pkg icon indicating copy to clipboard operation
pkg copied to clipboard

Published 20 hours ago verified publisher icon knative

Supporting reading TLS data from places other than Kubernetes Secrets

Open munnerz opened this issue 4 years ago • 8 comments

When deploying a webhook, it may be desirable to not make use of the certificates controller (for generating a TLS certificate for the webhook), nor reading the TLS data from a Kubernetes secret (e.g. in the case where some form of TLS certificate/identity document is already available within the webhook pod).

It is already possible to not instantiate the certificate controller (by excluding it from the call to sharedmain.WebhookMainWithConfig, however the webhook.Run method explicitly sets the GetCertificate field on the http.Server to one that requires a Secret lister to function: https://github.com/knative/pkg/blob/b0c121fb667f02e7536b09790b2507842b7300dd/webhook/webhook.go#L187-L206

Ideally, this would be one of a number of optional mechanisms for loading TLS certificate data. This would increase the flexibility of the knative.dev/pkg package.

I'm considering whether we should simply allow setting GetCertificate directly, however changes are needed to webhook.New which currently fetches the SecretInformer from the SharedInformerFactory (thereby causing the informer factory to require read permission on secrets to start): https://github.com/knative/pkg/blob/b0c121fb667f02e7536b09790b2507842b7300dd/webhook/webhook.go#L110-L115

I think we could introduce a new NewWithCertificateSource or something, which would allow a user to override this behaviour (and the existing behaviour of the New function could be retained without breaking Go API compatibility).

/kind feature

munnerz avatar Dec 17 '20 11:12 munnerz

Ack! I need the very same thing, where my cluster has already mechanisms to come up with certificates that I'd like to mount for the webhook to "just" pick up.

I'd love to see those as commandline options for webhooks generically too, so existing webhooks (like in Knative Serving) can be altered to do things differently.

markusthoemmes avatar Dec 17 '20 11:12 markusthoemmes

I think defining an interface to encapsulate the webhook's needs and having something like the certificate controller implement that as one option would be a welcome refactor (I was talking about this a while back with someone 🤔 ). With that, it should be straightforward to add new strategies.

cc @dprotaso for thoughts.

mattmoor avatar Jan 22 '21 14:01 mattmoor

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.

github-actions[bot] avatar Apr 23 '21 01:04 github-actions[bot]

/remove-lifecycle stale

dprotaso avatar May 03 '21 17:05 dprotaso

Imma going to take a whack at this one.

/assign

markusthoemmes avatar May 25 '21 08:05 markusthoemmes

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.

github-actions[bot] avatar Aug 24 '21 01:08 github-actions[bot]

/lifecycle frozen

dprotaso avatar Sep 23 '21 01:09 dprotaso

/unassign

not doing this rn.

markusthoemmes avatar Oct 05 '21 13:10 markusthoemmes