
Add cert-manager CA injection annotation to DevWorkspace validating webhook #1668

Description

@simxr

Problem

DevWorkspace has a known unresolved webhook certificate / caBundle drift issue.

The failure is documented in devfile/devworkspace-operator#1157. In that issue, GitLab Runner calls the DevWorkspace admission webhook:

validate-exec.devworkspace-controller.svc
devworkspace-webhookserver.devworkspace-controller.svc:443/validate

and TLS verification fails. Restarting devworkspace-webhook-server temporarily fixes the issue, which suggests the webhook serving certificate and the Kubernetes webhook caBundle can drift out of sync.

Related upstream discussion

A related Che issue, eclipse-che/che#23184, discusses the cleaner fix: add cert-manager CA injection metadata to CRDs and mutating/validating webhooks so cert-manager cainjector keeps webhook caBundle fields updated automatically.

That discussion explicitly mentions applying the same approach to DevWorkspace. A DWO maintainer commented that adding this annotation to the webhook should hopefully resolve the issue, but the issue later went stale/closed without the DWO fix being completed.

Current gap

The dynamically generated DevWorkspace ValidatingWebhookConfiguration does not include the cert-manager CA injection annotation:

cert-manager.io/inject-ca-from: <namespace>/devworkspace-controller-serving-cert

Without this annotation, cert-manager may renew the serving certificate Secret, but Kubernetes can continue using a stale or incorrect webhook caBundle.

Proposed fix

Apply the same cainjector pattern used by Che: annotate the DevWorkspace validating webhook so cert-manager keeps the webhook caBundle synchronized with the cert-manager-managed serving certificate.

The generated DevWorkspace validating webhook should include:

metadata:
  annotations:
    cert-manager.io/inject-ca-from: <namespace>/devworkspace-controller-serving-cert

This allows cert-manager cainjector to keep:

webhooks:
  - clientConfig:
      caBundle: ...

updated automatically when the referenced certificate changes.

Expected result

The Kubernetes API server should continue to trust the DevWorkspace webhook after cert-manager certificate renewal, without requiring manual deletion or restart of devworkspace-webhook-server.
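The drift the issue describes is easy to confirm before and after the fix. The following is an added example, not code from the issue author or from the DevWorkspace Operator: a Python check that takes the objects `kubectl get validatingwebhookconfiguration <name> -o json` and `kubectl get secret <name> -n <namespace> -o json` return, reports whether the cainjector annotation is present and whether each webhook's `caBundle` still matches the Secret's `ca.crt`, and then applies what cainjector would write once the annotation exists. The namespace `devworkspace-controller`, the Secret and webhook object names, and the PEM blobs are assumptions or constructed placeholders; the webhook and service names come from the issue text.

```python
"""Drift check for a webhook caBundle vs. the cert-manager serving-cert Secret.

Added example, not code from the DevWorkspace Operator. It takes the objects
that `kubectl get validatingwebhookconfiguration <name> -o json` and
`kubectl get secret <name> -n <ns> -o json` return, reports whether the
cainjector annotation is present and whether each caBundle matches ca.crt,
and shows what cainjector writes once the annotation is in place.
"""
import base64
import copy
import json

CA_INJECT_ANNOTATION = "cert-manager.io/inject-ca-from"
CERTIFICATE_NAME = "devworkspace-controller-serving-cert"  # the cert-manager Certificate named in the issue
NAMESPACE = "devworkspace-controller"  # assumption: DWO install namespace


def inject_from_value(namespace, certificate_name=CERTIFICATE_NAME):
    # cainjector reads "<namespace>/<Certificate name>"; it names the Certificate, not its Secret
    return f"{namespace}/{certificate_name}"


def check_webhook_drift(webhook_config, serving_secret, namespace):
    """Return findings as strings; an empty list means annotation and caBundle are in sync."""
    findings = []
    annotations = (webhook_config.get("metadata") or {}).get("annotations") or {}
    want, got = inject_from_value(namespace), annotations.get(CA_INJECT_ANNOTATION)
    if got is None:
        findings.append(f"missing annotation {CA_INJECT_ANNOTATION}: {want}")
    elif got != want:
        findings.append(f"annotation {CA_INJECT_ANNOTATION} is {got!r}, expected {want!r}")

    ca_b64 = (serving_secret.get("data") or {}).get("ca.crt")
    if not ca_b64:
        findings.append("serving-cert Secret has no ca.crt, so cainjector has nothing to inject")
        return findings
    secret_ca = base64.b64decode(ca_b64)

    for hook in webhook_config.get("webhooks") or []:
        name = hook.get("name", "<unnamed>")
        bundle_b64 = (hook.get("clientConfig") or {}).get("caBundle")
        if not bundle_b64:
            findings.append(f"webhook {name}: clientConfig.caBundle is empty")
        elif base64.b64decode(bundle_b64) != secret_ca:
            findings.append(f"webhook {name}: caBundle does not match Secret ca.crt (stale after renewal?)")
    return findings


def annotation_merge_patch(namespace):
    """Merge patch adding the annotation; apply with `kubectl patch validatingwebhookconfiguration <name> --type merge -p`."""
    return json.dumps({"metadata": {"annotations": {CA_INJECT_ANNOTATION: inject_from_value(namespace)}}})


def simulate_cainjector(webhook_config, serving_secret, namespace):
    """What cainjector does once the annotation is present: copy ca.crt into every caBundle."""
    fixed = copy.deepcopy(webhook_config)
    fixed.setdefault("metadata", {}).setdefault("annotations", {})[CA_INJECT_ANNOTATION] = inject_from_value(namespace)
    for hook in fixed.get("webhooks") or []:
        hook.setdefault("clientConfig", {})["caBundle"] = serving_secret["data"]["ca.crt"]
    return fixed


def pem_b64(body):
    """Base64 of a placeholder PEM block: constructed test data, not a real certificate."""
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return base64.b64encode(pem.encode()).decode()


# Constructed sample objects: a Secret cert-manager has just renewed (new CA) and a webhook
# config that still carries the previous caBundle and lacks the annotation.
SERVING_SECRET = {
    "kind": "Secret",
    "metadata": {"name": "devworkspace-webhookserver-tls", "namespace": NAMESPACE},  # assumed Secret name
    "data": {"ca.crt": pem_b64("NEW-CA"), "tls.crt": pem_b64("NEW-LEAF"), "tls.key": pem_b64("KEY")},
}
STALE_WEBHOOK = {
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "devworkspace-validating-webhook", "annotations": {}},  # assumed object name
    "webhooks": [{
        "name": "validate-exec.devworkspace-controller.svc",
        "clientConfig": {
            "service": {"name": "devworkspace-webhookserver", "namespace": NAMESPACE, "path": "/validate", "port": 443},
            "caBundle": pem_b64("OLD-CA"),
        },
    }],
}

if __name__ == "__main__":
    for finding in check_webhook_drift(STALE_WEBHOOK, SERVING_SECRET, NAMESPACE):
        print("DRIFT:", finding)
    print("patch:", annotation_merge_patch(NAMESPACE))
    fixed = simulate_cainjector(STALE_WEBHOOK, SERVING_SECRET, NAMESPACE)
    print("after cainjector:", check_webhook_drift(fixed, SERVING_SECRET, NAMESPACE) or "in sync")
```

Two caveats when using this against a live cluster. The annotation value names the cert-manager Certificate resource, not the Secret it issues, so `<namespace>/devworkspace-controller-serving-cert` must match the Certificate's namespace and name exactly or cainjector will ignore the object. And because the issue notes that DWO generates the ValidatingWebhookConfiguration dynamically, a one-off `kubectl patch` with the merge patch above only helps until the operator next rewrites the object; the annotation has to come from the operator's own generation code for the fix to stick.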
