
Generate cert at startup #293

Closed
stefanprodan opened this issue Mar 11, 2019 · 5 comments

@stefanprodan (Collaborator)

To simplify the install, if no cert is provided by the user, the admission controller could generate a self signed cert at startup with MaybeDefaultWithSelfSignedCerts https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/server/options/serving.go#L271

Here is an example https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/sample-apiserver/pkg/cmd/server/start.go#L108

@jqmichael (Contributor)

@stefanprodan
If I understand the implementation of MaybeDefaultWithSelfSignedCerts correctly, this replaces the code in gen-cert.sh, which uses openssl to create the cert and private key.

https://github.com/aws/aws-app-mesh-inject/blob/master/gen-cert.sh#L8-L29

But it is still required for customers to send a CertificateSigningRequest to the API server and approve the cert. So we can't completely get rid of gen-cert.sh.

Is my understanding correct?
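As an added illustration of the startup fallback discussed in the two comments above (not code from aws-app-mesh-inject or from the k8s.io/apiserver package): a Go function, using only the standard library, that generates a self-signed serving cert for the webhook Service's DNS names and returns the PEM that still has to reach the API server as caBundle, which is the approval or injection step the thread points out no in-process generator removes. The function name, the Service DNS name and the validity period are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// SelfSignedServingCert is the "no cert provided" fallback: it returns the webhook's TLS
// key pair plus the PEM the API server must be given as caBundle (the step cert approval or
// cainjector still handles). dnsNames must hold the Service name (<svc>.<ns>.svc) as a SAN.
func SelfSignedServingCert(dnsNames []string, validity time.Duration) (tls.Certificate, []byte, error) {
	if len(dnsNames) == 0 {
		return tls.Certificate{}, nil, errors.New("self-signed fallback needs at least one DNS SAN")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(now.UnixNano()),
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		DNSNames:              dnsNames, // the API server matches the Service name against SANs
		NotBefore:             now.Add(-time.Minute), // tolerate small clock skew
		NotAfter:              now.Add(validity),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // explicitly not a CA: the leaf itself is the trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key generated just above
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	c, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return c, certPEM, nil
}
```

The returned PEM is exactly what the CSR approval flow or cainjector has to place into the webhook configuration's caBundle; the serving process cannot do that step for itself.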

@stefanprodan (Collaborator, Author) commented Mar 26, 2019

Yes, indeed: the apiserver package doesn't deal with cert approval; cert-manager has a nice utility called cainjector that automates that part without any scripts.

@jasonrichardsmith (Contributor)

@stefanprodan I have just done some preliminary work with cert-manager, which handles the entire cert lifecycle. I also added the yaml to kustomize. I will submit a PR with the changes to the manifests and the README, if the team wants to fall back on cert-manager as the solution of choice for admission controllers.

@stefanprodan (Collaborator, Author)

I think it would be great to have an alternative to Helm that doesn't involve bash scripts. In the Helm installer the cert is handled like this https://github.com/aws/eks-charts/blob/master/stable/appmesh-inject/templates/_helpers.tpl#L59

If we could have a kubectl apply -k github.com/aws/aws-app-mesh-inject//kustomize that installs cert-manager and the injector with the right cert, it would be awesome.

achevuru transferred this issue from amazon-archives/aws-app-mesh-inject on Jun 18, 2020

@M00nF1sh (Contributor)

Closing this, as both cert-manager and the bash script are supported in the GA version.
