helm upgrade chart repeat exec genCA function

[Ghostbaby]

Helm chart:

{{- $ca := genCA "webhook-change-group-webhook-ca" 3650 }}
{{- $cn := "webhook-change-group-webhook-svc" }}
{{- $dns1 := printf "%s.%s" $cn .Values.namespace }}
{{- $dns2 := printf "%s.%s.svc" $cn .Values.namespace }}
{{- $cert := genSignedCert $cn nil (list $dns1 $dns2) 3650 $ca }}



apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: {{ .Values.name }}-webhook-cfg
  namespace: {{ .Values.namespace }}
  labels:
    app: {{ .Values.name }}
webhooks:
  - name: {{ .Values.name }}.sheincorp.cn
    clientConfig:
      service:
        name: {{ .Values.name }}-webhook-svc
        namespace: {{ .Values.namespace }}
        path: "/mutate"
      caBundle: {{ $ca.Cert | b64enc | quote }}
    rules:
      - operations: ["CREATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
    namespaceSelector:
      {{- with .Values.namespaceSelector.matchExpressions }}
      matchExpressions:
{{ toYaml . | indent 8 }}
      {{- end }}

---
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Values.name }}-webhook-certs
  namespace: {{ .Values.namespace }}
  labels:
    app: {{ .Values.name }}
    paas/component: {{ .Values.name }}
type: kubernetes.io/tls
data:
  tls.crt: {{ $cert.Cert | b64enc | quote }}
  tls.key: {{ $cert.Key | b64enc | quote }}
  ca.crt: {{ $ca.Cert | b64enc | quote }}

A new certificate will be generated when we exec helm upgrade, if the pod not be restarted, webhook output error info:

2022/03/07 09:19:17 http: TLS handshake error from 10.244.0.1:1030: remote error: tls: bad certificate

Output of helm version:

version.BuildInfo{Version:"v3.7.0", GitCommit:"eeac83883cb4014fe60267ec6373570374ce770b", GitTreeState:"clean", GoVersion:"go1.17"}

Output of kubectl version:

Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.5", GitCommit:"aea7bbadd2fc0cd689de94a54e5b7b758869d691", GitTreeState:"clean", BuildDate:"2021-09-15T21:10:45Z", GoVersion:"go1.16.8", Compiler:"gc", Platform:"darwin/arm64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"clean", BuildDate:"2021-05-21T23:06:30Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"linux/arm64"}

Cloud Provider/Platform (AKS, GKE, Minikube etc.): kind

[bacongobbler]

This is expected. Every time helm upgrade is called, the templates are re-generated. That is to say, functions like genCA will generate a new certificate each time.

In practice, most chart authors pass it as a value or write a hook to load a ConfigMap or Secret containing the certificate before the rest of the chart is loaded.

[Ghostbaby]

@bacongobbler thx a lot