
Validating Webhook should accept TLS cert in K8s Secret #1515

Closed
pavannd1 opened this issue Jun 28, 2022 · 7 comments · Fixed by #1712
Comments

pavannd1 (Contributor) commented Jun 28, 2022

The validating webhook component gets its TLS cert and private key from the kanister-webhook-certs secret. This self-signed cert and key aren't always suitable for a production environment, where users have their own PKI infrastructure set up.

The goal of this issue is to add a new Helm option to:

  • disable the auto-creation of the TLS secret during Kanister installation, so that users can bring their own TLS secret
  • allow users to insert their own organization-owned CA cert into the caBundle option of the blueprints.cr.kanister.io validating webhook configuration
helm install myrelease --namespace kanister --create-namespace kanister/kanister-operator \
   --set webhook.caBundle="<user-provided base64 encoded CA cert>" \
   --set webhook.tls.mode="custom" # implies user uses something like cert-manager to pre-create the TLS secret

When webhook.tls.mode is set to custom, webhook.caBundle must be provided. Otherwise, installation should fail.

When webhook.tls.mode is unspecified, it should be set to auto, reverting back to the current behaviour.

Documentation follow-up in #1516.

Reference: #1345 (comment)
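A pre-install check that mirrors the rule proposed in this issue, added here as an example (it is not part of the Kanister chart or of the author's proposal); it assumes the value names webhook.tls.mode and webhook.caBundle from the issue, and the sample CA bundle it builds is a constructed placeholder, not a real certificate:

```shell
#!/bin/sh
# check_webhook_tls MODE CABUNDLE
# Validates the webhook.tls.mode / webhook.caBundle combination before running
# `helm install`. Prints the effective mode on success and returns 1 on failure.
check_webhook_tls() {
  mode="${1:-auto}"          # unspecified mode defaults to auto (current behaviour)
  ca_bundle="$2"
  case "$mode" in
    auto)
      # The chart generates kanister-webhook-certs itself; no caBundle is needed.
      echo "auto"; return 0 ;;
    custom)
      # custom mode means a pre-created TLS secret (e.g. via cert-manager), so the
      # API server needs the organisation's CA to verify the webhook serving cert.
      if [ -z "$ca_bundle" ]; then
        echo "webhook.tls.mode=custom requires webhook.caBundle" >&2; return 1
      fi
      # caBundle must be the base64 encoding of a PEM certificate; anything else
      # leaves the ValidatingWebhookConfiguration unable to verify the webhook.
      if ! printf '%s' "$ca_bundle" | base64 -d 2>/dev/null | grep -q 'BEGIN CERTIFICATE'; then
        echo "webhook.caBundle is not a base64-encoded PEM certificate" >&2; return 1
      fi
      echo "custom"; return 0 ;;
    *)
      echo "unknown webhook.tls.mode: $mode (expected auto or custom)" >&2; return 1 ;;
  esac
}

# Constructed sample: a PEM-shaped placeholder (not a real CA certificate),
# base64-encoded on a single line the way --set webhook.caBundle expects it.
SAMPLE_CA_B64=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' \
  'PLACEHOLDER-NOT-A-REAL-CERT' '-----END CERTIFICATE-----' | base64 | tr -d '\n')

# Usage: validate the inputs, then pass them through to helm.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
  check_webhook_tls custom "$SAMPLE_CA_B64" >/dev/null && \
    echo "helm install myrelease kanister/kanister-operator --namespace kanister --create-namespace" \
         "--set webhook.tls.mode=custom --set webhook.caBundle=$SAMPLE_CA_B64"
fi
```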

github-actions bot (Contributor) commented

Thanks for opening this issue 👍. The team will review it shortly.

If this is a bug report, make sure to include clear instructions on how to reproduce the problem with minimal reproducible examples, where possible. If this is a security report, please review our security policy as outlined in SECURITY.md.

If you haven't already, please take a moment to review our project's Code of Conduct document.

github-actions bot (Contributor) commented

This issue is marked as stale due to inactivity. Add a new comment to reactivate it.

@github-actions github-actions bot added the stale label Aug 28, 2022
pavannd1 (Contributor, Author) commented

Valid

@github-actions github-actions bot removed the stale label Sep 22, 2022
akankshakumari393 (Contributor) commented

If we plan to use cert-manager along with kanister as mentioned in #1516, we can create a TLS Secret with a certificate and inject it into the WebhookConfiguration using the annotation cert-manager.io/inject-ca-from-secret. This way we would not need the webhook.caBundle flag.

Also, with the new option, I think we would need another helm flag to specify the TLS secret name, which the user would need to pre-create in the controller namespace.


github-actions bot commented Jan 7, 2023

This issue is marked as stale due to inactivity. Add a new comment to reactivate it.

@github-actions github-actions bot added the stale label Jan 7, 2023

github-actions bot commented Feb 6, 2023

This issue is closed due to inactivity. Feel free to reopen it, if it's still relevant.

akankshakumari393 (Contributor) commented

valid
