
Enable configure Connect Injector and Controller Webhooks to be managed by Vault #1191

Merged (80 commits), Jun 13, 2022

Conversation

jmurret (Contributor) commented Apr 27, 2022

Changes proposed in this PR:

  • Managing mutating webhook certs for controller and connect injector locally within those components when configured with Vault.
  • Not deploying webhook-cert-manager when webhook certs have been configured with Vault
  • To turn on this configuration, this will not just be turned on when Vault is turned on. Users will have to configure the below properties that affect both connect inject webhooks and controller webhooks (the reason being that the system does not deploy webhook-cert-manager entirely, which normally manages the certs with k8s secrets):
    • global.secretsBackend.vault.enabled
    • global.secretsBackend.vault.consulConnectInjectCARole
    • global.secretsBackend.vault.connectInject.tlsCert.secretName
    • global.secretsBackend.vault.connectInject.caCert.secretName
    • global.secretsBackend.vault.consulControllerCARole
    • global.secretsBackend.vault.controller.tlsCert.secretName
    • global.secretsBackend.vault.controller.caCert.secretName

How to read this PR:

  • start with charts/consul/values.yaml to get a sense of what is exposed
  • check out acceptance/tests/vault/vault_webhook_certs_test.go and the comments left there
  • view charts/consul/templates/connect-inject-deployment.yaml and charts/consul/templates/controller-deployment.yaml to see how configuration is passed
  • then view the below commands to see how the managing of webhook certs got implemented locally (and bypassed in webhook-cert-manager):
    • control-plane/subcommand/controller/command.go
    • control-plane/subcommand/inject-connect/command.go
    • control-plane/subcommand/webhook-cert-manager/command.go

How I've tested this PR:

  • manual testing and acceptance tests

How I expect reviewers to test this PR:
👀

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)
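As an added illustration (not taken from the project's charts or from the PR), the properties listed above written out as the nested Helm values they correspond to; the role names and secret paths are constructed placeholders and need to match whatever is configured in Vault:

```yaml
# Constructed example values.yaml fragment for the Vault-managed webhook cert setup.
# All keys below are the ones named in the PR description; the values are placeholders.
global:
  secretsBackend:
    vault:
      enabled: true
      # Vault role used by the connect injector to obtain its webhook certs (placeholder name).
      consulConnectInjectCARole: "consul-connect-inject-ca-role"
      connectInject:
        tlsCert:
          secretName: "secret/data/consul/connect-inject/webhook-tls"   # placeholder path
        caCert:
          secretName: "secret/data/consul/connect-inject/webhook-ca"    # placeholder path
      # Vault role used by the controller to obtain its webhook certs (placeholder name).
      consulControllerCARole: "consul-controller-ca-role"
      controller:
        tlsCert:
          secretName: "secret/data/consul/controller/webhook-tls"       # placeholder path
        caCert:
          secretName: "secret/data/consul/controller/webhook-ca"        # placeholder path
# With all of the above set, webhook-cert-manager is not deployed; the connect injector
# and controller manage their own mutating webhook certs from the Vault-provided material.
```

Leaving any of the connectInject or controller entries unset falls back to the default path in which webhook-cert-manager manages the certs via Kubernetes secrets.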

@jmurret jmurret force-pushed the jm/webhook-certs branch 3 times, most recently from 0f8b32b to a86a5d5, May 9, 2022 16:45
@jmurret jmurret force-pushed the jm/webhook-certs branch 2 times, most recently from a77cdce to 2990896, May 19, 2022 21:28
@jmurret jmurret changed the base branch from main to jm/refactor-vault-tests May 19, 2022 21:29
@jmurret jmurret changed the base branch from jm/refactor-vault-tests to jm/vault-test-refactor May 19, 2022 21:29
Base automatically changed from jm/vault-test-refactor to main May 21, 2022 02:06
jmurret and others added 24 commits June 13, 2022 11:54
…ronnectInjectCARole to consulConnectInjectRole
… the same as they are under web-cert-manager. updated path of where webhook certs get saved.
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
…lane/subcommand/controller/command.go

Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com>
@jmurret jmurret merged commit a16c4ee into main Jun 13, 2022
@jmurret jmurret deleted the jm/webhook-certs branch June 13, 2022 19:29