Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(https): support https webhooks #98

Closed
wants to merge 1 commit into from
Closed

feat(https): support https webhooks #98

wants to merge 1 commit into from

Conversation

mattharr-is
Copy link

add optional caBundle attribute to composite and decorator controller hooks

add optional caBundle attribute to composite and decorator controller…
7e2d8a6 
… hooks

Signed-off-by: Matt Harris <mwharri@gmail.com>
Signed-off-by: Matt Harris <matthew.w.harris@walmart.com>
luisdavim
luisdavim requested changes Jan 31, 2020
View reviewed changes
Copy link
Collaborator

@luisdavim luisdavim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's a good idea to support https hook calls but I would prefer to use secrets instead of a string to pass the certs.

AmitKumarDas
AmitKumarDas reviewed Feb 3, 2020
View reviewed changes
controller/common/invoke_hook.go

// SetWebhookCABundleFromSchemaOrDefault evaluates webhook timeout and sets the
// evaluated timeout against WebhookCaller instance
func SetWebhookCABundleFromSchemaOrDefault(schema *v1alpha1.Webhook) webhook.InvokerOption {
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not set any default. IMO we can rename the function to SetWebhookCABundleFromSchema

AmitKumarDas
AmitKumarDas reviewed Feb 3, 2020
View reviewed changes
hooks/webhook/webhook.go
client := &http.Client{Timeout: i.Timeout}
if i.CABundle != "" {
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This maybe the right place, where we explain how this CABundle will be made available to the binary.
We should also add PR message that explain the same.

@AmitKumarDas
Copy link
Owner

Thanks @mattharr-is for the PR. I have provided some suggestions. Would like to get this reviewed by @prateekpandey14 who has been working on webhooks & certificate management of the late.

AmitKumarDas
AmitKumarDas reviewed Feb 3, 2020
View reviewed changes
hooks/webhook/webhook.go
client := &http.Client{Timeout: i.Timeout}
if i.CABundle != "" {
caPool := x509.NewCertPool()
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It will be really great if we can add Unit Tests for these changes. Current code lacks UT & your additions will be helpful in this regard.

prateekpandey14
prateekpandey14 reviewed Feb 3, 2020
View reviewed changes
Copy link
Collaborator

@prateekpandey14 prateekpandey14 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am very much agree with @luisdavim, we should be using k8s secrets type instead of a string to pass the certs.

controller/common/invoke_hook.go

// SetWebhookCABundleFromSchemaOrDefault evaluates webhook timeout and sets the
// evaluated timeout against WebhookCaller instance
func SetWebhookCABundleFromSchemaOrDefault(schema *v1alpha1.Webhook) webhook.InvokerOption {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment has to be updated here, func sets the secret.

@AmitKumarDas
Copy link
Owner

@prateekpandey14 will it be possible to provide some sample repos/projects that has already done this. We might want to use it for reference.

@mattharr-is Do let us know your thoughts? I would be more interested to know the changes required to deploy metac binary with this PR.

@AmitKumarDas AmitKumarDas changed the title support https webhooks feat(https): support https webhooks Feb 7, 2020
@mikebryant
Copy link

I'd like to present an opposing view on using Secret objects to pass in the caBundle. This isn't in line with how similar core kubernetes objects act.

e.g. For MutatingWebhookConfiguration webhooks it has caBundle string, as does APIServiceSpec

Shouldn't this project follow the same pattern, for a more consistent user experience?

@luisdavim
Copy link
Collaborator

That's a good point @mikebryant

@AmitKumarDas
Copy link
Owner

closing this due to inactivity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AmitKumarDas AmitKumarDas AmitKumarDas left review comments

@prateekpandey14 prateekpandey14 prateekpandey14 left review comments

@luisdavim luisdavim luisdavim requested changes

@kmova kmova Awaiting requested review from kmova

@vishnuitta vishnuitta Awaiting requested review from vishnuitta

Assignees

@mattharr-is mattharr-is

Labels
hook ssl
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@mattharr-is @AmitKumarDas @mikebryant @luisdavim @prateekpandey14