fix(admission): always return existing tls certs on reconciliation

CrowdStrike · Mar 7, 2024 · 9d6a7d3 · 9d6a7d3
1 parent f3615ed
commit 9d6a7d3
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 22 deletions.
diff --git a/controllers/admission/falconadmission_controller.go b/controllers/admission/falconadmission_controller.go
@@ -320,11 +320,12 @@ func (r *FalconAdmissionReconciler) reconcileTLSSecret(ctx context.Context, req
 		}
 
 		certInfo := tls.CertInfo{
-			CommonName: fmt.Sprintf("%s.%s.svc", name, falconAdmission.Spec.InstallNamespace),
-			DNSNames:   []string{fmt.Sprintf("%s.%s.svc", name, falconAdmission.Spec.InstallNamespace), fmt.Sprintf("%s.%s.svc.cluster.local", name, falconAdmission.Spec.InstallNamespace)},
+			CommonName: fmt.Sprintf("%s.%s.svc", falconAdmission.Name, falconAdmission.Spec.InstallNamespace),
+			DNSNames: []string{fmt.Sprintf("%s.%s.svc", falconAdmission.Name, falconAdmission.Spec.InstallNamespace), fmt.Sprintf("%s.%s.svc.cluster.local", falconAdmission.Name, falconAdmission.Spec.InstallNamespace),
+				fmt.Sprintf("%s.%s", falconAdmission.Name, falconAdmission.Spec.InstallNamespace), falconAdmission.Name},
 		}
 
-		c, k, b, err := tls.CertSetup(validity, certInfo)
+		c, k, b, err := tls.CertSetup(falconAdmission.Spec.InstallNamespace, validity, certInfo)
 		if err != nil {
 			log.Error(err, "Failed to generate FalconAdmission PKI")
 			return &corev1.Secret{}, err
@@ -347,7 +348,7 @@ func (r *FalconAdmissionReconciler) reconcileTLSSecret(ctx context.Context, req
 		return &corev1.Secret{}, err
 	}
 
-	return &corev1.Secret{}, nil
+	return existingTLSSecret, nil
 }
 
 func (r *FalconAdmissionReconciler) reconcileService(ctx context.Context, req ctrl.Request, log logr.Logger, falconAdmission *falconv1alpha1.FalconAdmission) (bool, error) {
@@ -389,7 +390,7 @@ func (r *FalconAdmissionReconciler) reconcileService(ctx context.Context, req ct
 func (r *FalconAdmissionReconciler) reconcileAdmissionValidatingWebHook(ctx context.Context, req ctrl.Request, log logr.Logger, falconAdmission *falconv1alpha1.FalconAdmission, cabundle []byte) (bool, error) {
 	existingWebhook := &arv1.ValidatingWebhookConfiguration{}
 	disabledNamespaces := append(common.DefaultDisabledNamespaces, falconAdmission.Spec.AdmissionConfig.DisabledNamespaces.Namespaces...)
-	const name = "validating.admission.falcon.crowdstrike.com"
+	const webhookName = "validating.admission.falcon.crowdstrike.com"
 	failPolicy := arv1.Ignore
 	port := int32(443)
 
@@ -409,10 +410,10 @@ func (r *FalconAdmissionReconciler) reconcileAdmissionValidatingWebHook(ctx cont
 		port = *falconAdmission.Spec.AdmissionConfig.Port
 	}
 
-	webhook := assets.ValidatingWebhook(name, falconAdmission.Spec.InstallNamespace, name, cabundle, port, failPolicy, disabledNamespaces)
+	webhook := assets.ValidatingWebhook(falconAdmission.Name, falconAdmission.Spec.InstallNamespace, webhookName, cabundle, port, failPolicy, disabledNamespaces)
 	updated := false
 
-	err := r.Get(ctx, types.NamespacedName{Name: name}, existingWebhook)
+	err := r.Get(ctx, types.NamespacedName{Name: webhookName}, existingWebhook)
 	if err != nil && apierrors.IsNotFound(err) {
 		err = k8sutils.Create(r.Client, r.Scheme, ctx, req, log, falconAdmission, &falconAdmission.Status, webhook)
 		if err != nil {

diff --git a/controllers/falcon_container/injector.go b/controllers/falcon_container/injector.go
@@ -42,7 +42,7 @@ func (r *FalconContainerReconciler) reconcileInjectorTLSSecret(ctx context.Conte
 				DNSNames:   []string{fmt.Sprintf("%s.%s.svc", injectorName, r.Namespace()), fmt.Sprintf("%s.%s.svc.cluster.local", injectorName, r.Namespace())},
 			}
 
-			c, k, b, err := tls.CertSetup(validity, certInfo)
+			c, k, b, err := tls.CertSetup(r.Namespace(), validity, certInfo)
 			if err != nil {
 				return &corev1.Secret{}, fmt.Errorf("failed to generate Falcon Container PKI: %v", err)
 			}

diff --git a/internal/controller/assets/deployment.go b/internal/controller/assets/deployment.go
@@ -439,7 +439,7 @@ func AdmissionDeployment(name string, namespace string, component string, imageU
 							Ports: []corev1.ContainerPort{
 								{
 									ContainerPort: *falconAdmission.Spec.AdmissionConfig.ContainerPort,
-									Name:          common.FalconAdmissionServiceHTTPSName,
+									Name:          common.FalconServiceHTTPSName,
 									Protocol:      corev1.ProtocolTCP,
 								},
 							},

diff --git a/internal/controller/assets/validatingwebhook.go b/internal/controller/assets/validatingwebhook.go
@@ -11,7 +11,7 @@ func ValidatingWebhook(name string, namespace string, webhookName string, caBund
 	failurePolicy := arv1.Ignore
 	matchPolicy := arv1.Equivalent
 	sideEffects := arv1.SideEffectClassNone
-	timeoutSeconds := int32(5)
+	timeoutSeconds := int32(10)
 	operatorSelector := metav1.LabelSelectorOpNotIn
 	path := "/validate"
 	scope := arv1.AllScopes
@@ -24,9 +24,12 @@ func ValidatingWebhook(name string, namespace string, webhookName string, caBund
 			Kind:       "ValidatingWebhookConfiguration",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
+			Name:      webhookName,
 			Namespace: namespace,
 			Labels:    labels,
+			Annotations: map[string]string{
+				"admissions.enforcer/disabled": "true",
+			},
 		},
 		Webhooks: []arv1.ValidatingWebhook{
 			{

diff --git a/internal/controller/assets/validatingwebhook_test.go b/internal/controller/assets/validatingwebhook_test.go
@@ -24,7 +24,7 @@ func testValidatingWebhook(name string, namespace string, webhookName string, ca
 	failurePolicy := arv1.Ignore
 	matchPolicy := arv1.Equivalent
 	sideEffects := arv1.SideEffectClassNone
-	timeoutSeconds := int32(5)
+	timeoutSeconds := int32(10)
 	operatorSelector := metav1.LabelSelectorOpNotIn
 	path := "/validate"
 	scope := arv1.AllScopes

diff --git a/pkg/tls/certs.go b/pkg/tls/certs.go
@@ -17,18 +17,18 @@ type CertInfo struct {
 }
 
 // CertSetup will generate and return tls certs
-func CertSetup(days int, certInfo CertInfo) ([]byte, []byte, []byte, error) {
+func CertSetup(namespace string, days int, certInfo CertInfo) ([]byte, []byte, []byte, error) {
 	// set up our CA certificate
 	ca := &x509.Certificate{
 		SerialNumber: new(big.Int).Lsh(big.NewInt(1), 128),
 		Subject: pkix.Name{
-			CommonName: "falcon-system ca",
+			CommonName: namespace + " ca",
 		},
 		NotBefore:             time.Now(),
 		NotAfter:              time.Now().AddDate(0, 0, days),
 		IsCA:                  true,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
 	}
 
@@ -67,12 +67,13 @@ func CertSetup(days int, certInfo CertInfo) ([]byte, []byte, []byte, error) {
 		Subject: pkix.Name{
 			CommonName: certInfo.CommonName,
 		},
-		NotBefore:    time.Now(),
-		NotAfter:     time.Now().AddDate(0, 0, days),
-		SubjectKeyId: []byte("234567"),
-		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-		KeyUsage:     x509.KeyUsageDigitalSignature,
-		DNSNames:     certInfo.DNSNames,
+		NotBefore:      time.Now(),
+		NotAfter:       time.Now().AddDate(0, 0, days),
+		AuthorityKeyId: ca.SubjectKeyId,
+		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		IsCA:           false,
+		DNSNames:       certInfo.DNSNames,
 	}
 
 	certPrivKey, err := rsa.GenerateKey(rand.Reader, 2048)