v0.3.6 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
golang.org/x/net v0.13.0 // indirect
golang.org/x/oauth2 v0.8.0 // indirect
golang.org/x/sys v0.10.0 // indirect
golang.org/x/term v0.10.0 // indirect
golang.org/x/text v0.11.0 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/prometheus/client_golang v1.19.1 // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.55.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/x448/float16 v0.8.4 // indirect
golang.org/x/exp v0.0.0-20230515195305-f3d0a9c9a5cc // indirect
golang.org/x/net v0.26.0 // indirect
golang.org/x/oauth2 v0.21.0 // indirect
golang.org/x/sys v0.21.0 // indirect
golang.org/x/term v0.21.0 // indirect
golang.org/x/text v0.16.0 // indirect
golang.org/x/time v0.3.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.30.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/protobuf v1.34.2 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
k8s.io/apiextensions-apiserver v0.31.0 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
sigs.k8s.io/yaml v1.3.0 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)
Loading
Loading