-
Notifications
You must be signed in to change notification settings - Fork 153
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Disabling webhook breaks metrics- and health-endpoints #1376
Comments
Sounds like the |
One can set |
This issue is marked as stale due to inactivity. Add a new comment to reactivate it. |
Still relevant. |
Thank you for fixing this! I took a deeper look and am having these concerns: These are the solutions I am thinking of:
I would prefer solution 1, cause we really don’t need https for metrics or health, removing the need to ignore the „invalid“ certificate when scraping the metrics with prometheus. What do you think? |
I think ultimately, the metrics/health endpoints should be separated from the webhook. In addition, i. the webhook should be a required component - what's the point of having it if I can just disable it |
Created #1500 to track webhook hardening improvements. |
When setting
the webhook server is not started. Instead the "normal" server is started, serving these endpoints
See
kanister/pkg/kancontroller/kancontroller.go
Lines 60 to 80 in 4e590f0
Unfortunately, disabling the bpValidatingWebhook does not adjust the service created in https://github.com/kanisterio/kanister/blob/master/helm/kanister-operator/templates/service.yaml
So disabling the ValidatingWebhook actually breaks accessing /metrics via the service.
It also would break the health-checks (if there were any) cause the port has changed:
To Reproduce
bpValidatingWebhook
enabledbpValidatingWebhook
disabledConnection refused
Expected behavior
Enabling/disabling the webhook should allow the metrics to be accessed. Also, it should not change the URL they can be reached at.
I would propose to decouple serving the webhook and the other endpoints. On the one hand, there is no need to serve the other endpoints via https. Also, as the certificate is self-signed, one would have to allow this self-signed certificate to be accepted when accessing the metrics. When accessing health-checks via https, kubernetes automatically accepts all certificates.
The text was updated successfully, but these errors were encountered: