Add helm flags for custom tls secret and caBundle in blueprint webhook controller #1712
Conversation
Thanks for submitting this pull request 🎉. The team will review it soon and get back to you. If you haven't already, please take a moment to review our project contributing guideline and Code of Conduct document.
…red for blueprint validating webhook controller
Hi @akankshakumari393,
@viveksinghggits I did those steps manually: I used a self-signed certificate, got the required field values out of it, created a TLS secret from the private key and certs, and populated the CA bundle values during helm install. I was trying to put that in the description, but the field values were too big to be described here.
Can you write the test steps in a way that someone can follow them if they want to? If the certs are too big you can just replace them with
This PR is marked as stale due to inactivity. Add a new comment to reactivate it.
Relevant
I have updated the test plan to use a self-signed certificate. PTAL.
@akankshakumari393 can we not have the caBundle in the secret as well, so that we only have to pass the secret name in the install command? That would make the install command significantly easier for users.
Let's document this in the kanister docs as well.
@viveksinghggits we can do it, but that's not an ideal way. The certs information are in a I somehow agree that it would not be a user-friendly process to add the ca-bundle, but we would have to consider it if we want to enforce
Can we not have another key in the secret? even if it's of type
are they doing the same thing that we are doing and not specifying the caBundle in the secret? If not, in that case we can't say this is the reason we should have the caBundle separately, right?
I don't think
I strongly believe we should not bind the CA cert into the same secret. Let's say later on we choose to keep the validating webhook server separate; then the TLS secrets should be restricted to that component using RBAC, but having the CA cert in it would not allow us to do that. Either we can ask users to create a new opaque secret with the CA bundle information, or we can keep the flag as it is.
@pavannd1 need your opinion on how we are using the caBundle to populate the VWC. We can have it as a flag, or we can ask users to create another generic secret with the CA cert in it and pass it as a helm flag. cc @viveksinghggits
@akankshakumari393 @viveksinghggits Can we recommend using a config map or secret for the CA certificate? We can do the decoding in the helm template, right?
We can use a configmap as well to store the caBundle. It's just that we will have to see how we can use that in the ValidatingWebhookConfiguration.
@viveksinghggits You are right! There isn't an easy solution for this. The solutions I found were using
ok
@viveksinghggits @pavannd1 It wasn't clear from that conversation. Did we decide on using a Secret or a ConfigMap?
I think Pavan is recommending that we should move ahead with the PR as it is. We can wait for him to confirm.
@pavannd1 do we need any modification in this PR?
Co-authored-by: Pavan Navarathna <6504783+pavannd1@users.noreply.github.com>
LGTM, can approve after comments are addressed.
No. We can move forward with this approach.
Signed-off-by: Akanksha Kumari <akankshakumari393@gmail.com>
Change Overview
Add helm flags for accepting TLS certs in a k8s secret for the Blueprint validation webhook controller. Also modified the chart accordingly.
Pull request type
Please check the type of change your PR introduces:
Issues
Test Plan
auto. This would create the secret and use a self-signed certificate:
helm install kanister ./helm/kanister-operator/ --namespace kanister --create-namespace --set bpValidatingWebhook.tls.mode=auto
custom. We would have to create a TLS secret containing the cert details.
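The custom mode above asks the user to do by hand what the PR author describes earlier in the thread: create a self-signed certificate, put key and cert into a kubernetes.io/tls Secret, and pass the base64 CA bundle to the ValidatingWebhookConfiguration. The following is an added example, not code from this PR or from the Kanister chart. It generates that material with Go's standard library, renders the Secret, and, most usefully, checks that the caBundle actually verifies the serving certificate for the webhook's service name before anything is installed. The service DNS name kanister-operator.kanister.svc and the Secret name kanister-webhook-tls are assumptions for illustration; the chart's exact flag names for the custom secret and caBundle are not on this page, so check values.yaml.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// WebhookTLS holds the three values the custom mode needs: the two entries of a
// kubernetes.io/tls Secret and the base64 caBundle for the ValidatingWebhookConfiguration.
type WebhookTLS struct {
	CertPEM  []byte // tls.crt in the Secret
	KeyPEM   []byte // tls.key in the Secret
	CABundle string // base64 of CertPEM; the value the chart puts into clientConfig.caBundle
}

// GenerateSelfSigned creates a self-signed serving certificate for the given
// service DNS names. With a self-signed cert the certificate is its own CA, so the
// caBundle is simply the same PEM, base64-encoded.
func GenerateSelfSigned(dnsNames []string, validFor time.Duration) (*WebhookTLS, error) {
	if len(dnsNames) == 0 {
		return nil, errors.New("at least one DNS name is required")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		DNSNames:              dnsNames, // the API server verifies the SAN, not the CN
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return &WebhookTLS{
		CertPEM:  certPEM,
		KeyPEM:   keyPEM,
		CABundle: base64.StdEncoding.EncodeToString(certPEM),
	}, nil
}

// VerifyCABundle performs the check worth doing before helm install: decode the
// caBundle exactly as the API server will and confirm it verifies the serving cert
// from the Secret for the service name the webhook is reached at.
func VerifyCABundle(caBundleB64 string, certPEM []byte, dnsName string) error {
	caPEM, err := base64.StdEncoding.DecodeString(caBundleB64)
	if err != nil {
		return fmt.Errorf("caBundle is not valid base64: %w", err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("caBundle contains no PEM certificate")
	}
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return errors.New("tls.crt is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// SecretManifest renders the kubernetes.io/tls Secret the custom mode points at.
func SecretManifest(name, namespace string, t *WebhookTLS) string {
	return fmt.Sprintf("apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n",
		name, namespace,
		base64.StdEncoding.EncodeToString(t.CertPEM),
		base64.StdEncoding.EncodeToString(t.KeyPEM))
}

func main() {
	// Assumed service name; the webhook Service name and namespace come from the chart.
	const svc = "kanister-operator.kanister.svc"
	t, err := GenerateSelfSigned([]string{svc}, 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	if err := VerifyCABundle(t.CABundle, t.CertPEM, svc); err != nil {
		panic("caBundle does not verify tls.crt: " + err.Error())
	}
	fmt.Print(SecretManifest("kanister-webhook-tls", "kanister", t))
	fmt.Println("# caBundle value for the chart's custom-mode flag (flag name assumed, see values.yaml):")
	fmt.Println(t.CABundle)
}
```

The verification step matters because a caBundle that does not chain to tls.crt, or a cert whose SAN does not match the Service name, fails silently at install time and only shows up later as TLS errors when the API server calls the webhook. Keeping the CA bundle out of the TLS Secret, as argued in the thread, also means the Secret can be RBAC-scoped to the webhook server alone while the public caBundle travels separately.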