Added support for reusing the webhook TLS certificate across different deployments to prevent cases where operator takes too long to start up (#180)

Author: omris94

src/operator/config/rbac/role.yaml

@@ -25,6 +25,17 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+    - ""
+  resourceNames:
+    - credentials-operator-webhook-cert
+  resources:
+    - secrets
+  verbs:
+    - get
+    - list
+    - update
+    - watch
 - apiGroups:
   - ""
   resources:

src/operator/go.mod

@@ -231,9 +231,25 @@ func main() {
 	// setup webhook
 	if viper.GetBool(operatorconfig.SelfSignedCertKey) {
 		logrus.Infoln("Creating self signing certs")
-		certBundle, err := operatorwebhooks.GenerateSelfSignedCertificate("credentials-operator-webhook-service", podNamespace)
+		secretName := viper.GetString(operatorconfig.WebhookCertSecretNameKey)
+		certBundle, ok, err := operatorwebhooks.ReadCertBundleFromSecret(signalHandlerCtx, directClient, secretName, podNamespace)
 		if err != nil {
-			logrus.WithError(err).Panic("unable to create self signed certs for webhook")
+			logrus.WithError(err).Warn("unable to read existing certs from secret, generating new ones")
+		}
+		if !ok {
+			logrus.Info("webhook certs uninitialized, generating new certs")
+		}
+		if !ok || err != nil {
+			certBundleNew, err :=
+				operatorwebhooks.GenerateSelfSignedCertificate("intents-operator-webhook-service", podNamespace)
+			if err != nil {
+				logrus.WithError(err).Panic("unable to create self signed certs for webhook")
+			}
+			err = operatorwebhooks.PersistCertBundleToSecret(signalHandlerCtx, directClient, secretName, podNamespace, certBundleNew)
+			if err != nil {
+				logrus.WithError(err).Panic("unable to persist certs to secret")
+			}
+			certBundle = certBundleNew
 		}
 		err = operatorwebhooks.WriteCertToFiles(certBundle)
 		if err != nil {

src/operator/go.sum

@@ -57,6 +57,8 @@ const (
 	EnableSecretRotationDefault                = false
 	DatabasePasswordRotationIntervalKey        = "database-password-rotation-interval"
 	DatabasePasswordRotationIntervalDefault    = time.Hour * 8
+	WebhookCertSecretNameKey                   = "webhook-cert-secret-name"
+	WebhookCertSecretNameDefault               = "credentials-operator-webhook-cert"
 )
 
 const (
@@ -86,6 +88,7 @@ func init() {
 	viper.SetDefault(AWSUseSoftDeleteStrategyKey, AWSUseSoftDeleteStrategyDefault)
 	viper.SetDefault(EnableSecretRotationKey, EnableSecretRotationDefault)
 	viper.SetDefault(DebugKey, DebugDefault)
+	viper.SetDefault(WebhookCertSecretNameKey, WebhookCertSecretNameDefault)
 	viper.SetEnvPrefix(EnvPrefix)
 	viper.SetEnvKeyReplacer(strings.NewReplacer("-", "_"))
 	viper.AutomaticEnv()