Webhook certs patch 1 (#2739)

* Workaround for very short webhook certs.

Extension to PR #2514

* Workaround for very short webhook certs.

Extension to PR #2514

* Fix ShellCheck SC2004

* Fix ShellCheck SC2004

manifests/vanilla/deploy-csi-snapshot-components.sh

@@ -197,10 +197,13 @@ deploy_validation_webhook() {
 	DNS.3 = ${service}.${namespace}.svc
 EOF
 
-	openssl req -nodes -new -x509 -keyout "${tmpdir}"/ca.key -out "${tmpdir}"/ca.crt -subj "/CN=vSphere CSI Admission Controller Webhook CA"
+	# Default webhook server and ca certificate validity
+	validity=180
+
+	openssl req -nodes -new -x509 -keyout "${tmpdir}"/ca.key -days ${validity} -out "${tmpdir}"/ca.crt -subj "/CN=vSphere CSI Admission Controller Webhook CA"
 	openssl genrsa -out "${tmpdir}"/webhook-server-tls.key 2048
 	openssl req -new -key "${tmpdir}"/webhook-server-tls.key -subj "/CN=${service}.${namespace}.svc" -config "${tmpdir}"/server.conf \
-	| openssl x509 -req -CA "${tmpdir}"/ca.crt -CAkey "${tmpdir}"/ca.key -days 180 -CAcreateserial -out "${tmpdir}"/webhook-server-tls.crt -extensions v3_req -extfile "${tmpdir}"/server.conf
+	| openssl x509 -req -CA "${tmpdir}"/ca.crt -CAkey "${tmpdir}"/ca.key -days $((validity-1)) -CAcreateserial -out "${tmpdir}"/webhook-server-tls.crt -extensions v3_req -extfile "${tmpdir}"/server.conf
 	cat <<EOF >"${tmpdir}"/webhook.config
 	[WebHookConfig]
 	port = "8443"
@@ -322,4 +325,4 @@ else
 fi
 
 # Check if vSphere CSI Driver has the snapshotter sidecar, if not patch the deployment
-check_snapshotter_sidecar
+check_snapshotter_sidecar

manifests/vanilla/deploy-vsphere-csi-validation-webhook.sh

@@ -77,11 +77,14 @@ DNS.2 = ${service}.${namespace}
 DNS.3 = ${service}.${namespace}.svc
 EOF
 
+# Default webhook server and ca certificate validity
+validity=180
+
 # Generate the CA cert and private key
-openssl req -nodes -new -x509 -keyout "${tmpdir}"/ca.key -out "${tmpdir}"/ca.crt -subj "/CN=vSphere CSI Admission Controller Webhook CA"
+openssl req -nodes -new -x509 -keyout "${tmpdir}"/ca.key -days ${validity} -out "${tmpdir}"/ca.crt -subj "/CN=vSphere CSI Admission Controller Webhook CA"
 openssl genrsa -out "${tmpdir}"/webhook-server-tls.key 2048
 openssl req -new -key "${tmpdir}"/webhook-server-tls.key -subj "/CN=${service}.${namespace}.svc" -config "${tmpdir}"/server.conf \
-  | openssl x509 -req -CA "${tmpdir}"/ca.crt -CAkey "${tmpdir}"/ca.key -days 180 -CAcreateserial -out "${tmpdir}"/webhook-server-tls.crt -extensions v3_req -extfile "${tmpdir}"/server.conf
+  | openssl x509 -req -CA "${tmpdir}"/ca.crt -CAkey "${tmpdir}"/ca.key -days $((validity-1)) -CAcreateserial -out "${tmpdir}"/webhook-server-tls.crt -extensions v3_req -extfile "${tmpdir}"/server.conf
 
 cat <<eof >"${tmpdir}"/webhook.config
 [WebHookConfig]
@@ -114,4 +117,4 @@ kubectl delete clusterrolebinding.rbac.authorization.k8s.io vsphere-csi-webhook-
 kubectl delete deployment vsphere-csi-webhook --namespace "${namespace}" 2>/dev/null || true
 
 # patch validatingwebhook.yaml with CA_BUNDLE and create service and validatingwebhookconfiguration
-sed "s/caBundle: .*$/caBundle: ${CA_BUNDLE}/g" <validatingwebhook.yaml | kubectl apply -f -
+sed "s/caBundle: .*$/caBundle: ${CA_BUNDLE}/g" <validatingwebhook.yaml | kubectl apply -f -