Allow webhook CA bundle to be taken from secret #273
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 4 commits
October 20, 2022 14:39
Previously, if you are providing your own certs for the webhook, the CA bundle had to be specified as a helm chart parameter. This made it harder to deploy the operator if the cert was generated through a helm chart too because you won't know what the cert is when you deploy your app. This change is to allow the CA cert to be read from the webhook.tlsSecret. If that secret has the key ca.crt, then it will be patched in the webhook config by the operator. The secret that contains the tlsSecret has to provided to the operator now. An empty string implies the operator will generate the certificate internally. Support for deploying without the webhook had to fixed as it was broken in the prior change that relaxed the cert-manager dependency. The default name of the tls secret when using cert-manager was updated to reflect the name chosen when installing with olm. Some e2e cleanup was added. The custom-cert-webhook had some logging testing that was moved to its own test. Then I created a copy of custom-cert-webhook for when the CA bundle is in the secret.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, if you are providing your own certs for the webhook, the CA bundle had to be specified as a helm chart parameter. This made it harder to deploy the operator if the cert was generated through a helm chart too because you won't know what the cert is when you deploy your app.
This change is to allow the CA cert to be read from the webhook.tlsSecret. If that secret has the key ca.crt, then it will be patched in the webhook config by the operator.
The secret that contains the tlsSecret has to be provided to the operator now. An empty string implies the operator will generate the certificate internally.
Support for deploying without the webhook had to be fixed as it was broken in the prior change that relaxed the cert-manager dependency.
The default name of the tls secret when using cert-manager was updated to reflect the name chosen when installing with olm.
Some e2e cleanup was added. The custom-cert-webhook had some logging testing that was moved to its own test. Then I created a copy of custom-cert-webhook for when the CA bundle is in the secret.
I'm also removing the 'wait for webhook' logic when we deploy the operator. This should not be needed anymore due to a previous operator-sdk update. But we did see some tests failing (see #30). I am removing that wait logic again so that we can debug any webhook issues that may arise in the e2e tests.I had to add this back in and update the disable-webhook test. I got an e2e failure because of this. This gave me some important context, which I hope to use for a proper fix for #30, but I'll leave that for a separate PR.