Manage the webhook certificate with cert-manager

edit

Manage the webhook certificate with cert-manager

edit

If ECK is currently running you first must ensure that the automatic certificate management feature is disabled. This can be done by updating the operator deployment manifest and adding the --manage-webhook-certs=false flag.

Then, cert-manager v0.11+ must be installed as described in the cert-manager documentation.

The following example shows how to create all the resources that a webhook requires to function.

cat <<EOF | kubectl apply -f -
---
# this configures
# - a self signed cert-manager issuer
# - a service to point to the webhook
# - a self signed certificate for the webhook service
# - a validating webhook configuration
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: elastic-system
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: elastic-webhook
  namespace: elastic-system
spec:
  commonName: elastic-webhook.elastic-system.svc
  dnsNames:
  - elastic-webhook.elastic-system.svc.cluster.local
  - elastic-webhook.elastic-system.svc
  issuerRef:
    kind: Issuer
    name: selfsigned-issuer
  secretName: elastic-webhook-server-cert
---
apiVersion: v1
kind: Service
metadata:
  name: elastic-webhook-server
  namespace: elastic-system
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 9443
  selector:
    control-plane: elastic-operator
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: elastic-webhook.k8s.elastic.co
  annotations:
    cert-manager.io/inject-ca-from: elastic-system/elastic-webhook
webhooks:
- clientConfig:
    caBundle: Cg==
    service:
      name: elastic-webhook
      namespace: elastic-system
      # this is the path controller-runtime automatically generates
      path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch
  failurePolicy: Ignore
  name: elastic-es-validation-v1.k8s.elastic.co
  sideEffects: None
  rules:
  - apiGroups:
    - elasticsearch.k8s.elastic.co
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - elasticsearches
EOF

This example assumes that you have installed the operator in the elastic-system namespace.