diff --git a/charts/admission-controller/Chart.yaml b/charts/admission-controller/Chart.yaml
index feafb5cb2..5df3b1e70 100644
--- a/charts/admission-controller/Chart.yaml
+++ b/charts/admission-controller/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: admission-controller
description: Sysdig Admission Controller using Sysdig Secure inline image scanner
type: application
-version: 0.11.4
+version: 0.11.5
appVersion: 3.9.24
home: https://sysdiglabs.github.io/admission-controller/
icon: https://avatars.githubusercontent.com/u/5068817?s=200&v=4
diff --git a/charts/admission-controller/README.md b/charts/admission-controller/README.md
index 81a55d3fe..67c757ed5 100644
--- a/charts/admission-controller/README.md
+++ b/charts/admission-controller/README.md
@@ -23,7 +23,7 @@ $ pre-commit run -a
$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
- --create-namespace -n sysdig-admission-controller --version=0.11.4 \
+ --create-namespace -n sysdig-admission-controller --version=0.11.5 \
--set clusterName=CLUSTER_NAME \
--set sysdig.secureAPIToken=SECURE_API_TOKEN
```
@@ -55,7 +55,7 @@ This chart deploys the Sysdig Admission Controller on a [Kubernetes](http://kube
To install the chart with the release name `admission-controller`:
```console
-$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller -n sysdig-admission-controller --version=0.11.4
+$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller -n sysdig-admission-controller --version=0.11.5
```
The command deploys the Sysdig Admission Controller on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
@@ -143,10 +143,7 @@ The following table lists the configurable parameters of the `admission-controll
| webhook.dryRun | Dry Run request | false
|
| webhook.logLevel | Log Level - Valid Values are: error, info, debug, trace | info
|
| webhook.ssl.reuseTLSSecret | Reuse existing TLS Secret during chart upgrade | false
|
-| webhook.ssl.ca.cert | For outbound connections (secure backend, proxy,...)
And inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded x509 certificate authority.
If empty, a new CA will be autogenerated. | ""
|
-| webhook.ssl.ca.key | For outbound connections (secure backend, proxy,...)
A PEM-encoded private key of the certificate authority to use in the certificate generation.
If empty, a new CA will be autogenerated. | ""
|
-| webhook.ssl.cert | For inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded x509 certificate signed by the CA.
If empty, a new cert will be generated.
If provided, it must be valid with the `webhook.ssl.ca`.
If this is set, the key must also be provided. | ""
|
-| webhook.ssl.key | For inbound connections to serve HttpRequests as Kubernetes Webhook.
A PEM-encoded private key signed by the CA.
If empty, a new key will be generated.
If provided, it must be valid with the `webhook.ssl.ca`.
If this is set, the cert must also be provided. | ""
|
+| webhook.ssl.ca.cert | For outbound connections (secure backend, proxy,...)
A PEM-encoded x509 certificate authority. | ""
|
| webhook.customEntryPoint | Custom entrypoint for the webhook
Remember to provide the webhook valid arguments with `--tls_cert_file` and `--tls_private_key_file`.
default: /bin/webhook --tls_cert_file /cert/tls.crt --tls_private_key_file /cert/tls.key | []
|
| webhook.http.port | HTTP serve port where the requests will be served from | 5000
|
| scc.create | Enable the creation of Security Context Constraints in Openshift | true
|
@@ -176,7 +173,7 @@ The following table lists the configurable parameters of the `admission-controll
| scanner.priorityClassName | priorityClassName config for the scanner |
|
| scanner.tolerations | Tolerations for scheduling for the scanner | []
|
| scanner.affinity | Configure affinity rules for the scanner | {}
|
-| scanner.ssl.ca.cert | For outbound connections (secure backend, proxy,...).
A PEM-encoded x509 certificate authority.
If empty, a new CA will be autogenerated. | ""
|
+| scanner.ssl.ca.cert | For outbound connections (secure backend, proxy,...).
A PEM-encoded x509 certificate authority. | ""
|
| scanner.customEntryPoint | Custom entrypoint for the scanner.
Remember to provide the scanner valid arguments with `--server_port` and optionally `--auth_secure_token`
default: /inline-scan-service --server_port=8080 | []
|
@@ -184,7 +181,7 @@ Specify each parameter using the **`--set key=value[,key=value]`** argument to `
```console
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
- --create-namespace -n sysdig-admission-controller --version=0.11.4 \
+ --create-namespace -n sysdig-admission-controller --version=0.11.5 \
--set sysdig.secureAPIToken=YOUR-KEY-HERE,clusterName=YOUR-CLUSTER-NAME
```
@@ -193,7 +190,7 @@ installing the chart. For example:
```console
$ helm upgrade --install sysdig-admission-controller sysdig/admission-controller \
- --create-namespace -n sysdig-admission-controller --version=0.11.4 \
+ --create-namespace -n sysdig-admission-controller --version=0.11.5 \
--values values.yaml
```
diff --git a/charts/admission-controller/ci/custom-ca-and-certs-values.yaml.template b/charts/admission-controller/ci/custom-ca-and-certs-values.yaml.template
deleted file mode 100644
index 124188850..000000000
--- a/charts/admission-controller/ci/custom-ca-and-certs-values.yaml.template
+++ /dev/null
@@ -1,102 +0,0 @@
-sysdig:
- secureAPIToken: ${SECURE_API_TOKEN}
-clusterName: CI-Cluster
-webhook:
- ssl:
- ca:
- cert: |
- -----BEGIN CERTIFICATE-----
- MIIC5zCCAc+gAwIBAgIJAPzgoOe8gf7eMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV
- BAMTFXN5c2RpZy1leGFtcGxlLWNoYXJ0czAeFw0yMjAxMjEwOTQxMzVaFw0zMjAx
- MTkwOTQxMzVaMCAxHjAcBgNVBAMTFXN5c2RpZy1leGFtcGxlLWNoYXJ0czCCASIw
- DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhqr9oTv+AD7wP1RoBu3RPdthYK
- 4BEizy4+Eh2lSCNnbSWTy172V181I7mEcDvnddTWz895BkVTRrSwyjCh25/pNxJJ
- 7mKAT4Xo11X5d8gbKXJoR8kutFVoAsY0bHi5TQ1uCIC6w67GQVsphmaSanfrD06z
- dYbyuRmGuHaffECp7RvOrAuaxyG4jOgDRk7e9SV38Rs4knv7cDT9C91kpVlZEEDv
- 7wCOgLPEdxddClLB1OCRNQERXaAHfz18yWtUQW5ZWS8PuCTlNhC8g5PghqHDobhf
- Fc9zD6BoK+YO8TSVWNOIll+1RlOEBtEsCGHZ3RcvXNDu+wBaYP1MqtG2vFUCAwEA
- AaMkMCIwIAYDVR0RBBkwF4IVc3lzZGlnLWV4YW1wbGUtY2hhcnRzMA0GCSqGSIb3
- DQEBBQUAA4IBAQC3DHjxyWKwtqzU2KfJc+wVqsTPdyzc/fQUpvkkD84avNycmiZP
- mJALph/IMlZ8leYi+kbH4egMHmRutmpLV2cOjozYKEBeqBhPesKbFSxRHW2iNJSr
- l4lFyg1Y8TTMdr9wjxu8TkIzP9p4NQgajPLD8VsxSKSe5azRA5i3oUzk5Edn13Yj
- WirNI49DZYXaxrx5xGkKLZ6++IFwQFXOit7yvE1eQQIsZrDAEyU/KXp9kbyxlQwZ
- gfE2elzgom9LZuSB33qIPASwtunelTHnKJPadBbYL3V7W33+DtGl2NhK1pGn07w2
- HKqPVSj3/vnCWV/miAs8BgJz+RrphtegNnAd
- -----END CERTIFICATE-----
- key: |
- -----BEGIN RSA PRIVATE KEY-----
- MIIEowIBAAKCAQEAyGqv2hO/4APvA/VGgG7dE922FgrgESLPLj4SHaVII2dtJZPL
- XvZXXzUjuYRwO+d11NbPz3kGRVNGtLDKMKHbn+k3EknuYoBPhejXVfl3yBspcmhH
- yS60VWgCxjRseLlNDW4IgLrDrsZBWymGZpJqd+sPTrN1hvK5GYa4dp98QKntG86s
- C5rHIbiM6ANGTt71JXfxGziSe/twNP0L3WSlWVkQQO/vAI6As8R3F10KUsHU4JE1
- ARFdoAd/PXzJa1RBbllZLw+4JOU2ELyDk+CGocOhuF8Vz3MPoGgr5g7xNJVY04iW
- X7VGU4QG0SwIYdndFy9c0O77AFpg/Uyq0ba8VQIDAQABAoIBADBEwaWcLBIf4Gjr
- odc83DH0q+4TIHQAFjXk7SgGrqEYP8lVFx3/5nsfqUL9CqrizBY+xj4Jv+DidZz/
- FzMvSF3zJThaZfeDP6PYuEQUmSywngLX6rIhdX08V6604YsR1eTuI04drRNi3ErA
- bYY2rT3EdyNVRXEC9GGZeMPZFWvdFAoiLYud+hVcBNiBGvgvg1eSleXMlJnG0PN6
- Mw6FYXKRKvaI1yWwY/O2SCBf+/kn60Bd3K4uMNDCALZcx6oMxLPg14jWCMwN8bqE
- QrG7eu7VE+6ZJr5YtS9PVI3f8YjYPz+ipq6ZXZ/AXKtACjw/DUlM5UOiVUCJMyxq
- VJIPAuECgYEA4+gLd+5+6pzqG8Um9Qyk7GIOvaTjDTy3aSrdqygWXkkPEBjOxiQz
- yxY3sA7TwSIwO6eVDXGXjMyuhxdJDFrKwvTdJE2wRS281YoObb3OKJBb4kAzij8M
- jmPooT1kSHzym+7fKI7Ipwq8NLydOpVa+qEe6FVbabsCzvVzPDKEMfsCgYEA4R8p
- MY3vhgzRIYZp0fOOkzkhGaKrP1ZvlG5/zpifoeQAV3wEZHDMNyu4s3ZvIqKOrCll
- j45C8nLEQAaVWAHNokaIWQ3JjzeqKicV7o3UZnbe8eIYQVqxLzulfwbLG0Z2nuwo
- GAetwQBpa2Ne1inEJaq1Q0xadl2hd/1ADLfKye8CgYBU31dWBHUzPdhZGySU4W6R
- sTq4GS2NAm1zNslyMe2SkzaO0g4+78ByAwYeBIeLRwYbUR9K8GB1yMu990f21+Dm
- lXW9TUk1mgDWrSEOcT7TEF+HdE09UJmGdWJumYQ9Enru4xgr7HCA9Jh+MzeCV5iX
- +WSfNRpj14cGN5YAdveP/QKBgQDYMM2lijIBIOPhdyy+dFBycAWqkb41CDQFboyM
- gaOjm8r8ONwa/PwQ64rnxY/6yfOLwAGJeEwweyied/QJ3Ul2Upf0NbpgMEvZSUnV
- mxzj/boivkce1BKeUoCfWY3JtsSJ4C6szQr+8v9KItbbgqacqbCDXZruWwKKsYlF
- 7WbwvwKBgE+YoUGm6A5bnIZDK6ak/Ln0Md4vHJe5NFqBqJIaOv2tkibTlMPkYr7U
- KVl9Td1idmSvscgNJsbKacwQ6VmCj6juaLS+dFjKmJxyr6XleH4Bzy47WgBFLTt/
- hm767Sr8DUbKmVQfDACehweVvqC/wKKVc2Y0FCAvt90IQfMsF5sk
- -----END RSA PRIVATE KEY-----
- cert: |
- -----BEGIN CERTIFICATE-----
- MIIDWjCCAkKgAwIBAgIRAP2yMVPZm0hoIbHvPT5R7RAwDQYJKoZIhvcNAQELBQAw
- IDEeMBwGA1UEAxMVc3lzZGlnLWV4YW1wbGUtY2hhcnRzMB4XDTIyMDEyMTA5NTAx
- MloXDTMyMDExOTA5NTAxMlowNzE1MDMGA1UEAxMsZm9vLWFkbWlzc2lvbi1jb250
- cm9sbGVyLXdlYmhvb2suZGVmYXVsdC5zdmMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
- DwAwggEKAoIBAQDabzF6z6K6rxIFp8zp0VzGxzOpKl1b5oXwRP9JE1kh/LHH4bHO
- KxJnQBA2PsYXiM2NC7JNI1oMsEEb/wZA2O54V/wNO+M0shIDJ/gwFavIreAfEX2H
- SRWO4Eqqhes7XzTbStSzCNp7DU1ganeRx3L3kxDXa5oW5EYW6NtHWBdn6+bUnI5A
- zDI4uY+F7Mfw/UiZno5X4BMC6jSMiY64+S2Neal096kzRvKlvZ5L+gn0ILZdjmnM
- MCQ4Ek7ZmFbbVSgxnsi1chSuQLTkexBsq8Gin172z+metyxDcB2oD/AOTT+5TnLf
- WDC5NXwOt17v3JH0ZL+7HduaTlzRZUhrzSy9AgMBAAGjeDB2MA4GA1UdDwEB/wQE
- AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw
- ADA3BgNVHREEMDAugixmb28tYWRtaXNzaW9uLWNvbnRyb2xsZXItd2ViaG9vay5k
- ZWZhdWx0LnN2YzANBgkqhkiG9w0BAQsFAAOCAQEArTArbCNfcqQ9pXn0sLd84y7b
- ilw7xklKtgLJXRvB/ZuL/7j2OVBx0qcwBK+EXOBXk8oeExDF8tgJkH9c4zdxXQOM
- Vcz2XRdYsvDEel5CIzf35o1Zym1gEHXtyz1cg98bvIQ7uNhbn22gOpcMTqz6nyjp
- RrY+Sllb3bu8yN6l4Pu+/vBFhVFCekC5rcljpyQDhPyb9SIlt9AURzBr2XBYk4xW
- IRPxAMt8OV1R9Tynjhl0poat0CoWup8KfCMpDMu8K2hZXz4T9bDW9F/EKSqf3crA
- /tnNN7uCcmsJETyj0nACklRqIb4LpodKDIlJjctzCGp4AcUFjhmotpQUG/+v+A==
- -----END CERTIFICATE-----
- key: |
- -----BEGIN RSA PRIVATE KEY-----
- MIIEowIBAAKCAQEA2m8xes+iuq8SBafM6dFcxsczqSpdW+aF8ET/SRNZIfyxx+Gx
- zisSZ0AQNj7GF4jNjQuyTSNaDLBBG/8GQNjueFf8DTvjNLISAyf4MBWryK3gHxF9
- h0kVjuBKqoXrO18020rUswjaew1NYGp3kcdy95MQ12uaFuRGFujbR1gXZ+vm1JyO
- QMwyOLmPhezH8P1ImZ6OV+ATAuo0jImOuPktjXmpdPepM0bypb2eS/oJ9CC2XY5p
- zDAkOBJO2ZhW21UoMZ7ItXIUrkC05HsQbKvBop9e9s/pnrcsQ3AdqA/wDk0/uU5y
- 31gwuTV8Drde79yR9GS/ux3bmk5c0WVIa80svQIDAQABAoIBAQDV9G4xziml1A/C
- DF+Rcyn95ma6vy1c9AqjkuG+8T2wJbT5hR9FQzkuezil+YzMxooYKqnGFueAYDAW
- PREh+ZpztDLFv7BIEFfGUaMvbjqqQW2y4M3k8ng0T4uzRaNor1O1rLF0gCqItzng
- Q8jEuOjqiVnIt7Ph0ky46fLHCgk7Fq28blpvfJ8Mpv7ECF3KdtweQgK2csOiD30n
- yaujST/g+Y9jUfXX2ufCUBzbTdWUoMqOFamNe7Vk0u9vvwYnnh/HqJPDeG/U/L0Z
- sszk7sujiMWEAYfIXF6HMNpk39ztBGft4sF8/TAcaw9WvioHXzZgQ6QSG/fnrV/a
- DMtM6VQ9AoGBAPNagbmTmw9qzu3CqAvlzRLNBg87V1haZSnt5oqSHdrp2YHG6j8O
- qLkayJ2t81Y7ar9VXvEzkt/wUruGlMWZcxNJ9Be7XmyI3vG3Wv6W0fdyY6zxSOfI
- WMbm9kD0FaAs4fSHVI3GoZmMCro8qgsXoR1sanT8EJvTlH/8HNS/dx7PAoGBAOXJ
- K4ZjpkTBwtF6kC8ImwJ/WBlN/K/nRiJjC5E16GUM/XfYu/rDfvbvTpNba5cbIObZ
- aeJmhz/mO6wWPUccQmzvtIEIgy/xXEhXSFRzl6CFT5xzl13fTRrCjPlhs2wwCmsH
- sWNYR2KvLqiHkhaMH/J5NMhBvdISkG/70v8kS76zAoGANhoHASTpsjHCs2U1Sv/Z
- 6bYfBL/imUfvebTkLiZx8LtQmeOJLF+r7wsfUr7bfG5VOxhVtTYMDzE0k3BGHvAQ
- f1dPpv8G7QY42nAzEKqjH2oU8tvpo24NHps2YBZjwGp6CY0UpThlsOdLc0ANZc3p
- CcuSl1N6tcoCF7oLBtlSOE0CgYAAweD62Gk74MebmSPQg96+61yG+NLUYZbBlkH7
- gIn7i0dqlbRI50wL1E4V/j8kiFpbaGwI6v2XIFMiBhC9o0I0ybV2l2iXR9xeAKuk
- W50sUkQo59if3pSKegms6L2GpcHjCGt1QF073gfxVkENAfk4+11JK65MevMu602O
- ubfmMQKBgC2hLEXizXZ0TO6F2RgFD0pvSbGnpa+00TflowXKMdPNA4tDIlhTtZ/x
- NIs1ZDu6T8ZgD/eOFm+/gWrbNK/K6ykLyFrKld8luR9q8I2JMuP+iZRaDUIHyYSm
- W/ODsrxtCp/4n2herlzqLYufC4dFnrp5nFM8ekoAru53flNPvsCh
- -----END RSA PRIVATE KEY-----
diff --git a/charts/admission-controller/ci/custom-ca-values.yaml.template b/charts/admission-controller/ci/custom-ca-values.yaml.template
index 564af81b5..0abaa47b0 100644
--- a/charts/admission-controller/ci/custom-ca-values.yaml.template
+++ b/charts/admission-controller/ci/custom-ca-values.yaml.template
@@ -23,31 +23,3 @@ webhook:
gfE2elzgom9LZuSB33qIPASwtunelTHnKJPadBbYL3V7W33+DtGl2NhK1pGn07w2
HKqPVSj3/vnCWV/miAs8BgJz+RrphtegNnAd
-----END CERTIFICATE-----
- key: |
- -----BEGIN RSA PRIVATE KEY-----
- MIIEowIBAAKCAQEAyGqv2hO/4APvA/VGgG7dE922FgrgESLPLj4SHaVII2dtJZPL
- XvZXXzUjuYRwO+d11NbPz3kGRVNGtLDKMKHbn+k3EknuYoBPhejXVfl3yBspcmhH
- yS60VWgCxjRseLlNDW4IgLrDrsZBWymGZpJqd+sPTrN1hvK5GYa4dp98QKntG86s
- C5rHIbiM6ANGTt71JXfxGziSe/twNP0L3WSlWVkQQO/vAI6As8R3F10KUsHU4JE1
- ARFdoAd/PXzJa1RBbllZLw+4JOU2ELyDk+CGocOhuF8Vz3MPoGgr5g7xNJVY04iW
- X7VGU4QG0SwIYdndFy9c0O77AFpg/Uyq0ba8VQIDAQABAoIBADBEwaWcLBIf4Gjr
- odc83DH0q+4TIHQAFjXk7SgGrqEYP8lVFx3/5nsfqUL9CqrizBY+xj4Jv+DidZz/
- FzMvSF3zJThaZfeDP6PYuEQUmSywngLX6rIhdX08V6604YsR1eTuI04drRNi3ErA
- bYY2rT3EdyNVRXEC9GGZeMPZFWvdFAoiLYud+hVcBNiBGvgvg1eSleXMlJnG0PN6
- Mw6FYXKRKvaI1yWwY/O2SCBf+/kn60Bd3K4uMNDCALZcx6oMxLPg14jWCMwN8bqE
- QrG7eu7VE+6ZJr5YtS9PVI3f8YjYPz+ipq6ZXZ/AXKtACjw/DUlM5UOiVUCJMyxq
- VJIPAuECgYEA4+gLd+5+6pzqG8Um9Qyk7GIOvaTjDTy3aSrdqygWXkkPEBjOxiQz
- yxY3sA7TwSIwO6eVDXGXjMyuhxdJDFrKwvTdJE2wRS281YoObb3OKJBb4kAzij8M
- jmPooT1kSHzym+7fKI7Ipwq8NLydOpVa+qEe6FVbabsCzvVzPDKEMfsCgYEA4R8p
- MY3vhgzRIYZp0fOOkzkhGaKrP1ZvlG5/zpifoeQAV3wEZHDMNyu4s3ZvIqKOrCll
- j45C8nLEQAaVWAHNokaIWQ3JjzeqKicV7o3UZnbe8eIYQVqxLzulfwbLG0Z2nuwo
- GAetwQBpa2Ne1inEJaq1Q0xadl2hd/1ADLfKye8CgYBU31dWBHUzPdhZGySU4W6R
- sTq4GS2NAm1zNslyMe2SkzaO0g4+78ByAwYeBIeLRwYbUR9K8GB1yMu990f21+Dm
- lXW9TUk1mgDWrSEOcT7TEF+HdE09UJmGdWJumYQ9Enru4xgr7HCA9Jh+MzeCV5iX
- +WSfNRpj14cGN5YAdveP/QKBgQDYMM2lijIBIOPhdyy+dFBycAWqkb41CDQFboyM
- gaOjm8r8ONwa/PwQ64rnxY/6yfOLwAGJeEwweyied/QJ3Ul2Upf0NbpgMEvZSUnV
- mxzj/boivkce1BKeUoCfWY3JtsSJ4C6szQr+8v9KItbbgqacqbCDXZruWwKKsYlF
- 7WbwvwKBgE+YoUGm6A5bnIZDK6ak/Ln0Md4vHJe5NFqBqJIaOv2tkibTlMPkYr7U
- KVl9Td1idmSvscgNJsbKacwQ6VmCj6juaLS+dFjKmJxyr6XleH4Bzy47WgBFLTt/
- hm767Sr8DUbKmVQfDACehweVvqC/wKKVc2Y0FCAvt90IQfMsF5sk
- -----END RSA PRIVATE KEY-----
diff --git a/charts/admission-controller/templates/_helpers.tpl b/charts/admission-controller/templates/_helpers.tpl
index 633c39b32..7ff74cdf1 100644
--- a/charts/admission-controller/templates/_helpers.tpl
+++ b/charts/admission-controller/templates/_helpers.tpl
@@ -161,25 +161,17 @@ Create the name of the service account to use
Generate certificates for aggregated api server
*/}}
-{{- $cert := genCA ( printf "%s.%s.svc" (include "admissionController.webhook.fullname" .) .Release.Namespace ) 3650 -}}
-
{{- define "admissionController.webhook.gen-certs" -}}
{{- $secretName := printf "%s-tls" (include "admissionController.webhook.fullname" .) -}}
{{- $secret := lookup "v1" "Secret" .Release.Namespace $secretName -}}
- {{- $ca := genCA (include "admissionController.webhook.fullname" .) 3650 -}}
- {{- if (and .Values.webhook.ssl.ca.cert .Values.webhook.ssl.ca.key) -}}
- {{- $ca = buildCustomCert (.Values.webhook.ssl.ca.cert | b64enc) (.Values.webhook.ssl.ca.key | b64enc) -}}
- {{- end -}}
-
- {{- $cn := printf "%s.%s.svc" (include "admissionController.webhook.fullname" .) .Release.Namespace -}}
- {{- $san := list $cn -}}
- {{- $cert := genSignedCert $cn nil $san 3650 $ca -}}
- {{- if (and .Values.webhook.ssl.cert .Values.webhook.ssl.key) -}}
- {{- printf "%s$%s$%s" (.Values.webhook.ssl.cert | b64enc) (.Values.webhook.ssl.key | b64enc) ($ca.Cert | b64enc) -}}
- {{- else if and .Values.webhook.ssl.reuseTLSSecret $secret -}}
+ {{- if and .Values.webhook.ssl.reuseTLSSecret $secret -}}
{{- printf "%s$%s$%s" (index $secret.data "tls.crt") (index $secret.data "tls.key") (index $secret.data "ca.crt") -}}
{{- else -}}
+ {{- $ca := genCA (include "admissionController.webhook.fullname" .) 3650 -}}
+ {{- $cn := printf "%s.%s.svc" (include "admissionController.webhook.fullname" .) .Release.Namespace -}}
+ {{- $san := list $cn -}}
+ {{- $cert := genSignedCert $cn nil $san 3650 $ca -}}
{{- printf "%s$%s$%s" ($cert.Cert | b64enc) ($cert.Key | b64enc) ($ca.Cert | b64enc) -}}
{{- end -}}
{{- end -}}
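Review bot: Releases that still set `webhook.ssl.cert`, `webhook.ssl.key` or `webhook.ssl.ca.key` will now render without error and silently receive a chart-generated CA and serving certificate, because `admissionController.webhook.gen-certs` no longer reads those values and nothing rejects them. An operator upgrading from 0.11.4 could therefore believe the webhook still serves a certificate issued by their own PKI. Consider failing the render at the top of the define: `{{- if or .Values.webhook.ssl.cert .Values.webhook.ssl.key .Values.webhook.ssl.ca.key -}}{{- fail "webhook.ssl.cert, webhook.ssl.key and webhook.ssl.ca.key are no longer supported" -}}{{- end -}}`. Separately, the reuse branch passes `index $secret.data "ca.crt"` through unchecked, so a Secret missing that key would presumably produce an empty CA field in the output. Checking that all three keys are present before reusing the Secret would let that case fall back to regeneration.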
@@ -257,20 +249,6 @@ Create the name of the service account to use
{{ default (include "admissionController.scanner.fullname" .) .Values.serviceAccounts.scanner.name }}
{{- end -}}
-{{/*
-Generate certificates for aggregated api server
-*/}}
-
-{{- $cert := genCA ( printf "%s.%s.svc" (include "admissionController.scanner.fullname" .) .Release.Namespace ) 3650 -}}
-
-{{- define "admissionController.scanner.gen-certs" -}}
-{{- $ca := genCA (include "admissionController.scanner.fullname" .) 3650 -}}
-{{- $cn := printf "%s.%s.svc" (include "admissionController.scanner.fullname" .) .Release.Namespace -}}
-{{- $san := list $cn -}}
-{{- $cert := genSignedCert $cn nil $san 3650 $ca -}}
-{{- printf "%s$%s$%s" ($cert.Cert | b64enc) ($cert.Key | b64enc) ($ca.Cert | b64enc) -}}
-{{- end -}}
-
{{/*
Allow overriding registry and repository for air-gapped environments
*/}}
diff --git a/charts/admission-controller/values.yaml b/charts/admission-controller/values.yaml
index a8659473d..1149211af 100644
--- a/charts/admission-controller/values.yaml
+++ b/charts/admission-controller/values.yaml
@@ -220,26 +220,8 @@ webhook:
reuseTLSSecret: false
ca:
# For outbound connections (secure backend, proxy,...)
- #
And inbound connections to serve HttpRequests as Kubernetes Webhook.
#
A PEM-encoded x509 certificate authority.
- #
If empty, a new CA will be autogenerated.
cert: ""
- # For outbound connections (secure backend, proxy,...)
- #
A PEM-encoded private key of the certificate authority to use in the certificate generation.
- #
If empty, a new CA will be autogenerated.
- key: ""
- # For inbound connections to serve HttpRequests as Kubernetes Webhook.
- #
A PEM-encoded x509 certificate signed by the CA.
- #
If empty, a new cert will be generated.
- #
If provided, it must be valid with the `webhook.ssl.ca`.
- #
If this is set, the key must also be provided.
- cert: ""
- # For inbound connections to serve HttpRequests as Kubernetes Webhook.
- #
A PEM-encoded private key signed by the CA.
- #
If empty, a new key will be generated.
- #
If provided, it must be valid with the `webhook.ssl.ca`.
- #
If this is set, the cert must also be provided.
- key: ""
# Custom entrypoint for the webhook
#
Remember to provide the webhook valid arguments with `--tls_cert_file` and `--tls_private_key_file`.
@@ -348,7 +330,6 @@ scanner:
ca:
# For outbound connections (secure backend, proxy,...).
#
A PEM-encoded x509 certificate authority.
- #
If empty, a new CA will be autogenerated.
cert: ""
# Custom entrypoint for the scanner.