Deploying the cert manager

We suggest using cert manager for provisioning the certificates for the webhook server. Other solutions should also work as long as they put the certificates in the desired location.

You can follow the cert manager documentation to install it.

Cert manager also has a component called CA injector, which is responsible for injecting the CA bundle into the Mutating|ValidatingWebhookConfiguration.

To accomplish that, you need to use an annotation with key certmanager.k8s.io/inject-ca-from in the Mutating|ValidatingWebhookConfiguration objects. The value of the annotation should point to an existing certificate CR instance in the format of <certificate-namespace>/<certificate-name>.

This is the kustomize patch we used for annotating the Mutating|ValidatingWebhookConfiguration objects.

    # This patch adds an annotation to the admission webhook configs.
    # The variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize.
    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: MutatingWebhookConfiguration
    metadata:
      name: mutating-webhook-configuration
      annotations:
        certmanager.k8s.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
    ---
    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: validating-webhook-configuration
      annotations:
        certmanager.k8s.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
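
A check for the annotation described above, as an added example that is not part of the original page or the project's own code: it flags webhook configurations whose inject-ca-from annotation is missing, still contains an unsubstituted kustomize variable, is not in <certificate-namespace>/<certificate-name> form, or names a Certificate that does not exist. The helper make_obj, the sample objects and the names system and serving-cert are constructed assumptions; real input would be the items from `kubectl get ... -o json`.

```python
import re

ANNOTATION = "certmanager.k8s.io/inject-ca-from"  # annotation key used on this page
WEBHOOK_KINDS = {"MutatingWebhookConfiguration", "ValidatingWebhookConfiguration"}
# Expected value shape: <certificate-namespace>/<certificate-name>
NAME = r"[a-z0-9]([-a-z0-9.]*[a-z0-9])?"
REF_RE = re.compile(rf"^{NAME}/{NAME}$")

def audit(objects):
    """Return (webhook config name, problem) pairs for broken CA-injection annotations."""
    certs = {(o["metadata"].get("namespace"), o["metadata"]["name"])
             for o in objects if o.get("kind") == "Certificate"}
    findings = []
    for o in objects:
        if o.get("kind") not in WEBHOOK_KINDS:
            continue
        name = o["metadata"]["name"]
        ref = (o["metadata"].get("annotations") or {}).get(ANNOTATION)
        if ref is None:
            findings.append((name, "annotation missing"))
        elif "$(" in ref:  # kustomize never replaced the variables
            findings.append((name, "unsubstituted kustomize variable"))
        elif not REF_RE.match(ref):
            findings.append((name, "value is not <namespace>/<name>"))
        elif tuple(ref.split("/", 1)) not in certs:
            findings.append((name, "referenced Certificate does not exist"))
    return findings

def make_obj(kind, name, namespace=None, ref=None):
    """Hypothetical helper: minimal object shaped like a `kubectl get -o json` item."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    if ref is not None:
        meta["annotations"] = {ANNOTATION: ref}
    return {"kind": kind, "metadata": meta}

# Constructed sample data; "system" and "serving-cert" are assumed names.
SAMPLE = [
    make_obj("Certificate", "serving-cert", namespace="system"),
    make_obj("MutatingWebhookConfiguration", "mutating-webhook-configuration", ref="system/serving-cert"),
    make_obj("ValidatingWebhookConfiguration", "validating-webhook-configuration",
             ref="$(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)"),
    make_obj("MutatingWebhookConfiguration", "other-webhook", ref="system/missing-cert"),
    make_obj("ValidatingWebhookConfiguration", "bare-webhook"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

A webhook configuration that fails any of these checks will not receive a CA bundle from the CA injector, so the API server cannot verify the webhook server's certificate.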