Open qcattez opened 5 months ago
When looking into the cert-manager-ca-injector documentation, I found this: https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource
This allows us to inject the CA bundle from a secret that would have been created by trust-manager.
Sorry for the inconvenience 🙏
In the end, the use of the annotation `cert-manager.io/inject-ca-from-secret` allows us to specify a secret to define the CA for admission webhooks.
But the only thing missing for this feature to be achievable is to be able to add custom annotations on the secret created by the Bundle. For now, only the `key` can be specified: https://cert-manager.io/docs/trust/trust-manager/api-reference/#bundlespectargetsecret
It would be nice to be able to add the `cert-manager.io/allow-direct-injection: "true"` annotation on the created secret.
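The workaround described in the comment above, wired end to end, as an added example (not from the issue or from the trust-manager project). The namespace `trust-system`, the Bundle name `webhook-ca`, the source Secret `webhook-root-ca`, the webhook service and rules are assumptions, as is the choice of `ca.crt` as the key cainjector reads from a Secret. The third manifest is the shape the Bundle-managed Secret would need to have for cainjector to accept it; it is not something the current `Bundle.spec.target.secret` can produce, which is exactly the gap the comment points out.

```yaml
# Added example, not code from the issue or from trust-manager.
# Assumptions: namespace "trust-system", Bundle name "webhook-ca", source
# Secret "webhook-root-ca", and that cainjector reads the "ca.crt" key.
---
# 1. A trust-manager Bundle that writes its CA bundle into a Secret.
#    The target Secret takes the Bundle's name and is created in every
#    namespace matched by the selector.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: webhook-ca
spec:
  sources:
    - secret:
        name: webhook-root-ca   # assumed existing Secret holding the root CA
        key: ca.crt
  target:
    secret:
      key: ca.crt               # the only field the target secret exposes today
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: trust-system
---
# 2. The webhook configuration asks cainjector to fill caBundle from that
#    Secret instead of carrying the PEM inline.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-validator
  annotations:
    cert-manager.io/inject-ca-from-secret: trust-system/webhook-ca
webhooks:
  - name: validate.example.com
    admissionReviewVersions: ["v1"]
    sideEffects: None
    clientConfig:
      service:
        name: example-validator
        namespace: trust-system
        path: /validate
      # caBundle is deliberately omitted; cainjector writes it.
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
---
# 3. What the Bundle-managed Secret would have to look like. cainjector only
#    reads Secrets carrying the allow-direct-injection annotation, and the
#    Bundle API currently offers no way to set annotations on its target, so
#    trust-manager does not produce this today.
apiVersion: v1
kind: Secret
metadata:
  name: webhook-ca
  namespace: trust-system
  annotations:
    cert-manager.io/allow-direct-injection: "true"
type: Opaque
data:
  ca.crt: ""   # populated by trust-manager from the Bundle; left empty here
```

Applying the first two manifests with `kubectl apply -f` is enough to see the gap: the Bundle creates `trust-system/webhook-ca` without the annotation, so cainjector leaves `caBundle` empty until someone adds the annotation out of band.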
It could make sense to add a feature similar to cert-manager's `secretTemplate`. That should make the feature address more use cases, and not just this one specifically. It should also cover target ConfigMaps if implemented.
When creating a `ValidatingWebhookConfiguration` or `MutatingWebhookConfiguration`, we can specify the CA bundle to use in the `ClientConfig`: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#webhookclientconfig-v1-admissionregistration-k8s-io
However, those resources don't allow specifying the CA bundle from a `Secret` or `ConfigMap` (only inline). cert-manager tackles this problem by injecting the CA bundle on resources annotated with `cert-manager.io/inject-ca-from: <namespace>/<certificate>`.
So in order to provide the same functionality as cert-manager, it would be nice to introduce a `trust-manager-ca-injector` that would be responsible for injecting the CA bundle on resources annotated with `trust.cert-manager.io/inject-ca-from: <namespace>/<bundle>`.