The caBundle for MutatingWebhookConfiguration is defined here as:
caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
I am getting the PEM encoded CA bundle with this command.
kubectl config view --raw --minify --flatten \
  -o jsonpath='{.clusters[].cluster.certificate-authority-data}'
The resulting value is saved in a variable that is used in a sed command to replace the CA_BUNDLE string in a 'template' YAML as shown below.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: WEBHOOK_APP
  labels:
    app: WEBHOOK_APP
webhooks:
  - name: com.demo.NAMESPACE.WEBHOOK_APP
    sideEffects: None
    admissionReviewVersions: ["v1", "v1beta1"]
    matchPolicy: Equivalent
    failurePolicy: Fail
    clientConfig:
      caBundle: CA_BUNDLE
      service:
        name: WEBHOOK_APP
        namespace: NAMESPACE
        path: "/mutate"
    rules:
      - operations: [ "CREATE", "UPDATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        scope: "*"
What is the way in Helm chart to pass on the CA_BUNDLE?
Reading a variable directly from an env variable in your helm chart is not possible due to security reasons, and this functionality was not implemented, as stated in this document.
In a helm chart you can always create a variable, e.g. myCAbundleVariable, in the values.yaml file that will hold your PEM encoded CA, and then use the value from this variable in the chart like this:
webhooks:
  - ...
    clientConfig:
      caBundle: {{ .Values.myCAbundleVariable }}
If you want to pass the value 'in runtime' when running the helm command you can use the --set parameter.
So your helm command would look like this:
helm install ... --set myCAbundleVariable=$(kubectl config view --raw --minify --flatten \
  -o jsonpath='{.clusters[].cluster.certificate-authority-data}')
Let me know if it was helpful.
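As an added pre-flight check that is not part of the question or the answer above, this Python script verifies that the value about to be handed to helm is what clientConfig.caBundle expects (base64 text that decodes to PEM CERTIFICATE blocks, which is exactly how kubeconfig already stores certificate-authority-data) and builds the helm argument from it. myCAbundleVariable is the name used in the answer, the sample PEM is constructed rather than a real certificate, and --set-string is Helm's own flag for passing a value without type coercion.

```python
import base64
import binascii
import re
import shlex

# Constructed sample, not a real certificate: a PEM-shaped block, base64-encoded
# again the way kubeconfig stores certificate-authority-data (caBundle's format).
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed, not a real DER certificate")
    + b"\n-----END CERTIFICATE-----\n"
)
SAMPLE_CA_BUNDLE = base64.b64encode(SAMPLE_PEM).decode("ascii")
SAMPLE_TWO_CERT_BUNDLE = base64.b64encode(SAMPLE_PEM * 2).decode("ascii")

PEM_BLOCK_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def validate_ca_bundle(value: str) -> int:
    """Return the number of PEM certificates in a base64-encoded caBundle, or
    raise ValueError explaining why the apiserver would reject the value."""
    value = "".join(value.split())  # tolerate wrapped kubectl output
    if not value:
        raise ValueError("caBundle is empty: no certificate-authority-data in kubeconfig")
    if value.startswith("-----BEGIN"):
        raise ValueError("caBundle is raw PEM; kubeconfig already stores it base64-encoded")
    try:
        decoded = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"caBundle is not valid base64: {exc}") from exc
    blocks = PEM_BLOCK_RE.findall(decoded)
    if not blocks:
        raise ValueError("caBundle does not decode to PEM CERTIFICATE blocks")
    for body in blocks:  # each PEM body must itself be base64 (the DER inside)
        try:
            base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"corrupt PEM body: {exc}") from exc
    return len(blocks)


def helm_set_arg(value: str, key: str = "myCAbundleVariable") -> str:
    """Build the argument for the helm install command from the answer, after
    validating the bundle. --set-string avoids Helm's type coercion; shlex.quote
    keeps the shell from interpreting the value."""
    validate_ca_bundle(value)
    return "--set-string " + shlex.quote(key + "=" + "".join(value.split()))
```

With failurePolicy: Fail, a malformed caBundle means every pod CREATE and UPDATE in scope is rejected, so running this check before helm install is cheaper than debugging admission failures afterwards.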