ValidatingWebhookConfiguration caBundle value reference from Azure secret mounted in Kubernetes

4/13/2020

I am deploying OPA on an AKS cluster using the official Helm chart. In order to get the cert and key I have added aad-pod-identity and also the Key Vault FlexVolume to fetch the secret from Azure KV into a Kubernetes volume as a secret. I am able to use the cert and key separately but am not able to reference the mounted cert in ValidatingWebhookConfiguration > caBundle. I am pretty new to Kubernetes so I need some help with how I can reference the volume secret in caBundle so that it reads the dynamic value rather than me providing the cert as a base64 encoded string. I have read about CAInjector but need to know a cleaner way. It would be helpful if someone could guide me through an example implementation.

deployment.yaml

            - "--config-file=/config/config.yaml"
{{- end }}
            - "--tls-cert-file=/certs/tls-crt"
            - "--tls-private-key-file=/certs/tls-key"
            - "--addr=0.0.0.0:{{ .Values.port }}"
            - "--log-level={{ .Values.logLevel }}"
            - "--log-format={{ .Values.logFormat }}"
{{- if .Values.authz.enabled }}
            - "--authentication=token"
            - "--authorization=basic"
            - "--ignore=.*"
---
      volumes:
        - name: certs
          flexVolume:
            driver: "azure/kv"
            options:
              usepodidentity: "true"
              keyvaultname: {{ .Values.azure.stratusKeyVault }}
              keyvaultobjectnames: tls-crt;tls-key
              keyvaultobjecttypes: secret;secret
              tenantid: {{ .Values.azure.tenantId }}

webhookconfiguration.yaml

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: {{ template "opa.fullname" . }}
  annotations:
{{- if .Values.certManager.enabled }}
    certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s" .Release.Namespace (include "opa.rootCACertificate" .) | quote }}
{{- end }}
  labels:
{{ include "opa.labels.standard" . | indent 4 }}
webhooks:
  - name: webhook.openpolicyagent.org
{{- with .Values.admissionControllerNamespaceSelector }}
    namespaceSelector:
{{ toYaml . | indent 6 }}
{{ end }}
    failurePolicy: {{ .Values.admissionControllerFailurePolicy }}
    rules:
{{ toYaml .Values.admissionControllerRules | indent 6 }}
    clientConfig:
{{ if not .Values.certManager.enabled }}
{{ if .Values.generateAdmissionControllerCerts }}
      {{/* $ca is defined earlier in the chart template; that part is not included in this excerpt */}}
      caBundle: {{ b64enc $ca.Cert }}
{{ else }}
      caBundle: ""
{{ end }}
{{ end }}
      service:
        name: {{ template "opa.fullname" . }}
        namespace: {{ .Release.Namespace }}
    sideEffects: {{ .Values.admissionControllerSideEffect }}
-- user3616775
kubernetes
kubernetes-apiserver
opa
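A defender-side helper for the step the question is stuck on, added here as an example and not code from the question or the OPA chart: it takes the PEM mounted by the flexVolume, refuses to encode anything but CERTIFICATE blocks (the same mount also carries tls-key, and caBundle is readable by anyone who can get the webhook object), and emits the JSON patch for `webhooks[0].clientConfig.caBundle`. The mount path /certs/tls-crt is an assumption taken from the deployment excerpt, and caBundle must hold the CA that signed the webhook's serving cert, which the asker's tls-crt may or may not be.

```python
import base64
import json
import re

# One PEM block; the backreference forces END to match BEGIN.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)


def extract_ca_pem(pem_text: str) -> str:
    """Keep only CERTIFICATE blocks (a chain is fine) and refuse any other
    PEM type: caBundle is readable by anyone who can get the webhook object."""
    certs = []
    for m in PEM_BLOCK.finditer(pem_text):
        label = m.group(1)
        if "PRIVATE KEY" in label:
            raise ValueError("refusing to put a private key into caBundle")
        if label != "CERTIFICATE":
            raise ValueError(f"unexpected PEM block type: {label}")
        certs.append(m.group(0))
    if not certs:
        raise ValueError("no CERTIFICATE block found in input")
    return "\n".join(certs) + "\n"


def ca_bundle_b64(pem_text: str) -> str:
    """Single-line base64 of the cleaned PEM, the form caBundle expects."""
    return base64.b64encode(extract_ca_pem(pem_text).encode()).decode()


def decode_ca_bundle(b64: str) -> str:
    """Inverse, for auditing the caBundle already set on a live webhook."""
    return base64.b64decode(b64).decode()


def webhook_ca_patch(pem_text: str, webhook_index: int = 0) -> str:
    """JSON patch replacing caBundle on entry <webhook_index> of .webhooks."""
    path = f"/webhooks/{webhook_index}/clientConfig/caBundle"
    return json.dumps([{"op": "replace", "path": path,
                        "value": ca_bundle_b64(pem_text)}])


# Constructed sample inputs; not real certificates or keys.
SAMPLE_CA = ("-----BEGIN CERTIFICATE-----\nMIIBconstructedCAbody\n"
             "-----END CERTIFICATE-----\n")
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedKeyBody\n"
              "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    # Hypothetical mount path matching the asker's flexVolume layout.
    with open("/certs/tls-crt") as f:
        print(webhook_ca_patch(f.read()))
```

The printed patch can be applied with `kubectl patch validatingwebhookconfiguration <name> --type=json -p "$(python3 ca_patch.py)"`, and `decode_ca_bundle` lets you check what a running webhook currently trusts.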

0 Answers