diff --git a/go.mod b/go.mod
index 592be7fc2c..924965bdb2 100644
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 github.com/operator-framework/operator-sdk v1.4.2
 github.com/phoracek/networkmanager-go v0.1.0
 github.com/pkg/errors v0.9.1
- github.com/qinqon/kube-admission-webhook v0.15.0
+ github.com/qinqon/kube-admission-webhook v0.17.0
 github.com/tidwall/gjson v1.8.0
 github.com/tidwall/sjson v1.1.7
 gopkg.in/yaml.v2 v2.4.0
diff --git a/go.sum b/go.sum
index f25df077fa..f3e6f2b80c 100644
--- a/go.sum
+++ b/go.sum
@@ -1247,8 +1247,8 @@ github.com/prometheus/prometheus v2.3.2+incompatible/go.mod h1:oAIUtOny2rjMX0OWN
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/psampaz/go-mod-outdated v0.5.0/go.mod h1:Ow0f464qFSBVyz//3QyVLNPtL8/lLvjouMnjmVzNT/U=
 github.com/psampaz/go-mod-outdated v0.7.0/go.mod h1:r78NYWd1z+F9Zdsfy70svgXOz363B08BWnTyFSgEESs=
-github.com/qinqon/kube-admission-webhook v0.15.0 h1:uST8Yhl+dVWx1gkb/iam3harXpZK3NFkERpzj2HMyBM=
-github.com/qinqon/kube-admission-webhook v0.15.0/go.mod h1:eYJw+S+JSprEMLzGNmE0GFIlSrBQw0lAVES/ZjgM2FI=
+github.com/qinqon/kube-admission-webhook v0.17.0 h1:JeJ3mlFLoSdjT6NfNc8bLp4xDiBEgg51vgmyz0PSq/M=
+github.com/qinqon/kube-admission-webhook v0.17.0/go.mod h1:eYJw+S+JSprEMLzGNmE0GFIlSrBQw0lAVES/ZjgM2FI=
 github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:5STLWrekHfjyYwxBRVRXNOSewLJ3PWfDJd1VyTS21fI=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/configuration.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/configuration.go
index 28becfc726..8c059e5015 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/configuration.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/configuration.go
@@ -83,7 +83,7 @@ func (m *Manager) readyWebhookConfiguration() (client.Object, error) {
 func (m *Manager) addCertificateToCABundle(caCert *x509.Certificate) error {
 m.log.Info("Reset CA bundle with one cert for webhook")
 _, err := m.updateWebhookCABundleWithFunc(func(currentCABundle []byte) ([]byte, error) {
- return triple.AddCertToPEM(caCert, currentCABundle)
+ return triple.AddCertToPEM(caCert, currentCABundle, triple.CertsListSizeLimit)
 })
 if err != nil {
 return errors.Wrap(err, "failed to update webhook CABundle")
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/manager.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/manager.go
index ffc9950a1f..f9aaab1aa1 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/manager.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/manager.go
@@ -47,7 +47,7 @@ type Manager struct {
 // caCertDuration Options.CARotateInterval
 caCertDuration time.Duration
- // caCertDuration Options.CAOverlapInterval
+ // caOverlapDuration Options.CAOverlapInterval
 caOverlapDuration time.Duration
 // serviceCertDuration Options.CertRotateInterval
@@ -59,6 +59,9 @@ type Manager struct {
 // log initialized log that containes the webhook configuration name and
 // namespace so it's easy to debug.
 log logr.Logger
+ // extraLabels Options.ExtraLabels
+ extraLabels map[string]string
 }
 // NewManager with create a certManager that generated a secret per service
@@ -97,6 +100,7 @@ func NewManager(
 caOverlapDuration: options.CAOverlapInterval,
 serviceCertDuration: options.CertRotateInterval,
 serviceOverlapDuration: options.CertOverlapInterval,
+ extraLabels: options.ExtraLabels,
 log: logf.Log.WithName("certificate/Manager").
 WithValues("webhookType", options.WebhookType, "webhookName", options.WebhookName),
 }
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/options.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/options.go
index f7c245b922..aa6612405c 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/options.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/options.go
@@ -40,6 +40,9 @@ type Options struct {
 // CertOverlapInterval the duration of service certificates at bundle if
 // not set it will default to CertRotateInterval
 CertOverlapInterval time.Duration
+ // ExtraLabels extra labels that will be added to created secrets
+ ExtraLabels map[string]string
 }
 func (o *Options) validate() error {
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go
index ddc3a0db03..eb98f34e35 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go
@@ -39,7 +39,7 @@ func addTLSCertificate(data map[string][]byte, cert *x509.Certificate) error {
 certsPEM, hasCerts := data[corev1.TLSCertKey]
 if hasCerts {
- certsPEMBytes, err := triple.AddCertToPEM(cert, []byte(certsPEM))
+ certsPEMBytes, err := triple.AddCertToPEM(cert, []byte(certsPEM), triple.CertsListSizeLimit)
 if err != nil {
 return err
 }
@@ -110,6 +110,7 @@ func (m *Manager) applySecret(secretKey types.NamespacedName, secretType corev1.
 Name: secretKey.Name,
 Namespace: secretKey.Namespace,
 Annotations: map[string]string{},
+ Labels: m.extraLabels,
 },
 Type: secretType,
 }
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go
index 206fd57f42..edf2ce30fc 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go
@@ -38,6 +38,8 @@ const (
 CertificateBlockType = "CERTIFICATE"
 // CertificateRequestBlockType is a possible value for pem.Block.Type.
 CertificateRequestBlockType = "CERTIFICATE REQUEST"
+ // CertsListSizeLimit sets the max size of a certs list
+ CertsListSizeLimit = 100
 )
 // EncodePublicKeyPEM returns PEM-encoded public data
@@ -188,7 +190,7 @@ func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) {
 return certs, nil
 }
-func AddCertToPEM(cert *x509.Certificate, pemCerts []byte) ([]byte, error) {
+func AddCertToPEM(cert *x509.Certificate, pemCerts []byte, maxListSize int) ([]byte, error) {
 certs := []*x509.Certificate{}
 if len(pemCerts) > 0 {
 var err error
@@ -200,9 +202,21 @@ func AddCertToPEM(cert *x509.Certificate, pemCerts []byte) ([]byte, error) {
 // Prepend cert since it's what TLS expects [1]
 // [1] https://github.com/golang/go/blob/master/src/crypto/tls/tls.go#L292-L294
 certs = append([]*x509.Certificate{cert}, certs...)
+
+ certs = removeOldestCerts(certs, maxListSize)
+
 return EncodeCertsPEM(certs), nil
 }
+// removeOldestCerts removes old certs to avoid bloating
+func removeOldestCerts(certs []*x509.Certificate, maxListSize int) []*x509.Certificate {
+ if len(certs) <= maxListSize {
+ return certs
+ }
+ // oldest certs are in the end
+ return certs[:maxListSize]
+}
+
 // parseRSAPublicKey parses a single RSA public key from the provided data
 func parseRSAPublicKey(data []byte) (*rsa.PublicKey, error) {
 var err error
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b7715cdf2a..98d9ff465b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -687,7 +687,7 @@ github.com/prometheus/common/model
 github.com/prometheus/procfs
 github.com/prometheus/procfs/internal/fs
 github.com/prometheus/procfs/internal/util
-# github.com/qinqon/kube-admission-webhook v0.15.0
+# github.com/qinqon/kube-admission-webhook v0.17.0
 ## explicit
 github.com/qinqon/kube-admission-webhook/pkg/certificate
 github.com/qinqon/kube-admission-webhook/pkg/certificate/triple