Extend secret reading for webhook certificates #2303
Comments
This issue is stale because it has been open for 90 days with no
/reopen
@skonto: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
The Webhook Certificates reconciler's logic will update a secret's contents if the secret is expired or if the secret is empty.
We start with an empty secret so the reconciler can generate its contents. This is an internal process. There is a hardcoded value for renewal (1 day).
However there are two candidate use cases we may want to consider extending this logic for:
a) users operate their infra with specific certificates for all their stuff. Examples:
b) developers may want to use this repo for generic webhook development
This relates to: #1972, but that ticket is focused beyond secrets; here the goal is to add support for using a secret that already contains a certificate and is externally managed. There are some options w.r.t. what flexibility to provide (assuming the reconciler is not removed from the picture):
a) Some validation could happen at the reconciler side as it is now, e.g. expiration logic to warn users.
b) User provides a CA bundle and the reconciler creates the rest of the keys.
c) User provides all certificates (CA/TLS keys), so the reconciler can be used for validation.
Older slack discussion on this topic here.
/kind feature
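As an added example (not knative/pkg code), the decision the issue describes, written in Go: regenerate an internal secret when it is empty, unparsable, or within the one-day renewal window, but only validate and report when a hypothetical annotation marks the secret as externally managed (options a and c). The `tls.crt` key name, the annotation name and the `SelfSignedPEM` test helper are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Assumptions: secret data keyed like corev1.Secret.Data ("tls.crt"), and a
// hypothetical annotation marking the secret as externally managed.
const (
	certKey       = "tls.crt"
	externalAnnot = "example.com/externally-managed"
	renewBefore   = 24 * time.Hour // the 1-day renewal window from the issue
)

// Decide mirrors the "empty or expired" check from the issue and adds a
// validate-only path for externally managed secrets. It returns
// regenerate=true only for internal secrets that need new contents; for
// external secrets a problem is surfaced via err but never overwritten.
func Decide(data map[string][]byte, annotations map[string]string, now time.Time) (regenerate bool, err error) {
	internal := annotations[externalAnnot] != "true"
	block, _ := pem.Decode(data[certKey])
	if block == nil {
		return internal, errors.New("secret has no PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return internal, err
	}
	if now.Add(renewBefore).After(cert.NotAfter) {
		return internal, errors.New("certificate expires at " + cert.NotAfter.Format(time.RFC3339))
	}
	return false, nil
}

// SelfSignedPEM builds a throwaway self-signed certificate (constructed test input).
func SelfSignedPEM(notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.Add(-72 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```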