Simpler, more reliable webhook TLS via a cert-manager CSI mount#141
Merged
…for TLS

Provision the webhook serving certificate through the cert-manager CSI driver instead of a cert-manager Certificate + cainjection. The manager mounts the cert directly from a csi.cert-manager.io volume, so there is no standalone Certificate resource, no CA-injection wiring on the webhook configurations, and no cluster-wide cert-manager Certificate dependency in the production overlay.

- Remove the config/base/certmanager base (Issuer/Certificate + kustomize name-reference + CA-injection replacements).
- Add a generic config/components/csi-webhook-cert component that mounts the webhook-server-tls CSI volume on the manager Deployment. The issuer is intentionally left unset so each consuming overlay (or the infra repo) patches csi.cert-manager.io/issuer-kind and issuer-name for its environment.
- Drop the optional compute-webhook-cert Secret volume/mount from the base manager Deployment; the CSI volume now supplies serving-certs.
- single-cluster overlay: drop the certmanager base, the cainjection patch, and the dnsName/CA replacement blocks; wire in the csi-webhook-cert component instead.
- dev overlay: keep an inline self-signed Issuer + Certificate for the local host.docker.internal webhook (no CSI driver in the dev kind/docker setup) and annotate the webhook configs with inject-ca-from directly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ecv approved these changes (Jun 4, 2026)
Value

Operators get a simpler, more reliable webhook TLS setup. Webhook serving certificates are now mounted directly from a cert-manager CSI volume, which means:

- No standalone Certificate resource to reconcile, and no cainjection / inject-ca-from wiring on the webhook configurations for production.
- No dependency on a cluster-wide cert-manager Certificate before the manager can serve — Milo trusts the configured issuer directly, so the CA bundle no longer has to be injected into each webhook config.

This is a config-only change with no behavioral change to the webhook itself.

What

- Remove the config/base/certmanager base (Issuer/Certificate, name-reference config, CA-injection replacements).
- Add a config/components/csi-webhook-cert component that mounts the webhook-server-tls CSI volume on the manager Deployment. The issuer is intentionally left unset — each consuming overlay (or the infra repo) patches csi.cert-manager.io/issuer-kind / issuer-name for its environment, so different environments can use different issuers without forking the component.
- Drop the optional compute-webhook-cert Secret volume/mount from the base manager Deployment.
- single-cluster overlay: drop the certmanager base, the cainjection patch, and the dnsName/CA replacement blocks; wire in the csi-webhook-cert component.
- dev overlay: keep an inline self-signed Issuer + Certificate for the local host.docker.internal webhook (the dev kind/docker setup has no CSI driver) and annotate the webhook configs with inject-ca-from directly.

Verification

- kustomize build passes for config/overlays/single-cluster, config/overlays/dev, and config/base/manager.
- Rendered single-cluster output wires webhook TLS via the CSI webhook-server-tls volume with no remaining Certificate / cainjection.

Coordination notes

- … main, the webhook-TLS refactor that also lives in feat: route workloads to city locations via distributed scheduling (foundation) #107. It de-duplicates the same refactor in feat: datumctl compute plugin — deploy and manage workloads from the CLI #113 — only one should land; landing this standalone lets both #107 and #113 drop their copy on rebase.
- The issuer still has to be set by the consumer (csi.cert-manager.io/issuer-kind / issuer-name); for this repo that is expected to come from the infra repo (there is no management-plane overlay on main).

🤖 Generated with Claude Code
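The shape of the three pieces the description lists (the issuer-less component, the per-environment issuer patch, and the dev overlay's inline self-signed fallback), written out as an added example; this is not code from the PR or the Milo repository. The Deployment and container names (controller-manager, manager), the namespace milo-system, the service name milo-webhook-service, the mount path, the fs-group of 65532, the ClusterIssuer name cluster-ca, and the webhook configuration name are all assumptions made for illustration.

```yaml
# --- config/components/csi-webhook-cert/kustomization.yaml ---
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
patches:
  - path: manager-csi-volume.yaml
    target:
      kind: Deployment
      name: controller-manager          # assumed Deployment name
---
# --- config/components/csi-webhook-cert/manager-csi-volume.yaml ---
# Strategic-merge patch: volumes/containers merge by name, so overlays never
# need a positional index into the volumes list.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
spec:
  template:
    spec:
      containers:
        - name: manager                 # assumed container name
          volumeMounts:
            - name: webhook-server-tls
              # controller-runtime's default serving-cert directory (assumed)
              mountPath: /tmp/k8s-webhook-server/serving-certs
              readOnly: true
      volumes:
        - name: webhook-server-tls
          csi:
            driver: csi.cert-manager.io
            readOnly: true
            volumeAttributes:
              # ${POD_NAMESPACE} is expanded by the driver; service name assumed
              csi.cert-manager.io/dns-names: "milo-webhook-service.${POD_NAMESPACE}.svc,milo-webhook-service.${POD_NAMESPACE}.svc.cluster.local"
              # let a non-root manager (uid/gid 65532 assumed) read tls.key
              csi.cert-manager.io/fs-group: "65532"
              # issuer-kind / issuer-name are deliberately absent: the
              # consuming overlay (or infra repo) sets them per environment.
---
# --- config/overlays/single-cluster/kustomization.yaml (relevant part) ---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base/manager
components:
  - ../../components/csi-webhook-cert
patches:
  - target:
      kind: Deployment
      name: controller-manager
    patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: controller-manager
      spec:
        template:
          spec:
            volumes:
              - name: webhook-server-tls
                csi:
                  driver: csi.cert-manager.io
                  volumeAttributes:
                    csi.cert-manager.io/issuer-kind: ClusterIssuer   # assumed
                    csi.cert-manager.io/issuer-name: cluster-ca      # assumed
---
# --- config/overlays/dev/webhook-cert.yaml (no CSI driver in kind/docker) ---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: webhook-selfsigned
  namespace: milo-system                # assumed namespace
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: webhook-server-cert
  namespace: milo-system
spec:
  dnsNames:
    - host.docker.internal
  issuerRef:
    kind: Issuer
    name: webhook-selfsigned
  secretName: webhook-server-cert
---
# Strategic-merge patch over the base webhook configuration (webhooks list
# comes from the base): cainjection copies ca.crt from the Certificate's
# Secret into every caBundle, which is exactly what production no longer does.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: validating-webhook-configuration   # assumed
  annotations:
    cert-manager.io/inject-ca-from: milo-system/webhook-server-cert
```

Two things worth checking when adopting this pattern. First, the component renders a volume the CSI driver cannot satisfy until an overlay supplies issuer-kind and issuer-name, so a quick guard after `kustomize build config/overlays/<env>` is to grep the output for `csi.cert-manager.io/issuer-name` and fail if it is missing, and to grep for `kind: Certificate` and `inject-ca-from` and fail if either is still present in a production overlay. Second, dropping cainjection only works when the API server already trusts the CA that signs the serving cert (the PR states Milo trusts the configured issuer directly); if an environment swaps in an issuer whose CA the API server does not trust, admission calls will fail TLS verification with an empty caBundle, so the issuer choice and the webhook configs' caBundle have to be reviewed together.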