Description
Is there any way to inject a custom CA for the webhook? I can see these in the values.yaml:
...
# -- Optional extra volume mounts. Useful for mounting custom root CAs
volumeMounts: []
#- name: my-volume-mount
#  mountPath: /etc/approver-policy/secrets
# -- Optional extra volumes.
volumes: []
#- name: my-volume
#  secret:
#    secretName: my-secret
...
Then these volumes are mounted in the webhook container, here:
...
          {{- if .Values.volumeMounts }}
          volumeMounts:
{{ toYaml .Values.volumeMounts | indent 10 }}
          {{- end }}
          resources:
          {{- toYaml .Values.resources | indent 12 }}
      {{- if .Values.volumes }}
      volumes:
{{ toYaml .Values.volumes | indent 6 }}
      {{- end }}
But the mounted volumes are never taken into account. In case there is an extra arg that would make the mounted CAs be taken into account, I checked the cert-manager-approver-policy bin options available here, but I don't see anything for this purpose.
Instead, in the Go code, it uses the default and unique behaviour, which is currently to generate a self-signed CA dynamically, see the cert-manager authority pkg.
Am I missing something obvious, or is there currently no mechanism to assign a custom webhook CA? (It must feed the secret cert-manager-approver-policy-tls, as the ValidatingWebhookConfiguration is injecting the CA from the secret thanks to cert-manager-cainjector, see here.)
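The following Go program is an added illustration of the trust relationship the issue is about; it is not code from cert-manager or approver-policy. It builds two self-signed CAs (one standing in for the CA the webhook generates at startup, one for an operator-provided custom CA), issues a serving certificate from the dynamic CA, and then runs the verification the API server performs against a webhook's caBundle. The webhook service DNS name is an assumption chosen for the example; only the secret name cert-manager-approver-policy-tls comes from the issue text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// WebhookDNSName is an assumed in-cluster service name for the webhook (not taken
// from the project); it only has to match the SAN on the serving certificate.
const WebhookDNSName = "cert-manager-approver-policy.cert-manager.svc"

// newCA builds a self-signed CA. It stands in both for the authority the webhook
// generates dynamically at startup and for an operator-provided custom CA.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServingCert signs the webhook's TLS serving certificate with the given CA,
// i.e. what would be stored as tls.crt in the cert-manager-approver-policy-tls secret.
func issueServingCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// caBundle returns the PEM that cainjector would copy (base64-encoded) into the
// ValidatingWebhookConfiguration's caBundle field.
func caBundle(ca *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
}

// verifyWebhookChain mirrors the check the API server does when calling the
// webhook: the serving cert must chain to a root in caBundle for the service name.
func verifyWebhookChain(servingPEM, bundle []byte, dnsName string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundle) {
		return fmt.Errorf("caBundle contains no parsable certificate")
	}
	block, _ := pem.Decode(servingPEM)
	if block == nil {
		return fmt.Errorf("serving certificate is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

// Scenario reproduces the situation from the issue: the serving cert is signed by
// the dynamically generated CA, while the operator intended a custom CA to be the
// trust anchor. It returns the verification result for each candidate caBundle.
func Scenario() (withDynamicCA, withCustomCA error) {
	dynCA, dynKey, err := newCA("approver-policy dynamic CA (constructed)")
	if err != nil {
		return err, err
	}
	customCA, _, err := newCA("custom corporate CA (constructed)")
	if err != nil {
		return err, err
	}
	serving, err := issueServingCert(dynCA, dynKey, WebhookDNSName)
	if err != nil {
		return err, err
	}
	withDynamicCA = verifyWebhookChain(serving, caBundle(dynCA), WebhookDNSName)
	withCustomCA = verifyWebhookChain(serving, caBundle(customCA), WebhookDNSName)
	return withDynamicCA, withCustomCA
}

func main() {
	a, b := Scenario()
	fmt.Println("caBundle from dynamic CA:", a) // nil: chain verifies
	fmt.Println("caBundle from custom CA: ", b) // unknown authority error
}
```

The point the output makes is the one behind the issue: mounting a custom CA into the pod changes nothing on its own, because the caBundle that cainjector publishes must be the issuer of whatever certificate the webhook actually serves. A mismatch between the two surfaces as the API server rejecting every admission call to the webhook, so any mechanism for a custom CA has to replace the serving chain and the injected bundle together.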