In order to make my ValidatingWebhookConfiguration work, I have to run a bunch of openssl commands, and then copy-paste (or sed) the certificate authority into my deploy.yaml file where my webhook is defined. But this is not really clean. I know I can put my CA in a Secret, but how can I access this Secret in the ValidatingWebhookConfiguration please?
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: webhook-test
webhooks:
- name: my.webhook.frick
  failurePolicy: Fail
  clientConfig:
    caBundle: CA_BUNDLE_THAT_I_HAVE_TO_PASTE_BY_HAND
    service:
      name: validating-svc
      namespace: default
      path: /services/validate
  rules:
  ...
All the openssl commands:
# Self-signed CA: private key, then the CA certificate
openssl genrsa -out certs/ca.key 2048
openssl req -new -x509 -key certs/ca.key -out certs/ca.crt -config certs/ca_config.txt
# Webhook server key and CSR; the CN must be the in-cluster DNS name of the service
openssl genrsa -out certs/chris.pem 2048
openssl req -new -key certs/chris.pem -subj "/CN=validating-svc.default.svc" -out certs/chris.csr -config certs/chris_config.txt
# Sign the server certificate with the CA
openssl x509 -req -in certs/chris.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/chris-crt.pem
# Single-line base64 of the CA certificate for the caBundle field; copy-pasted into deploy.yaml
export CA_BUNDLE=$(base64 < certs/ca.crt | tr -d '\n')
The goal in the long run is to package my webhook project with helm.
You can have a controller for injecting the CA bundle into the webhook's ValidatingWebhookConfiguration and MutatingWebhookConfiguration resources in order to allow the Kubernetes API server to 'trust' the webhook API server. The CA injector of cert-manager does exactly that, and you can use it as a reference because the source code is open source.
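To make concrete what such an injector does, here is an added example in Go; it is neither the question's manifests nor cert-manager's code. It takes the CA from the Secret the question mentions, refuses anything that is not a valid CA certificate, and emits the JSON Patch that sets clientConfig.caBundle on every webhook of the webhook-test configuration, which is the same write a controller (or a Helm post-install hook running kubectl patch) would perform. Assumptions of mine: the Secret stores the CA PEM under the key ca.crt, the Secret name webhook-ca, and the helper names caBundleFromSecret, buildCAInjectPatch and newTestCASecret; the CA itself is generated in-process as a constructed fixture instead of being read from a cluster, so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// secretData mirrors the .data map of a v1 Secret (values base64, as `kubectl get secret -o json` returns them).
type secretData map[string]string

// patchOp is one RFC 6902 JSON Patch op, as sent by `kubectl patch --type=json` or a PATCH request.
type patchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// caBundleFromSecret extracts the assumed "ca.crt" key, decodes it and checks that it is a valid,
// unexpired CA certificate before returning the base64 form that clientConfig.caBundle expects.
// The IsCA check catches the common slip of storing the server leaf certificate instead of the CA.
func caBundleFromSecret(data secretData) (string, error) {
	b64, ok := data["ca.crt"]
	if !ok {
		return "", errors.New(`secret has no "ca.crt" key`)
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", fmt.Errorf("ca.crt is not valid base64: %w", err)
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("ca.crt holds no PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("ca.crt is not a certificate: %w", err)
	}
	if !cert.IsCA || time.Now().After(cert.NotAfter) {
		return "", errors.New("ca.crt is not a CA certificate or has expired")
	}
	// caBundle is base64 of the PEM bytes, the same encoding the Secret already holds.
	return base64.StdEncoding.EncodeToString(raw), nil
}

// buildCAInjectPatch emits one "add" op per webhook entry; "add" on an object member
// creates or overwrites it, so the patch works whether caBundle is absent or stale.
func buildCAInjectPatch(webhookCount int, caBundle string) []patchOp {
	ops := make([]patchOp, 0, webhookCount)
	for i := 0; i < webhookCount; i++ {
		ops = append(ops, patchOp{Op: "add", Path: fmt.Sprintf("/webhooks/%d/clientConfig/caBundle", i), Value: caBundle})
	}
	return ops
}

// newTestCASecret is a constructed fixture: a self-signed CA made with the standard library
// (standing in for the openssl steps above), stored as `kubectl create secret generic webhook-ca --from-file=ca.crt` would.
func newTestCASecret() (secretData, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "webhook-test-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return secretData{"ca.crt": base64.StdEncoding.EncodeToString(pemBytes)}, nil
}

func main() {
	sec, err := newTestCASecret()
	if err != nil {
		panic(err)
	}
	bundle, err := caBundleFromSecret(sec)
	if err != nil {
		panic(err)
	}
	// The question's configuration lists a single webhook (my.webhook.frick).
	patch, _ := json.Marshal(buildCAInjectPatch(1, bundle))
	fmt.Printf("kubectl patch validatingwebhookconfiguration webhook-test --type=json -p '%s'\n", patch)
}
```

In a real injector the same two steps run inside a watch loop on the Secret and the webhook configuration, so a rotated CA is re-injected without anyone touching deploy.yaml; in a Helm chart they fit a post-install/post-upgrade hook Job. The IsCA check is the guard worth keeping: with failurePolicy: Fail, a wrong bundle makes the API server reject every admission request the webhook covers, so rejecting a bad Secret up front is cheaper than debugging a cluster-wide outage.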