[feature request] use `kube-webhook-certgen` manage webhook certificate
What would you like to be added:
Use kube-webhook-certgen to generate webhook certificates, like [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/main/charts/ingress-nginx/templates/admission-webhooks) or kubevela.
Why is this needed: yurt-app-manager and raven-controller-manager implement certificate generation by themselves, which is not easy to maintain. Detailed code is shown in file webhook_controller.go
Others:
/kind feature
/assign @kadisi @zzguang @DrmagicE @njucjc
@huiwq1990 It looks like we will import a new component (kube-webhook-certgen) into the OpenYurt cluster if we use kube-webhook-certgen to generate webhook certificates. So would you be able to introduce the differences and advantages of kube-webhook-certgen?
@rambohe-ch: GitHub didn't allow me to assign the following users: zzguang, DrmagicE, njucjc.
Note that only openyurtio members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. For more information please see the contributor guide
In response to this:
> /assign @kadisi @zzguang @DrmagicE @njucjc
> @huiwq1990 It looks like we will import a new component (kube-webhook-certgen) into the OpenYurt cluster if we use kube-webhook-certgen to generate webhook certificates. So would you be able to introduce the differences and advantages of kube-webhook-certgen?
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@huiwq1990 Maybe we can discuss this issue in the next community meeting.
Ok, I will attend a meeting.
@rambohe-ch @huiwq1990 Sounds like we would have at least four repos in need of cert generation for webhooks (openyurt, yurt-app-manager, raven, pool-coordinator). We do need a common API for this. How do we do that? We have these choices:
- Use https://github.com/jet/kube-webhook-certgen
- Add a new certs repo under openyurt.io
- Expose this part from yurt-app-manager
- Add an API repo for the whole OpenYurt, then add certs related functions into this repo.
Which one is the best?
@gnunu @rambohe-ch I recommend the first one. As:
- kube-webhook-certgen can patch k8s webhooks and generate certs for the https server;
- If we maintain the certs code, we need to cover it with unit tests, and there is no difference in the implementing mechanisms;
- Some famous projects use it too; it's relatively mature.
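As an added illustration of what "patch k8s webhooks and generate certs" means in practice (this is not code from OpenYurt, kubevela or ingress-nginx), here is the pair of Jobs a chart typically runs around the webhook deployment; every resource name, the namespace and the image tag are assumed placeholders.

```yaml
# Added example, not code from the OpenYurt repos: the two-phase flow kube-webhook-certgen
# runs as Helm hook Jobs. Names (yurt-app-manager-webhook, kube-system, Service/Secret
# names, image tag) are assumed placeholders. Phase 1 "create": generate a self-signed CA
# and a serving cert for the webhook Service and store them in a Secret the server mounts.
apiVersion: batch/v1
kind: Job
metadata:
  name: yurt-app-manager-webhook-create
  namespace: kube-system
spec:
  template:
    spec:
      restartPolicy: OnFailure
      serviceAccountName: yurt-app-manager-webhook-certgen  # RBAC: get/create secrets
      containers:
        - name: create
          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0
          args:
            - create
            # SANs must cover the DNS names the apiserver uses to reach the Service
            - --host=yurt-app-manager-webhook,yurt-app-manager-webhook.kube-system.svc
            - --namespace=kube-system
            - --secret-name=yurt-app-manager-webhook-certs
---
# Phase 2 "patch": read the CA from that Secret and write it into caBundle of the
# webhook configuration, so the apiserver trusts the serving cert from phase 1.
apiVersion: batch/v1
kind: Job
metadata:
  name: yurt-app-manager-webhook-patch
  namespace: kube-system
spec:
  template:
    spec:
      restartPolicy: OnFailure
      serviceAccountName: yurt-app-manager-webhook-certgen  # RBAC: get/update webhookconfigurations
      containers:
        - name: patch
          image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0
          args:
            - patch
            - --webhook-name=yurt-app-manager-webhook  # (Mutating|Validating)WebhookConfiguration name
            - --namespace=kube-system
            - --secret-name=yurt-app-manager-webhook-certs
            - --patch-mutating=true
            - --patch-validating=true
            - --patch-failure-policy=Fail  # reject requests if the webhook is unreachable
```

The `create` step leaves an existing Secret untouched, so re-running the chart keeps the current key pair rather than rotating it. The ServiceAccount is the part worth reviewing: the patch Job must be allowed to update cluster-scoped webhook configurations, which is a broader permission than the webhook server itself needs.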
https://github.com/kubevela/kubevela/discussions/4490 @rambohe-ch @gnunu the project already maintains the webhook patch function; we can follow it.
Someone posted the admissionregistration/v1beta1 issue in https://github.com/jet/kube-webhook-certgen/issues/30 . jet/kube-webhook-certgen does not want to solve it and recommends using https://github.com/kubernetes/ingress-nginx/tree/main/images/kube-webhook-certgen. So do we maintain the code ourselves?
@rambohe-ch @gnunu
@huiwq1990 I think it's not a good idea to maintain a kube-webhook-certgen repo in OpenYurt. If kubevela has maintained a repo, maybe we can use it or leverage it.
yurt-app-manager and yurt-edgex-manager have already used kube-webhook-certgen to manage webhook certificates.