cert-manager / trust-manager

trust-manager is an operator for distributing trust bundles across a Kubernetes cluster.
https://cert-manager.io/docs/projects/trust-manager/
Apache License 2.0

Allow to specify admission webhooks CA from Bundle #340

Open qcattez opened 5 months ago

qcattez commented 5 months ago

When creating ValidatingWebhookConfiguration or MutatingWebhookConfiguration, we can specify the CA bundle to use in the ClientConfig: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#webhookclientconfig-v1-admissionregistration-k8s-io

However, those resources don't allow specifying the CA bundle from a Secret or ConfigMap (only inline). cert-manager tackles this problem by injecting the CA bundle into resources annotated with cert-manager.io/inject-ca-from: <namespace>/<certificate>.

So in order to provide the same functionality as cert-manager, it would be nice to introduce a trust-manager-ca-injector that would be responsible for injecting the CA bundle into resources annotated with trust.cert-manager.io/inject-ca-from: <namespace>/<bundle>.

qcattez commented 5 months ago

When looking into the cert-manager-ca-injector documentation, I found this: https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource

Thus allowing us to inject the CA bundle from a secret that would have been created by trust-manager.

Sorry for the inconvenience 🙏

qcattez commented 5 months ago

In the end, the use of the annotation cert-manager.io/inject-ca-from-secret allows us to specify a secret to define the CA for admission webhooks.

But the only thing missing for this feature to be achievable is to be able to add custom annotations on the secret created by the Bundle. For now, only the key can be specified: https://cert-manager.io/docs/trust/trust-manager/api-reference/#bundlespectargetsecret

It would be nice to be able to add the cert-manager.io/allow-direct-injection: "true" annotation on the created secret.
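The following is an added example, not code from trust-manager, cert-manager or the commenters: a preflight check, run over constructed in-memory manifests, that tells you whether a webhook configuration annotated with cert-manager.io/inject-ca-from-secret will actually get its caBundle injected. It encodes the requirement from the linked cainjector docs that the referenced Secret carry cert-manager.io/allow-direct-injection: "true", and it assumes (not stated on this page) that cainjector reads the CA from the Secret's ca.crt data key, which is the key you would set as the Bundle's target.secret.key. The first sample Secret is shaped like what a Bundle target produces today, with no annotations, so the check flags it; the second is the same Secret with the annotation the thread is asking for.

```python
"""Preflight check for cainjector's inject-ca-from-secret (added example, not
trust-manager or cert-manager code).

Assumptions:
  - a webhook configuration opts in with
      cert-manager.io/inject-ca-from-secret: <namespace>/<secret>
  - the referenced Secret must be annotated
      cert-manager.io/allow-direct-injection: "true"
  - cainjector reads the CA from the Secret's "ca.crt" key (assumed here;
    it is the value you would give the Bundle's target.secret.key).
"""
from typing import Dict, List, Tuple

INJECT_FROM_SECRET = "cert-manager.io/inject-ca-from-secret"
ALLOW_DIRECT_INJECTION = "cert-manager.io/allow-direct-injection"
CA_KEY = "ca.crt"  # assumed data key, see module docstring
WEBHOOK_KINDS = ("ValidatingWebhookConfiguration", "MutatingWebhookConfiguration")


def _secrets_by_ref(objects: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Index Secrets by (namespace, name) so annotation references can be resolved."""
    return {
        (o["metadata"]["namespace"], o["metadata"]["name"]): o
        for o in objects
        if o.get("kind") == "Secret"
    }


def check_webhook_injection(objects: List[dict]) -> List[str]:
    """Return one finding per webhook configuration whose CA injection cannot work.

    An empty list means every webhook that opted in to secret injection points
    at a Secret that exists, is annotated for direct injection, and has a CA key.
    Webhooks without the annotation are skipped: their caBundle is managed elsewhere.
    """
    secrets = _secrets_by_ref(objects)
    findings: List[str] = []
    for obj in objects:
        if obj.get("kind") not in WEBHOOK_KINDS:
            continue
        name = obj["metadata"]["name"]
        ref = obj["metadata"].get("annotations", {}).get(INJECT_FROM_SECRET)
        if ref is None:
            continue
        if "/" not in ref:
            findings.append(f"{name}: annotation value {ref!r} is not <namespace>/<secret>")
            continue
        ns, secret_name = ref.split("/", 1)
        secret = secrets.get((ns, secret_name))
        if secret is None:
            findings.append(f"{name}: referenced Secret {ref} does not exist")
            continue
        annotations = secret["metadata"].get("annotations", {})
        if annotations.get(ALLOW_DIRECT_INJECTION) != "true":
            # This is exactly the gap in the thread: a Bundle-created Secret
            # cannot carry this annotation yet, so cainjector ignores it.
            findings.append(
                f"{name}: Secret {ref} lacks {ALLOW_DIRECT_INJECTION}=\"true\"; "
                "cainjector will not inject from it"
            )
        if CA_KEY not in secret.get("data", {}):
            findings.append(f"{name}: Secret {ref} has no {CA_KEY!r} key")
    return findings


# Constructed sample manifests (not taken from any real cluster).
PLACEHOLDER_CA = "LS0tLS1CRUdJTi...constructed-placeholder"
SAMPLE_OBJECTS: List[dict] = [
    # As a Bundle target writes it today: the key is configurable, annotations are not.
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "my-bundle", "namespace": "webhook-ns"},
     "data": {CA_KEY: PLACEHOLDER_CA}},
    # The same Secret carrying the annotation the thread asks trust-manager to add.
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "my-bundle-annotated", "namespace": "webhook-ns",
                  "annotations": {ALLOW_DIRECT_INJECTION: "true"}},
     "data": {CA_KEY: PLACEHOLDER_CA}},
    {"apiVersion": "admissionregistration.k8s.io/v1", "kind": "ValidatingWebhookConfiguration",
     "metadata": {"name": "vwc-unannotated-secret",
                  "annotations": {INJECT_FROM_SECRET: "webhook-ns/my-bundle"}},
     "webhooks": []},
    {"apiVersion": "admissionregistration.k8s.io/v1", "kind": "MutatingWebhookConfiguration",
     "metadata": {"name": "mwc-ok",
                  "annotations": {INJECT_FROM_SECRET: "webhook-ns/my-bundle-annotated"}},
     "webhooks": []},
    {"apiVersion": "admissionregistration.k8s.io/v1", "kind": "ValidatingWebhookConfiguration",
     "metadata": {"name": "vwc-missing-secret",
                  "annotations": {INJECT_FROM_SECRET: "webhook-ns/does-not-exist"}},
     "webhooks": []},
]


if __name__ == "__main__":
    for finding in check_webhook_injection(SAMPLE_OBJECTS):
        print(finding)
```

Against the sample, the check reports two findings: the webhook pointing at the unannotated Bundle-style Secret, and the one pointing at a Secret that does not exist; the webhook that references the annotated Secret passes. Feeding it the output of `kubectl get secrets,validatingwebhookconfigurations,mutatingwebhookconfigurations -A -o json` (the `items` list) gives the same result for a live cluster.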

erikgb commented 5 months ago

It could make sense to add a feature similar to cert-manager secretTemplate. That should make the feature address more use cases, and not just this one specifically. It should also cover target ConfigMaps if implemented.