Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Extend secret reading for webhook certificates #2303

Closed
skonto opened this issue Oct 5, 2021 · 4 comments
Closed

Extend secret reading for webhook certificates #2303

skonto opened this issue Oct 5, 2021 · 4 comments
Labels
kind/feature lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@skonto
Copy link
Contributor

skonto commented Oct 5, 2021

Webhook Certificates reconciler's logic will update secrets contents if the secret is expired or if the secret is empty.
We start with an empty secret so the reconciler can generate its contents. This is an internal process. There is a hardcoded value for renewal (1 day).

However there are two candidate use cases we may want to consider extending this logic for:

a) users operate their infra with specific certificates for all their stuff. Examples:

b) developers may want to use this repo for generic webhook development

This relates to: #1972 but that ticket is focused beyond secrets and here the goal is to add support for using a secret that already contains a certificate and it is externally managed. There are some options wrt to what flexibility to provide (assuming the reconciler is not removed from the picture):

a) Some validation could happen at the reconciler side as it is now eg. expiration logic to warn users.
b) User provides a CA bundle and the reconciler creates the rest of the keys.
c) User provides all certificates CA/TLS keys and so the reconciler can be used for validation.

Older slack discussion on this topic here.

/kind feature

@github-actions
Copy link
Contributor

github-actions bot commented Jan 4, 2022

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 4, 2022
@skonto
Copy link
Contributor Author

skonto commented Mar 8, 2024

/reopen

Copy link

knative-prow bot commented Mar 8, 2024

@skonto: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@knative-prow knative-prow bot reopened this Mar 8, 2024
@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 9, 2024
Copy link
Contributor

github-actions bot commented Jun 7, 2024

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 7, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.
Projects
None yet
Development

No branches or pull requests

2 participants