webhook: use cert-manager for self-signed cert

jtriley · jtriley · commit 03f0cda58a43 · 2025-11-19T12:11:15.000-05:00
This patch uses the cert-manager operator to automatically generate the
self-signed CA, cert, and key and mount it within the webhook
deployment. It also uses cert-manager to inject the CA cert into the
mutatatingwebhookconfiguration.
diff --git a/README.md b/README.md
@@ -142,57 +142,13 @@ In order to modify the deployment follow these steps:
 
 1. Modify the GROUPS env variable to contain the list of classes (openshift groups) of which you would like to assign class labels. This file is found here: webhooks/assign-class-label/deployment.yaml
 
-2. Generate a new OpenSSL certificate
+2. Change namespace variable in the kubernetes manifests to match namespace you want the webhook to be deployed to.
 
-    ```
-    openssl req -x509 -sha256 -newkey rsa:2048 -keyout webhook.key -out webhook.crt -days 1024 -nodes -addext "subjectAltName = DNS.1:service_name.namespace.svc"
-    ```
-
-    When deployed to rhods-notebooks the command was specified as such:
-
-    ```
-    openssl req -x509 -sha256 -newkey rsa:2048 -keyout webhook.key -out webhook.crt -days 1024 -nodes -addext "subjectAltName = DNS.1:assign-class-label-webhook.rhods-notebooks.svc"
-    ```
-
-3. Add the cert and key to the required resources:
-
-    ```
-    cat webhook.crt | base64 | tr -d '\n'
-    ```
-
-    ```
-    cat webhook.key | base64 | tr -d '\n'
-    ```
-
-    This will encode the certificate and key in base64 format which is required. Copy the output of the webhook.crt to the caBundle in webhooks/assign-class-label/webhook-config.yaml. Then create a secret.yaml that looks like this
-
-    ```
-    apiVersion: v1
-    kind: Secret
-    metadata:
-        name: webhook-cert
-    type: Opaque
-    data:
-        webhook.crt:
-        webhook.key:
-    ```
-
-    Copy and paste the output of the cat command to the respective fields for webhook.crt and webhook.key. Then execute
-
-    ```
-    oc apply -f secret.yaml --as system:admin
-    ```
-
-    within the same namespace that your webhook will be deployed to.
-
-
-4. Change namespace variable in the kubernetes manifests to match namespace you want the webhook to be deployed to.
-
-5. From webhooks/assign-class-label/ directory run:
+3. From webhooks/assign-class-label/ directory run:
 ```
     oc apply -k . --as system:admin
 ```
 
-***Steps 2, 3, and 4 are only required if you are deploying to a new namespace/environment.***
+***Step 2 is only required if you are deploying to a new namespace/environment.***
 
 The python script and docker image used for the webserver should not need changes made to it. But in the case that changes must be made, the Dockerfile and python script can be found at docker/src/python/assign-class-label/.
diff --git a/webhooks/assign-class-label/certificate.yaml b/webhooks/assign-class-label/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: assign-class-label-tls
+spec:
+  secretName: assign-class-label-tls
+  issuerRef:
+    name: assign-class-label-issuer
+    kind: Issuer
+  commonName: "rhods-notebooks.svc"
+  dnsNames:
+    - assign-class-label-webhook.rhods-notebooks.svc
diff --git a/webhooks/assign-class-label/deployment.yaml b/webhooks/assign-class-label/deployment.yaml
@@ -17,8 +17,13 @@ spec:
           ports:
             - containerPort: 443
           volumeMounts:
-            - name: cert
-              mountPath: /certs
+            - name: tls
+              mountPath: /certs/webhook.crt
+              subPath: tls.crt
+              readOnly: true
+            - name: tls
+              mountPath: /certs/webhook.key
+              subPath: tls.key
               readOnly: true
           resources:
             limits:
@@ -30,6 +35,6 @@ spec:
               value: "cs210,cs599-pmpp"
       serviceAccountName: webhook-sa
       volumes:
-        - name: cert
+        - name: tls
           secret:
-            secretName: webhook-cert
+            secretName: assign-class-label-tls
diff --git a/webhooks/assign-class-label/issuer.yaml b/webhooks/assign-class-label/issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: assign-class-label-issuer
+spec:
+  selfSigned: {}
diff --git a/webhooks/assign-class-label/kustomization.yaml b/webhooks/assign-class-label/kustomization.yaml
@@ -5,10 +5,11 @@ commonLabels:
   app: assign-class-label-webhook
 
 resources:
+  - issuer.yaml
+  - certificate.yaml
   - deployment.yaml
   - service.yaml
   - webhook-config.yaml
   - serviceaccount.yaml
   - role.yaml
   - rolebinding.yaml
-  - secret.yaml
diff --git a/webhooks/assign-class-label/webhook-config.yaml b/webhooks/assign-class-label/webhook-config.yaml
@@ -2,14 +2,15 @@ apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   name: assign-class-label-webhook
+  annotations:
+    cert-manager.io/inject-ca-from: rhods-notebooks/assign-class-label-tls
 webhooks:
-- name: assign-class-label-webhook.nerc.com
+- name: assign-class-label-webhook.rhods-notebooks.svc
   clientConfig:
     service:
       namespace: rhods-notebooks
       name: assign-class-label-webhook
       path: /mutate
-    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURvakNDQW9xZ0F3SUJBZ0lVZjBXOXFOVS92OERkdjNKSktJVWV6Z1Z0YTJVd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1FqRUxNQWtHQTFVRUJoTUNXRmd4RlRBVEJnTlZCQWNNREVSbFptRjFiSFFnUTJsMGVURWNNQm9HQTFVRQpDZ3dUUkdWbVlYVnNkQ0JEYjIxd1lXNTVJRXgwWkRBZUZ3MHlOVEEyTVRFeE5qVXdOVGRhRncweU9EQXpNekV4Ck5qVXdOVGRhTUVJeEN6QUpCZ05WQkFZVEFsaFlNUlV3RXdZRFZRUUhEQXhFWldaaGRXeDBJRU5wZEhreEhEQWEKQmdOVkJBb01FMFJsWm1GMWJIUWdRMjl0Y0dGdWVTQk1kR1F3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQgpEd0F3Z2dFS0FvSUJBUUMweklTVkZLc2EyUWoxRmR3UE4rVkh2VnlyUnlRbWJycGgxVklRWWhOY21UaGpBenFaClFOQURMbXlyZzFrcnI4RysrQWhmVzlzYzhjMDFGckM1NHVRQ082K0dQbXBVaHpUd2tsVTUwQkdaS1hOV2ZJNFUKSjlRWklYT1YvUER1TFZyQVhMYzBnOFlGV1pENTFWNnhDcVN2cDdoUGNHNUJSUjNuUm53ZEQweXNnbVJnMExMQQp4VWg2eitEaE1ibkpRV2pRWmJIQ282djVVYkFSQkJOT0FTRWVkSHNqa2dxTXM2SVVDYzJHbnZWRXhRcWxMRWJtClFveVoyRS95L3cxc1JySTFXQTdQK3J5cEZMKzVZMTdXYVlmUnZYSW5MT29oRlRDc1A0cUJLekExYit2cFVUY1kKSnFlVGNGQ0xWVEtrVHR3T0JxY3Q0clBmUjBVT1NkSTdQT3hkQWdNQkFBR2pnWTh3Z1l3d0hRWURWUjBPQkJZRQpGSXUzM2pSbjVMZkJ6UjVYMldCaElCODU5clVXTUI4R0ExVWRJd1FZTUJhQUZJdTMzalJuNUxmQnpSNVgyV0JoCklCODU5clVXTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3T1FZRFZSMFJCREl3TUlJdVlYTnphV2R1TFdOc1lYTnoKTFd4aFltVnNMWGRsWW1odmIyc3VjbWh2WkhNdGJtOTBaV0p2YjJ0ekxuTjJZekFOQmdrcWhraUc5dzBCQVFzRgpBQU9DQVFFQWIwZHpJN3lwZnVWVFY1UXM2UHgzcDVPQVhMc0o3eUhoUWIvV1grN2ZTWWVwa1dCcmdNY09JemRyClovY0o5b3ZQWkRYZ0Y4OEtIMCtYSC9LaVZoYkFrZkVGWlNyNFN4WG5udFJkeHpNNjJDdml0bVIwTS81MzdoYWgKeFJEbVNEcHUvVnRBUUxRdzF6U2VtWG5MbnlkblVJWjZXODlxL2ZaNUpBZHRGNUFYU3U1L2cwNkIrcmtFRGNTVAoya2NhOG4zWWo0Y0pqa3RXbi9NaE1JS29oSUY0bWpJb3M5Q3Y5U1B4Smh5aUZwUCtyLzNPbGdKeVNlMFJibFJ2ClNVeHcxRVRDdmY5MXNER3YwZGJwTllXbDZ0WnVSdHlIaE93UXlrRWdickcxMnYwdk1qU2VwVHVTeW5mT3FGYkoKUGRvRWs3MDlsUGRWK0pFdllwUWVnVTA5S3ZaMlBRPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
   rules:
     - operations: ["CREATE"]
       apiGroups: [""]
