pkg icon indicating copy to clipboard operation
pkg copied to clipboard

Published 20 hours ago verified publisher icon knative

Extend secret reading for webhook certificates

Open skonto opened this issue 4 years ago • 4 comments

Webhook Certificates reconciler's logic will update secrets contents if the secret is expired or if the secret is empty. We start with an empty secret so the reconciler can generate its contents. This is an internal process. There is a hardcoded value for renewal (1 day).

However there are two candidate use cases we may want to consider extending this logic for:

a) users operate their infra with specific certificates for all their stuff. Examples:

b) developers may want to use this repo for generic webhook development

This relates to: https://github.com/knative/pkg/issues/1972 but that ticket is focused beyond secrets and here the goal is to add support for using a secret that already contains a certificate and it is externally managed. There are some options wrt to what flexibility to provide (assuming the reconciler is not removed from the picture):

a) Some validation could happen at the reconciler side as it is now eg. expiration logic to warn users. b) User provides a CA bundle and the reconciler creates the rest of the keys. c) User provides all certificates CA/TLS keys and so the reconciler can be used for validation.

Older slack discussion on this topic here.

/kind feature

skonto avatar Oct 05 '21 13:10 skonto

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.

github-actions[bot] avatar Jan 04 '22 01:01 github-actions[bot]

/reopen

skonto avatar Mar 08 '24 12:03 skonto

@skonto: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

knative-prow[bot] avatar Mar 08 '24 12:03 knative-prow[bot]

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.

github-actions[bot] avatar Jun 07 '24 01:06 github-actions[bot]