Zora is an open source solution that helps you achieve compliance with Kubernetes best practices recommended by industry-leading frameworks. By scanning your cluster with multiple plugins, Zora identifies potential issues, misconfigurations, and vulnerabilities.
Description
This PR sets up a webhook conversion for VulnerabilityReport CRD. Now the operator is able to inject a webhook conversion in CRDs annotated with zora.undistro.io/inject-conversion: "true".
The spec.conversion.webhook.clientConfig.caBundle field in the CRD is set from a file ca.crt, mounted as a volume in the operator and generated by Helm.
A self-signed certificate is being generated by Helm, if it doesn't exist. A Secret is also being created with three files: tls.crt, tls.key, and ca.crt. This Secret is mounted as a volume in the webhook server (operator), where the tls.crt and tls.key files are used as server certificates and ca.crt is being set in the CRD caBundle field on initialization.
Most of the files in the config/ directory are generated by kubebuilder. Documentation: https://book.kubebuilder.io/multiversion-tutorial/conversion
Linked Issues
How has this been tested?
This is a script that I've used for testing:
Checklist
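As an added example (not code from the Zora chart or from this PR), here is how a Helm template can implement the certificate handling the description outlines: reuse the Secret if it already exists, otherwise generate a self-signed CA and a server certificate with Sprig's genCA/genSignedCert, and publish tls.crt, tls.key and ca.crt in one Secret that the operator mounts. The Secret name, Service name and mount path are assumptions.

```yaml
{{- /* Assumed names (not from the Zora chart): Secret, webhook Service and its in-cluster DNS names */ -}}
{{- $secretName := "zora-webhook-server-cert" }}
{{- $svc := "zora-webhook-service" }}
{{- $dns := list (printf "%s.%s" $svc .Release.Namespace) (printf "%s.%s.svc" $svc .Release.Namespace) (printf "%s.%s.svc.cluster.local" $svc .Release.Namespace) }}
{{- /* lookup returns an empty dict when the Secret is absent, and always during helm template / --dry-run */ -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
{{- if $existing }}
  {{- /* Reuse the existing CA and server cert so an upgrade does not rotate the caBundle already injected into the CRD */ }}
  tls.crt: {{ index $existing.data "tls.crt" }}
  tls.key: {{ index $existing.data "tls.key" }}
  ca.crt: {{ index $existing.data "ca.crt" }}
{{- else }}
  {{- /* First install: self-signed CA, then a server cert whose SANs are the webhook Service's DNS names */ }}
  {{- $ca := genCA "zora-webhook-ca" 3650 }}
  {{- $cert := genSignedCert $svc (list) $dns 3650 $ca }}
  tls.crt: {{ $cert.Cert | b64enc }}
  tls.key: {{ $cert.Key | b64enc }}
  ca.crt: {{ $ca.Cert | b64enc }}
{{- end }}
---
# Operator Deployment fragment (spec.template.spec only): the webhook server reads
# tls.crt/tls.key from the mounted Secret, and the operator reads ca.crt from the
# same directory to fill spec.conversion.webhook.clientConfig.caBundle.
# The mount path is the kubebuilder default and is an assumption here.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: zora-operator
  namespace: {{ .Release.Namespace }}
spec:
  template:
    spec:
      volumes:
        - name: webhook-cert
          secret:
            secretName: zora-webhook-server-cert
      containers:
        - name: manager
          volumeMounts:
            - name: webhook-cert
              mountPath: /tmp/k8s-webhook-server/serving-certs
              readOnly: true
```

Because lookup needs API access, helm template renders a fresh certificate on every run; only helm install/upgrade against a live cluster reuses the existing Secret, which is what keeps the injected caBundle and the server certificate in agreement across upgrades.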