
(M) - As a k8s Webhook developer, I need a WebHook Cert Provisioner pkg which can dynamically provision certs for my webhook. #216

Closed
grodrigues3 opened this issue May 24, 2018 · 2 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.
Comments

@grodrigues3

grodrigues3 commented May 24, 2018

Story: I need a way to get Certificates for my webserver that are written to the webhookConfiguration and secrets.

@grodrigues3 grodrigues3 created this issue from a note in SDK Sprint Planning (Committed) May 24, 2018
@pwittrock pwittrock modified the milestones: v0.1.10, v0.1.11 May 30, 2018
@pwittrock pwittrock moved this from Committed to In progress in SDK Sprint Planning May 30, 2018
@pwittrock pwittrock moved this from In progress to To do in SDK Sprint Planning May 30, 2018
@pwittrock pwittrock modified the milestones: v0.1.11, v0.1.12, v0.1.16 May 30, 2018
@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. and removed enhancement labels Jun 5, 2018
@mengqiy mengqiy moved this from To do to In progress in SDK Sprint Planning Jun 6, 2018
@mengqiy mengqiy changed the title (M) - As a k8s Webhook developer, I need a WebHook pkg which I can use to implement and deploy K8s webhook. (M) - As a k8s Webhook developer, I need a WebHook Cert Provisioner pkg which can dynamically provision certs for my webhook. Jun 6, 2018
@munnerz
Member

munnerz commented Jun 7, 2018

I have done some work on this using cert-manager, a PR is here: cert-manager/cert-manager#478

It is more complex in that PR ^ as I also perform some bootstrapping so that cert-manager can secure its own webhook endpoints.

In short, you should be able to:

  1. Generate a CA using openssl (this is until cert-manager supports a 'self signed' Issuer type, which should be very soon) (this can also be done within a helm chart in the meantime)

  2. Create a secret containing the CA generated in (1)

  3. Create a cert-manager CA Issuer that uses the secret created in (2)

  4. Create a cert-manager Certificate resource for your webhook (i.e. a Certificate that specifies the appropriate dnsNames for your webhook). Set the issuerRef to the name of the Issuer you created in (3)

  5. Set your ValidatingWebhookConfiguration's caBundle field to the CA certificate generated in (1) and configure it like normal.

You can then configure the Deployment for your webhook to mount in the Secret created by cert-manager (i.e. the one named in certificate.spec.secretName).

I have also put this small project together which helps copy a Secret resource into a Validating/Mutating webhook configuration or APIService resource's caBundle field - it is not required in order to follow the above steps, but it will be required if you want to use the to-be-created 'selfsigned' Issuer type to replace step (1) above: https://github.com/munnerz/apiextensions-ca-helper
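As an added example (not code from this issue, kubebuilder or cert-manager), the Go program below runs steps 1, 4 and 5 of the procedure above offline so the trust relationship can be checked without a cluster: it generates the CA, issues a serving certificate for the webhook Service's DNS name the way a cert-manager CA Issuer would (IssueServingCert is a stand-in for the Certificate resource, not cert-manager's code), encodes the CA as the caBundle value, and repeats the check the apiserver performs when it calls the webhook. The names webhook-ca and webhook-service.default.svc are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert makes a P-256 key and a certificate from tmpl, both PEM-encoded. parent == nil
// self-signs (the CA of step 1); otherwise parentKey signs, as a cert-manager CA Issuer does in step 4.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // nil on failure, rejected below
	signer := parentKey
	if parent == nil { // self-signed
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key GenerateKey just produced
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

// GenerateCA is step 1: the self-signed CA whose PEM becomes the Secret of step 2.
func GenerateCA() ([]byte, []byte, error) {
	now := time.Now()
	return newCert(&x509.Certificate{
		Subject: pkix.Name{CommonName: "webhook-ca"}, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

func parseCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// IssueServingCert stands in for the Certificate of step 4: a serving cert for the webhook's DNS names, signed by the step-1 CA.
func IssueServingCert(caCertPEM, caKeyPEM []byte, dnsNames []string) ([]byte, []byte, error) {
	caCert, err := parseCert(caCertPEM)
	kb, _ := pem.Decode(caKeyPEM)
	if err != nil || kb == nil || len(dnsNames) == 0 {
		return nil, nil, errors.New("need a PEM CA certificate, a PEM CA key and at least one dnsName")
	}
	caKey, err := x509.ParseECPrivateKey(kb.Bytes)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	return newCert(&x509.Certificate{ // dnsNames must include <service>.<namespace>.svc, the name the apiserver dials
		Subject: pkix.Name{CommonName: dnsNames[0]}, DNSNames: dnsNames, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 3, 0), KeyUsage: x509.KeyUsageDigitalSignature,
	}, caCert, caKey)
}

// CABundle is the clientConfig.caBundle value of step 5: base64 of the CA PEM, identical to the Secret's tls.crt entry.
func CABundle(caCertPEM []byte) string { return base64.StdEncoding.EncodeToString(caCertPEM) }

// VerifyServingCert is the apiserver's check when it calls the webhook: the serving cert must chain to caBundle and match host.
func VerifyServingCert(caBundle string, servingCertPEM []byte, host string) error {
	caPEM, err := base64.StdEncoding.DecodeString(caBundle)
	pool := x509.NewCertPool()
	if err != nil || !pool.AppendCertsFromPEM(caPEM) {
		return errors.New("caBundle is not base64 PEM holding a CA certificate")
	}
	leaf, err := parseCert(servingCertPEM)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	caCert, caKey, err := GenerateCA()
	host := "webhook-service.default.svc" // placeholder: <service>.<namespace>.svc of the webhook Service
	serving, _, err2 := IssueServingCert(caCert, caKey, []string{host})
	fmt.Printf("caBundle: %s\nerrors: %v %v\n", CABundle(caCert), err, err2)
	fmt.Println("apiserver check:", VerifyServingCert(CABundle(caCert), serving, host))
}
```

To wire the output into the resources from steps 2 to 5: the Secret behind the CA Issuer is of type kubernetes.io/tls with tls.crt and tls.key holding the two PEM files; the Issuer points at it through spec.ca.secretName; the Certificate sets spec.secretName, spec.dnsNames (at least <service>.<namespace>.svc) and spec.issuerRef; and the webhook configuration's clientConfig.caBundle takes the base64 string CABundle returns, which is the same value as the Secret's tls.crt entry (this equality is what a copier like the one linked above relies on). VerifyServingCert is the check worth keeping around: a certificate that chains to the CA but lacks the service DNS name, or one issued by a different CA, is rejected exactly as the apiserver would reject it, and the failure shows up before a rollout rather than as an opaque admission error.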

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 24, 2019
@mengqiy mengqiy closed this as completed May 6, 2019
SDK Sprint Planning automation moved this from In progress to Done - Sprint 1 (05/02/2018) May 6, 2019