Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bootstrap the root CA and the controller webhook server TLS certificate and remove the cert-manager dependency. #820

Closed
Tracked by #7
fabriziosestito opened this issue Jul 22, 2024 · 1 comment
Closed
Tracked by #7

Bootstrap the root CA and the controller webhook server TLS certificate and remove the cert-manager dependency. #820

fabriziosestito opened this issue Jul 22, 2024 · 1 comment
Assignees
@fabriziosestito
Labels
kind/enhancement kind/feature
Milestone
1.17

Comments

@fabriziosestito
Copy link
Contributor

fabriziosestito commented Jul 22, 2024
edited
Loading

We need to remove the cert-manager dependency.
Therefore, we need to bootstrap the root CA the first time the controller is installed and generate the controller's webhook TLS certificate.
Both the CA root and the controller webhook TLS certificate are stored in a secret.

This can be done directly in helm, by using the genCa and genSignedCert helper function.
Using helm is a good approach since it removes the complexity of bootstrapping certificates in the controller main function, which implies coordination with the leader election and generally slows down the initialization of the controller container.

See https://github.com/aquasecurity/aqua-helm/blob/d212befe175998b7d8a83a7b0a33080993f171e5/kube-enforcer/templates/auto-generate-tls.yaml as an example

Subtasks:

  • generate the CA certificate and the TLS cert. This must be done just once when the controller chart is installed, by using the lookup function.
  • inject the CA certificate into the Validating/Mutating webhook configuration directly in the helm chart
  • remove the policy server CA secret creation in the reconciliation loop. Use the CA from the helm initialized secret instead.
  • remove cert-manager dependency from the helm chart and the controller
@fabriziosestito fabriziosestito mentioned this issue Jul 22, 2024
Closed
13 tasks
@fabriziosestito fabriziosestito added this to the 1.16 milestone Jul 22, 2024
@fabriziosestito fabriziosestito self-assigned this Jul 22, 2024
This was referenced Jul 22, 2024
Closed
Closed
Merged
@viccuad viccuad modified the milestones: 1.16, 1.17 Aug 20, 2024
@viccuad
Copy link
Member

viccuad commented Aug 28, 2024

Closing as done, the only part missing is "remove cert-manager dependency from the helm chart and the controller" and that's tracked on #7.

@viccuad viccuad closed this as completed Aug 28, 2024
@fabriziosestito fabriziosestito mentioned this issue Sep 3, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fabriziosestito fabriziosestito

Labels
kind/enhancement kind/feature
Projects
Kubewarden
Archived in project
Milestone
1.17
Development

No branches or pull requests
2 participants
@fabriziosestito @viccuad