Merged
50 changes: 3 additions & 47 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -142,57 +142,13 @@ In order to modify the deployment follow these steps:

1. Modify the GROUPS env variable to contain the list of classes (openshift groups) of which you would like to assign class labels. This file is found here: webhooks/assign-class-label/deployment.yaml

2. Generate a new OpenSSL certificate
2. Change namespace variable in the kubernetes manifests to match namespace you want the webhook to be deployed to.

```
openssl req -x509 -sha256 -newkey rsa:2048 -keyout webhook.key -out webhook.crt -days 1024 -nodes -addext "subjectAltName = DNS.1:service_name.namespace.svc"
```

When deployed to rhods-notebooks the command was specified as such:

```
openssl req -x509 -sha256 -newkey rsa:2048 -keyout webhook.key -out webhook.crt -days 1024 -nodes -addext "subjectAltName = DNS.1:assign-class-label-webhook.rhods-notebooks.svc"
```

3. Add the cert and key to the required resources:

```
cat webhook.crt | base64 | tr -d '\n'
```

```
cat webhook.key | base64 | tr -d '\n'
```

This will encode the certificate and key in base64 format which is required. Copy the output of the webhook.crt to the caBundle in webhooks/assign-class-label/webhook-config.yaml. Then create a secret.yaml that looks like this

```
apiVersion: v1
kind: Secret
metadata:
name: webhook-cert
type: Opaque
data:
webhook.crt:
webhook.key:
```

Copy and paste the output of the cat command to the respective fields for webhook.crt and webhook.key. Then execute

```
oc apply -f secret.yaml --as system:admin
```

within the same namespace that your webhook will be deployed to.


4. Change namespace variable in the kubernetes manifests to match namespace you want the webhook to be deployed to.

5. From webhooks/assign-class-label/ directory run:
3. From webhooks/assign-class-label/ directory run:
```
oc apply -k . --as system:admin
```

***Steps 2, 3, and 4 are only required if you are deploying to a new namespace/environment.***
***Step 2 is only required if you are deploying to a new namespace/environment.***

The python script and docker image used for the webserver should not need changes made to it. But in the case that changes must be made, the Dockerfile and python script can be found at docker/src/python/assign-class-label/.
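
Review bot: The rewritten steps never state that cert-manager has to be installed on the cluster, yet step 3 (`oc apply -k .`) now applies `Issuer` and `Certificate` resources from the `cert-manager.io/v1` API and will fail without those CRDs; add it as a prerequisite before step 1. The closing note that only step 2 is needed for a new namespace also undersells the work: `rhods-notebooks` is written into the `dnsNames` and `commonName` of certificate.yaml and into the `cert-manager.io/inject-ca-from` annotation and `clientConfig.service.namespace` of webhook-config.yaml, so step 2 should list those fields explicitly.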
12 changes: 12 additions & 0 deletions webhooks/assign-class-label/certificate.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: assign-class-label-tls
spec:
secretName: assign-class-label-tls
issuerRef:
name: assign-class-label-issuer
kind: Issuer
commonName: "rhods-notebooks.svc"
dnsNames:
- assign-class-label-webhook.rhods-notebooks.svc
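
Review bot: `commonName: "rhods-notebooks.svc"` names the namespace domain rather than the webhook service and does not match the single `dnsNames` entry. Hostname verification uses the SAN list, so drop `commonName` or set it to `assign-class-label-webhook.rhods-notebooks.svc`. The spec also leaves `duration`, `renewBefore` and `privateKey` to cert-manager's defaults; stating them would make the rotation schedule and key type reviewable, where the removed README command pinned `rsa:2048` and `-days 1024`.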
13 changes: 9 additions & 4 deletions webhooks/assign-class-label/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,13 @@ spec:
ports:
- containerPort: 443
volumeMounts:
- name: cert
mountPath: /certs
- name: tls
mountPath: /certs/webhook.crt
subPath: tls.crt
readOnly: true
- name: tls
mountPath: /certs/webhook.key
subPath: tls.key
readOnly: true
resources:
limits:
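
Review bot: Both `tls` mounts use `subPath`, and Kubernetes does not refresh a subPath-mounted Secret file when the Secret changes, so after cert-manager renews `assign-class-label-tls` the pod keeps serving the old `tls.crt` until it is restarted. Because the `cert-manager.io/inject-ca-from` annotation in webhook-config.yaml moves the API server's `caBundle` to the renewed certificate, admission calls would then fail TLS verification. Mount the Secret as a directory at `/certs` (as the removed `cert` mount did) and have the server read `tls.crt` and `tls.key`, or document a restart on renewal; either way the server process has to re-read the files.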
Expand All @@ -30,6 +35,6 @@ spec:
value: "cs210,cs599-pmpp"
serviceAccountName: webhook-sa
volumes:
- name: cert
- name: tls
secret:
secretName: webhook-cert
secretName: assign-class-label-tls
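
Review bot: The `tls` volume under `volumes:` takes the Secret volume default file mode (0644), which leaves `tls.key` world-readable inside the container. Consider setting `defaultMode` on the `secret:` block to something tighter such as 0440, after confirming that the webhook process's UID/GID can still read the key.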
6 changes: 6 additions & 0 deletions webhooks/assign-class-label/issuer.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: assign-class-label-issuer
spec:
selfSigned: {}
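
Review bot: With `selfSigned: {}` as the only issuer, the certificate requested from `assign-class-label-issuer` is signed by its own key, so the serving certificate is also the trust anchor that gets injected as `caBundle`, and every renewal changes what the API server must trust. A common cert-manager arrangement is to use the self-signed issuer only to mint a long-lived CA certificate (`isCA: true`) and to issue the webhook certificate from a `ca` Issuer backed by that secret, which keeps the CA bundle stable across leaf rotations.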
3 changes: 2 additions & 1 deletion webhooks/assign-class-label/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,11 @@ commonLabels:
app: assign-class-label-webhook

resources:
- issuer.yaml
- certificate.yaml
- deployment.yaml
- service.yaml
- webhook-config.yaml
- serviceaccount.yaml
- role.yaml
- rolebinding.yaml
- secret.yaml
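
Review bot: Dropping `secret.yaml` from `resources` stops managing the `webhook-cert` Secret but does not delete it; `oc apply -k .` without pruning leaves the previously applied, hand-generated private key in the namespace. Add a cleanup step to the rollout that deletes the `webhook-cert` Secret, and if a secret.yaml containing real key material was ever committed, treat that key as exposed.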
5 changes: 3 additions & 2 deletions webhooks/assign-class-label/webhook-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,15 @@ apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: assign-class-label-webhook
annotations:
cert-manager.io/inject-ca-from: rhods-notebooks/assign-class-label-tls
webhooks:
- name: assign-class-label-webhook.nerc.com
- name: assign-class-label-webhook.rhods-notebooks.svc
clientConfig:
service:
namespace: rhods-notebooks
name: assign-class-label-webhook
path: /mutate
caBundle: 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
rules:
- operations: ["CREATE"]
apiGroups: [""]
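
Review bot: The `cert-manager.io/inject-ca-from: rhods-notebooks/assign-class-label-tls` annotation hardcodes the namespace as a string value, alongside `clientConfig.service.namespace`, so deploying elsewhere means editing both by hand; call that out in a comment here or in the README. With the static `caBundle` removed, the webhook also has no trusted CA until cert-manager's CA injector fills it in, so check what the `failurePolicy` (not visible in this hunk) does to pod creation during that window.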