To facilitate TLS for webhooks it is common to rely on cert-manager APIs. It's easy to issue a certificate, mount it into one's controller and let cert-manager inject the CA bundle into the *WebhookConfiguration. However, often one doesn't want to depend on cert-manager APIs. Maybe the controller might get deployed to environments where cert-manager is not available or it's simply limit its dependencies.
As a solution, I can either write and maintain my own webhook controller (possibly with reconciler.io/runtime), or I use knative.dev/pkg’s. For example, github.com.vmware-tanzu/servicebinding use knative.dev/pkg for its webhooks. However, since this is a common, cross-cutting concern it would be nice if I could rely on a solution that supported and proven.
Knative’s webhook controllers aren’t straightforward to integrate with a kubebuilder-style controller manager. And knative.dev/pkg would be yet another dependency. Furthermore, iirc knative.dev/pkg has no stable/versioned public API.
Maybe such webhook controllers could be offered by reconciler.io/runtime itself or a sibling, say reconciler.io/webhooks. Furthermore, offering controller for webhooks (to eliminate a dependency of cert-manager) would present an additional adoption path for reconciler.io/runtime.
Like knative.dev/pkg webhook controllers the solution must play well with leader election. It should support defaulting and validating webhooks. Annoyingly the solution would have to absorb all the PKI problems which cert-manager solves like renewal etc.
Different levels of fidelity are conceivable with everything possible in between:
- Do the bare minimum to facilitate TLS; update a TLS
Secret and *WebhookConfiguration.webhooks.clientConfig.caBundle
- Also keep rules in-sync; updates TLS
Secret and *WebhookConfiguration.webhooks.{clientConfig.caBundle, rules}
- Manage all involved resources' complete lifecycle; create-update TLS
Secret and *WebhookConfiguration
To facilitate TLS for webhooks it is common to rely on cert-manager APIs. It's easy to issue a certificate, mount it into one's controller and let cert-manager inject the CA bundle into the
*WebhookConfiguration. However, often one doesn't want to depend on cert-manager APIs. Maybe the controller might get deployed to environments where cert-manager is not available or it's simply limit its dependencies.As a solution, I can either write and maintain my own webhook controller (possibly with
reconciler.io/runtime), or I useknative.dev/pkg’s. For example, github.com.vmware-tanzu/servicebinding useknative.dev/pkgfor its webhooks. However, since this is a common, cross-cutting concern it would be nice if I could rely on a solution that supported and proven.Knative’s webhook controllers aren’t straightforward to integrate with a kubebuilder-style controller manager. And
knative.dev/pkgwould be yet another dependency. Furthermore, iircknative.dev/pkghas no stable/versioned public API.Maybe such webhook controllers could be offered by
reconciler.io/runtimeitself or a sibling, sayreconciler.io/webhooks. Furthermore, offering controller for webhooks (to eliminate a dependency of cert-manager) would present an additional adoption path forreconciler.io/runtime.Like
knative.dev/pkgwebhook controllers the solution must play well with leader election. It should support defaulting and validating webhooks. Annoyingly the solution would have to absorb all the PKI problems which cert-manager solves like renewal etc.Different levels of fidelity are conceivable with everything possible in between:
Secretand*WebhookConfiguration.webhooks.clientConfig.caBundleSecretand*WebhookConfiguration.webhooks.{clientConfig.caBundle, rules}Secretand*WebhookConfiguration