Add helm flags for custom tls secret and caBundle in blueprint webhoo…

…k controller (#1712) * Initial commit * Add helm flags to accept custom tls secret and caBundle details required for blueprint validating webhook controller * Address Review comments * Add docs for new flags introduced * Update docs/install.rst Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com> * Minor Improvements * Minor improvement * Address review comments Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> --------- Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com> Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
kanisterio · Mar 9, 2023 · cd61459 · cd61459
1 parent 83ab689
commit cd61459
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 2 deletions.
diff --git a/docs/install.rst b/docs/install.rst
@@ -74,6 +74,36 @@ install Kanister with the ``--set controller.updateCRDs=false`` option:
 
 This option lets Helm manage the CRD resources.
 
+Using custom certificates with the Validating Webhook Controller
+================================================================
+
+Kanister installation also creates a validating admission webhook server
+that is invoked each time a new Blueprint is created.
+
+By default the Helm chart is configured to automatically generate a
+self-signed certificates for Admission Webhook Server.
+If your setup requires custom certificates to be configured, you will have
+to install kanister with ``--set bpValidatingWebhook.tls.mode=custom``
+option along with other certificate details.
+
+
+Create a Secret that stores the TLS key and certificate for webhook admission server:
+
+.. substitution-code-block:: bash
+
+  kubectl create secret tls my-tls-secret --cert /path/to/tls.crt --key /path/to/tls.key -n kansiter
+
+Install Kanister, providing the PEM-encoded CA bundle and the `tls` secret name
+like below:
+
+.. substitution-code-block:: bash
+
+  helm upgrade --install kanister kanister/kanister-operator --namespace kanister --create-namespace \
+    --set bpValidatingWebhook.tls.mode=custom \
+    --set bpValidatingWebhook.tls.caBundle=$(cat /path/to/ca.pem | base64 -w 0) \
+    --set bpValidatingWebhook.tls.secretName=tls-secret
+
+
 Building and Deploying from Source
 ==================================
 

diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
@@ -40,6 +40,7 @@ observability
 outputArtifact
 param
 params
+PEM
 PersistentVolumeClaim
 pluggable
 pre

diff --git a/helm/kanister-operator/templates/deployment.yaml b/helm/kanister-operator/templates/deployment.yaml
@@ -19,7 +19,11 @@ spec:
       volumes:
         - name: webhook-certs
           secret:
+            {{- if eq (.Values.bpValidatingWebhook.tls.mode) "custom" }}
+            secretName: {{ .Values.bpValidatingWebhook.tls.secretName | required "Missing required TLS secretName containing cert details, Make sure to set `bpValidatingWebhook.tls.secretName`" }}
+            {{- else if eq (.Values.bpValidatingWebhook.tls.mode) "auto" }}
             secretName: kanister-webhook-certs
+            {{- end }}
 {{- end }}
       containers:
       - name: {{ template "kanister-operator.fullname" . }}

diff --git a/helm/kanister-operator/templates/validating-webhook.yaml b/helm/kanister-operator/templates/validating-webhook.yaml
@@ -1,7 +1,8 @@
 {{- if .Values.bpValidatingWebhook.enabled -}}
-{{ $altNames := list  ( printf "%s.%s" ( include "kanister-operator.fullname" . ) .Release.Namespace )  ( printf "%s.%s.svc" ( include "kanister-operator.fullname" . ) .Release.Namespace ) }}
 # generate ca cert with 365 days of validity
 {{ $ca := genCA ( printf "%s-ca" ( include "kanister-operator.fullname" . ) ) 365 }}
+{{- if eq (.Values.bpValidatingWebhook.tls.mode) "auto" }}
+{{ $altNames := list  ( printf "%s.%s" ( include "kanister-operator.fullname" . ) .Release.Namespace )  ( printf "%s.%s.svc" ( include "kanister-operator.fullname" . ) .Release.Namespace ) }}
 # generate cert with CN="component-svc", SAN=$altNames and with 365 days of validity
 {{ $cert := genSignedCert ( printf "%s" ( include "kanister-operator.fullname" . ) ) nil $altNames 365 $ca }}
 apiVersion: v1
@@ -13,6 +14,7 @@ data:
   tls.crt: {{ $cert.Cert | b64enc }}
   tls.key: {{ $cert.Key | b64enc }}
 ---
+{{- end }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
@@ -31,7 +33,11 @@ webhooks:
       name: {{ template "kanister-operator.fullname" . }}
       path: "/validate/v1alpha1/blueprint"
       port: {{ .Values.controller.service.port }}
-    caBundle: {{ b64enc $ca.Cert }}
+    {{- if eq (.Values.bpValidatingWebhook.tls.mode) "custom" }}
+    caBundle: {{ .Values.bpValidatingWebhook.tls.caBundle | required "Missing required caBundle, bpValidatingWebhook.tls.caBundle" }}
+    {{- else if eq (.Values.bpValidatingWebhook.tls.mode) "auto" }}
+    caBundle: {{ b64enc $ca.Cert }}    
+    {{- end }}
   admissionReviewVersions: ["v1", "v1beta1"]
   sideEffects: None
   timeoutSeconds: 5

diff --git a/helm/kanister-operator/values.yaml b/helm/kanister-operator/values.yaml
@@ -24,6 +24,10 @@ controller:
   updateCRDs: true
 bpValidatingWebhook:
   enabled: true
+  tls:
+    mode: auto # If set to `custom` then secretName and caBundle should be provided
+    secretName: '' # An already created Secret in kanister controller namespace having tls cert details
+    caBundle: '' # A valid, CA bundle which is a PEM-encoded CA bundle for validating the webhook's server certificate
 resources:
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little