From ab7e18c07c3433a2cb6f011ad85a2420030d711a Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sun, 22 Mar 2026 23:47:29 +0200
Subject: [PATCH] fix registry auth: add Kyverno RBAC for Secrets + containerd TLS skip-verify
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Grant kyverno-admission-controller and kyverno-background-controller permissions to manage Secrets (required for generate clone rules)
- Add containerd hosts.toml for 10.0.20.10:5050 with skip_verify=true (wildcard cert doesn't cover IP SANs) — applied to all nodes + template
---
 stacks/infra/main.tf | 4 ++
 .../modules/kyverno/registry-credentials.tf | 49 +++++++++++++++++++
 2 files changed, 53 insertions(+)

diff --git a/stacks/infra/main.tf b/stacks/infra/main.tf
index a27778c2..fc8c915d 100644
--- a/stacks/infra/main.tf
+++ b/stacks/infra/main.tf
@@ -75,6 +75,10 @@ module "k8s-node-template" {
 mkdir -p /etc/containerd/certs.d/ghcr.io
 printf 'server = "https://ghcr.io"\n\n[host."http://10.0.20.10:5010"]\n capabilities = ["pull", "resolve"]\n' > /etc/containerd/certs.d/ghcr.io/hosts.toml
+ # Create hosts.toml for private registry (10.0.20.10:5050) — skip TLS verify (IP-based, wildcard cert)
+ mkdir -p /etc/containerd/certs.d/10.0.20.10:5050
+ printf 'server = "https://10.0.20.10:5050"\n\n[host."https://10.0.20.10:5050"]\n capabilities = ["pull", "resolve", "push"]\n skip_verify = true\n' > /etc/containerd/certs.d/10.0.20.10:5050/hosts.toml
+
 # Low-traffic registries (registry.k8s.io, quay.io, reg.kyverno.io) pull directly.
 # Pull-through cache removed: caused corrupted images (truncated downloads)
 # breaking VPA certgen and Kyverno image pulls.
diff --git a/stacks/kyverno/modules/kyverno/registry-credentials.tf b/stacks/kyverno/modules/kyverno/registry-credentials.tf
index feded5b3..0e079dbd 100644
--- a/stacks/kyverno/modules/kyverno/registry-credentials.tf
+++ b/stacks/kyverno/modules/kyverno/registry-credentials.tf
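Review bot: The added hosts.toml sets `skip_verify = true` on a host entry that also carries the `push` capability, so the node's registry credentials and every image layer exchanged with 10.0.20.10:5050 are no longer bound to a verified server identity; the comment gives the reason (the wildcard cert has no IP SAN), but that is a certificate problem rather than something containerd's trust settings should paper over. containerd's hosts.toml accepts a `ca` key, so the more defensible fix is to ship the registry's issuing certificate to the node and reference it, `ca = "/etc/containerd/certs.d/10.0.20.10:5050/<registry-ca.crt>"`, or to address the registry by a DNS name the wildcard covers; either way the `skip_verify` line goes away. If `skip_verify` is kept as a stopgap, the comment should say so and name the condition for removing it. The commit message says this was applied to all existing nodes, but the hunk only changes the node template, so that step appears to have been done out-of-band; the provisioning script this sits in continues outside the hunk.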
@@ -31,6 +31,53 @@ resource "kubernetes_secret" "registry_credentials" {
 }
 }
+# Grant Kyverno controllers permission to manage Secrets (needed for generate clone rules)
+resource "kubernetes_cluster_role" "kyverno_secret_manager" {
+ metadata {
+ name = "kyverno:secret-manager"
+ labels = {
+ "app.kubernetes.io/instance" = "kyverno"
+ }
+ }
+ rule {
+ api_groups = [""]
+ resources = ["secrets"]
+ verbs = ["get", "list", "watch", "create", "update", "patch", "delete"]
+ }
+}
+
+resource "kubernetes_cluster_role_binding" "kyverno_admission_secret_manager" {
+ metadata {
+ name = "kyverno:admission-controller:secret-manager"
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = kubernetes_cluster_role.kyverno_secret_manager.metadata[0].name
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "kyverno-admission-controller"
+ namespace = "kyverno"
+ }
+}
+
+resource "kubernetes_cluster_role_binding" "kyverno_background_secret_manager" {
+ metadata {
+ name = "kyverno:background-controller:secret-manager"
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = kubernetes_cluster_role.kyverno_secret_manager.metadata[0].name
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "kyverno-background-controller"
+ namespace = "kyverno"
+ }
+}
+
 resource "kubernetes_manifest" "sync_registry_credentials" {
 manifest = {
 apiVersion = "kyverno.io/v1"
@@ -79,5 +126,7 @@ resource "kubernetes_manifest" "sync_registry_credentials" {
 depends_on = [
 helm_release.kyverno,
 kubernetes_secret.registry_credentials,
+ kubernetes_cluster_role_binding.kyverno_admission_secret_manager,
+ kubernetes_cluster_role_binding.kyverno_background_secret_manager,
 ]
 }
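Review bot: The new `kyverno:secret-manager` ClusterRole gives both Kyverno service accounts `list`, `watch` and `delete` on every Secret in every namespace, which is far wider than the single registry-credentials Secret the `sync_registry_credentials` policy clones; a compromise of either controller pod then becomes a cluster-wide Secret read. Kubernetes honours `resourceNames` for `get`, `update`, `patch` and `delete` but ignores it for `create` and it is of little use for `list`/`watch`, so the named verbs can be pinned with `resource_names = [kubernetes_secret.registry_credentials.metadata[0].name]` in one `rule` block while a second rule keeps only the verbs that cannot be scoped — assuming the clone writes the target Secret under the same name, which the policy body outside this hunk would confirm. Whether the admission controller needs this role at all, or only the background controller (which, as I understand recent Kyverno releases, is the one executing generate rules), is worth verifying before binding both; a comment on each binding naming the policy rule that exercises it would keep that auditable. The `labels` block on the ClusterRole has no authorization effect and is easy to mistake for Kyverno's role-aggregation labels; if aggregation into the chart's controller roles was the intent, a comment should say so.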