K8s Webhook Cert Manager Versions Save

Changed

• Multiarch support was added

Test release, internal only

Fix a bug breakig the behaviour of the script when running on k8s 1.19.x https://github.com/newrelic/k8s-webhook-cert-manager/issues/31

The ci/cd has been refactored, no real change to the product

• Update to alpine 3.12.0

• Revert to using the full service name for the CN. There is an open issue in EKS in which the SAN is not added to the signed certificates, making the TLS requests from the apiserver to the webhook fail. https://github.com/awslabs/amazon-eks-ami/issues/341
• Validate that the length of the string "${service}.${namespace}.svc", which is used for the CN, is not greater than 64 characters as specified in the x509 spec.
• Use ca bundle to patch the webhook from the service account secret instead of fetching via kubectl.
• Set the number of retries for retrieving the issued certificate to 10 like the error message.
• Add the --webhook-kind option to specified between MutatingWebhookConfiguration or ValidatingWebhookConfiguration. Defaults to MutatingWebhookConfiguration

Changed

• Use a much shorter common name for the certificate (only the Service's name) to avoid problems due to the character limit in CNs.

Changed

• Updated musl library to avoid security vulnerability https://app.snyk.io/vuln/SNYK-LINUX-MUSL-458116

Changed

• Container user is now is 1000 instead of root

Added

• Better compatibility with Openshift by patching the webhook configuration json with an add operation instead of replace.