You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, certificate management is fragmented across multiple areas. The process can be described as follows:
In the main function, a CA certificate is initialized and stored in a newly created secret. If the secret already exists, the system checks whether the certificate is still valid, ensuring it hasn't expired and that the key meets the required length. Additionally, a server certificate is generated and signed with the CA certificate. A validating webhook configuration is created, and the CRD conversion webhook configuration is patched accordingly.
In the telemetry reconciler, the secret is updated with telemetry as the owner. The validating webhook configuration is invalidated when necessary. If telemetry is about to be deleted (guarded by a finalizer), the validating webhook configuration is cleaned up.
To summarize, the following issues exist:
The workflow is fragmented across multiple areas, making it difficult to maintain a clear overview.
Certificate management is unnecessarily coupled to the Telemetry CR lifecycle, even though the two are unrelated.
This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs.
Thank you for your contributions.
Description
Currently, certificate management is fragmented across multiple areas. The process can be described as follows:
In the main function, a CA certificate is initialized and stored in a newly created secret. If the secret already exists, the system checks whether the certificate is still valid, ensuring it hasn't expired and that the key meets the required length. Additionally, a server certificate is generated and signed with the CA certificate. A validating webhook configuration is created, and the CRD conversion webhook configuration is patched accordingly.
In the telemetry reconciler, the secret is updated with telemetry as the owner. The validating webhook configuration is invalidated when necessary. If telemetry is about to be deleted (guarded by a finalizer), the validating webhook configuration is cleaned up.
To summarize, the following issues exist:
As an alternative, it is a common practice to introduce a separate controller that takes care of certificate lifetime. Here are some examples:
https://github.com/kyma-project/api-gateway/blob/main/controllers/certificate/certificate_controller.go
https://github.com/knative/pkg/blob/main/webhook/certificates/certificates.go
The text was updated successfully, but these errors were encountered: