
[feature request] use kube-webhook-certgen manage webhook certificate #893

Closed
huiwq1990 opened this issue Jun 22, 2022 · 10 comments
Labels: kind/feature

Comments

@huiwq1990 (Member)

What would you like to be added:

Use kube-webhook-certgen to generate the webhook certificate, like [ingress-nginx](https://github.com/kubernetes/ingress-nginx/tree/main/charts/ingress-nginx/templates/admission-webhooks) or kubevela.

Why is this needed:
yurt-app-manager and raven-controller-manager each implement certificate generation themselves, which is not easy to maintain. The code is in the file webhook_controller.go.

Others:
/kind feature

@huiwq1990 huiwq1990 added the kind/feature label Jun 22, 2022

@rambohe-ch (Member)

/assign @kadisi @zzguang @DrmagicE @njucjc

@huiwq1990 It looks like we will import a new component (kube-webhook-certgen) into the OpenYurt cluster if we use kube-webhook-certgen to generate the webhook certificate. So, would you be able to explain the differences and advantages of kube-webhook-certgen?

@openyurt-bot (Collaborator)

@rambohe-ch: GitHub didn't allow me to assign the following users: zzguang, DrmagicE, njucjc.

Note that only openyurtio members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

> /assign @kadisi @zzguang @DrmagicE @njucjc
>
> @huiwq1990 It looks like we will import a new component (kube-webhook-certgen) into the OpenYurt cluster if we use kube-webhook-certgen to generate the webhook certificate. So, would you be able to explain the differences and advantages of kube-webhook-certgen?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rambohe-ch (Member)

@huiwq1990 Maybe we can discuss this issue in the next community meeting.

@huiwq1990 (Member, Author)

> @huiwq1990 Maybe we can discuss this issue in the next community meeting.

OK, I will attend the meeting.

@gnunu (Member) commented Jul 19, 2022

> /assign @kadisi @zzguang @DrmagicE @njucjc
>
> @huiwq1990 It looks like we will import a new component (kube-webhook-certgen) into the OpenYurt cluster if we use kube-webhook-certgen to generate the webhook certificate. So, would you be able to explain the differences and advantages of kube-webhook-certgen?

@rambohe-ch @huiwq1990 It sounds like we would have at least four repos in need of cert generation for webhooks (openyurt, yurt-app-manager, raven, pool-coordinator). We do need a common API for this. How do we do that? We have these choices:

  1. Use https://github.com/jet/kube-webhook-certgen
  2. Add a new certs repo under openyurt.io
  3. Expose this part from yurt-app-manager
  4. Add an API repo for the whole OpenYurt, then add certs related functions into this repo.

Which one is the best?

@huiwq1990 (Member, Author)

@gnunu @rambohe-ch I recommend the first one, because:

  1. kube-webhook-certgen can patch Kubernetes webhook configurations and generate certs for the HTTPS server;
  2. If we maintain the cert code ourselves, we need to cover it with unit tests, and there is no difference in the implementation mechanism;
  3. Some well-known projects use it too, so it is relatively mature.
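The issue description and the comment above refer to the two things kube-webhook-certgen does for a webhook: the "create" step (a CA plus a CA-signed serving cert for the service DNS names, stored in a Secret) and the "patch" step (writing the CA into clientConfig.caBundle of the webhook configuration). The following is an added example written for this page, not code from OpenYurt, yurt-app-manager or kube-webhook-certgen, that implements both steps with only the Go standard library so it runs offline: it mints the certificates, checks them the way kube-apiserver does when it dials the webhook (chain to caBundle, hostname against the SANs), and emits a JSON patch for the webhook configuration. The service names, the "webhook-ca" subject and the JSON-patch form of the patch step are assumptions for illustration; certgen itself updates the object through the API client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// WebhookCerts is what a webhook needs: the CA PEM that goes into
// clientConfig.caBundle, and the serving cert/key the HTTPS listener uses
// (in a real deployment the key is marshalled to PEM and stored in a Secret).
type WebhookCerts struct {
	CAPEM, CertPEM []byte
	ServerCert     *x509.Certificate
	ServerKey      *ecdsa.PrivateKey
}

// issue generates a fresh P-256 key for tmpl and signs the certificate with
// signer under parent; with parent == nil it is self-signed by its own key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
		return nil, nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// GenerateWebhookCerts mirrors the "create" step: a self-signed CA and a
// CA-signed serving cert whose SANs are the in-cluster service names the API
// server dials (e.g. <svc>.<ns>.svc). The CA key is deliberately not kept.
func GenerateWebhookCerts(hosts []string, validFor time.Duration) (*WebhookCerts, error) {
	now := time.Now()
	caCert, caKey, caPEM, err := issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "webhook-ca"}, // assumed name
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	srvCert, srvKey, srvPEM, err := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: "webhook-server"},
		DNSNames:    hosts, // kube-apiserver matches the service DNS name against SANs, not the CN
		NotBefore:   now.Add(-time.Minute),
		NotAfter:    now.Add(validFor),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return &WebhookCerts{CAPEM: caPEM, CertPEM: srvPEM, ServerCert: srvCert, ServerKey: srvKey}, nil
}

// VerifyServerCert does what the API server does on every admission call:
// chain the served cert to caBundle and match host against the SANs.
func VerifyServerCert(c *WebhookCerts, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(c.CAPEM) {
		return fmt.Errorf("caBundle contains no valid certificate")
	}
	_, err := c.ServerCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// CABundlePatch builds a JSON patch (kubectl patch --type=json) equivalent to
// the "patch" step for a configuration with n webhooks: base64 CA PEM into
// clientConfig.caBundle of each, and failurePolicy=Fail so the webhook fails
// closed. "add" creates or overwrites the member, so a fresh config without
// caBundle is handled too.
func CABundlePatch(caPEM []byte, n int) ([]byte, error) {
	ops := make([]map[string]string, 0, 2*n)
	for i := 0; i < n; i++ {
		ops = append(ops,
			map[string]string{"op": "add", "path": fmt.Sprintf("/webhooks/%d/clientConfig/caBundle", i),
				"value": base64.StdEncoding.EncodeToString(caPEM)},
			map[string]string{"op": "add", "path": fmt.Sprintf("/webhooks/%d/failurePolicy", i), "value": "Fail"})
	}
	return json.Marshal(ops)
}
```

The hostname check is the part worth keeping in mind when a project rolls its own generator: a cert whose CN matches but whose SANs do not will be rejected by kube-apiserver, and a caBundle that is not base64 of the PEM (or is left empty with failurePolicy=Ignore) silently turns the webhook off.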

@huiwq1990 (Member, Author) commented Jul 27, 2022

kubevela/kubevela#4490
@rambohe-ch @gnunu That project already maintains the webhook patch function; we can follow it.

@huiwq1990 (Member, Author)

Someone posted the admissionregistration/v1beta1 issue in jet/kube-webhook-certgen#30. jet/kube-webhook-certgen does not want to solve it and recommends using https://github.com/kubernetes/ingress-nginx/tree/main/images/kube-webhook-certgen. So do we maintain the code ourselves?
@rambohe-ch @gnunu

@rambohe-ch (Member)

> kubevela/kubevela#4490 @rambohe-ch @gnunu That project already maintains the webhook patch function; we can follow it.

@huiwq1990 I think it's not a good idea to maintain a kube-webhook-certgen repo in OpenYurt. If kubevela maintains a repo, maybe we can use it or leverage it.

@rambohe-ch (Member)

yurt-app-manager and yurt-edgex-manager have already used kube-webhook-certgen to manage webhook certificate.
