From caa6cd24b91cc4a8811262f18e6200ed0cf6d45e Mon Sep 17 00:00:00 2001
From: RamLavi
Date: Thu, 7 Oct 2021 15:44:43 +0300
Subject: [PATCH] bump kube-admission-webhook to 0.17.0 (#337)

Signed-off-by: Ram Lavi
---
 go.mod                                | 2 +-
 go.sum                                | 4 ++--
 .../pkg/certificate/configuration.go  | 2 +-
 .../pkg/certificate/secret.go         | 2 +-
 .../pkg/certificate/triple/pem.go     | 16 +++++++++++++++-
 vendor/modules.txt                    | 2 +-
 6 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/go.mod b/go.mod
index 8a0df506c..cc569b4c9 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/onsi/gomega v1.10.5
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.7.1
-	github.com/qinqon/kube-admission-webhook v0.16.0
+	github.com/qinqon/kube-admission-webhook v0.17.0
 	gomodules.xyz/jsonpatch/v2 v2.1.0
 	k8s.io/api v0.20.2
 	k8s.io/apimachinery v0.20.2
diff --git a/go.sum b/go.sum
index a05e48ba4..534e3837b 100644
--- a/go.sum
+++ b/go.sum
@@ -688,8 +688,8 @@ github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O
 github.com/prometheus/prometheus v2.3.2+incompatible/go.mod h1:oAIUtOny2rjMX0OWN5vPR5/q/twIROJvdqnQKDdil/s=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/prometheus/tsdb v0.8.0/go.mod h1:fSI0j+IUQrDd7+ZtR9WKIGtoYAYAJUKcKhYLG25tN4g=
-github.com/qinqon/kube-admission-webhook v0.16.0 h1:Ew1nn8Tmip4iB+xebFjNvgVyVp88g4Aj5IQY1d/CxQg=
-github.com/qinqon/kube-admission-webhook v0.16.0/go.mod h1:eYJw+S+JSprEMLzGNmE0GFIlSrBQw0lAVES/ZjgM2FI=
+github.com/qinqon/kube-admission-webhook v0.17.0 h1:JeJ3mlFLoSdjT6NfNc8bLp4xDiBEgg51vgmyz0PSq/M=
+github.com/qinqon/kube-admission-webhook v0.17.0/go.mod h1:eYJw+S+JSprEMLzGNmE0GFIlSrBQw0lAVES/ZjgM2FI=
 github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
 github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/configuration.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/configuration.go
index 28becfc72..8c059e501 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/configuration.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/configuration.go
@@ -83,7 +83,7 @@ func (m *Manager) readyWebhookConfiguration() (client.Object, error) {
 func (m *Manager) addCertificateToCABundle(caCert *x509.Certificate) error {
 	m.log.Info("Reset CA bundle with one cert for webhook")
 	_, err := m.updateWebhookCABundleWithFunc(func(currentCABundle []byte) ([]byte, error) {
-		return triple.AddCertToPEM(caCert, currentCABundle)
+		return triple.AddCertToPEM(caCert, currentCABundle, triple.CertsListSizeLimit)
 	})
 	if err != nil {
 		return errors.Wrap(err, "failed to update webhook CABundle")
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go
index 796043af0..eb98f34e3 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go
@@ -39,7 +39,7 @@ func addTLSCertificate(data map[string][]byte, cert *x509.Certificate) error {
 	certsPEM, hasCerts := data[corev1.TLSCertKey]
 	if hasCerts {
-		certsPEMBytes, err := triple.AddCertToPEM(cert, []byte(certsPEM))
+		certsPEMBytes, err := triple.AddCertToPEM(cert, []byte(certsPEM), triple.CertsListSizeLimit)
 		if err != nil {
 			return err
 		}
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go
index 206fd57f4..edf2ce30f 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go
@@ -38,6 +38,8 @@ const (
 	CertificateBlockType = "CERTIFICATE"
 	// CertificateRequestBlockType is a possible value for pem.Block.Type.
 	CertificateRequestBlockType = "CERTIFICATE REQUEST"
+	// CertsListSizeLimit sets the max size of a certs list
+	CertsListSizeLimit = 100
 )
 
 // EncodePublicKeyPEM returns PEM-encoded public data
@@ -188,7 +190,7 @@ func ParseCertsPEM(pemCerts []byte) ([]*x509.Certificate, error) {
 	return certs, nil
 }
 
-func AddCertToPEM(cert *x509.Certificate, pemCerts []byte) ([]byte, error) {
+func AddCertToPEM(cert *x509.Certificate, pemCerts []byte, maxListSize int) ([]byte, error) {
 	certs := []*x509.Certificate{}
 	if len(pemCerts) > 0 {
 		var err error
@@ -200,9 +202,21 @@ func AddCertToPEM(cert *x509.Certificate, pemCerts []byte) ([]byte, error) {
 	// Prepend cert since it's what TLS expects [1]
 	// [1] https://github.com/golang/go/blob/master/src/crypto/tls/tls.go#L292-L294
 	certs = append([]*x509.Certificate{cert}, certs...)
+
+	certs = removeOldestCerts(certs, maxListSize)
+
 	return EncodeCertsPEM(certs), nil
 }
 
+// removeOldestCerts removes old certs to avoid bloating
+func removeOldestCerts(certs []*x509.Certificate, maxListSize int) []*x509.Certificate {
+	if len(certs) <= maxListSize {
+		return certs
+	}
+	// oldest certs are in the end
+	return certs[:maxListSize]
+}
+
 // parseRSAPublicKey parses a single RSA public key from the provided data
 func parseRSAPublicKey(data []byte) (*rsa.PublicKey, error) {
 	var err error
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 2eec924b4..b6024fd28 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -162,7 +162,7 @@ github.com/prometheus/common/model
 github.com/prometheus/procfs
 github.com/prometheus/procfs/internal/fs
 github.com/prometheus/procfs/internal/util
-# github.com/qinqon/kube-admission-webhook v0.16.0
+# github.com/qinqon/kube-admission-webhook v0.17.0
 ## explicit
 github.com/qinqon/kube-admission-webhook/pkg/certificate
 github.com/qinqon/kube-admission-webhook/pkg/certificate/triple