Add validating webhook and webhook tls autoconfiguration #478
So a few more notes on the status of this:
I am currently blocked on helm/helm#4231 being merged, and helm/helm#3982 making it into a tagged release.
Update docs
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
@munnerz: The following tests failed, say
I've tested this locally and it worked well for me. Releasing v0.5 with this turned off by default (and a note in the release notes of how to opt in), maybe defaulting it to on in v0.6 sounds like a good idea. I got this error when deploying with helm:
I moved
Sorry @kragniz - didn't see your review of this PR until now! Thanks for taking a look 😄
Yes, if you run
/check-dco
As this is disabled by default, I'm going to go ahead and merge this so we can start gathering feedback from users 😄 There may be changes still to make, but let's see what the world thinks first!
[APPROVALNOTIFIER] This PR is APPROVED. Approval requirements bypassed by manually added approval.
* Update version numbers for v0.5.0 (cert-manager/cert-manager#885)
* added affinity and tolerations (cert-manager/cert-manager#869)
* Add validating webhook and webhook tls autoconfiguration (cert-manager/cert-manager#478)
* chart: annotate all CRDs with "crd-install" hook (cert-manager/cert-manager#823)
* helm chart: remove endpoints from rbac resources (cert-manager/cert-manager#769)
Signed-off-by: James Munnelly <james@munnelly.eu>
What this PR does / why we need it:
This PR adds support for ValidatingWebhookConfiguration for cert-manager resources.
This is comprised of a few parts that make it more complex, mostly around securing the TLS endpoint for the webhooks.
Roughly:
failurePolicy: Fail, meaning we cannot create real Issuers or Certificates. Once the secret resource has been provisioned, the webhook will be able to start, and cert-manager will then create the Issuer and Certificate resources in the apiserver, allowing standard renewal to take place from then on.
This lays out a general pattern for how webhook TLS can be configured in Kubernetes more generally. I have a doc I'm putting together that details a recommendation for how to secure webhooks other than cert-manager's own webhooks.
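As an added example (not code from this PR or from cert-manager), the bootstrap step described above using only Go's standard library: a self-signed CA and a serving certificate for the webhook Service are generated up front, so the TLS Secret can exist and the webhook can serve before any Issuer or Certificate could pass a failurePolicy: Fail webhook; VerifyAsAPIServer then performs the chain and hostname checks the apiserver makes against clientConfig.caBundle. The service and namespace names, the P-256 key type and the one-minute backdate are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// BootstrapWebhookTLS returns a self-signed CA (PEM-encode it into clientConfig.caBundle) and a serving cert/key
// (the Secret's tls.crt/tls.key), so the webhook can start before any Issuer/Certificate could pass a failurePolicy: Fail webhook.
func BootstrapWebhookTLS(service, namespace string, validity time.Duration) (ca, serving *x509.Certificate, servingKey *ecdsa.PrivateKey, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumption: P-256 keys for both CA and serving cert
	if err != nil {
		return nil, nil, nil, err
	}
	if servingKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	nb := time.Now().Add(-time.Minute) // backdate slightly to tolerate clock skew between nodes
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: service + "-ca"},
		NotBefore: nb, NotAfter: nb.Add(validity), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	ca, _ = x509.ParseCertificate(caDER) // DER we just produced; parsing cannot fail
	svc := service + "." + namespace + ".svc" // the name the apiserver dials, so it must be a SAN
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: svc},
		DNSNames: []string{service, service + "." + namespace, svc}, NotBefore: nb, NotAfter: nb.Add(validity),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, ca, &servingKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	serving, _ = x509.ParseCertificate(srvDER)
	return ca, serving, servingKey, nil
}

// VerifyAsAPIServer performs the checks the apiserver makes with caBundle: chain to the CA and hostname match.
func VerifyAsAPIServer(ca, serving *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := serving.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

Because the serving certificate is signed by a CA that lives only in the Secret and the webhook configuration, a rotated or re-bootstrapped CA must be written back into caBundle or the apiserver will reject every admission call under failurePolicy: Fail.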
Release note: