Question about the operator clientConfig caBundle of webhooks

Hello!

I'm trying to update a manifest of a ValidatingWebhookConfiguration deployed with our elastic operator. More precisely I want to update the caBundle field in the clientConfig webhooks.

I can see that a dummy value is set in our infra-as-code manifests (caBundle: Cg==), but I noticed that it's effectively replaced with an actual value (by the operator, I guess?), and our CD tool keeps setting it back to the dummy one.

I would like to know if it's safe to get rid of that dummy value and completely remove that config from the manifest, knowing that we don't want to provide our own certificates.

In the manifest spec, it is mentioned that

caBundle: string

caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used

I don't understand the last part: "If unspecified, system trust roots on the apiserver are used".

Thanks!!

When a server certificate is issued by a well-known CA authority, you don't have to provide a CA to the client; it can use the "system trust roots" (trusted root certificates that are preinstalled with the OS).

ECK takes care of configuring the webhook certificates. It manages a self-signed certificate with a custom CA and then configures the caBundle for the client accordingly, as you have seen.

I would like to know if it's safe to get rid of that dummy value and completely remove that config from the manifest, knowing that we don't want to provide our own certificates.

You don't want to, but ECK provides its own certificates for you. When caBundle: XXXXX is modified or deleted, ECK takes care of reconfiguring it.

So it is pretty harmless that your CD tool keeps resetting it. I have to double check but it seems to me that the only consequence should be a very very short webhook downtime.

Thanks a lot @Thibault_Richard for the explanation.
I think that dummy value was set by someone else before because of an issue similar to this one: kubernetes-sigs/kubebuilder#1684.
These dummy caBundle values are required for old Kubernetes versions (which are still supported by the ECK Operator Helm Chart, apparently).
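An added check, not part of this thread or of ECK, for telling the committed placeholder apart from the bundle the operator writes back: it base64-decodes each webhook's clientConfig.caBundle and classifies it. The manifest, the webhook names and the certificate body below are constructed sample data (the body is not a real certificate).

```python
import base64
import binascii
import re

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def classify_ca_bundle(ca_bundle):
    """Return (status, cert_count) for one webhook's clientConfig.caBundle.
    "unspecified": absent/empty, so the apiserver uses its system trust roots;
    "placeholder": decodes to whitespace only, e.g. the dummy "Cg==" (one newline);
    "pem": PEM CERTIFICATE block(s) with decodable DER bodies; "invalid": anything else."""
    if not ca_bundle:
        return "unspecified", 0
    try:
        raw = base64.b64decode(ca_bundle, validate=True)
    except (binascii.Error, ValueError):
        return "invalid", 0
    if not raw.strip():
        return "placeholder", 0
    bodies = PEM_CERT_RE.findall(raw)
    if not bodies:
        return "invalid", 0
    for body in bodies:
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            return "invalid", 0
        if not der or der[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE
            return "invalid", 0
    return "pem", len(bodies)

def audit_webhook_config(manifest):
    """Map webhook name -> caBundle status for a *WebhookConfiguration dict."""
    return {w["name"]: classify_ca_bundle(w.get("clientConfig", {}).get("caBundle"))
            for w in manifest.get("webhooks", [])}

# Constructed sample: a stand-in DER body (ASN.1 SEQUENCE of INTEGER 0, not a real cert).
FAKE_DER = b"\x30\x03\x02\x01\x00"
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER) + b"\n-----END CERTIFICATE-----\n"
RECONCILED_BUNDLE = base64.b64encode(FAKE_PEM).decode()  # what an operator-managed bundle looks like
SAMPLE_CONFIG = {  # constructed manifest with one webhook per state
    "kind": "ValidatingWebhookConfiguration",
    "webhooks": [
        {"name": "as-committed.example.invalid",     # dummy value from the IaC repo
         "clientConfig": {"caBundle": "Cg=="}},
        {"name": "after-reconcile.example.invalid",  # value written back by the operator
         "clientConfig": {"caBundle": RECONCILED_BUNDLE}},
    ],
}
```

Run it against the live object (for example the JSON output of kubectl get validatingwebhookconfiguration) to confirm the value in the cluster is a real bundle and not the committed placeholder.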
