chart: honour redisOperator.serviceDNSDomain in webhook cert SANs#1752
Open
SAY-5 wants to merge 1 commit into OT-CONTAINER-KIT:main from
Conversation
Both the cert-manager-managed Certificate and the in-cluster self-signed webhook cert used a hard-coded .cluster.local suffix on the FQDN SAN. Operators who set redisOperator.serviceDNSDomain (for example, custom.domain) saw the webhook controller fail cert validation because the DNS name the kube-apiserver connects to is <svc>.<ns>.svc.custom.domain, which is not in the issued cert. Derive the suffix from redisOperator.serviceDNSDomain with a cluster.local default, so existing deployments are unaffected and custom DNS clusters work out of the box. Fixes OT-CONTAINER-KIT#1743. Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
Summary

Both the cert-manager-managed Certificate (charts/redis-operator/templates/cert-manager.yaml) and the in-cluster self-signed webhook cert (charts/redis-operator/templates/mutating-webhook-configuration.yaml) hard-coded a .cluster.local suffix on the FQDN SAN. Operators who set redisOperator.serviceDNSDomain (for example custom.domain) saw the kube-apiserver fail webhook TLS validation because the DNS name it resolves, <svc>.<ns>.svc.custom.domain, is not in the issued cert.

Fix

Derive the suffix from redisOperator.serviceDNSDomain with a cluster.local default. Existing deployments are unaffected, custom-DNS clusters work out of the box.

Fixes #1743.

Test

<svc>.<ns>.svc.cluster.local when serviceDNSDomain is unset / cluster.local, <svc>.<ns>.svc.custom.domain when set to custom.domain.

Signed-off-by: SAY-5 SAY-5@users.noreply.github.com
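The failure mode described in this PR, reproduced in a stand-alone Go program (an added example, not code from the redis-operator project or its chart): a webhook serving cert is issued with SANs derived from a hard-coded cluster.local suffix and again with SANs derived from the cluster's actual DNS domain, then both are checked against the name the kube-apiserver dials, <svc>.<ns>.svc.<domain>. The service and namespace names below are assumed placeholders; WebhookSANs mirrors the chart's "default to cluster.local when unset" rule but is this example's own helper.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// WebhookSANs returns the DNS SANs a webhook serving cert must carry for a
// Service the kube-apiserver reaches at <svc>.<ns>.svc.<domain>.
// An empty domain falls back to cluster.local, mirroring the chart default
// this PR introduces for redisOperator.serviceDNSDomain.
func WebhookSANs(svc, ns, domain string) []string {
	if domain == "" {
		domain = "cluster.local"
	}
	return []string{
		svc + "." + ns + ".svc",
		svc + "." + ns + ".svc." + domain,
	}
}

// SelfSignedCert issues a throwaway self-signed server cert carrying the
// given DNS SANs (the in-cluster path the chart uses when cert-manager is off).
func SelfSignedCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches reports whether the cert's SANs cover the name dialled.
// This is the same check the apiserver's TLS client performs.
func HostnameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// CheckWebhookCert issues one cert with the old hard-coded cluster.local SANs
// and one with SANs derived from domain, then checks both against the FQDN
// the apiserver uses on a cluster whose DNS domain is domain.
func CheckWebhookCert(svc, ns, domain string) (hardcodedOK, derivedOK bool, err error) {
	if domain == "" {
		domain = "cluster.local"
	}
	target := svc + "." + ns + ".svc." + domain
	hard, err := SelfSignedCert(WebhookSANs(svc, ns, "cluster.local"))
	if err != nil {
		return false, false, err
	}
	derived, err := SelfSignedCert(WebhookSANs(svc, ns, domain))
	if err != nil {
		return false, false, err
	}
	return HostnameMatches(hard, target), HostnameMatches(derived, target), nil
}

func main() {
	// Placeholder service/namespace names; not the chart's real values.
	for _, domain := range []string{"", "cluster.local", "custom.domain"} {
		hard, derived, err := CheckWebhookCert("webhook-service", "redis-operator", domain)
		if err != nil {
			panic(err)
		}
		fmt.Printf("serviceDNSDomain=%q hardcoded=%v derived=%v\n", domain, hard, derived)
	}
}
```

With serviceDNSDomain set to custom.domain the hard-coded cert fails hostname verification and the derived cert passes; with it unset or set to cluster.local both pass, which is the "existing deployments are unaffected" property the PR claims.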