From c05b21b5f8710e4171975b1fe57fca68933fdd6f Mon Sep 17 00:00:00 2001
From: Vince Prignano
Date: Fri, 3 May 2024 06:55:49 -0700
Subject: [PATCH] seedling: Allow users to specify webhook server cert and key name

Signed-off-by: Vince Prignano
---
 bootstrap/kubeadm/main.go | 18 +++++++++++++----
 controlplane/kubeadm/main.go | 18 +++++++++++++----
 .../runtime-sdk/implement-extensions.md | 16 +++++++--------
 exp/runtime/server/server.go | 20 +++++++++++++++++--
 main.go | 18 +++++++++++++----
 test/extension/main.go | 20 ++++++++++++++-----
 test/infrastructure/docker/main.go | 18 +++++++++++++----
 test/infrastructure/inmemory/main.go | 18 +++++++++++++----
 8 files changed, 111 insertions(+), 35 deletions(-)

diff --git a/bootstrap/kubeadm/main.go b/bootstrap/kubeadm/main.go
index 4f2ae9464d9e..4ef2ed5bf08c 100644
--- a/bootstrap/kubeadm/main.go
+++ b/bootstrap/kubeadm/main.go
@@ -75,6 +75,8 @@ var (
 restConfigBurst int
 webhookPort int
 webhookCertDir string
+ webhookCertName string
+ webhookKeyName string
 healthAddr string
 tlsOptions = flags.TLSOptions{}
 diagnosticsOptions = flags.DiagnosticsOptions{}
@@ -149,7 +151,13 @@ func InitFlags(fs *pflag.FlagSet) {
 "Webhook Server port")
 fs.StringVar(&webhookCertDir, "webhook-cert-dir", "/tmp/k8s-webhook-server/serving-certs/",
- "Webhook cert dir, only used when webhook-port is specified.")
+ "Webhook cert dir.")
+
+ fs.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt",
+ "Webhook cert name.")
+
+ fs.StringVar(&webhookKeyName, "webhook-key-name", "tls.key",
+ "Webhook key name.")
 fs.StringVar(&healthAddr, "health-addr", ":9440",
 "The address the health endpoint binds to.")
@@ -243,9 +251,11 @@ func main() {
 },
 WebhookServer: webhook.NewServer(
 webhook.Options{
- Port: webhookPort,
- CertDir: webhookCertDir,
- TLSOpts: tlsOptionOverrides,
+ Port: webhookPort,
+ CertDir: webhookCertDir,
+ CertName: webhookCertName,
+ KeyName: webhookKeyName,
+ TLSOpts: tlsOptionOverrides,
 },
 ),
 }
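Review bot: The help strings added in the InitFlags hunk (`"Webhook cert name."`, `"Webhook key name."`) do not tell the operator that these are bare file names looked up inside --webhook-cert-dir, nor that the `tls.crt`/`tls.key` defaults are the keys a kubernetes.io/tls Secret mounts, so a user who passes a full path is likely to get a startup failure with little to go on. I would extend them to `"Webhook cert name. File name of the serving certificate inside --webhook-cert-dir."` and `"Webhook key name. File name of the serving private key inside --webhook-cert-dir."`. The same wording applies to the matching InitFlags hunk in controlplane/kubeadm/main.go. The main() hunk wires the values through unchanged, but presumably CertName/KeyName are ignored if tlsOptionOverrides ends up supplying its own certificate callback, which would be worth a sentence in the flag help if that is the case. InitFlags and main continue outside their hunks.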
diff --git a/controlplane/kubeadm/main.go b/controlplane/kubeadm/main.go
index cbb91cd1364d..53ccad2e95f9 100644
--- a/controlplane/kubeadm/main.go
+++ b/controlplane/kubeadm/main.go
@@ -79,6 +79,8 @@ var (
 restConfigBurst int
 webhookPort int
 webhookCertDir string
+ webhookCertName string
+ webhookKeyName string
 healthAddr string
 tlsOptions = flags.TLSOptions{}
 diagnosticsOptions = flags.DiagnosticsOptions{}
@@ -148,7 +150,13 @@ func InitFlags(fs *pflag.FlagSet) {
 "Webhook Server port")
 fs.StringVar(&webhookCertDir, "webhook-cert-dir", "/tmp/k8s-webhook-server/serving-certs/",
- "Webhook cert dir, only used when webhook-port is specified.")
+ "Webhook cert dir.")
+
+ fs.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt",
+ "Webhook cert name.")
+
+ fs.StringVar(&webhookKeyName, "webhook-key-name", "tls.key",
+ "Webhook key name.")
 fs.StringVar(&healthAddr, "health-addr", ":9440",
 "The address the health endpoint binds to.")
@@ -253,9 +261,11 @@ func main() {
 },
 WebhookServer: webhook.NewServer(
 webhook.Options{
- Port: webhookPort,
- CertDir: webhookCertDir,
- TLSOpts: tlsOptionOverrides,
+ Port: webhookPort,
+ CertDir: webhookCertDir,
+ CertName: webhookCertName,
+ KeyName: webhookKeyName,
+ TLSOpts: tlsOptionOverrides,
 },
 ),
 }
diff --git a/docs/book/src/tasks/experimental-features/runtime-sdk/implement-extensions.md b/docs/book/src/tasks/experimental-features/runtime-sdk/implement-extensions.md
index 275ed022a6d1..5771acf0cc0d 100644
--- a/docs/book/src/tasks/experimental-features/runtime-sdk/implement-extensions.md
+++ b/docs/book/src/tasks/experimental-features/runtime-sdk/implement-extensions.md
@@ -84,7 +84,7 @@ func InitFlags(fs *pflag.FlagSet) {
 "Webhook Server port")
 fs.StringVar(&webhookCertDir, "webhook-cert-dir", "/tmp/k8s-webhook-server/serving-certs/",
- "Webhook cert dir, only used when webhook-port is specified.")
+ "Webhook cert dir.")
 }
 func main() {
@@ -279,7 +279,7 @@ well with practices like unit testing and generally makes the entire system more
 ### Error messages
-RuntimeExtension authors should be aware that error messages are surfaced as a conditions in Kubernetes resources
+RuntimeExtension authors should be aware that error messages are surfaced as a conditions in Kubernetes resources
 and recorded in Cluster API controller's logs. As a consequence:
 - Error message must not contain any sensitive information.
@@ -291,16 +291,16 @@ and recorded in Cluster API controller's logs. As a consequence:

Caution

If an error message is not deterministic and it changes at every call even if the problem is the same, it could
-lead to to Kubernetes resources conditions continuously changing, and this generates a denial attack to
+lead to to Kubernetes resources conditions continuously changing, and this generates a denial attack to
 controllers processing those resource that might impact system stability.
 ### ExtensionConfig
-To register your runtime extension apply the ExtensionConfig resource in the management cluster, including your CA
-certs, ClusterIP service associated with the app and namespace, and the target namespace for the given extension. Once
-created, the extension will detect the associated service and discover the associated Hooks. For clarification, you can
+To register your runtime extension apply the ExtensionConfig resource in the management cluster, including your CA
+certs, ClusterIP service associated with the app and namespace, and the target namespace for the given extension. Once
+created, the extension will detect the associated service and discover the associated Hooks. For clarification, you can
 check the status of the ExtensionConfig. Below is an example of `ExtensionConfig` -
 ```yaml
@@ -328,7 +328,7 @@ spec:
 Settings can be added to the ExtensionConfig object in the form of a map with string keys and values. These settings are sent with each request to hooks registered by that ExtensionConfig. Extension developers can implement behavior in their
-extensions to alter behavior based on these settings. Settings should be well documented by extension developers so that
+extensions to alter behavior based on these settings. Settings should be well documented by extension developers so that
 ClusterClass authors can understand usage and expected behaviour. Settings can be provided for individual external patches by providing them in the ClusterClass `.spec.patches[*].external.settings`.
@@ -380,7 +380,7 @@ curl -X 'POST' 'http://127.0.0.1:8001/api/v1/namespaces/default/services/https:w
 -d '{"apiVersion":"hooks.runtime.cluster.x-k8s.io/v1alpha1","kind":"DiscoveryRequest"}' | jq
 ```
-For more details about the API of the Runtime Extensions please see .
+For more details about the API of the Runtime Extensions please see .
 For more details on proxy support please see [Proxies in Kubernetes](https://kubernetes.io/docs/concepts/cluster-administration/proxies/).