@@ -83,6 +83,32 @@ Events:
If everything looks normal so far, please go ahead and ensure that the created secret has the expected value. Also, take a look at the logs of the controller.
+## How to bring existing certificates for the webhook?
+
+The Helm chart defaults to automatically creating the webhook certificates. But it's possible, with the Helm chart values, to use certificates previously stored in a Secret resource. There's two ways to do it:
+
+The first way is to use cert-controller (default built-in solution). In the following example, every 12h (as specified with `certController.requeueInterval`), it would check whether the public certificate changed.
+
+```
+helm install (...) \
+ --set webhook.createWebhookSecret=false \
+ --set webhook.certSecretNameOverride="which-existing-secret-resource-to-bind-to" \
+ --set certController.enableCertRenewal=false \
+ --set certController.requeueInterval="12h"
+```
+
+The second way is to use cert-manager (optional third-party dependency). The existing Secret resource must have an `cert-manager.io/allow-direct-injection: "true"` annotation. See <https://cert-manager.io/docs/concepts/ca-injector/>
+
+```
+helm install (...) \
+ --set webhook.createWebhookSecret=false \
+ --set webhook.certSecretNameOverride="which-existing-secret-resource-to-bind-to" \
+ --set certController.create=false \
+ --set webhook.certManager.enabled=true \
+ --set webhook.certManager.cert.create=false \
+ --set webhook.certManager.addInjectorAnnotationsFromSecret=true
+```
+
## Upgrading from KES to ESO
Migrating from KES to ESO is quite tricky! There is a tool we built to help users out available [here](https://github.com/external-secrets/kes-to-eso), and there is a small migration procedure.
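Review bot: The cert-controller paragraph leaves the reader guessing what the controller actually does when it "checks whether the public certificate changed" every `certController.requeueInterval`, especially since the same example sets `certController.enableCertRenewal=false`; please state the outcome explicitly (what gets updated from the bound Secret and what is deliberately left untouched because renewal is off), otherwise operators cannot tell whether a rotated certificate in the Secret is picked up by the webhook configuration or silently ignored. In the same vein, both examples bind to an existing Secret via `webhook.certSecretNameOverride` but neither says which keys the Secret must contain nor who is responsible for renewing it before expiry once `createWebhookSecret=false`; a sentence on the expected Secret contents and on the renewal ownership in each mode would close that gap. For cert-manager, the text says the Secret "must have" the `cert-manager.io/allow-direct-injection: "true"` annotation, yet the example also sets `webhook.certManager.addInjectorAnnotationsFromSecret=true`; clarify whether that value adds the annotation for the user or only reads it, so the two statements do not contradict each other. Minor wording: "There's two ways" should read "There are two ways", "an `cert-manager.io/...` annotation" should read "a `cert-manager.io/...` annotation", the heading reads better as "How to use existing certificates for the webhook", and the two fences would benefit from a `shell` language tag consistent with the rest of the document.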