@@ -173,6 +173,7 @@ func AddRotator(mgr manager.Manager, cr *CertRotator) error {
173173 needLeaderElection : cr .RequireLeaderElection ,
174174 refreshCertIfNeededDelegate : cr .refreshCertIfNeeded ,
175175 fieldOwner : cr .FieldOwner ,
176+ removeInsecureSkipTLSVerify : cr .RemoveInsecureSkipTLSVerify ,
176177 }
177178 if err := addController (mgr , reconciler ); err != nil {
178179 return err
@@ -247,6 +248,9 @@ type CertRotator struct {
247248 // CertName and Keyname override certificate path
248249 CertName string
249250 KeyName string
251+ // RemoveInsecureSkipTLSVerify sets if InsecureSkipTLSVerify has to
252+ // be removed from apiservices during the patch process
253+ RemoveInsecureSkipTLSVerify bool
250254
251255 certsMounted chan struct {}
252256 certsNotMounted chan struct {}
@@ -387,7 +391,7 @@ func (cr *CertRotator) refreshCerts(refreshCA bool, secret *corev1.Secret) error
387391 return nil
388392}
389393
390- func injectCert (updatedResource * unstructured.Unstructured , certPem []byte , webhookType WebhookType ) error {
394+ func injectCert (updatedResource * unstructured.Unstructured , certPem []byte , webhookType WebhookType , removeInsecureSkipTLSVerify bool ) error {
391395 switch webhookType {
392396 case Validating :
393397 return injectCertToWebhook (updatedResource , certPem )
@@ -396,7 +400,7 @@ func injectCert(updatedResource *unstructured.Unstructured, certPem []byte, webh
396400 case CRDConversion :
397401 return injectCertToConversionWebhook (updatedResource , certPem )
398402 case APIService :
399- return injectCertToApiService (updatedResource , certPem )
403+ return injectCertToApiService (updatedResource , certPem , removeInsecureSkipTLSVerify )
400404 case ExternalDataProvider :
401405 return injectCertToExternalDataProvider (updatedResource , certPem )
402406 }
@@ -442,16 +446,18 @@ func injectCertToConversionWebhook(crd *unstructured.Unstructured, certPem []byt
442446 return nil
443447}
444448
445- func injectCertToApiService (apiService * unstructured.Unstructured , certPem []byte ) error {
449+ func injectCertToApiService (apiService * unstructured.Unstructured , certPem []byte , removeInsecureSkipTLSVerify bool ) error {
446450 _ , found , err := unstructured .NestedMap (apiService .Object , "spec" )
447451 if err != nil {
448452 return err
449453 }
450454 if ! found {
451455 return errors .New ("`spec` field not found in APIService" )
452456 }
453- if err := unstructured .SetNestedField (apiService .Object , false , "spec" , "insecureSkipTLSVerify" ); err != nil {
454- return err
457+ if removeInsecureSkipTLSVerify {
458+ if err := unstructured .SetNestedField (apiService .Object , false , "spec" , "insecureSkipTLSVerify" ); err != nil {
459+ return err
460+ }
455461 }
456462 if err := unstructured .SetNestedField (apiService .Object , base64 .StdEncoding .EncodeToString (certPem ), "spec" , "caBundle" ); err != nil {
457463 return err
@@ -736,6 +742,7 @@ type ReconcileWH struct {
736742 ctx context.Context
737743 secretKey types.NamespacedName
738744 webhooks []WebhookInfo
745+ removeInsecureSkipTLSVerify bool
739746 wasCAInjected * atomic.Bool
740747 needLeaderElection bool
741748 refreshCertIfNeededDelegate func () (bool , error )
@@ -829,7 +836,7 @@ func (r *ReconcileWH) ensureCerts(certPem []byte) error {
829836 }
830837
831838 log .Info ("Ensuring CA cert" , "name" , webhook .Name , "gvk" , gvk )
832- if err := injectCert (updatedResource , certPem , webhook .Type ); err != nil {
839+ if err := injectCert (updatedResource , certPem , webhook .Type , r . removeInsecureSkipTLSVerify ); err != nil {
833840 log .Error (err , "Unable to inject cert to webhook." )
834841 anyError = err
835842 continue
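Review bot: Because the new `RemoveInsecureSkipTLSVerify` field defaults to false, `injectCertToApiService` now leaves `spec.insecureSkipTLSVerify` untouched unless a caller opts in, so the hardening that was unconditional before this change is off by default, and an APIService already carrying `insecureSkipTLSVerify: true` keeps it while the injected `caBundle` is ignored by the aggregator. The field comment on `CertRotator` also says the value is "removed" while the code sets it to `false` with `SetNestedField`; I would reword it to `// RemoveInsecureSkipTLSVerify, when true, forces spec.insecureSkipTLSVerify to false on patched APIServices so the injected caBundle is actually verified; when false (the default) the field is left as-is.` In the not-removing path I would read the current value with `unstructured.NestedBool(apiService.Object, "spec", "insecureSkipTLSVerify")` and, when it is true, `log.Info` a warning naming the APIService so operators can see that the rotated certificate is not being validated. `injectCertToApiService` continues past the end of its hunk, so the caBundle write and whatever follows it are not visible here.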