Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow overriding webhook secret data keys #2662

Merged
merged 8 commits into from
Aug 2, 2023
Merged

Allow overriding webhook secret data keys #2662

merged 8 commits into from
Aug 2, 2023

Conversation

skonto
Copy link
Contributor

@skonto skonto commented Dec 16, 2022

Changes

  • Downstream we are using knative operator's webhook that is passed in shared main for creation but does not utilize certificates from pkg. OLM manages the cert lifecycle and is generated due to webhook configuration at the csv. The generated secret has the following data:
data:
  olmCAKey: ...
  tls.crt: ..
  tls.key: ...

We would like to be able to override the default keys so in general any external webhook that extends
webhook.AdmissionController or webhook.ConversionController can be used.

  • The caCert is not used when constructing a new Webhook so no need to override. Webhooks usually fetch it in order inject it at the webhook configuration via the webhook's reconciler logic.
  • Making generic the setup of existing keys eg in MakeSecret is out of scope.

/kind enhancement

@knative-prow knative-prow bot added kind/enhancement size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Dec 16, 2022
@codecov
Copy link

codecov bot commented Dec 16, 2022
edited
Loading

Codecov Report

Patch coverage: 100.00% and project coverage change: +0.02% 🎉

Comparison is base (5ef4812) 81.75% compared to head (12544e2) 81.77%.
Report is 14 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2662      +/-   ##
==========================================
+ Coverage   81.75%   81.77%   +0.02%     
==========================================
  Files         167      167              
  Lines       10201    10214      +13     
==========================================
+ Hits         8340     8353      +13     
  Misses       1614     1614              
  Partials      247      247
Files Changed Coverage Δ
webhook/helper.go 100.00% <100.00%> (ø)
webhook/webhook.go 78.94% <100.00%> (+0.28%) ⬆️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@skonto
Copy link
Contributor Author

skonto commented Dec 20, 2022

@dprotaso gentle ping

dprotaso
dprotaso reviewed Jan 5, 2023
View reviewed changes
webhook/webhook.go Outdated
Comment on lines 154 to 159
if val, ok := os.LookupEnv(certresources.ServerKeyEnv); ok {
sKey = val
}
if val, ok := os.LookupEnv(certresources.ServerCertEnv); ok {
sCert = val
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test coverage?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure will add

webhook/certificates/resources/secret.go Outdated
@@ -26,9 +26,11 @@ import (

const (
// ServerKey is the name of the key associated with the secret's private key.
ServerKey = "server-key.pem"
ServerKey = "server-key.pem"
ServerKeyEnv = "KNATIVE_SECRET_WEBHOOK_SERVER_KEY"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add godoc for these new vars.

Suggested change
ServerKeyEnv = "KNATIVE_SECRET_WEBHOOK_SERVER_KEY"
ServerKeyEnvOverride = "KNATIVE_WEBHOOK_SERVER_KEY"

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about WEBHOOK_CERTS_SECRET_SERVER_KEY/CERT? Cause I use WEBHOOK_CERTS_SECRET_NAME in #2685

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the KNATIVE prefix tbh to separate from other env vars that could co-exist. Other than that its up to @dprotaso no strong preference.

Copy link
Member

@dprotaso dprotaso Feb 24, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't have KNATIVE_ prefixes for other environment variables ie. SYSTEM_NAMESPACE so I suggest dropping the prefix so that we remain consistent

webhook/certificates/resources/secret.go Outdated Show resolved Hide resolved
@knative-prow knative-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 20, 2023
@skonto
Copy link
Contributor Author

skonto commented Feb 20, 2023

/retest

@dprotaso dprotaso mentioned this pull request Feb 21, 2023
Merged
dprotaso
dprotaso reviewed Feb 24, 2023
View reviewed changes
webhook/certificates/resources/secret.go Outdated
Comment on lines 31 to 36
// ServerKeyEnv is the env var name for the webhook secret's key eg. `tls.key`.
ServerKeyEnv = "KNATIVE_WEBHOOK_SERVER_KEY"
// ServerCert is the name of the key associated with the secret's public key.
ServerCert = "server-cert.pem"
// ServerCertEnv is the env var name for the webhook secret's ca data key eg. `tls.crt`.
ServerCertEnv = "KNATIVE_WEBHOOK_SERVER_CERT"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realize now the env vars don't influence the certificates & keys being created. Thus I don't think these overrides should be in this package.

This package is for creating and updating certificates

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok will do the webhook options approach thanks.

webhook/webhook.go Outdated
@@ -148,13 +148,13 @@ func New(
logger.Errorw("failed to fetch secret", zap.Error(err))
return nil, nil
}

serverKey, ok := secret.Data[certresources.ServerKey]
sKey, sCert := certresources.GetSecretDataKeyNamesOrDefault()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you creating custom webhooks binaries where you drop the certificate controller?

If so it might be better to add these overrides to the webhook.Options and when they're empty default them to the keys in the certificates/resources package.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense the env var thingy is a bit too intrusive.

@github-actions
Copy link
Contributor

This Pull Request is stale because it has been open for 90 days with
no activity. It will automatically close after 30 more days of
inactivity. Reopen with /reopen. Mark as fresh by adding the
comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 26, 2023
@knative-prow-robot knative-prow-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 26, 2023
@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 27, 2023
@skonto skonto changed the title Allow overriding webhook secret data keys [WIP] Allow overriding webhook secret data keys Jul 7, 2023
@knative-prow knative-prow bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 7, 2023
@knative-prow knative-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 7, 2023
@knative-prow-robot knative-prow-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 7, 2023
@skonto skonto mentioned this pull request Jul 11, 2023
Closed
@skonto skonto changed the title [WIP] Allow overriding webhook secret data keys Allow overriding webhook secret data keys Jul 11, 2023
@knative-prow knative-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 11, 2023
@skonto
Copy link
Contributor Author

skonto commented Jul 11, 2023

@dprotaso gentle ping this is ready for review.

dprotaso
dprotaso reviewed Jul 11, 2023
View reviewed changes
webhook/webhook.go Outdated
Comment on lines 61 to 63
// ServerKeyEnv is the name for the webhook secret's data key eg. `tls.key`.
// Default value is `server-key.pem` if no value is passed.
ServerKey string
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment doesn't match the var name.

Maybe SecretPrivateKeyName ?

Copy link
Contributor Author

@skonto skonto Jul 17, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will change but to clarify the reason I kept that name is that I wanted to make explicit that I am overriding the same values here:

pkg/webhook/certificates/resources/secret.go

Line 29 in 7051d30

ServerKey = "server-key.pem"

webhook/webhook.go Outdated
Comment on lines 65 to 67
// ServerCertEnv is the name for the webhook secret's ca data key eg. `tls.crt`.
// Default value is `server-cert.pem` if no value is passed.
ServerCert string
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment doesn't match var name

Maybe SecretCertifcateName ?

webhook/certificates/resources/secret.go Outdated
Comment on lines 64 to 75
func GetSecretDataKeyNamesOrDefault(sKey string, sCert string) (serverKey string, serverCert string) {
serverKey = ServerKey
serverCert = ServerCert

if sKey != "" {
serverKey = sKey
}
if sCert != "" {
serverCert = sCert
}
return serverKey, serverCert
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems like this could be a private helper in the webhook package

webhook/webhook_integration_test.go Outdated
@@ -105,8 +105,69 @@ func TestMissingContentType(t *testing.T) {
metricstest.CheckStatsNotReported(t, requestCountName, requestLatenciesName)
}

func TestMissingContentTypeCustomSecret(t *testing.T) {
defaultOptions := newCustomOptions()
certresources.MakeSecret = customSecretWithOverrides
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might cause flakiness when running tests in parallel.

We should just have this test perform it's own setup (ie. create it's own cert etc)

Also the test name and assertions is a bit misleading TestMissingContentTypeCustomSecret - we really want to assert that the right certificate is presented. Thus we should skip stuff that's not relevant

Copy link
Contributor Author

@skonto skonto Jul 12, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dprotaso I copied the logic in certificates_test.go so probably that is unsafe too or is it that it always returns the default one and it worked so far? In any case I will take a look to separate it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Anyway I updated the test to be more compact and have its own setup.

@skonto
Copy link
Contributor Author

skonto commented Jul 17, 2023

@dprotaso gentle ping.

1 similar comment
@skonto
Copy link
Contributor Author

skonto commented Aug 2, 2023

@dprotaso gentle ping.

@dprotaso
Copy link
Member

dprotaso commented Aug 2, 2023

/lgtm
/approve

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Aug 2, 2023
@knative-prow
Copy link

knative-prow bot commented Aug 2, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, skonto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot merged commit 8d3f951 into knative:main Aug 2, 2023
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hhk7734 hhk7734 hhk7734 left review comments

@dprotaso dprotaso dprotaso left review comments

@tcnghia tcnghia Awaiting requested review from tcnghia

@whaught whaught Awaiting requested review from whaught

Assignees

@dprotaso dprotaso

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/enhancement lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@skonto @dprotaso @hhk7734 @knative-prow-robot