
Incorrect behavior when using certificate.servingCertificate with disabled certificate generation and without use CertManager #389

Closed
obsessionsys opened this issue Apr 11, 2024 · 0 comments · Fixed by #390
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments


obsessionsys commented Apr 11, 2024

Preflight Checklist

  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.
  • I agree to follow the Code of Conduct.

Vault Secrets Webhook Version

1.21.1

Installation Type

Official Helm chart

Bank-Vaults Version

No response

Kubernetes Version

1.29.2

Kubernetes Distribution/Provisioner

Vanilla Kubernetes

Expected Behavior

With the following values:

```yaml
# custom-values.yaml
certificate:
  useCertManager: false                          # disable cert-manager
  servingCertificate: vault-secret-webhook-tls   # name of the externally managed Certificate

  generate: false                                # disable certificate generation
  server:                                        # server.* and ca.* are siblings of generate, not children of it
    tls:
      crt: ""
      key: ""
  ca:
    crt: ""
```

The Certificate resource should not be created in this case, because an external source is already being used.

Actual Behavior

When the vault-secret-webhook is deployed, a Certificate resource is created:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: vault-secret-webhook-tls           # <- the certificate name
  namespace: "default"
  labels:
    app: vault-secrets-webhook
    chart: vault-secrets-webhook-0.0.0
    release: vault-secret-webhook
    heritage: Helm
spec:
  secretName: vault-secret-webhook-tls
  duration: 8760h0m0s # 1y
  issuerRef:
    name: vault-secrets-webhook-ca        # <- with an invalid issuerRef
  dnsNames:
  - vault-secrets-webhook
  - vault-secrets-webhook.default
  - vault-secrets-webhook.default.svc
  privateKey:
    rotationPolicy: Always
```

Steps To Reproduce

No response

Configuration

**Chart values**

```yaml
certificate:
  useCertManager: false
  servingCertificate: vault-secret-webhook-tls   # name of the externally managed Certificate

  generate: false
  server:                                        # sibling of generate, not a child of it
    tls:
      crt: ""
      key: ""
  ca:
    crt: ""
```

### Logs

_No response_

### Additional Information

1. We have a CA storage in Vault and create a Root CA in it, which is the root for all Kubernetes clusters.
2. There is a mechanism that creates a Custom Resource ClusterIssuer and connects it to the Vault pki Root CA with the appropriate CertManager setting.
3. A Custom Resource Certificate is created in each cluster, which forms an Intermediate CA for the cluster.
4. After that, a ClusterIssuer is created for all applications with a link to the Intermediate CA.
5. Next, a kind Certificate is formed based on the ClusterIssuer from point 4.
6. In the end, we need to deploy the Vault Secrets Webhook with servingCertificate from point 5.

**Proposed Solution:**

I suggest replacing line 1 in the `templates/webhook-cert-manager.yaml` template:

```
{{- if .Values.certificate.useCertManager }}
```

**replace with**

```
{{- if and (.Values.certificate.useCertManager) (not .Values.certificate.servingCertificate) }}
```

**and delete lines 57 and 58:**

```
{{- end }}
{{- if or .Values.certificate.useCertManager .Values.certificate.servingCertificate }}
```

This way, Helm will correctly form templates during deployment.
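The guard behaviour described in the issue can be checked without a cluster, because Helm renders charts with Go's `text/template` and `and`/`or`/`not` are that engine's built-ins. The program below is an added example, not the chart's own code: the two template strings are a simplified reconstruction of the guard structure from the lines quoted above (resource bodies are stubs, the real file renders full manifests), and it renders both variants against the issue's values to show which resources appear.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// currentGuards mirrors the guards the issue quotes from templates/webhook-cert-manager.yaml
// (line 1 and lines 57-58); resource bodies are stubs, the chart renders full manifests.
const currentGuards = `{{- if .Values.certificate.useCertManager }}
kind: Issuer
{{- end }}
{{- if or .Values.certificate.useCertManager .Values.certificate.servingCertificate }}
kind: Certificate
{{- end }}`

// proposedGuards applies the issue's suggestion: one guard that only opens when cert-manager is enabled AND no external serving certificate is named.
const proposedGuards = `{{- if and (.Values.certificate.useCertManager) (not .Values.certificate.servingCertificate) }}
kind: Issuer
kind: Certificate
{{- end }}`

// values builds the .Values tree the chart templates see for the two knobs.
func values(useCertManager bool, servingCertificate string) map[string]any {
	cert := map[string]any{"useCertManager": useCertManager, "servingCertificate": servingCertificate}
	return map[string]any{"Values": map[string]any{"certificate": cert}}
}

// renderedKinds renders tmpl with Go's text/template (Helm's engine) and returns the resource kinds emitted.
func renderedKinds(tmpl string, vals map[string]any) []string {
	var out bytes.Buffer
	if err := template.Must(template.New("guard").Parse(tmpl)).Execute(&out, vals); err != nil {
		panic(err)
	}
	var kinds []string
	for _, line := range strings.Split(out.String(), "\n") {
		if l := strings.TrimSpace(line); strings.HasPrefix(l, "kind: ") {
			kinds = append(kinds, strings.TrimPrefix(l, "kind: "))
		}
	}
	return kinds
}

func main() {
	v := values(false, "vault-secret-webhook-tls") // the issue's reported values
	fmt.Println("current:", renderedKinds(currentGuards, v), "proposed:", renderedKinds(proposedGuards, v))
}
```

With the issue's values the current guards emit a Certificate (the `or` is satisfied by the non-empty `servingCertificate`), while the proposed single guard emits nothing; with `useCertManager: true` and no `servingCertificate`, both variants emit Issuer and Certificate.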
@obsessionsys obsessionsys added the kind/bug Categorizes issue or PR as related to a bug. label Apr 11, 2024
obsessionsys added a commit to obsessionsys/vault-secrets-webhook that referenced this issue Apr 11, 2024
…sabled certificate generation and without use CertManager bank-vaults#389) fix incorrect behavior
obsessionsys added a commit to obsessionsys/vault-secrets-webhook that referenced this issue Apr 12, 2024
…sabled certificate generation and without use CertManager bank-vaults#389) fix incorrect behavior

Signed-off-by: Vitaly Fedorov <[email protected]>
Signed-off-by: Vitaly Fedorov <[email protected]>
ramizpolic pushed a commit that referenced this issue May 2, 2024
…ager #389 (#390)

Signed-off-by: Vitaly Fedorov <[email protected]>
Signed-off-by: Vitaly Fedorov <[email protected]>