From f16aa09ffb4577c3ef2a2638b5c958559d50400e Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Wed, 11 Jan 2023 00:52:57 +0100 Subject: [PATCH 01/12] feat: use self-signed certs Signed-off-by: Jorge Turrado --- cmd/operator/main.go | 125 +++----------------- config/rbac/role.yaml | 10 ++ pkg/certificates/certificate_manager.go | 151 ++++++++++++++++++++++++ 3 files changed, 177 insertions(+), 109 deletions(-) create mode 100644 pkg/certificates/certificate_manager.go diff --git a/cmd/operator/main.go b/cmd/operator/main.go index 8068e9c1536..6936b62c68b 100644 --- a/cmd/operator/main.go +++ b/cmd/operator/main.go @@ -17,19 +17,14 @@ limitations under the License. package main import ( - "context" "flag" "fmt" "os" "runtime" "time" - "github.com/open-policy-agent/cert-controller/pkg/rotator" "github.com/spf13/pflag" - corev1 "k8s.io/api/core/v1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" apimachineryruntime "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/types" utilruntime "k8s.io/apimachinery/pkg/util/runtime" kubeinformers "k8s.io/client-go/informers" "k8s.io/client-go/kubernetes" @@ -37,14 +32,13 @@ import ( _ "k8s.io/client-go/plugin/pkg/client/auth" "k8s.io/client-go/tools/cache" ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/log/zap" - "sigs.k8s.io/controller-runtime/pkg/manager" kedav1alpha1 "github.com/kedacore/keda/v2/apis/keda/v1alpha1" kedacontrollers "github.com/kedacore/keda/v2/controllers/keda" + "github.com/kedacore/keda/v2/pkg/certificates" "github.com/kedacore/keda/v2/pkg/k8s" "github.com/kedacore/keda/v2/pkg/metricsservice" "github.com/kedacore/keda/v2/pkg/scaling" 
@@ -88,8 +82,8 @@ func main() { var operatorServiceName string var metricsServerServiceName string var webhooksServiceName string - var enableCertRotation bool + var validatingWebhookName string pflag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") pflag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") pflag.StringVar(&metricsServiceAddr, "metrics-service-bind-address", ":9666", "The address the gRPRC Metrics Service endpoint binds to.") @@ -104,9 +98,8 @@ func main() { pflag.StringVar(&operatorServiceName, "operator-service-name", "keda-operator", "Operator service name. Defaults to keda-operator") pflag.StringVar(&metricsServerServiceName, "metrics-server-service-name", "keda-metrics-apiserver", "Metrics server service name. Defaults to keda-metrics-apiserver") pflag.StringVar(&webhooksServiceName, "webhooks-service-name", "keda-admission-webhooks", "Webhook service name. Defaults to keda-admission-webhooks") - pflag.BoolVar(&enableCertRotation, "enable-cert-rotation", false, "enable automatic generation and rotation of TLS certificates/keys") - + pflag.StringVar(&validatingWebhookName, "validating-webhook-name", "keda-admission", "ValidatingWebhookConfiguration name. Defaults to keda-admission") opts := zap.Options{} opts.BindFlags(flag.CommandLine) pflag.CommandLine.AddGoFlagSet(flag.CommandLine) 
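Review bot: `var enableCertRotation bool` (first hunk on this line) and its `pflag.BoolVar(&enableCertRotation, "enable-cert-rotation", ...)` registration (second hunk) are both removed, yet the next hunk still guards the whole cert setup with `if enableCertRotation {`; unless the variable is declared somewhere else in main or a later patch in this series restores it, main.go no longer compiles. Keep `var enableCertRotation bool` and the `pflag.BoolVar` line next to the new `validatingWebhookName` flag. Removing a public flag is also a breaking change for deployments that pass `--enable-cert-rotation`; if the intent is to make rotation unconditional, the flag should be kept as a deprecated no-op for one release and the help text should say so. main's body begins before and continues past these hunks.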
@@ -252,7 +245,19 @@ func main() { } if enableCertRotation { - if err := addCertificateRotation(ctx, mgr, certSecretName, certDir, operatorServiceName, metricsServerServiceName, webhooksServiceName); err != nil { + certManager := certificates.CertManager{ + SecretName: certSecretName, + CertDir: certDir, + OperatorService: operatorServiceName, + MetricsServerService: metricsServerServiceName, + WebhookService: webhooksServiceName, + CAName: "KEDA", + CAOrganization: "KEDAORG", + ValidatingWebhookName: validatingWebhookName, + ApiServiceName: "v1beta1.external.metrics.k8s.io", + Logger: setupLog, + } + if err := certManager.AddCertificateRotation(ctx, mgr); err != nil { setupLog.Error(err, "unable to set up cert rotation") os.Exit(1) } 
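Review bot: `CAName: "KEDA"`, `CAOrganization: "KEDAORG"` and `ApiServiceName: "v1beta1.external.metrics.k8s.io"` are bare literals inside main while the sibling `ValidatingWebhookName` comes from a flag, so the CA identity and the APIService name have no single documented home. If they are fixed by design, hoist them to named constants beside the other defaults, e.g. `const metricsAPIServiceName = "v1beta1.external.metrics.k8s.io"`, with a comment that the APIService name is dictated by the external metrics API group/version; if an install can legitimately differ, expose them the same way the webhook name is. The CA name and organization also differ from the `kedaorg-ca`/`kedaorg` values deleted further down, which is worth a line in the commit message. main's body continues outside this hunk.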
@@ -283,101 +288,3 @@ func main() { os.Exit(1) } } - -// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;list;watch;update;patch -// +kubebuilder:rbac:groups="",namespace=keda,resources=secrets,verbs=get;list;watch;create;update;patch;delete - -// addCertificateRotation registers all needed services to generate the certificates and patches needed resources with the caBundle -func addCertificateRotation(ctx context.Context, mgr manager.Manager, secretName, certDir, operatorServiceName, metricsServerServiceName, webhooksServiceName string) error { - caName := "kedaorg-ca" - caOrganization := "kedaorg" - - var rotatorHooks = []rotator.WebhookInfo{ - { - Name: "keda-admission", - Type: rotator.Validating, - }, - } - - // Make sure certs are generated and valid if cert rotation is enabled. - setupFinished := make(chan struct{}) - ensureSecret(ctx, mgr, secretName) - extraDNSNames := []string{} - extraDNSNames = append(extraDNSNames, getDNSNames(operatorServiceName)...) - extraDNSNames = append(extraDNSNames, getDNSNames(webhooksServiceName)...) - extraDNSNames = append(extraDNSNames, getDNSNames(metricsServerServiceName)...) 
- - setupLog.V(1).Info("setting up cert rotation") - if err := rotator.AddRotator(mgr, &rotator.CertRotator{ - SecretKey: types.NamespacedName{ - Namespace: kedautil.GetPodNamespace(), - Name: secretName, - }, - CertDir: certDir, - CAName: caName, - CAOrganization: caOrganization, - DNSName: extraDNSNames[0], - ExtraDNSNames: extraDNSNames, - IsReady: setupFinished, - Webhooks: rotatorHooks, - RestartOnSecretRefresh: true, - RequireLeaderElection: true, - }); err != nil { - return err - } - return nil -} - -// getDNSNames creates all the possible DNS names for a given service -func getDNSNames(service string) []string { - namespace := kedautil.GetPodNamespace() - return []string{ - service, - fmt.Sprintf("%s.%s", service, namespace), - fmt.Sprintf("%s.%s.svc", service, namespace), - fmt.Sprintf("%s.%s.svc.local", service, namespace), - } -} - -// ensureSecret ensures that the secret used for storing TLS certificates exists -func ensureSecret(ctx context.Context, mgr manager.Manager, secretName string) { - secrets := &corev1.SecretList{} - kedaNamespace := kedautil.GetPodNamespace() - opt := &client.ListOptions{ - Namespace: kedaNamespace, - } - - err := mgr.GetAPIReader().List(ctx, secrets, opt) - if err != nil { - setupLog.Error(err, "unable to check secrets") - os.Exit(1) - } - - exists := false - for _, secret := range secrets.Items { - if secret.Name == secretName { - exists = true - break - } - } - if !exists { - secret := &corev1.Secret{ - ObjectMeta: v1.ObjectMeta{ - Name: secretName, - Namespace: kedaNamespace, - Labels: map[string]string{ - "app": "keda-operator", - "app.kubernetes.io/name": "keda-operator", - "app.kubernetes.io/component": "keda-operator", - "app.kubernetes.io/part-of": "keda", - }, - }, - } - err = mgr.GetClient().Create(ctx, secret) - if err != nil { - setupLog.Error(err, "unable to create certificates secret") - os.Exit(1) - } - setupLog.V(1).Info(fmt.Sprintf("created the secret %s to store cert-controller certificates", secretName)) - 
} -} diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 50fdd338b85..b6e06bb53ea 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -53,6 +53,16 @@ rules: - patch - update - watch +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - patch + - update + - watch - apiGroups: - apps resources: diff --git a/pkg/certificates/certificate_manager.go b/pkg/certificates/certificate_manager.go new file mode 100644 index 00000000000..803b6f1e08e --- /dev/null +++ b/pkg/certificates/certificate_manager.go 
@@ -0,0 +1,151 @@ +/* +Copyright 2023 The KEDA Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package certificates + +import ( + "context" + "fmt" + "os" + + corev1 "k8s.io/api/core/v1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + _ "k8s.io/client-go/plugin/pkg/client/auth" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/manager" + + "github.com/go-logr/logr" + kedautil "github.com/kedacore/keda/v2/pkg/util" + "github.com/open-policy-agent/cert-controller/pkg/rotator" +) + +// +kubebuilder:rbac:groups=apiregistration.k8s.io,resources=apiservices,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=validatingwebhookconfigurations,verbs=get;list;watch;update;patch +// +kubebuilder:rbac:groups="",namespace=keda,resources=secrets,verbs=get;list;watch;create;update;patch;delete + +type CertManager struct { + SecretName string + CertDir string + OperatorService string + MetricsServerService string + WebhookService string + CAName string + CAOrganization string + ValidatingWebhookName string + ApiServiceName string + Logger logr.Logger + Ready chan struct{} +} + +// AddCertificateRotation registers all needed services to generate the certificates and patches needed resources with the caBundle +func (cm CertManager) AddCertificateRotation(ctx context.Context, mgr manager.Manager) error { + + var rotatorHooks = []rotator.WebhookInfo{ + { + Name: 
cm.ValidatingWebhookName, + Type: rotator.Validating, + }, + { + Name: cm.ApiServiceName, + Type: rotator.APIService, + }, + } + + err := cm.ensureSecret(ctx, mgr, cm.SecretName) + if err != nil { + return err + } + extraDNSNames := []string{} + extraDNSNames = append(extraDNSNames, getDNSNames(cm.OperatorService)...) + extraDNSNames = append(extraDNSNames, getDNSNames(cm.WebhookService)...) + extraDNSNames = append(extraDNSNames, getDNSNames(cm.MetricsServerService)...) + + cm.Logger.V(1).Info("setting up cert rotation") + if err := rotator.AddRotator(mgr, &rotator.CertRotator{ + SecretKey: types.NamespacedName{ + Namespace: kedautil.GetPodNamespace(), + Name: cm.SecretName, + }, + CertDir: cm.CertDir, + CAName: cm.CAName, + CAOrganization: cm.CAOrganization, + DNSName: extraDNSNames[0], + ExtraDNSNames: extraDNSNames, + IsReady: cm.Ready, + Webhooks: rotatorHooks, + RestartOnSecretRefresh: true, + RequireLeaderElection: true, + }); err != nil { + return err + } + return nil +} + +// getDNSNames creates all the possible DNS names for a given service +func getDNSNames(service string) []string { + namespace := kedautil.GetPodNamespace() + return []string{ + service, + fmt.Sprintf("%s.%s", service, namespace), + fmt.Sprintf("%s.%s.svc", service, namespace), + fmt.Sprintf("%s.%s.svc.local", service, namespace), + } +} + +// ensureSecret ensures that the secret used for storing TLS certificates exists +func (cm CertManager) ensureSecret(ctx context.Context, mgr manager.Manager, secretName string) error { + secrets := &corev1.SecretList{} + kedaNamespace := kedautil.GetPodNamespace() + opt := &client.ListOptions{ + Namespace: kedaNamespace, + } + + err := mgr.GetAPIReader().List(ctx, secrets, opt) + if err != nil { + cm.Logger.Error(err, "unable to check secrets") + os.Exit(1) + } + + exists := false + for _, secret := range secrets.Items { + if secret.Name == secretName { + exists = true + break + } + } + if !exists { + secret := &corev1.Secret{ + ObjectMeta: 
v1.ObjectMeta{ + Name: secretName, + Namespace: kedaNamespace, + Labels: map[string]string{ + "app": "keda-operator", + "app.kubernetes.io/name": "keda-operator", + "app.kubernetes.io/component": "keda-operator", + "app.kubernetes.io/part-of": "keda", + }, + }, + } + err = mgr.GetClient().Create(ctx, secret) + if err != nil { + cm.Logger.Error(err, "unable to create certificates secret") + return err + } + cm.Logger.V(1).Info(fmt.Sprintf("created the secret %s to store cert-controller certificates", secretName)) + } + return nil +} From 487b19360891a6458fb58bd8f7aee3beced2ebb0 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Wed, 11 Jan 2023 01:38:10 +0100 Subject: [PATCH 02/12] use certs for gRPC TLS and metrics server Signed-off-by: Jorge Turrado --- Dockerfile.adapter | 3 -- cmd/adapter/main.go | 5 ++- cmd/operator/main.go | 6 ++- config/metrics-server/api_service.yaml | 1 - config/metrics-server/deployment.yaml | 7 ++-- pkg/metricsservice/client.go | 15 +++++-- pkg/metricsservice/server.go | 25 ++++++++---- pkg/metricsservice/utils/tls.go | 56 ++++++++++++++++++++++++++ 8 files changed, 96 insertions(+), 22 deletions(-) create mode 100644 pkg/metricsservice/utils/tls.go diff --git a/Dockerfile.adapter b/Dockerfile.adapter index 555dba47e6d..9a67a3e596f 100644 --- a/Dockerfile.adapter +++ b/Dockerfile.adapter @@ -20,8 +20,6 @@ COPY vendor/ vendor/ COPY go.mod go.mod COPY go.sum go.sum -RUN mkdir -p /apiserver.local.config/certificates && chmod -R 777 /apiserver.local.config - # Build # https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/ ARG TARGETOS 
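Review bot: `ensureSecret` still calls `os.Exit(1)` when listing secrets fails (`cm.Logger.Error(err, "unable to check secrets")` followed by `os.Exit(1)`), while the create failure a few lines later returns the error; in a library package the method should return in both cases, e.g. `return fmt.Errorf("listing secrets in namespace %q: %w", kedaNamespace, err)`, and leave exiting to main. The existence check also lists every Secret in the namespace through the uncached API reader just to find one by name; a `Get` on `types.NamespacedName{Namespace: kedaNamespace, Name: secretName}` with `apierrors.IsNotFound` (from `k8s.io/apimachinery/pkg/api/errors`) to tell "absent" from "failed" is cheaper and avoids pulling unrelated secret data into the process. In `getDNSNames`, `%s.%s.svc.local` is not a suffix the default cluster DNS serves (that is `svc.cluster.local`), so this SAN looks like either a typo or dead weight. Exported `CertManager` and its fields carry no doc comment; add one that says `Ready` is handed to the rotator as `IsReady` and that the same secret feeds both the webhook and the gRPC transport, and Go initialism style would spell `ApiServiceName` as `APIServiceName`.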
@@ -32,7 +30,6 @@ RUN VERSION=${BUILD_VERSION} GIT_COMMIT=${GIT_COMMIT} GIT_VERSION=${GIT_VERSION} # Refer to https://github.com/GoogleContainerTools/distroless for more details FROM gcr.io/distroless/static:nonroot WORKDIR / -COPY --from=builder --chown=nonroot:nonroot /apiserver.local.config /apiserver.local.config COPY --from=builder /workspace/bin/keda-adapter . # 65532 is numeric for nonroot USER 65532:65532 diff --git a/cmd/adapter/main.go b/cmd/adapter/main.go index ec5440b7f28..9ca7f008347 100644 --- a/cmd/adapter/main.go +++ b/cmd/adapter/main.go @@ -69,6 +69,7 @@ var ( metricsAPIServerPort int disableCompression bool metricsServiceAddr string + certDir string ) func (a *Adapter) makeProvider(ctx context.Context, globalHTTPTimeout time.Duration, maxConcurrentReconciles int) (provider.MetricsProvider, <-chan struct{}, error) { @@ -160,7 +161,7 @@ func (a *Adapter) makeProvider(ctx context.Context, globalHTTPTimeout time.Durat go func() { prometheusServer.NewServer(fmt.Sprintf(":%v", prometheusMetricsPort), prometheusMetricsPath) }() logger.Info("Connecting Metrics Service gRPC client to the server", "address", metricsServiceAddr) - grpcClient, err := metricsservice.NewGrpcClient(metricsServiceAddr) + grpcClient, err := metricsservice.NewGrpcClient(metricsServiceAddr, certDir) if err != nil { logger.Error(err, "error connecting Metrics Service gRPC client to the server", "address", metricsServiceAddr) return nil, nil, err 
@@ -244,6 +245,8 @@ func main() { cmd.Flags().Float32Var(&adapterClientRequestQPS, "kube-api-qps", 20.0, "Set the QPS rate for throttling requests sent to the apiserver") cmd.Flags().IntVar(&adapterClientRequestBurst, "kube-api-burst", 30, "Set the burst for throttling requests sent to the apiserver") cmd.Flags().BoolVar(&disableCompression, "disable-compression", true, "Disable response compression for k8s restAPI in client-go. ") + cmd.Flags().StringVar(&certDir, "cert-dir", "/certs", "Webhook certificates dir to use. Defaults to /certs") + if err := cmd.Flags().Parse(os.Args); err != nil { return } diff --git a/cmd/operator/main.go b/cmd/operator/main.go index 6936b62c68b..76d656f99b8 100644 --- a/cmd/operator/main.go +++ b/cmd/operator/main.go @@ -244,6 +244,7 @@ func main() { os.Exit(1) } + certReady := make(chan struct{}) if enableCertRotation { certManager := certificates.CertManager{ SecretName: certSecretName, @@ -256,14 +257,17 @@ func main() { ValidatingWebhookName: validatingWebhookName, ApiServiceName: "v1beta1.external.metrics.k8s.io", Logger: setupLog, + Ready: certReady, } if err := certManager.AddCertificateRotation(ctx, mgr); err != nil { setupLog.Error(err, "unable to set up cert rotation") os.Exit(1) } + } else { + close(certReady) } - grpcServer := metricsservice.NewGrpcServer(&scaledHandler, metricsServiceAddr) + grpcServer := metricsservice.NewGrpcServer(&scaledHandler, metricsServiceAddr, certDir, certReady) if err := mgr.Add(&grpcServer); err != nil { setupLog.Error(err, "unable to set up Metrics Service gRPC server") os.Exit(1) diff --git a/config/metrics-server/api_service.yaml b/config/metrics-server/api_service.yaml index cef8b603b73..c7dd322baab 100644 --- a/config/metrics-server/api_service.yaml +++ b/config/metrics-server/api_service.yaml @@ -13,6 +13,5 @@ spec: namespace: keda group: external.metrics.k8s.io version: v1beta1 - insecureSkipTLSVerify: true groupPriorityMinimum: 100 versionPriority: 100 
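Review bot: In the `else { close(certReady) }` branch, disabling rotation lets the gRPC server start immediately, but `NewGrpcServer(&scaledHandler, metricsServiceAddr, certDir, certReady)` still loads `ca.crt`/`tls.crt`/`tls.key` from `certDir` on start, so the non-rotation path now hard-requires installer-provided certificates in that directory and no longer has the previous plaintext fallback; nothing in this hunk or the flag help says so. The api_service.yaml hunk on this line drops `insecureSkipTLSVerify: true` without a `caBundle` in its place, which relies on the rotator's `rotator.APIService` hook patching the APIService; with rotation disabled the aggregator will reject the adapter's certificate unless the installer sets `caBundle` by hand. Say both in the rotation flag's help text and in a comment above the `else`, e.g. `// rotation disabled: certDir must already hold ca.crt, tls.crt and tls.key, and the installer must set the APIService caBundle`. main's body continues outside this hunk.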
diff --git a/config/metrics-server/deployment.yaml b/config/metrics-server/deployment.yaml index 874ebf0c615..dae6a4d8f1e 100644 --- a/config/metrics-server/deployment.yaml +++ b/config/metrics-server/deployment.yaml @@ -59,6 +59,9 @@ spec: - --secure-port=6443 - --logtostderr=true - --v=0 + - --client-ca-file=/certs/ca.crt + - --tls-cert-file=/certs/tls.crt + - --tls-private-key-file=/certs/tls.key ports: - containerPort: 6443 name: https @@ -69,8 +72,6 @@ spec: volumeMounts: - mountPath: /tmp name: temp-vol - - mountPath: /apiserver.local.config/certificates - name: certs - mountPath: /certs name: certificates readOnly: true @@ -88,8 +89,6 @@ spec: volumes: - name: temp-vol emptyDir: {} - - name: certs - emptyDir: {} - name: certificates secret: defaultMode: 420 diff --git a/pkg/metricsservice/client.go b/pkg/metricsservice/client.go index d5d52b7bd10..bb4aa8d9520 100644 --- a/pkg/metricsservice/client.go +++ b/pkg/metricsservice/client.go @@ -24,11 +24,11 @@ import ( "github.com/go-logr/logr" "google.golang.org/grpc" "google.golang.org/grpc/connectivity" - "google.golang.org/grpc/credentials/insecure" "k8s.io/metrics/pkg/apis/external_metrics" "k8s.io/metrics/pkg/apis/external_metrics/v1beta1" "github.com/kedacore/keda/v2/pkg/metricsservice/api" + "github.com/kedacore/keda/v2/pkg/metricsservice/utils" ) type GrpcClient struct { @@ -36,7 +36,7 @@ type GrpcClient struct { connection *grpc.ClientConn } -func NewGrpcClient(url string) (*GrpcClient, error) { +func NewGrpcClient(url, certDir string) (*GrpcClient, error) { retryPolicy := `{ "methodConfig": [{ "timeout": "3s", 
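Review bot: `--client-ca-file=/certs/ca.crt` in the first deployment.yaml hunk makes the adapter accept, as an authenticated client, any x509 certificate chaining to the self-signed KEDA CA, with the certificate's CommonName taken as the username; the aggregator itself authenticates through the requestheader (front-proxy) CA that the adapter reads from the `extension-apiserver-authentication` ConfigMap, so it is not obvious from the page that this flag is needed for the metrics path. If it is only there alongside `--tls-cert-file`/`--tls-private-key-file` to make serving work, drop it; if it is required, add a comment above it naming which client presents a KEDA-CA-signed certificate directly to port 6443. Authorization is still delegated via SubjectAccessReview, so the exposure is limited to identity, but an unneeded trust anchor is better removed than reasoned about.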
@@ -49,8 +49,15 @@ func NewGrpcClient(url string) (*GrpcClient, error) { } }]}` - // TODO fix Transport layer - use TLS - conn, err := grpc.Dial(url, grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithDefaultServiceConfig(retryPolicy)) + creds, err := utils.LoadTLSCredentials(certDir) + if err != nil { + return nil, err + } + opts := []grpc.DialOption{ + grpc.WithTransportCredentials(creds), + grpc.WithDefaultServiceConfig(retryPolicy), + } + conn, err := grpc.Dial(url, opts...) if err != nil { return nil, err } diff --git a/pkg/metricsservice/server.go b/pkg/metricsservice/server.go index 06703f5b3ec..47dc2d307b4 100644 --- a/pkg/metricsservice/server.go +++ b/pkg/metricsservice/server.go @@ -26,6 +26,7 @@ import ( logf "sigs.k8s.io/controller-runtime/pkg/log" "github.com/kedacore/keda/v2/pkg/metricsservice/api" + "github.com/kedacore/keda/v2/pkg/metricsservice/utils" "github.com/kedacore/keda/v2/pkg/scaling" ) @@ -34,6 +35,8 @@ var log = logf.Log.WithName("grpc_server") type GrpcServer struct { server *grpc.Server address string + certDir string + certsReady chan struct{} scalerHandler *scaling.ScaleHandler api.UnimplementedMetricsServiceServer } @@ -60,17 +63,13 @@ func (s *GrpcServer) GetMetrics(ctx context.Context, in *api.ScaledObjectRef) (* } // NewGrpcServer creates a new instance of GrpcServer -func NewGrpcServer(scaleHandler *scaling.ScaleHandler, address string) GrpcServer { - // nosemgrep: go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection - gsrv := grpc.NewServer() - srv := GrpcServer{ - server: gsrv, +func NewGrpcServer(scaleHandler *scaling.ScaleHandler, address, certDir string, certsReady chan struct{}) GrpcServer { + return GrpcServer{ address: address, scalerHandler: scaleHandler, + certDir: certDir, + certsReady: certsReady, } - - api.RegisterMetricsServiceServer(gsrv, &srv) - return srv } func (s *GrpcServer) startServer() error { 
@@ -89,6 +88,16 @@ func (s *GrpcServer) startServer() error { // Start starts a new gRPC Metrics Service, this implements Runnable interface // of controller-runtime Manager, so we can use mgr.Add() to start this component. func (s *GrpcServer) Start(ctx context.Context) error { + <-s.certsReady + if s.server == nil { + creds, err := utils.LoadTLSCredentials(s.certDir) + if err != nil { + return err + } + s.server = grpc.NewServer(grpc.Creds(creds)) + api.RegisterMetricsServiceServer(s.server, s) + } + errChan := make(chan error) go func() { diff --git a/pkg/metricsservice/utils/tls.go b/pkg/metricsservice/utils/tls.go new file mode 100644 index 00000000000..82cddb3b653 --- /dev/null +++ b/pkg/metricsservice/utils/tls.go 
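Review bot: `<-s.certsReady` at the top of `Start` blocks with no way out: if the channel is never closed (for instance the rotator fails before it signals readiness), the manager's shutdown context is ignored and this Runnable never returns, so `mgr.Start` cannot stop cleanly. Select on `ctx.Done()` as well and return `ctx.Err()` so cancellation wins; the field and the `NewGrpcServer` parameter could also be typed `<-chan struct{}`, since this side only receives. The server is built lazily here because the credentials are only loadable after that signal, which deserves a comment. Start's body continues past the hunk.
```go
func (s *GrpcServer) Start(ctx context.Context) error {
	// Certificates are written by the rotator; wait for them, but let
	// manager shutdown win so a stuck rotator cannot wedge mgr.Start.
	select {
	case <-s.certsReady:
	case <-ctx.Done():
		return ctx.Err()
	}
	if s.server == nil {
		// … unchanged: LoadTLSCredentials, grpc.NewServer(grpc.Creds(creds)), RegisterMetricsServiceServer …
	}
	// … unchanged: errChan and the serving goroutine …
```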
@@ -0,0 +1,56 @@
+/*
+Copyright 2023 The KEDA Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package utils
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "fmt"
+ "io/ioutil"
+ "path"
+
+ "google.golang.org/grpc/credentials"
+)
+
+// LoadTLSCredentials reads the certificate from the given path and returns TLS transport credentials
+func LoadTLSCredentials(certDir string) (credentials.TransportCredentials, error) {
+ // Load certificate of the CA who signed client's certificate
+ pemClientCA, err := ioutil.ReadFile(path.Join(certDir, "ca.crt"))
+ if err != nil {
+ return nil, err
+ }
+
+ certPool := x509.NewCertPool()
+ if !certPool.AppendCertsFromPEM(pemClientCA) {
+ return nil, fmt.Errorf("failed to add client CA's certificate")
+ }
+
+ // Load certificate and private key
+ cert, err := tls.LoadX509KeyPair(path.Join(certDir, "tls.crt"), path.Join(certDir, "tls.key"))
+ if err != nil {
+ return nil, err
+ }
+
+ // Create the credentials and return it
+ config := &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ ClientCAs: certPool,
+ }
+
+ return credentials.NewTLS(config), nil
+}
From 89abc8da0513714d389ade5b8ea03ac861234ef4 Mon Sep 17 00:00:00 2001
From: Jorge Turrado
Date: Wed, 11 Jan 2023 01:55:06 +0100
Subject: [PATCH 03/12] use already existing arg
Signed-off-by: Jorge Turrado
---
 cmd/adapter/main.go | 5 +----
 config/metrics-server/deployment.yaml | 1 +
 2 files changed, 2 insertions(+), 4 deletions(-)
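Review bot: The `tls.Config` built at the end of `LoadTLSCredentials` sets no `MinVersion`, so the server side inherits the crypto/tls default floor and, on the Go releases this module targets, can negotiate TLS 1.0/1.1 with a client that asks for it; add `MinVersion: tls.VersionTLS12,` next to `Certificates`. `ioutil.ReadFile` has been deprecated since Go 1.16 in favour of `os.ReadFile`, and `path.Join` is meant for slash-separated URL paths while these are filesystem paths, so `filepath.Join` is the right call (both are stdlib, no new dependency). The error `failed to add client CA's certificate` would be more useful naming the file it read, e.g. `fmt.Errorf("no certificates found in %s", filepath.Join(certDir, "ca.crt"))`. Note also that the key pair is snapshotted once at load time; the operator is restarted by the rotator on refresh, but a long-running adapter keeps the stale client certificate until it is restarted, which the doc comment should state.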
diff --git a/cmd/adapter/main.go b/cmd/adapter/main.go index 9ca7f008347..d5a2149bb2a 100644 --- a/cmd/adapter/main.go +++ b/cmd/adapter/main.go @@ -69,7 +69,6 @@ var ( metricsAPIServerPort int disableCompression bool metricsServiceAddr string - certDir string ) func (a *Adapter) makeProvider(ctx context.Context, globalHTTPTimeout time.Duration, maxConcurrentReconciles int) (provider.MetricsProvider, <-chan struct{}, error) { @@ -82,7 +81,6 @@ func (a *Adapter) makeProvider(ctx context.Context, globalHTTPTimeout time.Durat logger.Error(err, "failed to add keda scheme to runtime scheme") return nil, nil, fmt.Errorf("failed to add keda scheme to runtime scheme (%s)", err) } - namespace, err := getWatchNamespace() if err != nil { logger.Error(err, "failed to get watch namespace") @@ -161,7 +159,7 @@ func (a *Adapter) makeProvider(ctx context.Context, globalHTTPTimeout time.Durat go func() { prometheusServer.NewServer(fmt.Sprintf(":%v", prometheusMetricsPort), prometheusMetricsPath) }() logger.Info("Connecting Metrics Service gRPC client to the server", "address", metricsServiceAddr) - grpcClient, err := metricsservice.NewGrpcClient(metricsServiceAddr, certDir) + grpcClient, err := metricsservice.NewGrpcClient(metricsServiceAddr, a.SecureServing.ServerCert.CertDirectory) if err != nil { logger.Error(err, "error connecting Metrics Service gRPC client to the server", "address", metricsServiceAddr) return nil, nil, err 
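Review bot: `a.SecureServing.ServerCert.CertDirectory` in the third hunk is the directory the apiserver library writes its own serving certificate to when `--tls-cert-file`/`--tls-private-key-file` are not given; reusing it as the location of the gRPC client's `ca.crt`/`tls.crt`/`tls.key` only works because the deployment passes `--cert-dir=/certs` together with the explicit serving-cert flags pointing at the same mount. That coupling is invisible from the code, so either add a comment at the call, e.g. `// gRPC client cert material is expected alongside the serving cert, i.e. under --cert-dir`, or keep a dedicated flag so the two locations can diverge. makeProvider's body begins before this hunk.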
@@ -245,7 +243,6 @@ func main() { cmd.Flags().Float32Var(&adapterClientRequestQPS, "kube-api-qps", 20.0, "Set the QPS rate for throttling requests sent to the apiserver") cmd.Flags().IntVar(&adapterClientRequestBurst, "kube-api-burst", 30, "Set the burst for throttling requests sent to the apiserver") cmd.Flags().BoolVar(&disableCompression, "disable-compression", true, "Disable response compression for k8s restAPI in client-go. ") - cmd.Flags().StringVar(&certDir, "cert-dir", "/certs", "Webhook certificates dir to use. Defaults to /certs") if err := cmd.Flags().Parse(os.Args); err != nil { return diff --git a/config/metrics-server/deployment.yaml b/config/metrics-server/deployment.yaml index dae6a4d8f1e..833ea678f14 100644 --- a/config/metrics-server/deployment.yaml +++ b/config/metrics-server/deployment.yaml @@ -62,6 +62,7 @@ spec: - --client-ca-file=/certs/ca.crt - --tls-cert-file=/certs/tls.crt - --tls-private-key-file=/certs/tls.key + - --cert-dir=/certs ports: - containerPort: 6443 name: https From 7fffc254831239c2985eac27524d73c04985ebfb Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Wed, 11 Jan 2023 02:12:48 +0100 Subject: [PATCH 04/12] add extra dns name Signed-off-by: Jorge Turrado --- pkg/certificates/certificate_manager.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/certificates/certificate_manager.go b/pkg/certificates/certificate_manager.go index 803b6f1e08e..56a3f048682 100644 --- a/pkg/certificates/certificate_manager.go +++ b/pkg/certificates/certificate_manager.go @@ -103,6 +103,7 @@ func getDNSNames(service string) []string { fmt.Sprintf("%s.%s", service, namespace), fmt.Sprintf("%s.%s.svc", service, namespace), fmt.Sprintf("%s.%s.svc.local", service, namespace), + fmt.Sprintf("%s.%s.svc.cluster.local", service, namespace), } } From 72bc1f7fdaa2f8e383708ecb08f52bff9aa50cbc Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Wed, 11 Jan 2023 02:16:31 +0100 Subject: [PATCH 05/12] update dns names 
Signed-off-by: Jorge Turrado --- cmd/adapter/main.go | 2 +- pkg/certificates/certificate_manager.go | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/cmd/adapter/main.go b/cmd/adapter/main.go index d5a2149bb2a..ab3ab4ee542 100644 --- a/cmd/adapter/main.go +++ b/cmd/adapter/main.go @@ -199,7 +199,7 @@ func runScaledObjectController(ctx context.Context, mgr manager.Manager, scaleHa // generateDefaultMetricsServiceAddr generates default Metrics Service gRPC Server address based on the current Namespace. // By default the Metrics Service gRPC Server runs in the same namespace on the keda-operator pod. func generateDefaultMetricsServiceAddr() string { - return fmt.Sprintf("keda-operator.%s.svc.cluster.local:9666", kedautil.GetPodNamespace()) + return fmt.Sprintf("keda-operator.%s:9666", kedautil.GetPodNamespace()) } func printVersion() { diff --git a/pkg/certificates/certificate_manager.go b/pkg/certificates/certificate_manager.go index 56a3f048682..803b6f1e08e 100644 --- a/pkg/certificates/certificate_manager.go +++ b/pkg/certificates/certificate_manager.go @@ -103,7 +103,6 @@ func getDNSNames(service string) []string { fmt.Sprintf("%s.%s", service, namespace), fmt.Sprintf("%s.%s.svc", service, namespace), fmt.Sprintf("%s.%s.svc.local", service, namespace), - fmt.Sprintf("%s.%s.svc.cluster.local", service, namespace), } } From aec65a7c2e18898940c050d6b8f810cad8ee8049 Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Wed, 11 Jan 2023 23:52:57 +0100 Subject: [PATCH 06/12] remove cert-rotator replace Signed-off-by: Jorge Turrado --- go.mod | 5 +---- go.sum | 4 ++-- .../open-policy-agent/cert-controller/pkg/rotator/rotator.go | 4 ++-- vendor/modules.txt | 3 +-- 4 files changed, 6 insertions(+), 10 deletions(-) diff --git a/go.mod b/go.mod index c5ad8678701..db0814ac904 100644 --- a/go.mod +++ b/go.mod 
@@ -51,7 +51,7 @@ require ( github.com/onsi/ginkgo v1.16.5 github.com/onsi/ginkgo/v2 v2.5.0 github.com/onsi/gomega v1.24.1 - github.com/open-policy-agent/cert-controller v0.5.0 + github.com/open-policy-agent/cert-controller v0.6.0 github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.14.0 @@ -99,9 +99,6 @@ replace ( // https://nvd.nist.gov/vuln/detail/CVE-2022-1996 github.com/emicklei/go-restful => github.com/emicklei/go-restful v2.16.0+incompatible - // Needed for certificate generation till the PR is merged: https://github.com/open-policy-agent/cert-controller/pull/52 - github.com/open-policy-agent/cert-controller => github.com/jorturfer/cert-controller v0.5.0 - // https://avd.aquasec.com/nvd/2022/cve-2022-27191/ golang.org/x/crypto => golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 diff --git a/go.sum b/go.sum index fa470063637..2c2cfcb28b8 100644 --- a/go.sum +++ b/go.sum @@ -589,8 +589,6 @@ github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqx github.com/joho/godotenv v1.4.0 h1:3l4+N6zfMWnkbPEXKng2o2/MR5mSwTrBih4ZEkkz1lg= github.com/joho/godotenv v1.4.0/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4= github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ= -github.com/jorturfer/cert-controller v0.5.0 h1:NuII7efZ14UsCn6a4vPbsQ+POvcmJ0S/UFPIkkXpRFw= -github.com/jorturfer/cert-controller v0.5.0/go.mod h1:uOQW+2tMU51vSxy1Yt162oVUTMdqLuotC0aObQxrh6k= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= 
@@ -737,6 +735,8 @@ github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E= github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM= +github.com/open-policy-agent/cert-controller v0.6.0 h1:HBhe1kS0GTk5dRHdklwgJKoGIctWisueIYnIYJu65Q0= +github.com/open-policy-agent/cert-controller v0.6.0/go.mod h1:uOQW+2tMU51vSxy1Yt162oVUTMdqLuotC0aObQxrh6k= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/otiai10/copy v1.0.2/go.mod h1:c7RpqBkwMom4bYTSkLSym4VSJz/XtncWRAj/J4PEIMY= github.com/otiai10/copy v1.7.0 h1:hVoPiN+t+7d2nzzwMiDHPSOogsWAStewq3TwU05+clE= diff --git a/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go b/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go index 396ffb9247c..9815ad31eaa 100644 --- a/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go +++ b/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go @@ -476,8 +476,8 @@ func (cr *CertRotator) CreateCACert(begin, end time.Time) (*KeyPairArtifacts, er // CreateCertPEM takes the results of CreateCACert and uses it to create the // PEM-encoded public certificate and private key, respectively func (cr *CertRotator) CreateCertPEM(ca *KeyPairArtifacts, begin, end time.Time) ([]byte, []byte, error) { - dnsNames := cr.ExtraDNSNames - dnsNames = append(dnsNames, cr.DNSName) + dnsNames := []string{cr.DNSName} + dnsNames = append(dnsNames, cr.ExtraDNSNames...) templ := &x509.Certificate{ SerialNumber: big.NewInt(1), Subject: pkix.Name{ diff --git a/vendor/modules.txt b/vendor/modules.txt index 3ae741fe676..1ea08a96500 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -930,7 +930,7 @@ github.com/onsi/gomega/matchers/support/goraph/edge github.com/onsi/gomega/matchers/support/goraph/node github.com/onsi/gomega/matchers/support/goraph/util github.com/onsi/gomega/types -# github.com/open-policy-agent/cert-controller v0.5.0 => github.com/jorturfer/cert-controller v0.5.0 +# github.com/open-policy-agent/cert-controller v0.6.0 ## explicit; go 1.17 github.com/open-policy-agent/cert-controller/pkg/rotator # github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 @@ -2411,7 +2411,6 @@ sigs.k8s.io/yaml # github.com/chzyer/logex => github.com/chzyer/logex v1.2.1 # github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt/v4 v4.1.0 # github.com/emicklei/go-restful => github.com/emicklei/go-restful v2.16.0+incompatible -# github.com/open-policy-agent/cert-controller => github.com/jorturfer/cert-controller v0.5.0 # golang.org/x/crypto => golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 # golang.org/x/net => golang.org/x/net v0.4.0 # golang.org/x/text => golang.org/x/text v0.4.0 From 8e1de0f4b7b2695e74ce665f7a8287a0b89ee77b Mon Sep 17 00:00:00 2001 From: Jorge Turrado Date: Thu, 12 Jan 2023 00:00:09 +0100 Subject: [PATCH 07/12] implement tls in metrics grpc server Signed-off-by: Jorge Turrado --- pkg/certificates/certificate_manager.go | 5 +++++ pkg/metricsservice/client.go | 2 +- pkg/metricsservice/server.go | 2 +- pkg/metricsservice/utils/tls.go | 26 ++++++++++++++++++------- 4 files changed, 26 insertions(+), 9 deletions(-) diff --git a/pkg/certificates/certificate_manager.go b/pkg/certificates/certificate_manager.go index 803b6f1e08e..54ab092d858 100644 --- a/pkg/certificates/certificate_manager.go +++ b/pkg/certificates/certificate_manager.go @@ -18,6 +18,7 @@ package certificates import ( "context" + "crypto/x509" "fmt" "os" 
@@ -89,6 +90,10 @@ func (cm CertManager) AddCertificateRotation(ctx context.Context, mgr manager.Ma
 Webhooks: rotatorHooks,
 RestartOnSecretRefresh: true,
 RequireLeaderElection: true,
+ ExtKeyUsages: &[]x509.ExtKeyUsage{
+ x509.ExtKeyUsageServerAuth,
+ x509.ExtKeyUsageClientAuth,
+ },
 }); err != nil {
 return err
 }
diff --git a/pkg/metricsservice/client.go b/pkg/metricsservice/client.go
index bb4aa8d9520..5ffcced0f92 100644
--- a/pkg/metricsservice/client.go
+++ b/pkg/metricsservice/client.go
@@ -49,7 +49,7 @@ func NewGrpcClient(url, certDir string) (*GrpcClient, error) {
 }
 }]}`
- creds, err := utils.LoadTLSCredentials(certDir)
+ creds, err := utils.LoadGrpcTLSCredentials(certDir, false)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/metricsservice/server.go b/pkg/metricsservice/server.go
index 47dc2d307b4..efde50a8b00 100644
--- a/pkg/metricsservice/server.go
+++ b/pkg/metricsservice/server.go
@@ -90,7 +90,7 @@ func (s *GrpcServer) startServer() error {
 func (s *GrpcServer) Start(ctx context.Context) error {
 <-s.certsReady
 if s.server == nil {
- creds, err := utils.LoadTLSCredentials(s.certDir)
+ creds, err := utils.LoadGrpcTLSCredentials(s.certDir, true)
 if err != nil {
 return err
 }
diff --git a/pkg/metricsservice/utils/tls.go b/pkg/metricsservice/utils/tls.go
index 82cddb3b653..2ffe65c175c 100644
--- a/pkg/metricsservice/utils/tls.go
+++ b/pkg/metricsservice/utils/tls.go
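Review bot: The `ExtKeyUsages` block added to the rotator configuration carries no comment explaining why one leaf certificate needs both `ExtKeyUsageServerAuth` and `ExtKeyUsageClientAuth`; the other hunks of this patch show the same `certDir` being loaded with `LoadGrpcTLSCredentials(certDir, false)` in client.go and `LoadGrpcTLSCredentials(s.certDir, true)` in server.go, so the rotated certificate appears to serve as the gRPC server identity and as the adapter's client identity at once. Suggest `// the rotated leaf is presented as the metrics gRPC server certificate and as the client certificate for mTLS, so it needs both EKUs` above the block. Reviewers should also note that, with a single shared identity, whoever can read the rotated secret can authenticate as a client to the metrics server, so access to that secret is the effective access control for the channel. AddCertificateRotation begins and ends outside this hunk.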
@@ -26,15 +26,19 @@ import (
 "google.golang.org/grpc/credentials"
 )
-// LoadTLSCredentials reads the certificate from the given path and returns TLS transport credentials
-func LoadTLSCredentials(certDir string) (credentials.TransportCredentials, error) {
+// LoadGrpcTLSCredentials reads the certificate from the given path and returns TLS transport credentials
+func LoadGrpcTLSCredentials(certDir string, server bool) (credentials.TransportCredentials, error) {
 // Load certificate of the CA who signed client's certificate
 pemClientCA, err := ioutil.ReadFile(path.Join(certDir, "ca.crt"))
 if err != nil {
 return nil, err
 }
- certPool := x509.NewCertPool()
+ // Get the SystemCertPool, continue with an empty pool on error
+ certPool, _ := x509.SystemCertPool()
+ if certPool == nil {
+ certPool = x509.NewCertPool()
+ }
 if !certPool.AppendCertsFromPEM(pemClientCA) {
 return nil, fmt.Errorf("failed to add client CA's certificate")
 }
@@ -46,10 +50,18 @@ func LoadTLSCredentials(certDir string) (credentials.TransportCredentials, error
 }
 // Create the credentials and return it
- config := &tls.Config{
- Certificates: []tls.Certificate{cert},
- ClientAuth: tls.RequireAndVerifyClientCert,
- ClientCAs: certPool,
+ var config *tls.Config
+ if server {
+ config = &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ ClientCAs: certPool,
+ }
+ } else {
+ config = &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ RootCAs: certPool,
+ }
 }
 return credentials.NewTLS(config), nil
From 6dbd34af0bd8b9ce5519a11764e87688bda3fb6e Mon Sep 17 00:00:00 2001
From: Jorge Turrado
Date: Thu, 12 Jan 2023 00:15:12 +0100
Subject: [PATCH 08/12] update changelog
Signed-off-by: Jorge Turrado
---
 CHANGELOG.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 67233d402e3..96a54de84b5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
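Review bot: Seeding `certPool` from `x509.SystemCertPool()` widens the trust set on both ends of this internal channel: the second hunk installs the same pool as `ClientCAs` under `tls.RequireAndVerifyClientCert`, so the server would accept any client certificate that chains to a public root present in the operator's system trust store, not only certificates issued by the CA read from `ca.crt`, and the client branch likewise accepts any publicly-trusted server certificate for the dialed name. For mTLS between the adapter and the operator both `ClientCAs` and `RootCAs` should hold only the internal CA, which is what the removed `certPool := x509.NewCertPool()` provided; the discarded error from `SystemCertPool()` also lacks the justifying comment Go style expects for `_`. Suggest restoring `certPool := x509.NewCertPool()`, or keeping two pools if system roots are genuinely needed on the client side so that `ClientCAs` stays private-CA-only; the same pool is carried into patch 09's restructuring of this function (the `@@ -50,18 +50,15 @@` hunk below). The closing brace of LoadGrpcTLSCredentials lies outside the visible hunk.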
@@ -58,7 +58,8 @@ Here is an overview of all new **experimental** features:
 ### Improvements
-- **Redis**: Add support to Redis 7 ([#4052](https://github.com/kedacore/keda/issues/4052))
+- **General**: Use (self-signed) certificates for all the communications (internals and externals) ([#3931](https://github.com/kedacore/keda/issues/3931))
+- **Redis Scalers**: Add support to Redis 7 ([#4052](https://github.com/kedacore/keda/issues/4052))
 ### Fixes
From c9c4e17797d696a90689999d64f2934e3fbd9712 Mon Sep 17 00:00:00 2001
From: Jorge Turrado
Date: Thu, 12 Jan 2023 00:20:42 +0100
Subject: [PATCH 09/12] set TLS13 as min version for internal communications
Signed-off-by: Jorge Turrado
---
 pkg/metricsservice/utils/tls.go | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/pkg/metricsservice/utils/tls.go b/pkg/metricsservice/utils/tls.go
index 2ffe65c175c..c8418a506a7 100644
--- a/pkg/metricsservice/utils/tls.go
+++ b/pkg/metricsservice/utils/tls.go
@@ -50,18 +50,15 @@ func LoadGrpcTLSCredentials(certDir string, server bool) (credentials.TransportC
 }
 // Create the credentials and return it
- var config *tls.Config
+ config := &tls.Config{
+ MinVersion: tls.VersionTLS13,
+ Certificates: []tls.Certificate{cert},
+ }
 if server {
- config = &tls.Config{
- Certificates: []tls.Certificate{cert},
- ClientAuth: tls.RequireAndVerifyClientCert,
- ClientCAs: certPool,
- }
+ config.ClientAuth = tls.RequireAndVerifyClientCert
+ config.ClientCAs = certPool
 } else {
- config = &tls.Config{
- Certificates: []tls.Certificate{cert},
- RootCAs: certPool,
- }
+ config.RootCAs = certPool
 }
 return credentials.NewTLS(config), nil
From 5cfd697ae29c9ae295ec78093fa2c4c5bb9d5af9 Mon Sep 17 00:00:00 2001
From: Jorge Turrado
Date: Thu, 12 Jan 2023 00:36:54 +0100
Subject: [PATCH 10/12] fix linting issues
Signed-off-by: Jorge Turrado
---
 cmd/operator/main.go | 2 +-
 pkg/certificates/certificate_manager.go | 10 ++++------
 2 files changed, 5 insertions(+), 7 deletions(-)
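Review bot: Building `config` once with `MinVersion: tls.VersionTLS13` and then specializing it by role is cleaner than the two literals it replaces, but the `server` parameter that now decides between `ClientAuth`/`ClientCAs` and `RootCAs` is still not described in the function's doc comment, which sits above this hunk and only says the function "reads the certificate from the given path". Suggest extending it to `// LoadGrpcTLSCredentials reads the leaf certificate and CA from certDir and returns TLS 1.3+ transport credentials; with server set it requires and verifies client certificates against the CA, otherwise it verifies the server against the CA.` The opening lines and closing brace of LoadGrpcTLSCredentials are outside the visible hunk.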
diff --git a/cmd/operator/main.go b/cmd/operator/main.go
index 76d656f99b8..b0cc8327fa7 100644
--- a/cmd/operator/main.go
+++ b/cmd/operator/main.go
@@ -255,7 +255,7 @@ func main() {
 CAName: "KEDA",
 CAOrganization: "KEDAORG",
 ValidatingWebhookName: validatingWebhookName,
- ApiServiceName: "v1beta1.external.metrics.k8s.io",
+ APIServiceName: "v1beta1.external.metrics.k8s.io",
 Logger: setupLog,
 Ready: certReady,
 }
diff --git a/pkg/certificates/certificate_manager.go b/pkg/certificates/certificate_manager.go
index 54ab092d858..9824ae20b16 100644
--- a/pkg/certificates/certificate_manager.go
+++ b/pkg/certificates/certificate_manager.go
@@ -22,16 +22,15 @@ import (
 "fmt"
 "os"
+ "github.com/go-logr/logr"
+ "github.com/open-policy-agent/cert-controller/pkg/rotator"
 corev1 "k8s.io/api/core/v1"
 v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
- _ "k8s.io/client-go/plugin/pkg/client/auth"
 "sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/controller-runtime/pkg/manager"
- "github.com/go-logr/logr"
 kedautil "github.com/kedacore/keda/v2/pkg/util"
- "github.com/open-policy-agent/cert-controller/pkg/rotator"
 )
 // +kubebuilder:rbac:groups=apiregistration.k8s.io,resources=apiservices,verbs=get;list;watch;update;patch
@@ -47,21 +46,20 @@ type CertManager struct {
 CAName string
 CAOrganization string
 ValidatingWebhookName string
- ApiServiceName string
+ APIServiceName string
 Logger logr.Logger
 Ready chan struct{}
 }
 // AddCertificateRotation registers all needed services to generate the certificates and patches needed resources with the caBundle
 func (cm CertManager) AddCertificateRotation(ctx context.Context, mgr manager.Manager) error {
-
 var rotatorHooks = []rotator.WebhookInfo{
 {
 Name: cm.ValidatingWebhookName,
 Type: rotator.Validating,
 },
 {
- Name: cm.ApiServiceName,
+ Name: cm.APIServiceName,
 Type: rotator.APIService,
 },
 }
From c58e09f3ecba126c94fe8ca860c884508bed868d Mon Sep 17 00:00:00 2001
From: Jorge Turrado
Date: Thu, 12 Jan 2023 11:45:32 +0100
Subject: [PATCH 11/12] return error instead of exiting the program
Signed-off-by: Jorge Turrado
---
 pkg/certificates/certificate_manager.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/pkg/certificates/certificate_manager.go b/pkg/certificates/certificate_manager.go
index 9824ae20b16..3493aa9b2cf 100644
--- a/pkg/certificates/certificate_manager.go
+++ b/pkg/certificates/certificate_manager.go
@@ -20,7 +20,6 @@ import (
 "context"
 "crypto/x509"
 "fmt"
- "os"
 "github.com/go-logr/logr"
 "github.com/open-policy-agent/cert-controller/pkg/rotator"
@@ -120,7 +119,7 @@ func (cm CertManager) ensureSecret(ctx context.Context, mgr manager.Manager, sec
 err := mgr.GetAPIReader().List(ctx, secrets, opt)
 if err != nil {
 cm.Logger.Error(err, "unable to check secrets")
- os.Exit(1)
+ return err
 }
 exists := false
From ad5de639bdbafde3f6fcfccbd08e643c1fb2519d Mon Sep 17 00:00:00 2001
From: Jorge Turrado
Date: Thu, 12 Jan 2023 12:08:20 +0100
Subject: [PATCH 12/12] use full name for operator service
Signed-off-by: Jorge Turrado
---
 cmd/adapter/main.go | 2 +-
 pkg/certificates/certificate_manager.go | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/cmd/adapter/main.go b/cmd/adapter/main.go
index ab3ab4ee542..d5a2149bb2a 100644
--- a/cmd/adapter/main.go
+++ b/cmd/adapter/main.go
@@ -199,7 +199,7 @@ func runScaledObjectController(ctx context.Context, mgr manager.Manager, scaleHa
 // generateDefaultMetricsServiceAddr generates default Metrics Service gRPC Server address based on the current Namespace.
 // By default the Metrics Service gRPC Server runs in the same namespace on the keda-operator pod.
 func generateDefaultMetricsServiceAddr() string {
- return fmt.Sprintf("keda-operator.%s:9666", kedautil.GetPodNamespace())
+ return fmt.Sprintf("keda-operator.%s.svc.cluster.local:9666", kedautil.GetPodNamespace())
 }
 func printVersion() {
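Review bot: `return err` in ensureSecret now follows `cm.Logger.Error(err, "unable to check secrets")` on the line above, so the same failure is logged here and then propagated to a caller that will most likely report it again. Replacing the exit with a return is the right direction, but the idiomatic form handles the error at one layer: drop the log call and wrap with context instead, `return fmt.Errorf("unable to check secrets: %w", err)` — `fmt` is already imported, as the first hunk of this patch shows. ensureSecret begins and ends outside this hunk.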
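Review bot: The new dial target in generateDefaultMetricsServiceAddr hardcodes the `cluster.local` DNS domain, which is a per-cluster setting; on clusters provisioned with a different domain this name will not resolve, and the `%s.%s.svc.cluster.local` SAN appended to getDNSNames in the next hunk (certificate_manager.go `@@ -105,6 +105,7 @@`) carries the same assumption. The `%s.%s.svc` SAN already in that list is domain-independent and resolves through the pod's search domains, so `keda-operator.%s.svc:9666` would verify against the rotated certificate without assuming the domain; if a fully qualified name is wanted, the domain should come from configuration rather than a literal. This note applies to both hunks.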
diff --git a/pkg/certificates/certificate_manager.go b/pkg/certificates/certificate_manager.go
index 3493aa9b2cf..a7ccab5b49f 100644
--- a/pkg/certificates/certificate_manager.go
+++ b/pkg/certificates/certificate_manager.go
@@ -105,6 +105,7 @@ func getDNSNames(service string) []string {
 fmt.Sprintf("%s.%s", service, namespace),
 fmt.Sprintf("%s.%s.svc", service, namespace),
 fmt.Sprintf("%s.%s.svc.local", service, namespace),
+ fmt.Sprintf("%s.%s.svc.cluster.local", service, namespace),
 }
 }
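Review bot: The context line directly above the added SAN keeps `%s.%s.svc.local` in the list, which is not a name form Kubernetes cluster DNS serves (`<svc>.<ns>.svc` and `<svc>.<ns>.svc.<cluster-domain>` are); the new `.svc.cluster.local` entry looks like what that line was meant to be, so this change is the natural place to drop the `.svc.local` entry rather than leave it as an extra SAN. A SAN nothing answers on does not weaken verification by itself, but it misleads readers about which names the certificate is expected to serve. getDNSNames begins outside this hunk.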