Allow overriding webhook secret data keys

[skonto]

Changes

• Downstream we are using knative operator's webhook that is passed in shared main for creation but does not utilize certificates from pkg. OLM manages the cert lifecycle and is generated due to webhook configuration at the csv. The generated secret has the following data:

data:
  olmCAKey: ...
  tls.crt: ..
  tls.key: ... 

We would like to be able to override the default keys so in general any external webhook that extends
webhook.AdmissionController or webhook.ConversionController can be used.

• The caCert is not used when constructing a new Webhook so no need to override. Webhooks usually fetch it in order inject it at the webhook configuration via the webhook's reconciler logic.
• Making generic the setup of existing keys eg in MakeSecret is out of scope.

/kind enhancement

[codecov]

Codecov Report

Patch coverage: 100.00% and project coverage change: +0.02% 🎉

Comparison is base (5ef4812) 81.75% compared to head (12544e2) 81.77%.
Report is 14 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2662      +/-   ##
==========================================
+ Coverage   81.75%   81.77%   +0.02%     
==========================================
  Files         167      167              
  Lines       10201    10214      +13     
==========================================
+ Hits         8340     8353      +13     
  Misses       1614     1614              
  Partials      247      247              

Files Changed	Coverage Δ
webhook/helper.go	100.00% <100.00%> (ø)
webhook/webhook.go	78.94% <100.00%> (+0.28%)	⬆️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[skonto]

@dprotaso gentle ping

[dprotaso]

test coverage?

[skonto]

Sure will add

[dprotaso]

add godoc for these new vars.

Suggested change

	ServerKeyEnv = "KNATIVE_SECRET_WEBHOOK_SERVER_KEY"
	ServerKeyEnvOverride = "KNATIVE_WEBHOOK_SERVER_KEY"

[hhk7734]

How about WEBHOOK_CERTS_SECRET_SERVER_KEY/CERT? Cause I use WEBHOOK_CERTS_SECRET_NAME in #2685

[skonto]

I like the KNATIVE prefix tbh to separate from other env vars that could co-exist. Other than that its up to @dprotaso no strong preference.

[dprotaso]

We don't have KNATIVE_ prefixes for other environment variables ie. SYSTEM_NAMESPACE so I suggest dropping the prefix so that we remain consistent

[skonto]

/retest

[dprotaso]

I realize now the env vars don't influence the certificates & keys being created. Thus I don't think these overrides should be in this package.

This package is for creating and updating certificates

[skonto]

Ok will do the webhook options approach thanks.

[dprotaso]

Are you creating custom webhooks binaries where you drop the certificate controller?

If so it might be better to add these overrides to the webhook.Options and when they're empty default them to the keys in the certificates/resources package.

[skonto]

Makes sense the env var thingy is a bit too intrusive.

[github-actions]

This Pull Request is stale because it has been open for 90 days with
no activity. It will automatically close after 30 more days of
inactivity. Reopen with /reopen. Mark as fresh by adding the
comment /remove-lifecycle stale.

[skonto]

@dprotaso gentle ping this is ready for review.

[dprotaso]

Comment doesn't match the var name.

Maybe SecretPrivateKeyName ?

[skonto]

I will change but to clarify the reason I kept that name is that I wanted to make explicit that I am overriding the same values here:

pkg/webhook/certificates/resources/secret.go

Line 29 in 7051d30

ServerKey = "server-key.pem"

[dprotaso]

Comment doesn't match var name

Maybe SecretCertifcateName ?

[dprotaso]

seems like this could be a private helper in the webhook package

[dprotaso]

This might cause flakiness when running tests in parallel.

We should just have this test perform it's own setup (ie. create it's own cert etc)

Also the test name and assertions is a bit misleading TestMissingContentTypeCustomSecret - we really want to assert that the right certificate is presented. Thus we should skip stuff that's not relevant

[skonto]

@dprotaso I copied the logic in certificates_test.go so probably that is unsafe too or is it that it always returns the default one and it worked so far? In any case I will take a look to separate it.

[skonto]

Anyway I updated the test to be more compact and have its own setup.

[skonto]

@dprotaso gentle ping.

[skonto]

@dprotaso gentle ping.

[dprotaso]

/lgtm
/approve

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, skonto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• webhook/OWNERS [dprotaso,skonto]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment