[cosigned] The webhook name is now configurable via --webhook-name flag

[vpnachev]

Summary

The webhook name is now configurable via --webhook-name flag for cosigned. This way, cosigned can be deployed multiple times in the same cluster with different webhook configurations, e.g. namespace and/or object selectors. Also, each webhook can be served by different instance of the cosigned using different public keys.

Ticket Link

Fixes

Release Note

The name of the cosigned webhook can be now configured via the flag `--webhook-name`, the default value is `cosigned.sigstore.dev`.

[codecov-commenter]

Codecov Report

Merging #1726 (62e6028) into main (f983706) will not change coverage.
The diff coverage is 0.00%.

@@           Coverage Diff           @@
##             main    #1726   +/-   ##
=======================================
  Coverage   29.48%   29.48%           
=======================================
  Files         141      141           
  Lines        8505     8505           
=======================================
  Hits         2508     2508           
  Misses       5726     5726           
  Partials      271      271           

Impacted Files	Coverage Δ
cmd/cosign/webhook/main.go	0.00% <0.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f983706...62e6028. Read the comment docs.

[hectorj2f]

Note: If you change this, you will to change on the scripts too.

[vpnachev]

Do you mean the helm templates and config files? If yes, I rely on this comment

cosign/cmd/cosign/webhook/main.go

Lines 47 to 49 in 56af7f3

	// webhookName holds the name of the validating webhook to set up with the
	// types we are watching. If this changes, you must also change:
	// ./config/500-webhook-configuration.yaml

to get the attention to whomever tries to change it. Do you suggest to enhance the help string of the flag?

[hectorj2f]

Yes, we'll need to update the comment in that piece of code accordingly.
Also we'll need to add that field in the values.yaml of the helm-chart, so everything gets changed based on the value of the field. I could take care of that.

[vpnachev]

I have updated the comment and the flag doc with 62e6028.
Looking in the webhook initialization in [1] and [2] there is a lot of configurations that can be injected, but also skipped in different conditions, or even fail when URL is used instead of in-cluster service. I doubt I can describe all of them with just few words, and I don't think here is the right place for detailed documentation.
If you have better suggestion/wording, please let me know and I will contribute it.

[1] https://github.com/knative/pkg/blob/e325df66cb51d341b5d1142fa42f75539dfe290a/webhook/resourcesemantics/validation/reconcile_config.go#L99
[2] https://github.com/knative/pkg/blob/e325df66cb51d341b5d1142fa42f75539dfe290a/webhook/resourcesemantics/defaulting/defaulting.go#L170

[hectorj2f]

We'll get some documentation for cosigned new changes soon.

[dlorenc]

@hectorj2f is this ready to merge?

[hectorj2f]

@dlorenc Yes.
@vpnachev Could you add the flag and respective changes to the webhook configuration if the flag is set in sigstore/helm-charts/cosigned ?

[vpnachev]

Yes, I can open a PR in the next days about it.