From 35d7685c289aa68c62726b78d4cf5ae586e63709 Mon Sep 17 00:00:00 2001
From: Jye Lee
Date: Tue, 19 Jan 2021 14:22:34 -0800
Subject: [PATCH 1/4] wip: run as standalone
---
Dockerfile | 23 ++++++++++
go.sum | 57 ------------------------
main.go | 98 ++++++++++++++++++++++++++++++++++++++++++
pkg/rotator/rotator.go | 2 +-
4 files changed, 122 insertions(+), 58 deletions(-)
create mode 100644 Dockerfile
create mode 100644 main.go
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..8c9cbed
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,23 @@
+FROM golang:1.14-alpine AS builder
+WORKDIR /go/src/github.com/open-policy-agent/cert-controller
+
+RUN apk add git
+
+ENV CGO_ENABLED 0
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY pkg pkg
+COPY main.go ./
+RUN go build -o cert-controller main.go
+
+
+FROM scratch
+WORKDIR /app
+
+COPY --from=builder /go/src/github.com/open-policy-agent/cert-controller/cert-controller .
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+USER 1000:1000
+
+CMD ["/app/cert-controller"]
\ No newline at end of file
diff --git a/go.sum b/go.sum
index f38167a..0681738 100644
--- a/go.sum
+++ b/go.sum
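Review bot: The builder stage pins nothing below a floating tag: `FROM golang:1.14-alpine AS builder` resolves to whatever that tag points at on build day and `RUN apk add git` pulls an unpinned package, so two builds of the same commit can differ and a registry-side change is absorbed without anyone noticing. For a reproducible, auditable image pin the base by digest, e.g. `FROM golang:1.14-alpine@sha256:<digest-placeholder> AS builder`, and use `RUN apk add --no-cache git` so the package index is not baked into the layer. The runtime stage is in good shape: `FROM scratch`, only the binary and the CA bundle copied in, and `USER 1000:1000` so the process does not run as root.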
@@ -289,39 +289,30 @@ github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1Cpa github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.10.2 h1:aY/nuoWlKJud2J6U0E3NWsjlg+0GtwXxgEqthRdzlcs= github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= -github.com/prometheus/client_golang v1.0.0 h1:vrDKnkGzuGvhNAL56c7DBz29ZL+KxnoR0x7enabFceM= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= -github.com/prometheus/client_golang v1.7.1 h1:NTGy1Ja9pByO+xAeH/qiWnLrKtr3hJPNjaVUwnjpdpA= github.com/prometheus/client_golang v1.7.1/go.mod 
h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/common v0.4.1 h1:K0MGApIoQvMw27RTdJkPbr3JZ7DNbtxQNyi5STVM6Kw= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/common v0.10.0 h1:RyRA7RzGXQZiW+tGMr7sxa85G1z0yOpM1qq5c8lNawc= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/procfs v0.1.3 h1:F0+tqvhOksq22sc6iCHF5WGlWjdwj92p0udFh1VFBS8= github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= 
@@ -343,7 +334,6 @@ github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb6 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= @@ -352,9 +342,7 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= 
@@ -376,22 +364,14 @@ go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/atomic v1.4.0 h1:cxzIVoETapQEqDhQu3QfnvXAV4AlzcvUCxkVUFw3+EU= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/atomic v1.6.0 h1:Ezj3JGmsOnG1MoRWQkPBsKLe9DwWD9QeXzTRzzldNVk= go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= -go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= -go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= -go.uber.org/multierr v1.5.0 h1:KCa4XfM8CWFCpxXRGok+Q0SS/0XBhMDbHHGABQLvD2A= go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= -go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= go.uber.org/zap v1.8.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -go.uber.org/zap v1.10.0 h1:ORx85nbTijNz8ljznvCMR1ZBIPKFn3jQrag10X2AsuM= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -go.uber.org/zap v1.15.0 h1:ZZCA22JRF2gQE5FoNmhmrf7jeJJ2uhqDUNRYKm8dvmM= go.uber.org/zap v1.15.0/go.mod h1:Mb2vm2krFEG5DV0W9qcHBYFtp/Wku1cvYaqPsS/WYfc= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 
@@ -402,7 +382,6 @@ golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -418,7 +397,6 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f h1:J5lckAjkw6qYlOZNj90mLYNTEKDvWeuc1yieZ8qUzUE= golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= 
@@ -426,7 +404,6 @@ golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKG golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -450,15 +427,11 @@ golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7 h1:AeiKBIuRw3UomYXSbLy0Mc2dDLfdtbT/IVn4keq83P0= golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200707034311-ab3426394381 h1:VXak5I6aEWmAXeQjA+QSZzlgNrpq9mjcfDemuexIKsU= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6 h1:pE8b58s1HRDMi8RDc79m0HISf9D4TzseP40cEA6IGfs= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -490,23 +463,18 @@ golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4 h1:5/PjkGUjvEU5Gl6BxmvKRPpqo2uNMv4rcHBMwzk/st8= golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod 
h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e h1:EHBhcS0mlXEAVwNyO2dLfjToGsyY4j24pTs2ScHnX7s= golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -536,13 +504,10 @@ golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtn golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200616133436-c1934b75d054 h1:HHeAlu5H9b71C+Fx0K+1dGgVFN1DM1/wz4aoGOA5qS8= golang.org/x/tools v0.0.0-20200616133436-c1934b75d054/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gomodules.xyz/jsonpatch/v2 v2.1.0 h1:Phva6wqu+xR//Njw6iorylFFgn/z547tw5Ne3HZPQ+k= gomodules.xyz/jsonpatch/v2 v2.1.0/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= 
@@ -551,11 +516,9 @@ google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEn google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= 
@@ -580,25 +543,20 @@ google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQ google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.24.0 h1:UhZDfRO8JRQru4/+LlLE0BRKGF8L+PICnvYZmx/fEGA= google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 
v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= @@ -606,9 +564,7 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= 
@@ -616,37 +572,24 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -k8s.io/api v0.19.2 h1:q+/krnHWKsL7OBZg/rxnycsl9569Pud76UJ77MvKXms= k8s.io/api v0.19.2/go.mod h1:IQpK0zFQ1xc5iNIQPqzgoOwuFugaYHK4iCknlAQP9nI= -k8s.io/apiextensions-apiserver v0.19.2 h1:oG84UwiDsVDu7dlsGQs5GySmQHCzMhknfhFExJMz9tA= k8s.io/apiextensions-apiserver v0.19.2/go.mod h1:EYNjpqIAvNZe+svXVx9j4uBaVhTB4C94HkY3w058qcg= -k8s.io/apimachinery v0.19.2 h1:5Gy9vQpAGTKHPVOh5c4plE274X8D/6cuEiTO2zve7tc= k8s.io/apimachinery v0.19.2/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= k8s.io/apiserver v0.19.2/go.mod h1:FreAq0bJ2vtZFj9Ago/X0oNGC51GfubKK/ViOKfVAOA= -k8s.io/client-go v0.19.2 h1:gMJuU3xJZs86L1oQ99R4EViAADUPMHHtS9jFshasHSc= k8s.io/client-go v0.19.2/go.mod h1:S5wPhCqyDNAlzM9CnEdgTGV4OqhsW3jGO1UM1epwfJA= k8s.io/code-generator v0.19.2/go.mod h1:moqLn7w0t9cMs4+5CQyxnfA/HV8MF6aAVENF+WZZhgk= -k8s.io/component-base v0.19.2 h1:jW5Y9RcZTb79liEhW3XDVTW7MuvEGP0tQZnfSX6/+gs= k8s.io/component-base v0.19.2/go.mod h1:g5LrsiTiabMLZ40AR6Hl45f088DevyGY+cCE2agEIVo= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/klog/v2 v2.0.0 h1:Foj74zO6RbjjP4hBEKjnYtjjAhGg4jNynUdYF6fJrok= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= -k8s.io/klog/v2 v2.2.0 h1:XRvcwJozkgZ1UQJmfMGpvRthQHOvihEhYtDfAaxMz/A= 
k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6 h1:+WnxoVtG8TMiudHBSEtrVL1egv36TkkJm+bA8AxicmQ= k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20200912215256-4140de9c8800 h1:9ZNvfPvVIEsp/T1ez4GQuzCcCTEQWhovSofhqR73A6g= k8s.io/utils v0.0.0-20200912215256-4140de9c8800/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.9/go.mod h1:dzAXnQbTRyDlZPJX2SUPEqvnB+j7AJjtlox7PEwigU0= -sigs.k8s.io/controller-runtime v0.7.0 h1:bU20IBBEPccWz5+zXpLnpVsgBYxqclaHu1pVDl/gEt8= sigs.k8s.io/controller-runtime v0.7.0/go.mod h1:pJ3YBrJiAqMAZKi6UVGuE98ZrroV1p+pIhoHsMm9wdU= -sigs.k8s.io/structured-merge-diff/v4 v4.0.1 h1:YXTMot5Qz/X1iBRJhAt+vI+HVttY0WkSqqhKxQ0xVbA= sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= -sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/main.go b/main.go new file mode 100644 index 0000000..a6d5fd8 --- /dev/null +++ b/main.go 
@@ -0,0 +1,98 @@
+package main
+
+import (
+ "flag"
+ "fmt"
+ "k8s.io/apimachinery/pkg/api/meta"
+ "k8s.io/client-go/rest"
+ "k8s.io/client-go/tools/clientcmd/api"
+ "os"
+ "github.com/open-policy-agent/cert-controller/pkg/rotator"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/apimachinery/pkg/runtime"
+ "sigs.k8s.io/controller-runtime/pkg/client/apiutil"
+ ctrl "sigs.k8s.io/controller-runtime"
+ clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+)
+
+var (
+ certDir = flag.String("cert-dir", "/etc/tls-certs", "The directory where certs are stored, defaults to /certs")
+ caName = flag.String("ca-name", "ca-name", "The name of the ca cert, defaults to ca-name")
+ secretName = flag.String("secret-name", "secret-name", "The name of the secret, defaults to secret-name")
+ serviceName = flag.String("service-name", "webhook-service-name", "The name of the service, defaults to webhook-service-name")
+ caOrganization = flag.String("caOrganization", "organization", "The name of the CA organization, defaults to organization")
+ nameSpace = flag.String("namespace", "kube-system", "The namespace of your service, defaults to kube-system")
+ dnsName = flag.String("dns-name", *serviceName + "." + *nameSpace + ".svc", "The dns name of your service ..svc")
+ webhookName = flag.String("webhook-name", "webhook-name", "Your webhook name, defaults to webhook-name")
+)
+
+var webhooks = []rotator.WebhookInfo{
+ {
+ Name: *webhookName,
+ Type: rotator.Mutating, // Todo: allow selecting types
+ },
+}
+
+// TODO: print when it updates the secrets
+// TODO: add a nice logger
+// TODO: remove all the default values, PR to cert-controller say this is a POC to run as a standalone
+// TODO: put all the vpa values in there
+func main() {
+ fmt.Println("starting")
+ config := ctrl.GetConfigOrDie()
+ scheme := runtime.NewScheme()
+
+ _ = clientgoscheme.AddToScheme(scheme)
+ _ = api.AddToScheme(scheme)
+
+ mgr, err := ctrl.NewManager(config, ctrl.Options{
+ Scheme: scheme, //TODO: try to remove
+ MetricsBindAddress: "0", //TODO: try to remove
+ LeaderElection: false,
+ Port: 443, //TODO: try to remove
+ CertDir: *certDir,
+ HealthProbeBindAddress: ":9090", //TODO: try to remove
+ MapperProvider: func(c *rest.Config) (meta.RESTMapper, error) {
+ return apiutil.NewDynamicRESTMapper(c)
+ },
+ })
+ if err != nil {
+ fmt.Println("unable to start manager:", err)
+ os.Exit(1)
+ }
+
+ // Make sure certs are generated and valid if cert rotation is enabled.
+ fmt.Println("setting up cert rotation")
+ if err := rotator.AddRotator(mgr, &rotator.CertRotator{
+ SecretKey: types.NamespacedName{
+ Namespace: *nameSpace,
+ Name: *secretName,
+ },
+ CertDir: *certDir,
+ CAName: *caName,
+ CAOrganization: *caOrganization,
+ DNSName: *dnsName,
+ Webhooks: webhooks,
+ }); err != nil {
+ fmt.Println("unable to set up cert rotation:", err)
+ os.Exit(1)
+ }
+
+ fmt.Println("starting manager")
+ hadError := false
+ if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+ fmt.Println("problem running manager:", err)
+ hadError = true
+ }
+
+ // Manager stops controllers asynchronously.
+ // Instead, we use ControllerSwitch to synchronously prevent them from doing more work.
+ // This can be removed when finalizer and status teardown is removed.
+ fmt.Println("disabling controllers...")
+ // sw.Stop() TODO: see if this is safely deleted
+
+ if hadError {
+ fmt.Println("had error:", err)
+ os.Exit(1)
+ }
+}
\ No newline at end of file
diff --git a/pkg/rotator/rotator.go b/pkg/rotator/rotator.go
index 59e261d..c402ada 100644
--- a/pkg/rotator/rotator.go
+++ b/pkg/rotator/rotator.go
@@ -41,7 +41,7 @@ const (
 caCertName = "ca.crt"
 caKeyName = "ca.key"
 rotationCheckFrequency = 12 * time.Hour
- certValidityDuration = 10 * 365 * 24 * time.Hour
+ certValidityDuration = 10 * time.Minute
 lookaheadInterval = 90 * 24 * time.Hour
 )
 
From 460fff6dab345aa25f6b8eaae309dc664e372b2b Mon Sep 17 00:00:00 2001
From: Jye Lee
Date: Wed, 20 Jan 2021 11:56:52 -0800
Subject: [PATCH 2/4] set up logging and make certvalidity configurable
---
.gitignore | 3 ++
Dockerfile | 3 +-
go.mod | 1 +
main.go | 58 ++++++++++++++--------------
pkg/rotator/rotator.go | 8 ++--
test.yaml | 85 ++++++++++++++++++++++++++++++++++++++++++
6 files changed, 123 insertions(+), 35 deletions(-)
create mode 100644 test.yaml
diff --git a/.gitignore b/.gitignore
index 6952535..9783297 100644
--- a/.gitignore
+++ b/.gitignore
@@ -347,3 +347,6 @@ __pycache__/ # always include vendor directory !/vendor/**
+
+# ignore example cert-controller binary
+cert-controller
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 8c9cbed..ae12993 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,7 +11,6 @@ COPY pkg pkg
 COPY main.go ./
 RUN go build -o cert-controller main.go
-
 
 FROM scratch
 WORKDIR /app
 
@@ -20,4 +19,4 @@ COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
 USER 1000:1000
 
-CMD ["/app/cert-controller"]
\ No newline at end of file
+ENTRYPOINT ["/app/cert-controller", "-cert-restart-on-secret-refresh"]
\ No newline at end of file
diff --git a/go.mod b/go.mod
index 273a7e4..f6f3f55 100644
--- a/go.mod
+++ b/go.mod
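Review bot: `flag.Parse()` is never called, so every `*certDir`, `*secretName` and so on read inside `main` is the compiled-in default and the flags this file defines have no effect. Two values are fixed before `main` even runs: the `dns-name` default is built from `*serviceName` and `*nameSpace` inside the package-level `var` block, and `webhooks` dereferences `*webhookName` in its initializer, so even with `flag.Parse()` added `-service-name`, `-namespace` and `-webhook-name` could never reach the rotator. The exit path has a third problem: the `mgr.Start` error is scoped to its `if`, so `fmt.Println("had error:", err)` prints the outer `err` from `ctrl.NewManager`, which is nil by then. Parse first, derive the dependent values inside `main` (give `dns-name` an empty default and drop the package-level `webhooks`), and exit inside the `if` that sees the real error, as sketched below.
```go
func main() {
	flag.Parse() // must precede every *flag read below

	// Derive flag-dependent values here: package-level initializers run
	// before flag parsing and only ever see the compiled-in defaults.
	if *dnsName == "" {
		*dnsName = *serviceName + "." + *nameSpace + ".svc"
	}
	webhooks := []rotator.WebhookInfo{{Name: *webhookName, Type: rotator.Mutating}}

	// … unchanged: manager construction and rotator.AddRotator …

	fmt.Println("starting manager")
	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
		fmt.Println("problem running manager:", err) // this err is the one that matters
		os.Exit(1)
	}
}
```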
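Review bot: `certValidityDuration = 10 * time.Minute` cannot coexist with the two neighbours that stay in this `const` block: `rotationCheckFrequency` is 12 hours, so a ten-minute certificate is expired for most of the interval between checks, and `lookaheadInterval` is 90 days, so every certificate is inside the renewal window the moment it is issued. This reads as a local value used to exercise rotation and should not land, even in a wip commit; keep `certValidityDuration = 10 * 365 * 24 * time.Hour` here and drive short lifetimes from a test or a flag instead. The rest of the `const` block is outside the hunk.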
@@ -6,6 +6,7 @@ require (
 github.com/onsi/gomega v1.10.2
 github.com/pkg/errors v0.9.1
 go.uber.org/atomic v1.6.0
+ go.uber.org/zap v1.10.0
 k8s.io/api v0.19.2
 k8s.io/apimachinery v0.19.2
 k8s.io/client-go v0.19.2
diff --git a/main.go b/main.go
index a6d5fd8..fdbd1f9 100644
--- a/main.go
+++ b/main.go
@@ -1,8 +1,8 @@
 package main
 
 import (
+ "go.uber.org/zap"
 "flag"
- "fmt"
 "k8s.io/apimachinery/pkg/api/meta"
 "k8s.io/client-go/rest"
 "k8s.io/client-go/tools/clientcmd/api"
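Review bot: The new `"go.uber.org/zap"` import is placed above `"flag"` at the head of the block, and `"time"` (added in the next hunk) lands after the third-party `clientgoscheme` alias, so `goimports` will reshuffle the whole block on the next save and produce a diff unrelated to any real change. Group the standard library first (`flag`, `os`, `time`) and the third-party modules second, with `zap` next to the other non-stdlib imports, and let the tool keep it that way. The `import (` block continues past the end of this hunk.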
@@ -13,19 +13,23 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 ctrl "sigs.k8s.io/controller-runtime"
 clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+ "time"
 )
 
+
+// TODO: make all defaults "" and map loop to blow up when value is ""
+// TODO: call flag parse to maybe fix arguments
 var (
- certDir = flag.String("cert-dir", "/etc/tls-certs", "The directory where certs are stored, defaults to /certs")
- caName = flag.String("ca-name", "ca-name", "The name of the ca cert, defaults to ca-name")
- secretName = flag.String("secret-name", "secret-name", "The name of the secret, defaults to secret-name")
- serviceName = flag.String("service-name", "webhook-service-name", "The name of the service, defaults to webhook-service-name")
- caOrganization = flag.String("caOrganization", "organization", "The name of the CA organization, defaults to organization")
- nameSpace = flag.String("namespace", "kube-system", "The namespace of your service, defaults to kube-system")
- dnsName = flag.String("dns-name", *serviceName + "." + *nameSpace + ".svc", "The dns name of your service ..svc")
- webhookName = flag.String("webhook-name", "webhook-name", "Your webhook name, defaults to webhook-name")
+ certDir = flag.String("cert-dir", "", "The directory where certs are stored")
+ caName = flag.String("ca-name", "", "The name of the ca cert")
+ secretName = flag.String("secret-name", "", "The name of the secret")
+ serviceName = flag.String("service-name", "", "The name of the service")
+ caOrganization = flag.String("ca-organization", "", "The name of the CA organization")
+ nameSpace = flag.String("namespace", "", "The namespace of your service")
+ dnsName = flag.String("dns-name", "", "The dns name of your service ..svc")
+ webhookName = flag.String("webhook-name", "", "Your webhook name")
 )
 
+
 var webhooks = []rotator.WebhookInfo{
 {
 Name: *webhookName,
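Review bot: Changing the defaults to `""` does not fix the package-level `webhooks` initializer that is still context at the bottom of this hunk: `Name: *webhookName` is evaluated when the package initializes, before `main` calls `flag.Parse()`, so the webhook name handed to the rotator is now always the empty string no matter what `-webhook-name` says. Build the slice in `main` after parsing instead, `webhooks := []rotator.WebhookInfo{{Name: *webhookName, Type: rotator.Mutating}}`, and drop the package-level `var webhooks`. The TODO about failing on empty values belongs at that same spot: with every default now `""`, an omitted `-secret-name` or `-namespace` yields an empty `types.NamespacedName` and the failure only surfaces later inside the rotator, so check the required flags right after `flag.Parse()` and exit with a clear message. The `webhooks` literal continues past the end of this hunk.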
@@ -33,12 +37,16 @@ var webhooks = []rotator.WebhookInfo{ }, } -// TODO: print when it updates the secrets -// TODO: add a nice logger -// TODO: remove all the default values, PR to cert-controller say this is a POC to run as a standalone -// TODO: put all the vpa values in there func main() { - fmt.Println("starting") + flag.Parse() + + // configure logging. + logger, _ := zap.NewDevelopment() + + logger.Info("sleeping to demonstrate restart behavior") + time.Sleep(5 * time.Second) + + logger.Info("starting cert-controller") config := ctrl.GetConfigOrDie() scheme := runtime.NewScheme() @@ -46,23 +54,18 @@ func main() { _ = api.AddToScheme(scheme) mgr, err := ctrl.NewManager(config, ctrl.Options{ - Scheme: scheme, //TODO: try to remove - MetricsBindAddress: "0", //TODO: try to remove LeaderElection: false, - Port: 443, //TODO: try to remove CertDir: *certDir, - HealthProbeBindAddress: ":9090", //TODO: try to remove MapperProvider: func(c *rest.Config) (meta.RESTMapper, error) { return apiutil.NewDynamicRESTMapper(c) }, }) if err != nil { - fmt.Println("unable to start manager:", err) + logger.Error("unable to start manager", zap.Error(err)) os.Exit(1) } // Make sure certs are generated and valid if cert rotation is enabled. - fmt.Println("setting up cert rotation") if err := rotator.AddRotator(mgr, &rotator.CertRotator{ SecretKey: types.NamespacedName{ Namespace: *nameSpace, 
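Review bot: `logger, _ := zap.NewDevelopment()` discards the constructor error, and on failure the nil logger panics at the first `logger.Info` below instead of reporting why; handle it, e.g. `logger, err := zap.NewDevelopment()` / `if err != nil { panic(err) }`. The unconditional `time.Sleep(5 * time.Second)` labelled "to demonstrate restart behavior" adds five seconds of startup latency to every run; if it is needed for the demo, gate it behind a flag or remove it before merge. `main` continues outside this hunk.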
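Review bot: Dropping `Scheme: scheme,` from `ctrl.Options` leaves the `scheme` built just above (`runtime.NewScheme()` plus the `AddToScheme` calls) unused by the manager, which falls back to its default scheme; either restore `Scheme: scheme,` or delete the scheme setup so the code does not suggest a registration that never happens. Removing `MetricsBindAddress: "0"` also re-enables controller-runtime's default metrics listener, which for a standalone pod means an additional unauthenticated HTTP endpoint unless something else restricts it; worth confirming that is intended rather than a leftover of the "try to remove" TODO. `main` starts outside this hunk.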
@@ -74,25 +77,20 @@ func main() { DNSName: *dnsName, Webhooks: webhooks, }); err != nil { - fmt.Println("unable to set up cert rotation:", err) + logger.Error("unable to set up cert rotation", zap.Error(err)) + os.Exit(1) } - fmt.Println("starting manager") + logger.Info("starting manager") hadError := false if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { - fmt.Println("problem running manager:", err) + logger.Error("problem running manager", zap.Error(err)) hadError = true } - // Manager stops controllers asynchronously. - // Instead, we use ControllerSwitch to synchronously prevent them from doing more work. - // This can be removed when finalizer and status teardown is removed. - fmt.Println("disabling controllers...") - // sw.Stop() TODO: see if this is safely deleted - if hadError { - fmt.Println("had error:", err) + logger.Error("Error running manager", zap.Error(err)) os.Exit(1) } } \ No newline at end of file diff --git a/pkg/rotator/rotator.go b/pkg/rotator/rotator.go index c402ada..b1f9969 100644 --- a/pkg/rotator/rotator.go +++ b/pkg/rotator/rotator.go @@ -41,7 +41,6 @@ const ( caCertName = "ca.crt" caKeyName = "ca.key" rotationCheckFrequency = 12 * time.Hour - certValidityDuration = 10 * time.Minute lookaheadInterval = 90 * 24 * time.Hour ) @@ -63,6 +62,9 @@ var _ manager.Runnable = &CertRotator{} var restartOnSecretRefresh = false +var certValidityDuration = flag.Duration("cert-validity-duration", 10 * 365 * 24 * time.Hour, "Sets how long the cert is valid for, defaults to 10 years") + + //WebhookInfo is used by the rotator to receive info about resources to be updated with certificates type WebhookInfo struct { //Name is the name of the webhook for a validating or mutating webhook, or the CRD name in case of a CRD conversion webhook 
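Review bot: In the `if hadError` block the `err` passed to `zap.Error(err)` is the outer variable from `ctrl.NewManager`, which is nil by then, because `mgr.Start`'s error is scoped to its own `if`; the log line will always carry a nil error. The simplest fix drops `hadError` and exits inside the `Start` check: `if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { logger.Error("problem running manager", zap.Error(err)); os.Exit(1) }`. The added `os.Exit(1)` after the `AddRotator` failure is the right call, since the manager would otherwise start without rotation. `main` starts outside this hunk.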
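Review bot: `certValidityDuration` is now registered as a `-cert-validity-duration` flag on the global `flag.CommandLine` from a package-level `var` in the `rotator` library package, so every importer of `pkg/rotator` gets this flag (and a name clash if it defines its own), and the default jumps from the 10 minutes removed in the previous hunk to 10 years. A serving certificate valid for a decade, with `lookaheadInterval` at 90 days in the const block above, means the key written to the Secret is practically never rotated; if a long validity is wanted it belongs in an explicit `CertRotator` field set by the caller, not a global flag. If the flag stays, the help text should not repeat the default, which `flag` prints itself: `"Sets how long the cert is valid for"` is enough.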
@@ -71,7 +73,7 @@ type WebhookInfo struct { } func init() { - flag.BoolVar(&restartOnSecretRefresh, "cert-restart-on-secret-refresh", false, "Kills the process when secrets are refreshed so that the pod can be restarted (secrets take up to 60s to be updated by running pods)") + flag.BoolVar(&restartOnSecretRefresh, "cert-restart-on-secret-refresh", true, "Kills the process when secrets are refreshed so that the pod can be restarted (secrets take up to 60s to be updated by running pods)") } func (w WebhookInfo) gvk() schema.GroupVersionKind { @@ -262,7 +264,7 @@ func (cr *CertRotator) refreshCerts(refreshCA bool, secret *corev1.Secret) error var caArtifacts *KeyPairArtifacts now := time.Now() begin := now.Add(-1 * time.Hour) - end := now.Add(certValidityDuration) + end := now.Add(*certValidityDuration) if refreshCA { var err error caArtifacts, err = cr.CreateCACert(begin, end) diff --git a/test.yaml b/test.yaml new file mode 100644 index 0000000..570e9c5 --- /dev/null +++ b/test.yaml 
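Review bot: Flipping the `cert-restart-on-secret-refresh` default to `true` inside the `rotator` package's `init()` changes behaviour for every program that imports this library, not just the standalone binary: any importer that does not pass the flag now has its process killed whenever the secret is refreshed. Keep the library default at `false` and pass `-cert-restart-on-secret-refresh=true` from the standalone deployment's args instead (patch 4/4 on this page does revert the default).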
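Review bot: `end := now.Add(*certValidityDuration)` takes the flag value without checking it; a zero or negative duration yields an `end` before `begin` and `CreateCACert` is called with an invalid window. A guard such as `if *certValidityDuration <= 0 { return fmt.Errorf("cert validity duration must be positive") }` before computing `end`, or validation of the flag at parse time in the caller, would catch it early. `refreshCerts` continues outside this hunk.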
@@ -0,0 +1,85 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vpa-admission-controller + namespace: default + labels: + app: busybox +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + foo: bar4 + spec: + containers: + - name: busybox + image: busybox + command: ["sh", "-c", "watch ls /certs"] + volumeMounts: + - name: certs + mountPath: "/certs" + readOnly: true + - name: cert-controller + args: + - cert-dir=/certs + - ca-name=foocaname + - secret-name=vpa-admission-controller-secret + - service-name=fooservice + - ca-organization=fooorg + - namespace=default + - dns-name=foo.bar.svc + - webhook-name=vpa-webhook-config + imagePullPolicy: Never + image: cert-controller + volumes: + - name: certs + secret: + secretName: vpa-admission-controller-secret +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: vpa-webhook-config + labels: + product: foundation + team: compute + project: vertical-pod-autoscaler + role: admission-controller + annotations: + samson/server_side_apply: 'true' +webhooks: +- name: vpa.k8s.io + failurePolicy: Ignore + admissionReviewVersions: ["v1beta1"] + rules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE"] + resources: ["pods"] + clientConfig: + service: + namespace: default + name: vpa-webhook + sideEffects: None + timeoutSeconds: 30 + +# We need to create a bogus secret for the updater to fill +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + project: foo + team: compute + role: bar + product: foundation + name: vpa-admission-controller-secret + namespace: default + annotations: + samson/server_side_apply: 'true' From a504b664641c86a7cd76316a144159cbd31bf637 Mon Sep 17 00:00:00 2001 
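Review bot: The `cert-controller` container's args (`- cert-dir=/certs`, `- ca-name=foocaname`, …) have no leading dash, so Go's `flag` package treats them as positional arguments and every flag keeps its `""` default; they need to be `-cert-dir=/certs` and so on (patch 3/4 on this page makes that change). That container also has no `volumeMounts`, so `/certs` is not backed by the `certs` Secret volume that only the busybox sidecar mounts. The Deployment sets no `serviceAccountName`, so the controller runs under the namespace's `default` ServiceAccount; it will need a dedicated account whose rights are scoped to `vpa-admission-controller-secret` and the `vpa-webhook-config` MutatingWebhookConfiguration.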
From: Jye Lee Date: Thu, 21 Jan 2021 12:45:24 -0800 Subject: [PATCH 3/4] use println for debugging because the logs arent printing --- main.go | 29 +++++++++++++---------------- pkg/rotator/rotator.go | 9 +++++++++ test.yaml | 19 +++++++++++-------- 3 files changed, 33 insertions(+), 24 deletions(-) diff --git a/main.go b/main.go index fdbd1f9..810dc6e 100644 --- a/main.go +++ b/main.go @@ -1,23 +1,21 @@ package main import ( - "go.uber.org/zap" "flag" + "github.com/open-policy-agent/cert-controller/pkg/rotator" + "go.uber.org/zap" "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/types" + clientgoscheme "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/rest" "k8s.io/client-go/tools/clientcmd/api" "os" - "github.com/open-policy-agent/cert-controller/pkg/rotator" - "k8s.io/apimachinery/pkg/types" - "k8s.io/apimachinery/pkg/runtime" - "sigs.k8s.io/controller-runtime/pkg/client/apiutil" ctrl "sigs.k8s.io/controller-runtime" - clientgoscheme "k8s.io/client-go/kubernetes/scheme" + "sigs.k8s.io/controller-runtime/pkg/client/apiutil" "time" ) -// TODO: make all defaults "" and map loop to blow up when value is "" -// TODO: call flag parse to maybe fix arguments var ( certDir = flag.String("cert-dir", "", "The directory where certs are stored") caName = flag.String("ca-name", "", "The name of the ca cert") @@ -29,17 +27,16 @@ var ( webhookName = flag.String("webhook-name", "", "Your webhook name") ) - -var webhooks = []rotator.WebhookInfo{ - { - Name: *webhookName, - Type: rotator.Mutating, // Todo: allow selecting types - }, -} - func main() { flag.Parse() + var webhooks = []rotator.WebhookInfo{ + { + Name: *webhookName, + Type: rotator.Mutating, // Todo: allow selecting types + }, + } + // configure logging. logger, _ := zap.NewDevelopment() diff --git a/pkg/rotator/rotator.go b/pkg/rotator/rotator.go index b1f9969..211c97f 100644 --- a/pkg/rotator/rotator.go +++ b/pkg/rotator/rotator.go 
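Review bot: Moving `webhooks` into `main()` after `flag.Parse()` fixes the empty-name problem, but inside a function the idiomatic form is `webhooks := []rotator.WebhookInfo{...}` rather than `var webhooks = ...`. Nothing still checks that `*webhookName` (or the other required flags) is non-empty, so a misconfigured deployment proceeds with a `WebhookInfo` whose `Name` is `""`; a check of the required flag values right after `flag.Parse()` that reports the missing flag and exits would fail fast. `main` continues outside this hunk.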
@@ -627,9 +627,11 @@ func (r *ReconcileWH) Reconcile(ctx context.Context, request reconcile.Request) } // Ensure certs on webhooks + fmt.Println("Starting cert injection") if err := r.ensureCerts(artifacts.CertPEM); err != nil { return reconcile.Result{}, err } + fmt.Println("Finished cert injection") // Set CAInjected if the reconciler has not exited early. r.wasCAInjected.Store(true) @@ -658,25 +660,32 @@ func (r *ReconcileWH) ensureCerts(certPem []byte) error { updatedResource.SetGroupVersionKind(gvk) if err := r.cache.Get(r.ctx, types.NamespacedName{Name: webhook.Name}, updatedResource); err != nil { if k8sErrors.IsNotFound(err) { + fmt.Println("Webhook not found. Unable to update certificate.", err) log.Error(err, "Webhook not found. Unable to update certificate.") continue } anyError = err log.Error(err, "Error getting webhook for certificate update.") + fmt.Println("Error getting webhook for certificate update.", err) + continue } if !updatedResource.GetDeletionTimestamp().IsZero() { + fmt.Println("Webhook is being deleted. Unable to update certificate") log.Info("Webhook is being deleted. Unable to update certificate") continue } log.Info("Ensuring CA cert", "name", webhook.Name, "gvk", gvk) if err := injectCert(updatedResource, certPem, webhook.Type); err != nil { + fmt.Println("Unable to inject cert to webhook.:", err) log.Error(err, "Unable to inject cert to webhook.") anyError = err continue } if err := r.writer.Update(r.ctx, updatedResource); err != nil { + fmt.Println("Error updating webhook with certificate:", err) + log.Error(err, "Error updating webhook with certificate") anyError = err continue diff --git a/test.yaml b/test.yaml index 570e9c5..77420b2 100644 --- a/test.yaml +++ b/test.yaml 
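Review bot: The added `continue` after `log.Error(err, "Error getting webhook for certificate update.")` is a genuine fix, not debug output: without it a non-NotFound `Get` error falls through and the unpopulated `updatedResource` is passed to `injectCert` and `r.writer.Update`. It deserves its own commit, or at least a comment such as `// Get failed: do not update an object we never fetched`, so it is not swept away with the `fmt.Println` calls, which bypass the controller-runtime `log` used on the neighbouring lines and write unstructured text to stdout. The same applies to the `log.Error` added in the `Update` failure path, which was previously silent apart from `anyError`. `ensureCerts` continues outside this hunk.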
@@ -27,14 +27,14 @@ spec: readOnly: true - name: cert-controller args: - - cert-dir=/certs - - ca-name=foocaname - - secret-name=vpa-admission-controller-secret - - service-name=fooservice - - ca-organization=fooorg - - namespace=default - - dns-name=foo.bar.svc - - webhook-name=vpa-webhook-config + - -cert-dir=/certs + - -ca-name=foocaname + - -secret-name=vpa-admission-controller-secret + - -service-name=fooservice + - -ca-organization=fooorg + - -namespace=default + - -dns-name=foo.bar.svc + - -webhook-name=vpa-webhook-config imagePullPolicy: Never image: cert-controller volumes: @@ -63,6 +63,7 @@ webhooks: operations: ["CREATE"] resources: ["pods"] clientConfig: + caBundle: Cg== service: namespace: default name: vpa-webhook @@ -83,3 +84,5 @@ metadata: namespace: default annotations: samson/server_side_apply: 'true' + +# TODO: add clusterrole, clusterrolebinding, serviceaccount to read and update secrets and webhooks From b83755092e849f48b8eeea0f284cca60967dfc98 Mon Sep 17 00:00:00 2001 From: Jye Lee Date: Thu, 21 Jan 2021 14:23:21 -0800 Subject: [PATCH 4/4] use zap for logging, previous log never outputted to kubectl logs --- go.mod | 2 + main.go | 24 +++++++++++- pkg/rotator/rotator.go | 17 ++------- test.yaml | 85 ++++++++++++++++++++++++------------------ 4 files changed, 75 insertions(+), 53 deletions(-) diff --git a/go.mod b/go.mod index f6f3f55..359cfc4 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,9 @@ module github.com/open-policy-agent/cert-controller go 1.14 require ( + github.com/go-logr/zapr v0.1.0 github.com/onsi/gomega v1.10.2 + github.com/open-policy-agent/cert-controller v0.1.0 github.com/pkg/errors v0.9.1 go.uber.org/atomic v1.6.0 go.uber.org/zap v1.10.0 diff --git a/main.go b/main.go index 810dc6e..beba806 100644 --- a/main.go +++ b/main.go 
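Review bot: The TODO added at the end of the file correctly records that the controller has no RBAC yet, but when it is filled in the grants should be least-privilege rather than a blanket ClusterRole: a namespaced `Role` on `secrets` restricted with `resourceNames: [vpa-admission-controller-secret]`, and a `ClusterRole` on `mutatingwebhookconfigurations` restricted with `resourceNames: [vpa-webhook-config]`, both bound to a dedicated ServiceAccount set as `serviceAccountName` on the Deployment. The `caBundle: Cg==` placeholder in the second hunk is a base64-encoded newline; it is presumably acceptable only because the rotator overwrites it, so a comment such as `# placeholder, replaced by cert-controller` would help the next reader.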
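Review bot: The new `github.com/open-policy-agent/cert-controller v0.1.0` require line names the main module itself (`module github.com/open-policy-agent/cert-controller` in the context above), so the module now requires its own path; that line should be removed, since `main.go` imports `pkg/rotator` from within the same module and needs no external requirement. Only the `github.com/go-logr/zapr` line belongs in this hunk; running `go mod tidy` would likely drop the self-reference, which is a quick way to confirm.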
@@ -12,6 +12,8 @@ import ( "k8s.io/client-go/tools/clientcmd/api" "os" ctrl "sigs.k8s.io/controller-runtime" + logf "sigs.k8s.io/controller-runtime/pkg/log" + "github.com/go-logr/zapr" "sigs.k8s.io/controller-runtime/pkg/client/apiutil" "time" ) @@ -27,6 +29,21 @@ var ( webhookName = flag.String("webhook-name", "", "Your webhook name") ) +func buildLogger() (*zap.Logger, error) { + // build a logger: + // - without timestamps because docker already logs with timestamps + // - use "message" instead of "msg" for consistency with other services / datadog parsing + // - remove caller since it points to shared methods most of the time anyway + loggerConfig := zap.NewProductionConfig() + loggerConfig.EncoderConfig.TimeKey = "" + loggerConfig.EncoderConfig.MessageKey = "message" + loggerConfig.DisableCaller = true + if os.Getenv("DEBUG") == "1" { + loggerConfig.Level.SetLevel(zap.DebugLevel) + } + return loggerConfig.Build() +} + func main() { flag.Parse() @@ -38,7 +55,9 @@ func main() { } // configure logging. - logger, _ := zap.NewDevelopment() + logger, _ := buildLogger() + defer logger.Sync() // flush buffer + logf.SetLogger(zapr.NewLogger(logger)) // Set logger for cert-controller or it sends to /dev/null logger.Info("sleeping to demonstrate restart behavior") time.Sleep(5 * time.Second) @@ -63,6 +82,7 @@ func main() { } // Make sure certs are generated and valid if cert rotation is enabled. + setupFinished := make(chan struct{}) if err := rotator.AddRotator(mgr, &rotator.CertRotator{ SecretKey: types.NamespacedName{ Namespace: *nameSpace, @@ -72,10 +92,10 @@ func main() { CAName: *caName, CAOrganization: *caOrganization, DNSName: *dnsName, + IsReady: setupFinished, Webhooks: webhooks, }); err != nil { logger.Error("unable to set up cert rotation", zap.Error(err)) - os.Exit(1) } diff --git a/pkg/rotator/rotator.go b/pkg/rotator/rotator.go index 211c97f..59e261d 100644 --- a/pkg/rotator/rotator.go +++ b/pkg/rotator/rotator.go 
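Review bot: `buildLogger` has no doc comment; the bullet list inside the body explains the encoder choices but not the contract, so a header such as `// buildLogger returns a production zap logger without timestamps or caller fields; DEBUG=1 in the environment enables debug-level output.` would serve readers of the call site. The `DEBUG` environment variable is read here directly while every other setting comes from a flag; a `-debug` flag in the `var (...)` block above would keep configuration in one place. Returning the `Build()` error is right, provided the caller actually checks it.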
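Review bot: `logger, _ := buildLogger()` still discards the error, and on failure `logger` is nil, so the `defer logger.Sync()` and `logger.Info` that follow panic with a nil pointer instead of a readable message; use `logger, err := buildLogger()` and exit on `err != nil`. `defer logger.Sync()` also never runs on the `os.Exit(1)` paths later in `main`, so buffered entries written just before an exit are lost; calling `logger.Sync()` explicitly before each exit, or funnelling exits through one helper, avoids that. The 5-second demonstration sleep remains unconditional on every start. `main` continues outside this hunk.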
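Review bot: Removing `os.Exit(1)` after `AddRotator` fails means the manager starts anyway with rotation disabled and the error only logged, so the pod serves with whatever is (or is not) in `-cert-dir` and, presumably, the webhook's CA bundle is never injected; the exit added in patch 1/4 should stay, or the error should be returned so `main` cannot proceed. `setupFinished` is created in the previous hunk and passed as `IsReady`, but nothing in this file receives from it; if readiness gating is intended, `<-setupFinished` (or a health check built on it) should follow `mgr.Start`, otherwise the channel is dead code. `main` continues outside this hunk.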
@@ -41,6 +41,7 @@ const ( caCertName = "ca.crt" caKeyName = "ca.key" rotationCheckFrequency = 12 * time.Hour + certValidityDuration = 10 * 365 * 24 * time.Hour lookaheadInterval = 90 * 24 * time.Hour ) @@ -62,9 +63,6 @@ var _ manager.Runnable = &CertRotator{} var restartOnSecretRefresh = false -var certValidityDuration = flag.Duration("cert-validity-duration", 10 * 365 * 24 * time.Hour, "Sets how long the cert is valid for, defaults to 10 years") - - //WebhookInfo is used by the rotator to receive info about resources to be updated with certificates type WebhookInfo struct { //Name is the name of the webhook for a validating or mutating webhook, or the CRD name in case of a CRD conversion webhook @@ -73,7 +71,7 @@ type WebhookInfo struct { } func init() { - flag.BoolVar(&restartOnSecretRefresh, "cert-restart-on-secret-refresh", true, "Kills the process when secrets are refreshed so that the pod can be restarted (secrets take up to 60s to be updated by running pods)") + flag.BoolVar(&restartOnSecretRefresh, "cert-restart-on-secret-refresh", false, "Kills the process when secrets are refreshed so that the pod can be restarted (secrets take up to 60s to be updated by running pods)") } func (w WebhookInfo) gvk() schema.GroupVersionKind { @@ -264,7 +262,7 @@ func (cr *CertRotator) refreshCerts(refreshCA bool, secret *corev1.Secret) error var caArtifacts *KeyPairArtifacts now := time.Now() begin := now.Add(-1 * time.Hour) - end := now.Add(*certValidityDuration) + end := now.Add(certValidityDuration) if refreshCA { var err error caArtifacts, err = cr.CreateCACert(begin, end) @@ -627,11 +625,9 @@ func (r *ReconcileWH) Reconcile(ctx context.Context, request reconcile.Request) } // Ensure certs on webhooks - fmt.Println("Starting cert injection") if err := r.ensureCerts(artifacts.CertPEM); err != nil { return reconcile.Result{}, err } - fmt.Println("Finished cert injection") // Set CAInjected if the reconciler has not exited early. r.wasCAInjected.Store(true) 
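Review bot: `certValidityDuration = 10 * 365 * 24 * time.Hour` makes every certificate this rotator issues valid for ten years, and with `lookaheadInterval` at 90 days in the same block the key material written to the Secret will in practice never be rotated during a deployment's lifetime, so a compromised key stays usable for a decade. If ten years is a deliberate choice it should be stated next to the constant, e.g. `// certValidityDuration is deliberately long; the rotator refreshes lookaheadInterval before expiry`, otherwise a validity on the order of a year with the existing lookahead gives real rotation. The same constant is consumed in the `refreshCerts` hunk below (`end := now.Add(certValidityDuration)`); reverting the `cert-restart-on-secret-refresh` default to `false` in the `init()` hunk is the right call for a library package.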
@@ -660,32 +656,25 @@ func (r *ReconcileWH) ensureCerts(certPem []byte) error { updatedResource.SetGroupVersionKind(gvk) if err := r.cache.Get(r.ctx, types.NamespacedName{Name: webhook.Name}, updatedResource); err != nil { if k8sErrors.IsNotFound(err) { - fmt.Println("Webhook not found. Unable to update certificate.", err) log.Error(err, "Webhook not found. Unable to update certificate.") continue } anyError = err log.Error(err, "Error getting webhook for certificate update.") - fmt.Println("Error getting webhook for certificate update.", err) - continue } if !updatedResource.GetDeletionTimestamp().IsZero() { - fmt.Println("Webhook is being deleted. Unable to update certificate") log.Info("Webhook is being deleted. Unable to update certificate") continue } log.Info("Ensuring CA cert", "name", webhook.Name, "gvk", gvk) if err := injectCert(updatedResource, certPem, webhook.Type); err != nil { - fmt.Println("Unable to inject cert to webhook.:", err) log.Error(err, "Unable to inject cert to webhook.") anyError = err continue } if err := r.writer.Update(r.ctx, updatedResource); err != nil { - fmt.Println("Error updating webhook with certificate:", err) - log.Error(err, "Error updating webhook with certificate") anyError = err continue diff --git a/test.yaml b/test.yaml index 77420b2..477dd7d 100644 --- a/test.yaml +++ b/test.yaml 
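Review bot: Dropping the `continue` after `log.Error(err, "Error getting webhook for certificate update.")` reintroduces the fall-through in which a non-NotFound `Get` error is logged but `updatedResource`, which was never populated, is still handed to `injectCert` and `r.writer.Update`; keep `continue` there even though the neighbouring `fmt.Println` lines go. Likewise the removed `log.Error(err, "Error updating webhook with certificate")` was the only log for an `Update` failure, leaving `anyError = err` as the sole signal; restoring that line costs nothing. `ensureCerts` continues outside this hunk.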
@@ -18,29 +18,40 @@ spec: foo: bar4 spec: containers: - - name: busybox - image: busybox - command: ["sh", "-c", "watch ls /certs"] - volumeMounts: - - name: certs - mountPath: "/certs" - readOnly: true - - name: cert-controller - args: - - -cert-dir=/certs - - -ca-name=foocaname - - -secret-name=vpa-admission-controller-secret - - -service-name=fooservice - - -ca-organization=fooorg - - -namespace=default - - -dns-name=foo.bar.svc - - -webhook-name=vpa-webhook-config - imagePullPolicy: Never - image: cert-controller + - name: busybox + image: busybox + command: ["sh", "-c", "watch ls /certs"] + volumeMounts: + - name: certs + mountPath: "/certs" + readOnly: true + - name: cert-controller + args: + - -cert-dir=/certs + - -ca-name=foocaname + - -secret-name=vpa-admission-controller-secret + - -service-name=fooservice + - -ca-organization=fooorg + - -namespace=default + - -dns-name=foo.bar.svc + - -webhook-name=vpa-webhook-config + imagePullPolicy: Never + image: cert-controller + resources: + limits: + cpu: 200m + memory: 500Mi + requests: + cpu: 50m + memory: 200Mi + volumeMounts: + - name: certs + mountPath: "/certs" + readOnly: true volumes: - - name: certs - secret: - secretName: vpa-admission-controller-secret + - name: certs + secret: + secretName: vpa-admission-controller-secret --- apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration 
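Review bot: The `cert-controller` container now mounts the `certs` Secret read-only at `/certs`, the same path passed as `-cert-dir=/certs`; if the rotator only reads the projected Secret from that directory this is correct, but if it also writes generated certificates there the read-only mount will fail, so confirm against how `CertDir` is used. The Deployment still has no `serviceAccountName` or pod `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`), which a controller that updates Secrets and webhook configurations should carry. The busybox `watch ls /certs` sidecar is debugging scaffolding that should not remain in the manifest.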
@@ -54,21 +65,21 @@ metadata: annotations: samson/server_side_apply: 'true' webhooks: -- name: vpa.k8s.io - failurePolicy: Ignore - admissionReviewVersions: ["v1beta1"] - rules: - - apiGroups: [""] - apiVersions: ["v1"] - operations: ["CREATE"] - resources: ["pods"] - clientConfig: - caBundle: Cg== - service: - namespace: default - name: vpa-webhook - sideEffects: None - timeoutSeconds: 30 + - name: vpa.k8s.io + failurePolicy: Ignore + admissionReviewVersions: ["v1beta1"] + rules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE"] + resources: ["pods"] + clientConfig: + caBundle: Cg== + service: + namespace: default + name: vpa-webhook + sideEffects: None + timeoutSeconds: 30 # We need to create a bogus secret for the updater to fill ---