You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It's related to the issue #1936 .
If Server.TLSOpts is set to change the tls.Config.GetCertificate , webhook.Server.CertDir seems to be redundant.
For now , no matter if we config webhook.Server.CertDir or not , webhook.Server.Start will always try to create a certwatcher which load tls certificates from disk files. It's convenient for most users to setup a WebhookServer with certificates are able to be auto rotated. But for some user explicitly override the configuration of tls.Config.GetCertificate , it can be confused.
It's not uncommon for users that set tls.Config.GetCertificate is intend to replace the certwatcher with other implements of managing certificates rotation. (For example , Integration with spire) . The problem is that the certwatcher cannot be replaced in the first start of webhook.Server
That is to say, user with tls.Config.GetCertificate given will still prepare a paire of tls certificate files to make the webhook.Server start successfully.
I'm prefer to make a pr to change the start procedure of webhook.Server to make certwatcher a must only when the user is not use his/her custom implement.
Thx , any suggestions is welcomed.
The text was updated successfully, but these errors were encountered:
It's related to the issue #1936 .
If Server.TLSOpts is set to change the tls.Config.GetCertificate , webhook.Server.CertDir seems to be redundant.
For now , no matter if we config webhook.Server.CertDir or not , webhook.Server.Start will always try to create a certwatcher which load tls certificates from disk files. It's convenient for most users to setup a WebhookServer with certificates are able to be auto rotated. But for some user explicitly override the configuration of tls.Config.GetCertificate , it can be confused.
It's not uncommon for users that set tls.Config.GetCertificate is intend to replace the certwatcher with other implements of managing certificates rotation. (For example , Integration with spire) . The problem is that the certwatcher cannot be replaced in the first start of webhook.Server
controller-runtime/pkg/webhook/server.go
Line 161 in 1c83ff6
That is to say, user with tls.Config.GetCertificate given will still prepare a paire of tls certificate files to make the webhook.Server start successfully.
I'm prefer to make a pr to change the start procedure of webhook.Server to make certwatcher a must only when the user is not use his/her custom implement.
Thx , any suggestions is welcomed.
The text was updated successfully, but these errors were encountered: