Comments (7)
Self-generated certs are governed by the Kubebuilder code. Here is the source for the most recent release:
Getting this bug addressed in that central library should go a lot farther in addressing the cross-compatibility issues generally. Please link any filed bugs back to this one and we'll upgrade our libraries to include published fixes as we are able.
In the interim, is it possible to have cert-management projects create the cert prior to start up? As long as the cert remains valid the self-management shouldn't overwrite it.
Another feature request you may want against the controller-runtime library is to disable the automatic overwriting of expired/incompatible certs, as that could interfere with the functioning of external cert generation systems.
You can also use the enable-manual-deploy flag to deploy the secret, service, webhook config manually instead of having kubebuilder do it. https://github.com/open-policy-agent/gatekeeper/blob/master/pkg/webhook/policy.go#L46
@maxsmythe I opened an issue in that project: kubernetes-sigs/controller-runtime#430
@ritazh that's exactly where the issue lies. If I do that, what do I use then to automatically generate secrets? The keys expected by the code are the standard keys that other certificate operators generate.
@raffaelespazzoli thanks!
One thing about enable-manual-deploy is that it disables automatic generation of the webhook config; it does not disable automatic generation of the secrets themselves.
To have that feature, controller-runtime would need to implement the feature mentioned above:
Another feature request you may want against the controller-runtime library is to disable the automatic overwriting of expired/incompatible certs, as that could interfere with the functioning of external cert generation systems.
@maxsmythe Today we are using the DisableWebhookConfigInstaller flag which
controls if the server will automatically create webhook related objects during bootstrapping. e.g. webhookConfiguration, service and secret.
But looks like this flag and the ability to generate your own webhook related objects were dropped in this commit: kubernetes-sigs/controller-runtime@81b48be#diff-fbc18bb07cdd05391b7081acc1dfe170
@ritazh DisableWebhookConfigInstaller is half the battle here. The other issue is the cert which the server uses to sign its responses, which is currently unaffected.
ValidatingWebhookConfiguration configures the API server and which public/authority certs it expects. The server itself either mounts a secret or maintains one on local disk and will rotate as needed. This locally mounted cert is the one used to sign responses. If the two configurations don't agree, then the mTLS handshake will fail.
Currently, I know of no levers to control secret generation other than making sure a pre-existing valid secret is installed.
re: removal of DisableWebhookConfigInstaller. From what I can tell there is a major refactoring going on related to how the server is generated. I haven't seen any documentation, so I can't say for sure whether that option has been removed completely or just relocated.
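As an added example (not code from this thread, gatekeeper or controller-runtime), the Go program below reproduces the mismatch described in the comment above: it checks whether the serving cert held in the webhook secret chains to the caBundle that the ValidatingWebhookConfiguration hands to the API server, first with a cert issued by that CA and then with a self-signed cert that a generator wrote over the secret. The CA name, the service DNS name and the toy certificate generator are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// newCert issues a self-signed CA when parent is nil (as a built-in cert generator does), otherwise a serving cert signed by parent.
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails on a broken RNG
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, DNSNames: []string{name}, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-sign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parse what was just created
	return cert, key
}

// caBundleTrusts checks that tls.crt from the webhook secret chains to the caBundle in the
// ValidatingWebhookConfiguration for the service DNS name; an error means the API server's TLS handshake fails.
func caBundleTrusts(caBundlePEM []byte, serving *x509.Certificate, dnsName string) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caBundlePEM) // an empty or non-PEM bundle simply trusts nothing
	_, err := serving.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// scenario reproduces the drift from the thread: caBundle still carries the external CA,
// but the serving secret was overwritten with a self-signed cert. Names are constructed.
func scenario() (inSync, drifted error) {
	const svc = "webhook-service.gatekeeper-system.svc"
	ca, caKey := newCert("external-ca", nil, nil)
	caBundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	issued, _ := newCert(svc, ca, caKey)     // tls.crt issued by the external CA
	regenerated, _ := newCert(svc, nil, nil) // tls.crt replaced by self-generation
	return caBundleTrusts(caBundle, issued, svc), caBundleTrusts(caBundle, regenerated, svc)
}
```

The same caBundleTrusts check can be run against a live cluster by feeding it the decoded caBundle from the webhook configuration and the parsed tls.crt from the secret.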
I think this has been fixed with the migration to Kubebuilder V2. Re-open if not.