You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/en/docs/advanced-tasks/adding-admission-and-conversion-webhooks.md
+21-9Lines changed: 21 additions & 9 deletions
Original file line number
Diff line number
Diff line change
@@ -15,30 +15,42 @@ In addition to these fields, OLM requires that you define:
15
15
- The `Type` of the Webhook, which must be set to `ValidatingAdmissionWebhook`, `MutatingAdmissionWebhook`, or `ConversionWebhook`
16
16
- The `DeploymentName` that OLM must mount the CA Cert information into, this should match the name of a deployment defined in the CSV
17
17
18
-
## Deploying an operator with webhooks using OLM
18
+
## Creating an Operator with a Webhook
19
+
20
+
This document will not cover the steps required to create an operator that includes an admission or conversion webhook. If you are interested in creating such an operator, please refer to the following documentation provided by the Operator-SDK and Kubebuilder projects:
19
21
20
-
### OLM Requirements for Operators with Webhooks
22
+
-[Creating an Admission Webhook](https://sdk.operatorframework.io/docs/building-operators/golang/webhooks/)
23
+
-[Creating a Conversion Webhook](https://book.kubebuilder.io/multiversion-tutorial/conversion.html)
24
+
25
+
## Deploying an operator with webhooks using OLM
21
26
22
27
OLM has a few constraints that must be considered when developing an operator featuring validating, mutating, or conversion webhooks.
23
28
24
-
#### Certificate Authority Requirements
29
+
### Certificate Authority Requirements
30
+
31
+
OLM will create and mount a self-signed Certificate Authority (CA) to each deployment that contains a webhook as defined in the CSV. The certificates generated by OLM will expire after 2 years, at which point OLM will generate new certificates and redeploy the operator. The logic that generates and mounts the CA into the deployment was originally developed for the [API Service](https://kubernetes.io/docs/tasks/access-kubernetes-api/setup-extension-api-server/) lifecycle logic and has been expanded for use with webhooks.
32
+
33
+
OLM will mount the certificates at the default location that operators built with Kubebuilder and the Operator-SDK expect the certificates, specifically
34
+
35
+
- The TLS Cert file will be mounted to the deployment at `/tmp/k8s-webhook-server/serving-certs/tls.cert`
36
+
- The TLS Key file will be mounted to the deployment at `/tmp/k8s-webhook-server/serving-certs/tls.key`
25
37
26
-
OLM is configured to create a single Certificate Authority (CA) for each webhook deployment. The logic that generates and mounts the CA into the deployment was originally used by the [API Service](https://kubernetes.io/docs/tasks/access-kubernetes-api/setup-extension-api-server/) lifecycle logic. As a result:
38
+
> Note: When OLM was released, the CAs meant for Webhooks were mounted to the same location as defined by the existing API Service Lifecycle code. In an effort to remain backwards compatible, the certificates are also mounted to the following locations:
27
39
28
-
- The TLS Cert file will be mounted to the deployment at `/apiserver.local.config/certificates/apiserver.crt`
29
-
- The TLS Key file will be mounted to the deployment at `/apiserver.local.config/certificates/apiserver.key`
40
+
- The TLS Cert file will also be mounted to the deployment at `/apiserver.local.config/certificates/apiserver.crt`
41
+
- The TLS Key file will also be mounted to the deployment at`/apiserver.local.config/certificates/apiserver.key`
30
42
31
-
If the operator was built with [Kubebuilder](https://book.kubebuilder.io/) or the [Operator-SDK](https://github.com/operator-framework/operator-sdk), [this commit](https://github.com/awgreene/webhook-operator/commit/3ef33a1b7090180bd873fb2ecbcddb9a92a79f0b) can be used as a reference to update where the operator's webhook expects the Certs mounted by OLM.
43
+
OLM does not allow users to specify a mount location or name for the certificates. This issue should be addressed once OLM makes the decision to offload the management of CAs to projects such as [Cert-Manager](https://github.com/jetstack/cert-manager) and the [Service-CA Operator](https://github.com/openshift/service-ca-operator), this work can be tracked [here](https://github.com/operator-framework/operator-lifecycle-manager/issues/1805).
32
44
33
-
####Admission Webhook Rule Requirements
45
+
### Admission Webhook Rule Requirements
34
46
35
47
When developing an admission webhook please be aware that in an attempt to prevent operator from configuring the cluster into an unrecoverable state, OLM will place the CSV in the failed phase if the Rules defined in an admission webhook:
36
48
37
49
- Intercept requests that target all groups
38
50
- Intercept requests that target the `operators.coreos.com` group
39
51
- Intercept requests that target the `ValidatingWebhookConfigurations` or `MutatingWebhookConfigurations` resources
40
52
41
-
####Conversion Webhook Rules Requirements
53
+
### Conversion Webhook Rules Requirements
42
54
43
55
- CSVs featuring a conversion webhook may only support the `AllNamespaces` installMode
44
56
- The CRD targeted by the Conversion webhook must have its `spec.preserveUnknownFields` field set to `false` or `nil`
0 commit comments