From 77a4e633c83d53e6434dc0c9f009607396396b8d Mon Sep 17 00:00:00 2001
From: Vince Prignano
Date: Fri, 3 May 2024 06:55:49 -0700
Subject: [PATCH] :seedling: Allow users to specify webhook server cert and key name
Signed-off-by: Vince Prignano
---
bootstrap/kubeadm/main.go | 18 +++++++++++++----
controlplane/kubeadm/main.go | 18 +++++++++++++----
.../runtime-sdk/implement-extensions.md | 16 +++++++--------
exp/runtime/server/server.go | 20 +++++++++++++++++--
main.go | 18 +++++++++++++----
test/extension/main.go | 20 ++++++++++++++-----
test/infrastructure/docker/main.go | 18 +++++++++++++----
test/infrastructure/inmemory/main.go | 18 +++++++++++++----
8 files changed, 111 insertions(+), 35 deletions(-)
diff --git a/bootstrap/kubeadm/main.go b/bootstrap/kubeadm/main.go
index 4f2ae9464d9e..76afc270c963 100644
--- a/bootstrap/kubeadm/main.go
+++ b/bootstrap/kubeadm/main.go
@@ -75,6 +75,8 @@ var (
 restConfigBurst int
 webhookPort int
 webhookCertDir string
+ webhookCertName string
+ webhookKeyName string
 healthAddr string
 tlsOptions = flags.TLSOptions{}
 diagnosticsOptions = flags.DiagnosticsOptions{}
@@ -149,7 +151,13 @@ func InitFlags(fs *pflag.FlagSet) {
 "Webhook Server port")
 fs.StringVar(&webhookCertDir, "webhook-cert-dir", "/tmp/k8s-webhook-server/serving-certs/",
- "Webhook cert dir, only used when webhook-port is specified.")
+ "Webhook cert dir.")
+
+ fs.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt",
+ "Webhook cert name, only used when webhook-port is specified.")
+
+ fs.StringVar(&webhookKeyName, "webhook-key-name", "tls.key",
+ "Webhook key name, only used when webhook-port is specified.")
 fs.StringVar(&healthAddr, "health-addr", ":9440",
 "The address the health endpoint binds to.")
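Review bot: The help text for the two new flags still says "only used when webhook-port is specified", while the same hunk deletes exactly that qualifier from `webhook-cert-dir`; the three flags configure one server, so their help strings should agree — either drop the clause from the new flags as well or put it back on `webhook-cert-dir`. It would also save operators a mistake to state that these are bare file names resolved inside `webhook-cert-dir` (presumably the webhook server joins them with the directory; confirm against the server package), e.g. `"Name of the webhook serving certificate file inside webhook-cert-dir."` and `"Name of the webhook serving private key file inside webhook-cert-dir."`. InitFlags begins and ends outside the hunk.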
@@ -243,9 +251,11 @@ func main() {
 },
 WebhookServer: webhook.NewServer(
 webhook.Options{
- Port: webhookPort,
- CertDir: webhookCertDir,
- TLSOpts: tlsOptionOverrides,
+ Port: webhookPort,
+ CertDir: webhookCertDir,
+ CertName: webhookCertName,
+ KeyName: webhookKeyName,
+ TLSOpts: tlsOptionOverrides,
 },
 ),
 }
diff --git a/controlplane/kubeadm/main.go b/controlplane/kubeadm/main.go
index cbb91cd1364d..310981489e3b 100644
--- a/controlplane/kubeadm/main.go
+++ b/controlplane/kubeadm/main.go
@@ -79,6 +79,8 @@ var (
 restConfigBurst int
 webhookPort int
 webhookCertDir string
+ webhookCertName string
+ webhookKeyName string
 healthAddr string
 tlsOptions = flags.TLSOptions{}
 diagnosticsOptions = flags.DiagnosticsOptions{}
@@ -148,7 +150,13 @@ func InitFlags(fs *pflag.FlagSet) {
 "Webhook Server port")
 fs.StringVar(&webhookCertDir, "webhook-cert-dir", "/tmp/k8s-webhook-server/serving-certs/",
- "Webhook cert dir, only used when webhook-port is specified.")
+ "Webhook cert dir.")
+
+ fs.StringVar(&webhookCertName, "webhook-cert-name", "tls.crt",
+ "Webhook cert name, only used when webhook-port is specified.")
+
+ fs.StringVar(&webhookKeyName, "webhook-key-name", "tls.key",
+ "Webhook key name, only used when webhook-port is specified.")
 fs.StringVar(&healthAddr, "health-addr", ":9440",
 "The address the health endpoint binds to.")
@@ -253,9 +261,11 @@ func main() {
 },
 WebhookServer: webhook.NewServer(
 webhook.Options{
- Port: webhookPort,
- CertDir: webhookCertDir,
- TLSOpts: tlsOptionOverrides,
+ Port: webhookPort,
+ CertDir: webhookCertDir,
+ CertName: webhookCertName,
+ KeyName: webhookKeyName,
+ TLSOpts: tlsOptionOverrides,
 },
 ),
 }
diff --git a/docs/book/src/tasks/experimental-features/runtime-sdk/implement-extensions.md b/docs/book/src/tasks/experimental-features/runtime-sdk/implement-extensions.md
index f51beed74622..d583d9ca0488 100644
--- a/docs/book/src/tasks/experimental-features/runtime-sdk/implement-extensions.md
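Review bot: The three `fs.StringVar` calls in the controlplane InitFlags hunk duplicate, character for character, the block added to bootstrap/kubeadm/main.go in the same patch, and the diffstat shows the same +18 landing in four more main.go files — a style point, but the copies have already drifted within this very hunk, where `webhook-cert-dir` loses its "only used when webhook-port is specified" clause while the two new flags keep it. The var block above already takes `flags.TLSOptions{}` and `flags.DiagnosticsOptions{}` from a shared `flags` package, which looks like the natural place for a small webhook options struct plus an `AddWebhookFlags(fs, &opts)` helper so the flag names, defaults and help strings exist once; I have not seen that package, so confirm it is the right home. Failing that, at least make the three help strings here read consistently, e.g. `"Webhook cert name (file inside webhook-cert-dir)."` and `"Webhook key name (file inside webhook-cert-dir)."`. InitFlags begins and ends outside the hunk.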
+++ b/docs/book/src/tasks/experimental-features/runtime-sdk/implement-extensions.md
@@ -84,7 +84,7 @@ func InitFlags(fs *pflag.FlagSet) {
 "Webhook Server port")
 fs.StringVar(&webhookCertDir, "webhook-cert-dir", "/tmp/k8s-webhook-server/serving-certs/",
- "Webhook cert dir, only used when webhook-port is specified.")
+ "Webhook cert dir.")
 }
 func main() {
@@ -279,7 +279,7 @@ well with practices like unit testing and generally makes the entire system more
 ### Error messages
-RuntimeExtension authors should be aware that error messages are surfaced as a conditions in Kubernetes resources
+RuntimeExtension authors should be aware that error messages are surfaced as a conditions in Kubernetes resources
 and recorded in Cluster API controller's logs. As a consequence:
 - Error message must not contain any sensitive information.
@@ -291,16 +291,16 @@ and recorded in Cluster API controller's logs. As a consequence:

Caution

If an error message is not deterministic and it changes at every call even if the problem is the same, it could -lead to to Kubernetes resources conditions continuously changing, and this generates a denial attack to +lead to to Kubernetes resources conditions continuously changing, and this generates a denial attack to controllers processing those resource that might impact system stability. ### ExtensionConfig -To register your runtime extension apply the ExtensionConfig resource in the management cluster, including your CA -certs, ClusterIP service associated with the app and namespace, and the target namespace for the given extension. Once -created, the extension will detect the associated service and discover the associated Hooks. For clarification, you can +To register your runtime extension apply the ExtensionConfig resource in the management cluster, including your CA +certs, ClusterIP service associated with the app and namespace, and the target namespace for the given extension. Once +created, the extension will detect the associated service and discover the associated Hooks. For clarification, you can check the status of the ExtensionConfig. Below is an example of `ExtensionConfig` - ```yaml @@ -328,7 +328,7 @@ spec: Settings can be added to the ExtensionConfig object in the form of a map with string keys and values. These settings are sent with each request to hooks registered by that ExtensionConfig. Extension developers can implement behavior in their -extensions to alter behavior based on these settings. Settings should be well documented by extension developers so that +extensions to alter behavior based on these settings. Settings should be well documented by extension developers so that ClusterClass authors can understand usage and expected behaviour. Settings can be provided for individual external patches by providing them in the ClusterClass `.spec.patches[*].external.settings`. 
@@ -382,7 +382,7 @@ curl -X 'POST' 'http://127.0.0.1:8001/api/v1/namespaces/default/services/https:w -d '{"apiVersion":"hooks.runtime.cluster.x-k8s.io/v1alpha1","kind":"DiscoveryRequest"}' | jq ``` -For more details about the API of the Runtime Extensions please see . +For more details about the API of the Runtime Extensions please see . For more details on proxy support please see [Proxies in Kubernetes](https://kubernetes.io/docs/concepts/cluster-administration/proxies/).