-
Notifications
You must be signed in to change notification settings - Fork 332
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Supporting reading TLS data from places other than Kubernetes Secrets #1972
Comments
Ack! I need the very same thing, where my cluster has already mechanisms to come up with certificates that I'd like to mount for the webhook to "just" pick up. I'd love to see those as commandline options for webhooks generically too, so existing webhooks (like in Knative Serving) can be altered to do things differently. |
I think defining an interface to encapsulate the webhook's needs and having something like the certificate controller implement that as one option would be a welcome refactor (I was talking about this a while back with someone 🤔 ). With that, it should be straightforward to add new strategies. cc @dprotaso for thoughts. |
This issue is stale because it has been open for 90 days with no |
/remove-lifecycle stale |
Imma going to take a whack at this one. /assign |
This issue is stale because it has been open for 90 days with no |
/lifecycle frozen |
/unassign not doing this rn. |
When deploying a webhook, it may be desirable to not make use of the
certificates
controller (for generating a TLS certificate for the webhook), nor reading the TLS data from a Kubernetes secret (e.g. in the case where some form of TLS certificate/identity document is already available within the webhook pod).It is already possible to not instantiate the certificate controller (by excluding it from the call to
sharedmain.WebhookMainWithConfig
, however thewebhook.Run
method explicitly sets the GetCertificate field on thehttp.Server
to one that requires a Secret lister to function:pkg/webhook/webhook.go
Lines 187 to 206 in b0c121f
Ideally, this would be one of a number of optional mechanisms for loading TLS certificate data. This would increase the flexibility of the
knative.dev/pkg
package.I'm considering whether we should simply allow setting
GetCertificate
directly, however changes are needed towebhook.New
which currently fetches the SecretInformer from the SharedInformerFactory (thereby causing the informer factory to require read permission on secrets to start):pkg/webhook/webhook.go
Lines 110 to 115 in b0c121f
I think we could introduce a new
NewWithCertificateSource
or something, which would allow a user to override this behaviour (and the existing behaviour of the New function could be retained without breaking Go API compatibility)./kind feature
The text was updated successfully, but these errors were encountered: