Allow for the opa webhooks in wiz-admission-controller to be installed as normal resources #315
Comments
jandersen-plaid
added a commit
to jandersen-plaid/wiz-charts
that referenced
this issue
Apr 18, 2024
…f helm hooks (fixes wiz-sec#315) Signed-off-by: Jack Andersen <jandersen@plaid.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The
wiz-admission-controllercurrently unconditionally installs webhooks as helm hooks which means they are deleted and recreated on every installation (see https://github.com/wiz-sec/charts/blob/master/wiz-admission-controller/templates/opawebhook.yaml#L19-L21). This can be necessary, if the user is not using a custom certificate and thecaBundleneeds to continuously change.However, if the user of the chart is using
certManageror some other method to manage certificates and access from the API server to the webhook, then deleting and recreating the admission webhook on every change is a bit useless, and can lead to a lot of drift for any tooling that performs differences between some configuration and the existing configuration (e.g. terraform, argocd -- if the tooling includes hooks -- among other tools).If possible, could we remove the hook annotations under a new boolean or when cert-manager is enabled? Is there a case that I am missing as to why they should be kept?
The text was updated successfully, but these errors were encountered: