Description
To enable webhooks for API upgrades, we need to investigate an alternative to the automatic CA injection provided by cert-manager.
Since we have another use case with GCM instead of cert-manager, where no equivalent of the cert-manager.io/inject-ca-from annotation exists, API upgrades are currently blocked. The GCM team unfortunately has their hands full, so we need to come up with a solution ourselves.
Conversion webhooks between resource API versions are needed during API migration, and we need to investigate an alternative way of providing the CA bundle the API server uses to verify the webhook's serving certificate:
spec:
  conversion:
    strategy: Webhook
    webhook:
      clientConfig:
        service:
          name: my-conversion-webhook
          namespace: default
          path: /convert
        caBundle: <base64 encoded CA cert>
instead of relying on:
metadata:
  annotations:
    cert-manager.io/inject-ca-from: my-namespace/my-certificate
We need to embed the CA manually somehow. One option is to do it during installation, via kustomize patches or the install script, if that is even possible (the CA must already exist at that point).
Another idea is a bootstrap job: after the webhook Service and Secret are deployed, wait until the serving cert / CA exists, then run a Job or init step that patches the CRD's caBundle.
Or our operator patches its own CRD on startup, which is probably the cleanest option if we want to remove the cert-manager cainjector dependency.
Timebox
2d
Outcome
DEV Notes
- The SKR watcher should already have some related setup; it may be worth clarifying how we do it there.
- Some resources live on both KCP and SKR, e.g. ModuleTemplate and ModuleReleaseMeta.
- We may need to find individual approaches for each.