Open kfox1111 opened 5 years ago
A similar approach to the validation webhook is taken, where an APIService resource is created that exposes the DNS01 webhook as a Kubernetes aggregated API resource. You can see some details of the trust here: http://docs.cert-manager.io/en/latest/getting-started/webhook.html (although do note that the DNS01 webhooks do not create a ValidatingWebhookConfiguration resource, nor do they utilise the PKI mentioned in that document for the ValidatingWebhook, only the APIService).
You can see the actual PKI manifests used for this here: https://github.com/jetstack/cert-manager-webhook-example/blob/master/deploy/example-webhook/templates/pki.yaml
The readme mentions it's plugged into the apiserver for security reasons. I can see that resource, but I don't see anything on how trust is established/enforced between the apiserver and plugin. Is there a document somewhere that describes this?
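As an added illustration of the APIService trust being discussed (not the manifest from cert-manager-webhook-example, and the group, service name and namespace are assumed placeholders), the weak and hardened settings for the apiserver-to-webhook direction side by side:

```yaml
# Added example, not the project's own pki.yaml. Group, Service name and
# namespace are assumptions; replace them with the values from your deploy.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.acme.example.com
spec:
  group: acme.example.com
  version: v1alpha1
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: example-webhook
    namespace: cert-manager
  # Weak setting: the apiserver would accept any serving certificate from
  # whatever answers behind the Service, so DNS01 calls could be spoofed.
  # insecureSkipTLSVerify: true
  #
  # Hardened setting: pin the CA that issued the webhook's serving cert.
  # The apiserver proxies aggregated requests to the Service over TLS and
  # only trusts a serving certificate that chains to this bundle.
  caBundle: <BASE64_PEM_OF_WEBHOOK_CA_PLACEHOLDER>
# Reverse direction (webhook trusting the apiserver): the aggregation layer
# presents a front-proxy client certificate; the webhook verifies it against
# the requestheader-client-ca-file published in the kube-system
# "extension-apiserver-authentication" ConfigMap, and authorizes the caller
# with a delegated SubjectAccessReview. No caBundle is needed for that side.
```

The `Available` condition in the APIService's `status.conditions` reports whether the apiserver could reach the backend and verify its certificate, which is the quickest check that the pinned CA matches the webhook's serving certificate.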