I am developing a mutating webhook with kind and, as I understand, the API end-point should be https. The certificate and key of the API server should be signed with the CA of the cluster itself so as to get around the issue of self-signed certificates. And, for that, the following are the recommended steps:
openssl genrsa -out app.key 2048
openssl req -new -key app.key -subj "/CN=${CSR_NAME}" -out app.csr -config csr.conf
kubectl create -f csr.yaml
kubectl certificate approve csr_name
kubectl get csr app.csr -o jsonpath='{.status.certificate}' | openssl base64 -d -A -out app.pem
Notes
1. The csr.conf has the details to set up the CSR successfully.
2. The csr.yaml is written for the kubernetes kind CertificateSigningRequest.
3. The csr_name is defined in CertificateSigningRequest.
4. The spec.request in csr.yaml is set to cat app.csr | base64 | tr -d '\n'.
5. The app.pem and app.key are used to set up the https end-point.
The end-point is definitely reachable but errors out as:
Internal error occurred: failed calling webhook "com.me.webhooks.demo": Post https://webhook.sidecars.svc:443/mutate?timeout=10s: x509: certificate signed by unknown authority
How do I get around the certificate signed by unknown authority issue?
References:
1. Writing a very basic kubernetes mutating admission webhook
2. Diving into Kubernetes MutatingAdmissionWebhook
It doesn't need to be signed with the cluster's CA root. It just needs to match the CA bundle in the webhook configuration.
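To make the answer's point concrete, here is an added example (not code from either post) that reproduces the apiserver's side of the check with Go's standard crypto/x509: a constructed CA issues a serving cert for the Service name from the error message, webhook.sidecars.svc, and verification succeeds only when that same CA is what sits in caBundle. Any other CA in the bundle, whether the cluster's root or not, yields exactly the "certificate signed by unknown authority" error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn: a self-signed CA when parent is nil, otherwise
// a serving cert for the DNS name cn signed by parent/parentKey (errors ignored for brevity).
func mkCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		DNSNames:     []string{cn}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // CA: the certificate that later goes into caBundle
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tmpl.DNSNames, tmpl.ExtKeyUsage = nil, nil
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// caBundle encodes a CA the way webhooks[].clientConfig.caBundle expects it: base64 of its PEM.
func caBundle(ca *x509.Certificate) string {
	p := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	return base64.StdEncoding.EncodeToString(p)
}

// verifyAsAPIServer mimics the apiserver's TLS check when calling the webhook: only caBundle is trusted and the cert must match the Service DNS name.
func verifyAsAPIServer(leaf *x509.Certificate, bundle, dnsName string) error {
	pemBytes, _ := base64.StdEncoding.DecodeString(bundle)
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return errors.New("caBundle is not a base64-encoded PEM certificate")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}
```

The string caBundle returns is what you paste into the MutatingWebhookConfiguration; if you sign app.pem via the cluster CSR API as in the question, the bundle must then hold the cluster CA that signed it rather than a locally generated one.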