
Adding support for the webhook injector to be able to inject a cert into the mutated Pods using an environment var. #446

Closed

Conversation

gdasson

@gdasson gdasson commented Mar 18, 2023

to inject a cert into the mutated Pods using an environment var.
@hashicorp-cla

hashicorp-cla commented Mar 18, 2023

CLA assistant check
All committers have signed the CLA.

@gdasson
Author

gdasson commented Apr 25, 2023

Hello @swenson, @jasonodonnell , @tvoran : Could you please review this PR? It has been pending review for a while. Thanks.

@aboukhal

aboukhal commented Jul 3, 2023

Until this very desirable PR gets merged, this is a valid work-around.

Dockerfile:

# Base image: the vault image the injector runs as the agent sidecar
FROM hashicorp/vault:1.12.1
# Point the vault client at the bundled CA so it trusts the external server's certificate
ENV VAULT_CAPATH /vault/tls/ca-cert.pem
# Bake the CA chain into the image at the path named above
COPY my-vault-certificate-chain.pem /vault/tls/ca-cert.pem

Then use that image in the Helm chart values at injector.agentImage.

@alnet

alnet commented Jul 26, 2023

I would also like to see this merged as we've just run into this exact issue today when building out a k3s cluster that will use an externally hosted vault. We'll be looking into the workaround, but it's a shame to have to maintain a local image for such a tiny change.

@tomhjp
Contributor

tomhjp commented Aug 2, 2023

👋 thanks for opening this PR and for all the +1s. I've been looking into whether we could use VAULT_CACERT_BYTES, which, as has been mentioned elsewhere, had the potential to simplify this feature by eliminating the need for the CA to be written to a file. Unfortunately my testing showed that consul-template hasn't implemented support for that env var yet, so I ended up adding a very similar file step anyway. I've opened #507 which has a lot of the same ideas as in this PR (+ some extra testing automation work), but once consul-template supports VAULT_CACERT_BYTES there are a few bits of code that we can delete and the rest should continue working without needing to write a file.

I'd welcome any comments on #507 - my intention is that it should be very well aligned with the outcome of this PR.
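Both the image-baking workaround above (a CA file on disk, pointed at by an env var) and the VAULT_CACERT_BYTES idea in the last comment come down to the same question: how does the agent build its TLS root pool, and how does it fail if the CA material is wrong? The following Go program is an added example written for this page; it is not code from this PR, from vault-k8s, or from Vault itself. It generates a throwaway CA and a server certificate for a made-up host (vault.example.internal, constructed here), builds the root pool either from in-memory PEM bytes (nothing on disk, the VAULT_CACERT_BYTES idea) or from a path that is a single PEM file or a directory of PEM files (the shapes Vault documents for VAULT_CACERT and VAULT_CAPATH), and then verifies the server certificate against that pool. The function names (MakeTestPKI, TrustedCAs, VerifyServer) and the choice to prefer bytes over a path are this example's own, not Vault's actual precedence logic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io/fs"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// MakeTestPKI builds a throwaway CA and a server certificate for host (both
// constructed for this example; no real Vault deployment is involved).
func MakeTestPKI(host string) (caPEM, serverPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil || err2 != nil {
		return nil, nil, fmt.Errorf("key generation failed: %v %v", err, err2)
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-internal-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caTmpl, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(caDER), toPEM(srvDER), nil
}

// TrustedCAs builds the root pool from in-memory PEM (the VAULT_CACERT_BYTES idea,
// nothing on disk) or from a path that is a single PEM file or a directory of them.
// Preferring bytes over the path is this example's choice, not Vault's precedence.
func TrustedCAs(caBytes, caPath string) (*x509.CertPool, string, error) {
	data, src := []byte(caBytes), "bytes"
	switch {
	case caBytes == "" && caPath == "":
		return nil, "", fmt.Errorf("no CA source configured")
	case caBytes == "":
		src = "path"
		walk := func(p string, d fs.DirEntry, err error) error {
			if err != nil || d.IsDir() {
				return err
			}
			b, err := os.ReadFile(p)
			data = append(data, b...)
			return err
		}
		if err := filepath.WalkDir(caPath, walk); err != nil {
			return nil, "", err
		}
	}
	// An empty pool is the silent failure to avoid: every handshake would then fail.
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		return nil, "", fmt.Errorf("no PEM certificate found in %s source", src)
	}
	return pool, src, nil
}

// VerifyServer checks the leaf the way a TLS client would: chain to a trusted root and match the hostname.
func VerifyServer(serverPEM []byte, roots *x509.CertPool, host string) error {
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return fmt.Errorf("server certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	caPEM, srvPEM, err := MakeTestPKI("vault.example.internal")
	if err != nil {
		panic(err)
	}
	pool, src, _ := TrustedCAs(string(caPEM), "")
	fmt.Println(src, VerifyServer(srvPEM, pool, "vault.example.internal")) // bytes <nil>
}
```

The check worth keeping from this is the refusal to return an empty pool: a CA bundle that is present but unparseable (wrong file, DER instead of PEM, an empty ConfigMap key) should fail loudly at startup rather than surface later as every Vault request failing its TLS handshake. The same function also shows why a file-free path is attractive: the bytes branch has no filesystem permissions or mount ordering to get wrong.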

@tomhjp tomhjp closed this Oct 24, 2023
@tomhjp
Contributor

tomhjp commented Oct 24, 2023

Thanks again for the PR - #507 is merged now and should be released pretty soon.

5 participants