Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow for the opa webhooks in wiz-admission-controller to be installed as normal resources #315

Open
jandersen-plaid opened this issue Apr 18, 2024 · 0 comments · May be fixed by #316
Open

Comments

@jandersen-plaid
Copy link

The wiz-admission-controller currently unconditionally installs webhooks as helm hooks which means they are deleted and recreated on every installation (see https://github.com/wiz-sec/charts/blob/master/wiz-admission-controller/templates/opawebhook.yaml#L19-L21). This can be necessary, if the user is not using a custom certificate and the caBundle needs to continuously change.

However, if the user of the chart is using certManager or some other method to manage certificates and access from the API server to the webhook, then deleting and recreating the admission webhook on every change is a bit useless, and can lead to a lot of drift for any tooling that performs differences between some configuration and the existing configuration (e.g. terraform, argocd -- if the tooling includes hooks -- among other tools).

If possible, could we remove the hook annotations under a new boolean or when cert-manager is enabled? Is there a case that I am missing as to why they should be kept?

jandersen-plaid added a commit to jandersen-plaid/wiz-charts that referenced this issue Apr 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
1 participant