enableCertManager set to false not working, and no way to inject custom certificates
The Helm chart does not work with enableCertManager set to false in values.yaml:
...
enableCertManager: false
Certificates are logically created only if enableCertManager is set to true in certificate.yaml:
{{ if .Values.enableCertManager }}
...
Indeed, volumes are defined in the manager.yaml even when cert-manager is not defined (so when no secrets are created):
    volumes:
      - name: patch-operator-certs
        secret:
          defaultMode: 420
          secretName: patch-operator-certs
      - name: webhook-server-cert
        secret:
          secretName: webhook-server-cert
          defaultMode: 420
Also, it would be nice if we could use our own certificates, instead of having certificates from a self-signed issuer when enabling cert-manager. Cert-manager itself strongly advises not to use self-signed issuers in production, for example.
Notes: 1] Currently, both the root CA of the webhook and the CA of the kube-rbac-proxy are self-signed certificates... 2] Both cannot go without these certs according to the kube-rbac-proxy and Kubernetes (for webhooks) docs. So it seems fair not to be able to skip TLS certs, but we should be able to choose ourselves how to inject these certs. Especially for kube-rbac-proxy, because the webhook container could create and manage its CA as cert-manager does for its webhooks, but it would be more complicated to implement.
I can make a pull request for this purpose, but can you confirm that the repo is actively monitored and that the PR will be reviewed?
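Added example, not part of the original issue or the project's code: a pre-deploy check that lists Secret volumes which nothing in the rendered chart creates, which is the state the issue describes for `enableCertManager: false`. The rendered objects are constructed sample data; the Deployment name, the namespace, the assumption that the chart's Certificates write to the two secret names shown in manager.yaml, and the `external` parameter for operator-supplied certificates are all hypothetical.

```python
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}

def provided_secrets(objects):
    """(namespace, name) of every Secret the render creates directly or via a cert-manager Certificate."""
    found = set()
    for obj in objects:
        ns = obj.get("metadata", {}).get("namespace", "")
        if obj.get("kind") == "Secret":
            found.add((ns, obj["metadata"]["name"]))
        elif obj.get("kind") == "Certificate":
            found.add((ns, obj["spec"]["secretName"]))
    return found

def dangling_secret_volumes(objects, external=()):
    """Return (workload, volume, secretName) for required Secret volumes with no producer.

    `external` names Secrets created outside the chart, e.g. TLS material issued by your own CA.
    """
    have = provided_secrets(objects)
    findings = []
    for obj in objects:
        if obj.get("kind") not in WORKLOAD_KINDS:
            continue
        ns = obj.get("metadata", {}).get("namespace", "")
        for vol in obj["spec"]["template"]["spec"].get("volumes", []):
            secret = vol.get("secret")
            if not secret or secret.get("optional"):
                continue  # not a Secret volume, or the pod may start without it
            name = secret["secretName"]
            if (ns, name) not in have and name not in external:
                findings.append((obj["metadata"]["name"], vol["name"], name))
    return findings

def sample_render(enable_cert_manager):
    """Constructed stand-in for the chart's rendered objects, reduced to the fields the check reads."""
    ns, names = "patch-operator", ["patch-operator-certs", "webhook-server-cert"]
    objects = [{
        "kind": "Deployment",
        "metadata": {"name": "patch-operator", "namespace": ns},
        "spec": {"template": {"spec": {"volumes": [
            {"name": n, "secret": {"secretName": n, "defaultMode": 420}} for n in names]}}},
    }]
    if enable_cert_manager:  # mirrors the {{ if .Values.enableCertManager }} guard in certificate.yaml
        objects += [{"kind": "Certificate", "metadata": {"name": n, "namespace": ns},
                     "spec": {"secretName": n}} for n in names]
    return objects

if __name__ == "__main__":
    for finding in dangling_secret_volumes(sample_render(False)):
        print("no producer for secret volume:", finding)
```
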