feat(admission-controller): simplify certificate options
airadier committed Jul 20, 2023
1 parent 0dcb7c2 commit 01fb5ad
Showing 3 changed files with 2 additions and 43 deletions.
7 changes: 2 additions & 5 deletions charts/admission-controller/README.md
@@ -143,10 +143,7 @@ The following table lists the configurable parameters of the `admission-controll
| webhook.dryRun | Dry Run request | <code>false</code> |
| webhook.logLevel | Log Level - Valid Values are: error, info, debug, trace | <code>info</code> |
| webhook.ssl.reuseTLSSecret | Reuse existing TLS Secret during chart upgrade | <code>false</code> |
| webhook.ssl.ca.cert | For outbound connections (secure backend, proxy,...) <br/>And inbound connections to serve HttpRequests as Kubernetes Webhook. <br/>A PEM-encoded x509 certificate authority. <br/>If empty, a new CA will be autogenerated. | <code>""</code> |
| webhook.ssl.ca.key | For outbound connections (secure backend, proxy,...) <br/>A PEM-encoded private key of the certificate authority to use in the certificate generation. <br/>If empty, a new CA will be autogenerated. | <code>""</code> |
| webhook.ssl.cert | For inbound connections to serve HttpRequests as Kubernetes Webhook. <br/>A PEM-encoded x509 certificate signed by the CA. <br/>If empty, a new cert will be generated. <br/>If provided, it must be valid with the `webhook.ssl.ca`. <br/>If this is set, the key must also be provided. | <code>""</code> |
| webhook.ssl.key | For inbound connections to serve HttpRequests as Kubernetes Webhook. <br/>A PEM-encoded private key signed by the CA. <br/>If empty, a new key will be generated. <br/>If provided, it must be valid with the `webhook.ssl.ca`. <br/>If this is set, the cert must also be provided. | <code>""</code> |
| webhook.ssl.ca.cert | For outbound connections (secure backend, proxy,...) <br/>A PEM-encoded x509 certificate authority. | <code>""</code> |
| webhook.customEntryPoint | Custom entrypoint for the webhook <br/>Remember to provide the webhook valid arguments with `--tls_cert_file` and `--tls_private_key_file`. <br/>default: /bin/webhook --tls_cert_file /cert/tls.crt --tls_private_key_file /cert/tls.key | <code>[]</code> |
| webhook.http.port | HTTP serve port where the requests will be served from | <code>5000</code> |
| scc.create | Enable the creation of Security Context Constraints in Openshift | <code>true</code> |
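Review bot: the replacement `webhook.ssl.ca.cert` row drops the sentence saying what happens when the value is empty, and after this hunk the README no longer tells operators that the webhook's inbound serving certificate and its CA are always generated by the chart (the removed `webhook.ssl.cert` / `webhook.ssl.key` rows were the only place that said a custom serving certificate could be supplied). Suggest stating the empty-value behaviour for the outbound CA, and adding either a sentence to the `webhook.ssl.reuseTLSSecret` row or a note above the table that the serving certificate is chart-generated and that `webhook.ssl.cert` / `webhook.ssl.key` set by users of earlier releases will be ignored.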
@@ -176,7 +173,7 @@ The following table lists the configurable parameters of the `admission-controll
| scanner.priorityClassName | priorityClassName config for the scanner | <code></code> |
| scanner.tolerations | Tolerations for scheduling for the scanner | <code>[]</code> |
| scanner.affinity | Configure affinity rules for the scanner | <code>{}</code> |
| scanner.ssl.ca.cert | For outbound connections (secure backend, proxy,...). <br/>A PEM-encoded x509 certificate authority. <br/>If empty, a new CA will be autogenerated. | <code>""</code> |
| scanner.ssl.ca.cert | For outbound connections (secure backend, proxy,...). <br/>A PEM-encoded x509 certificate authority. | <code>""</code> |
| scanner.customEntryPoint | Custom entrypoint for the scanner. <br/>Remember to provide the scanner valid arguments with `--server_port` and optionally `--auth_secure_token` <br/>default: /inline-scan-service --server_port=8080 | <code>[]</code> |


19 changes: 0 additions & 19 deletions charts/admission-controller/templates/_helpers.tpl
@@ -161,15 +161,10 @@ Create the name of the service account to use
Generate certificates for aggregated api server
*/}}

{{- $cert := genCA ( printf "%s.%s.svc" (include "admissionController.webhook.fullname" .) .Release.Namespace ) 3650 -}}

{{- define "admissionController.webhook.gen-certs" -}}
{{- $secretName := printf "%s-tls" (include "admissionController.webhook.fullname" .) -}}
{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
{{- $ca := genCA (include "admissionController.webhook.fullname" .) 3650 -}}
{{- if (and .Values.webhook.ssl.ca.cert .Values.webhook.ssl.ca.key) -}}
{{- $ca = buildCustomCert (.Values.webhook.ssl.ca.cert | b64enc) (.Values.webhook.ssl.ca.key | b64enc) -}}
{{- end -}}

{{- $cn := printf "%s.%s.svc" (include "admissionController.webhook.fullname" .) .Release.Namespace -}}
{{- $san := list $cn -}}
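Review bot: with the `buildCustomCert` branch gone, `$ca := genCA (include "admissionController.webhook.fullname" .) 3650` is the only source of the webhook CA, so every render that does not take the reuse path keyed on the `lookup` of `$secretName` two lines earlier mints a fresh CA and serving certificate; `lookup` also returns nothing under `helm template` and `--dry-run`, so a template-based diff will always show a rotated certificate. A comment on the define saying that the CA and certificate are generated per install and must be carried in lockstep with the webhook configuration's CA bundle would save the next reader a surprise. Dropping the stray top-level `$cert := genCA ...` is a good catch: declared outside any define, it was not visible inside `admissionController.webhook.gen-certs` and could only produce an unused key pair.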
@@ -257,20 +252,6 @@ Create the name of the service account to use
{{ default (include "admissionController.scanner.fullname" .) .Values.serviceAccounts.scanner.name }}
{{- end -}}

{{/*
Generate certificates for aggregated api server
*/}}

{{- $cert := genCA ( printf "%s.%s.svc" (include "admissionController.scanner.fullname" .) .Release.Namespace ) 3650 -}}

{{- define "admissionController.scanner.gen-certs" -}}
{{- $ca := genCA (include "admissionController.scanner.fullname" .) 3650 -}}
{{- $cn := printf "%s.%s.svc" (include "admissionController.scanner.fullname" .) .Release.Namespace -}}
{{- $san := list $cn -}}
{{- $cert := genSignedCert $cn nil $san 3650 $ca -}}
{{- printf "%s$%s$%s" ($cert.Cert | b64enc) ($cert.Key | b64enc) ($ca.Cert | b64enc) -}}
{{- end -}}

{{/*
Allow overriding registry and repository for air-gapped environments
*/}}
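Review bot: this hunk deletes `admissionController.scanner.gen-certs` entirely, but the commit touches no other template (three files changed: README, `_helpers.tpl`, `values.yaml`), so any remaining `include "admissionController.scanner.gen-certs"` in the scanner manifests would now fail at render time with a template-not-found error. Please confirm with a grep over `charts/admission-controller/templates` that the define was already unreferenced, and if the scanner's serving certificate previously came from this helper, state in the commit message where it comes from now.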
19 changes: 0 additions & 19 deletions charts/admission-controller/values.yaml
@@ -220,26 +220,8 @@ webhook:
reuseTLSSecret: false
ca:
# For outbound connections (secure backend, proxy,...)
# <br/>And inbound connections to serve HttpRequests as Kubernetes Webhook.
# <br/>A PEM-encoded x509 certificate authority.
# <br/>If empty, a new CA will be autogenerated.
cert: ""
# For outbound connections (secure backend, proxy,...)
# <br/>A PEM-encoded private key of the certificate authority to use in the certificate generation.
# <br/>If empty, a new CA will be autogenerated.
key: ""
# For inbound connections to serve HttpRequests as Kubernetes Webhook.
# <br/>A PEM-encoded x509 certificate signed by the CA.
# <br/>If empty, a new cert will be generated.
# <br/>If provided, it must be valid with the `webhook.ssl.ca`.
# <br/>If this is set, the key must also be provided.
cert: ""
# For inbound connections to serve HttpRequests as Kubernetes Webhook.
# <br/>A PEM-encoded private key signed by the CA.
# <br/>If empty, a new key will be generated.
# <br/>If provided, it must be valid with the `webhook.ssl.ca`.
# <br/>If this is set, the cert must also be provided.
key: ""

# Custom entrypoint for the webhook
# <br/>Remember to provide the webhook valid arguments with `--tls_cert_file` and `--tls_private_key_file`.
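Review bot: removing `webhook.ssl.ca.key`, `webhook.ssl.cert` and `webhook.ssl.key` is a silent breaking change. Helm does not reject values the chart no longer declares, so a user who pinned a serving certificate issued by their own CA will upgrade without any error and end up with a chart-generated CA and certificate instead, and the webhook's CA bundle will change underneath them. Suggest a guard such as `{{- if or .Values.webhook.ssl.cert .Values.webhook.ssl.key .Values.webhook.ssl.ca.key }}{{ fail "webhook.ssl.cert, webhook.ssl.key and webhook.ssl.ca.key are no longer supported" }}{{- end }}` in the template (or a `values.schema.json` that sets `additionalProperties: false` under `webhook.ssl`), together with a major version bump of the chart and a changelog entry.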
@@ -348,7 +330,6 @@ scanner:
ca:
# For outbound connections (secure backend, proxy,...).
# <br/>A PEM-encoded x509 certificate authority.
# <br/>If empty, a new CA will be autogenerated.
cert: ""

# Custom entrypoint for the scanner.
