cert-manager support for spire-controller-manager webhooks #44
Comments
FYI, spire itself can manage webhooks: https://github.com/spiffe/spire/blob/main/doc/plugin_server_notifier_k8sbundle.md#:~:text=webhook_label,to%20true.
I rarely trust random webhooks to deal properly with certificate issuance for their webhooks. They usually get it wrong. Spire may be the exception, but I'd rather use the same cert-manager managed webhook certificates on all the webhooks on my clusters for consistency.
I also prefer to have a single component responsible for my webhooks, though @faisal-memon we might want to file your suggestion as an alternative option for people who don't run cert-manager on their cluster. Could you put that as a separate issue?
Oh, yeah. Not saying it should be required or even a default to use cert-manager. I just want the option to use it.
I think I misunderstood this one. Are you saying the webhook for controller-manager?
I believe this will need some controller-manager changes.
Not sure. They seem to have some parts of it in their tree:
After reviewing the spire-controller-manager code, I think @faisal-memon is correct. It does look currently impossible to configure it to support cert-manager. I filed spiffe/spire-controller-manager#118 and this issue is blocked on it.
cert-manager should be an option to get certificates for the spire-controller-manager webhook so they can be standardized over all the webhooks on the cluster.