==== Use case ====
The Machine Learning team uses KServe, a Kubernetes ML stack that leverages webhooks to validate new/changed configs. The Kubernetes API needs to be able to call the HTTPS endpoint exposed by the webhook, and hence it needs to trust the correct CA certificate to validate the webhook's TLS cert.
We use cert-manager/cfssl-issuer to manage the webhook's certificate, using the PKI discovery intermediate. The main problem is that the CA cert is not injected into the webhook's resources as expected.
==== The problem ====
In order to be able to inject the correct CA certificate, `cert-manager` needs to read a `ca.crt` field in the K8s Secret created by the Certificate resource. After a chat with Janis, it seems that our `cfssl-issuer` plugin/implementation needs to call a specific cfssl api to gather the CA certificate.
==== Proposed change ====
client: https://github.com/wikimedia/cfssl/pull/4
server: https://gerrit.wikimedia.org/r/c/operations/software/cfssl-issuer/+/756546
==== Notes ====
We have forked (for the moment) cfssl-issuer and implemented https://github.com/cloudflare/cfssl/pull/1218. This use case is supported, but the `bundle` flag needs to be true in the config to make everything work. Since this is not intuitive at first, we should also document it.
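The two things above (cert-manager needs `ca.crt` in the Secret, and the issuer only has a CA to put there when `bundle` is on) can be checked structurally. The following is an added example, not code from this task, cert-manager or cfssl-issuer: it assumes the signer hands back a PEM bundle with the leaf certificate first and the issuing chain after it, splits that into the `tls.crt`/`ca.crt` fields of a `kubernetes.io/tls` Secret, and refuses a bundle that carries no CA. The helper names and the PEM bodies are constructed for the example.

```python
"""Structural check that a cert-manager TLS Secret carries the CA that
webhook CA injection needs.

Added example, not code from the task, cert-manager or cfssl-issuer. It
assumes the signer hands back a PEM bundle with the leaf certificate first
and the issuing chain after it (the shape `bundle: true` is meant to give);
all PEM bodies are constructed placeholders, not real certificates.
"""
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\n.+?\n-----END CERTIFICATE-----", re.DOTALL
)
REQUIRED_FIELDS = ("tls.crt", "tls.key", "ca.crt")


def split_pem_bundle(bundle_pem: str) -> tuple[str, list[str]]:
    """Return (leaf, chain): the first CERTIFICATE block and everything after it."""
    blocks = PEM_CERT.findall(bundle_pem)
    if not blocks:
        raise ValueError("bundle contains no CERTIFICATE blocks")
    return blocks[0], blocks[1:]


def has_issuing_ca(bundle_pem: str) -> bool:
    """True when the signer returned at least one CA cert behind the leaf."""
    _, chain = split_pem_bundle(bundle_pem)
    return bool(chain)


def build_tls_secret_data(bundle_pem: str, key_pem: str) -> dict[str, str]:
    """Build the base64 `data` map of a kubernetes.io/tls Secret.

    A bundle without a chain (what the issuer returns when it does not ask
    the CA for the bundle) is refused here rather than silently producing
    a Secret without ca.crt, which is the failure the task describes.
    """
    leaf, chain = split_pem_bundle(bundle_pem)
    if not chain:
        raise ValueError("no issuing CA in bundle; enable `bundle` on the issuer")

    def b64(text: str) -> str:
        return base64.b64encode(text.encode()).decode()

    return {
        "tls.crt": b64(leaf + "\n"),
        "tls.key": b64(key_pem),
        # Everything behind the leaf goes into ca.crt; this is the field
        # cert-manager reads when it injects the CA into the webhook config.
        "ca.crt": b64("\n".join(chain) + "\n"),
    }


def ca_pem_from_secret(secret: dict) -> str:
    """Decode ca.crt from a Secret manifest, or '' if it is absent/empty."""
    raw = secret.get("data", {}).get("ca.crt", "")
    return base64.b64decode(raw).decode() if raw else ""


def missing_ca_injection_fields(secret: dict) -> list[str]:
    """Fields the Secret lacks (or holds without a PEM cert) for CA injection."""
    data = secret.get("data", {})
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if "ca.crt" not in missing and not PEM_CERT.search(ca_pem_from_secret(secret)):
        missing.append("ca.crt")
    return missing


# Constructed placeholders: the base64 bodies are arbitrary text, not real DER.
LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRi1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRFLVBMQUNFSE9MREVS\n-----END CERTIFICATE-----"
KEY = "-----BEGIN EC PRIVATE KEY-----\nS0VZLVBMQUNFSE9MREVS\n-----END EC PRIVATE KEY-----\n"
BUNDLED_RESPONSE = LEAF + "\n" + INTERMEDIATE + "\n"    # what `bundle: true` gives
UNBUNDLED_RESPONSE = LEAF + "\n"                         # what `bundle: false` gives

if __name__ == "__main__":
    data = build_tls_secret_data(BUNDLED_RESPONSE, KEY)
    print("missing fields with bundle:", missing_ca_injection_fields({"data": data}))
    print("issuing CA without bundle: ", has_issuing_ca(UNBUNDLED_RESPONSE))
```

Running `missing_ca_injection_fields` against the Secret that cert-manager actually created is a quick way to tell the two failure modes apart: an empty list means the issuer side is fine and the injection annotation on the webhook config is the next thing to look at; `["ca.crt"]` means the issuer never returned a CA, which is exactly the symptom when `bundle` is left off.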