make some configurable and add validation and document

Signed-off-by: Wei Weng <Wei.Weng@microsoft.com>

Author: Wei Weng

charts/hub-agent/README.md

@@ -24,7 +24,7 @@ helm install cert-manager jetstack/cert-manager \
   --set crds.enabled=true
 
 # Then install hub-agent with cert-manager enabled
-helm install hub-agent ./charts/hub-agent --set useCertManager=true
+helm install hub-agent ./charts/hub-agent --set useCertManager=true --set enableWorkload=true --set enableWebhook=true
 ```
 
 This configures cert-manager to manage webhook certificates.
@@ -58,7 +58,9 @@ _See [helm install](https://helm.sh/docs/helm/helm_install/) for command documen
 | `webhookServiceName`                      | Webhook service name                                                                       | `fleetwebhook`                                   |
 | `enableGuardRail`                         | Enable guard rail webhook configurations                                                   | `true`                                           |
 | `webhookClientConnectionType`             | Connection type for webhook client (service or url)                                        | `service`                                        |
-| `useCertManager`                          | Use cert-manager for webhook certificate management                                        | `false`                                          |
+| `useCertManager`                          | Use cert-manager for webhook certificate management (requires `enableWebhook=true` and `enableWorkload=true`) | `false`                                          |
+| `webhookCertDir`                          | Directory where webhook certificates are stored/mounted                                    | `/tmp/k8s-webhook-server/serving-certs`          |
+| `webhookCertSecretName`                   | Name of the Secret containing webhook certificates                                         | `fleet-webhook-server-cert`                      |
 | `enableV1Beta1APIs`                       | Watch for v1beta1 APIs                                                                     | `true`                                           |
 | `hubAPIQPS`                               | QPS for fleet-apiserver (not including events/node heartbeat)                              | `250`                                            |
 | `hubAPIBurst`                             | Burst for fleet-apiserver (not including events/node heartbeat)                            | `1000`                                           |
@@ -85,6 +87,8 @@ By default, the hub-agent generates certificates automatically at startup. This
 
 When `useCertManager=true`, certificates are managed by cert-manager. This mode:
 - Requires cert-manager to be installed as a prerequisite
+- Requires `enableWorkload=true` to allow cert-manager pods to run in the hub cluster (without this, pod creation would be blocked by the webhook)
+- Requires `enableWebhook=true` because cert-manager is only used for webhook certificate management
 - Handles certificate rotation automatically (90-day certificates)
 - Follows industry-standard certificate management practices
 - Suitable for production environments
@@ -101,5 +105,26 @@ helm install cert-manager jetstack/cert-manager \
   --set crds.enabled=true
 
 # Then install hub-agent with cert-manager enabled
-helm install hub-agent ./charts/hub-agent --set useCertManager=true
+helm install hub-agent ./charts/hub-agent --set useCertManager=true --set enableWorkload=true --set enableWebhook=true
+```
+
+### Certificate Directory Configuration
+
+The `webhookCertDir` parameter allows you to customize where webhook certificates are stored:
+- Default: `/tmp/k8s-webhook-server/serving-certs`
+- Must match the volumeMount path when using cert-manager
+- Configurable via both Helm values and `--webhook-cert-dir` flag
+
+The `webhookCertSecretName` parameter allows you to customize the Secret name for webhook certificates:
+- Default: `fleet-webhook-server-cert`
+- When using cert-manager, this must match the Certificate resource's secretName
+- Configurable via both Helm values and `--webhook-cert-secret-name` flag
+
+Example with custom certificate directory and secret name:
+```console
+helm install hub-agent ./charts/hub-agent \
+  --set useCertManager=true \
+  --set enableWorkload=true \
+  --set webhookCertDir=/custom/cert/path \
+  --set webhookCertSecretName=my-webhook-cert
 ```

charts/hub-agent/templates/certificate.yaml

@@ -3,13 +3,13 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: fleet-webhook-server-cert
+  name: {{ .Values.webhookCertSecretName }}
   namespace: {{ .Values.namespace }}
   labels:
     {{- include "hub-agent.labels" . | nindent 4 }}
 spec:
   # Secret name where cert-manager will store the certificate
-  secretName: fleet-webhook-server-cert
+  secretName: {{ .Values.webhookCertSecretName }}
 
   # Certificate duration (90 days is cert-manager's default and recommended)
   duration: 2160h # 90 days

charts/hub-agent/templates/deployment.yaml

@@ -30,6 +30,8 @@ spec:
             - --enable-guard-rail={{ .Values.enableGuardRail }}
             - --enable-workload={{ .Values.enableWorkload }}
             - --use-cert-manager={{ .Values.useCertManager }}
+            - --webhook-cert-dir={{ .Values.webhookCertDir }}
+            - --webhook-cert-secret-name={{ .Values.webhookCertSecretName }}
             - --whitelisted-users=system:serviceaccount:fleet-system:hub-agent-sa
             - --webhook-client-connection-type={{.Values.webhookClientConnectionType}}
             - --v={{ .Values.logVerbosity }}
@@ -81,14 +83,16 @@ spec:
           {{- if .Values.useCertManager }}
           volumeMounts:
           - name: webhook-cert
-            mountPath: /tmp/k8s-webhook-server/serving-certs
+            mountPath: {{ .Values.webhookCertDir }}
             readOnly: true
           {{- end }}
       {{- if .Values.useCertManager }}
       volumes:
       - name: webhook-cert
         secret:
-          secretName: fleet-webhook-server-cert
+          secretName: {{ .Values.webhookCertSecretName }}
+          # defaultMode 0400 (read-only for owner) prevents unauthorized access to certificate files
+          # and reduces attack surface by ensuring only the container process can read the certs
           defaultMode: 0400
       {{- end }}
       {{- with .Values.affinity }}

charts/hub-agent/values.yaml

@@ -21,6 +21,12 @@ enableWorkload: false
 # When enabled, cert-manager will be installed as a dependency
 # and a Certificate resource will be created
 useCertManager: false
+# webhookCertDir is the directory where webhook certificates are mounted
+# This is configurable via --webhook-cert-dir flag and must match the volumeMount path in deployment
+webhookCertDir: /tmp/k8s-webhook-server/serving-certs
+# webhookCertSecretName is the name of the Secret containing webhook certificates
+# When using cert-manager, this must match the Certificate resource's secretName
+webhookCertSecretName: fleet-webhook-server-cert
 
 forceDeleteWaitTime: 15m0s
 clusterUnhealthyThreshold: 3m0s

cmd/hubagent/main.go

@@ -65,8 +65,7 @@ var (
 )
 
 const (
-	FleetWebhookCertDir = "/tmp/k8s-webhook-server/serving-certs"
-	FleetWebhookPort    = 9443
+	FleetWebhookPort = 9443
 )
 
 func init() {
@@ -121,7 +120,7 @@ func main() {
 		},
 		WebhookServer: ctrlwebhook.NewServer(ctrlwebhook.Options{
 			Port:    FleetWebhookPort,
-			CertDir: FleetWebhookCertDir,
+			CertDir: opts.WebhookCertDir,
 		}),
 	}
 	if opts.EnablePprof {
@@ -159,7 +158,7 @@ func main() {
 	if opts.EnableWebhook {
 		whiteListedUsers := strings.Split(opts.WhiteListedUsers, ",")
 		if err := SetupWebhook(mgr, options.WebhookClientConnectionType(opts.WebhookClientConnectionType), opts.WebhookServiceName, whiteListedUsers,
-			opts.EnableGuardRail, opts.EnableV1Beta1APIs, opts.DenyModifyMemberClusterLabels, opts.EnableWorkload, opts.NetworkingAgentsEnabled, opts.UseCertManager); err != nil {
+			opts.EnableGuardRail, opts.EnableV1Beta1APIs, opts.DenyModifyMemberClusterLabels, opts.EnableWorkload, opts.NetworkingAgentsEnabled, opts.UseCertManager, opts.WebhookCertDir, opts.WebhookCertSecretName); err != nil {
 			klog.ErrorS(err, "unable to set up webhook")
 			exitWithErrorFunc()
 		}
@@ -202,9 +201,9 @@ func main() {
 
 // SetupWebhook generates the webhook cert and then set up the webhook configurator.
 func SetupWebhook(mgr manager.Manager, webhookClientConnectionType options.WebhookClientConnectionType, webhookServiceName string,
-	whiteListedUsers []string, enableGuardRail, isFleetV1Beta1API bool, denyModifyMemberClusterLabels bool, enableWorkload bool, networkingAgentsEnabled bool, useCertManager bool) error {
-	// Generate self-signed key and crt files in FleetWebhookCertDir for the webhook server to start.
-	w, err := webhook.NewWebhookConfig(mgr, webhookServiceName, FleetWebhookPort, &webhookClientConnectionType, FleetWebhookCertDir, enableGuardRail, denyModifyMemberClusterLabels, enableWorkload, useCertManager)
+	whiteListedUsers []string, enableGuardRail, isFleetV1Beta1API bool, denyModifyMemberClusterLabels bool, enableWorkload bool, networkingAgentsEnabled bool, useCertManager bool, webhookCertDir string, webhookCertSecretName string) error {
+	// Generate self-signed key and crt files in webhookCertDir for the webhook server to start.
+	w, err := webhook.NewWebhookConfig(mgr, webhookServiceName, FleetWebhookPort, &webhookClientConnectionType, webhookCertDir, enableGuardRail, denyModifyMemberClusterLabels, enableWorkload, useCertManager, webhookCertSecretName)
 	if err != nil {
 		klog.ErrorS(err, "fail to generate WebhookConfig")
 		return err

cmd/hubagent/options/options.go

@@ -113,6 +113,12 @@ type Options struct {
 	// UseCertManager indicates whether to use cert-manager for webhook certificate management.
 	// When enabled, webhook certificates are managed by cert-manager instead of self-signed generation.
 	UseCertManager bool
+	// WebhookCertDir is the directory where webhook certificates are stored/mounted.
+	// This must match the mountPath in the Helm chart deployment when using cert-manager.
+	WebhookCertDir string
+	// WebhookCertSecretName is the name of the Secret containing webhook certificates.
+	// When using cert-manager, this is the Secret name created by the Certificate resource.
+	WebhookCertSecretName string
 	// ResourceSnapshotCreationMinimumInterval is the minimum interval at which resource snapshots could be created.
 	// Whether the resource snapshot is created or not depends on the both ResourceSnapshotCreationMinimumInterval and ResourceChangesCollectionDuration.
 	ResourceSnapshotCreationMinimumInterval time.Duration
@@ -189,6 +195,8 @@ func (o *Options) AddFlags(flags *flag.FlagSet) {
 	flags.BoolVar(&o.DenyModifyMemberClusterLabels, "deny-modify-member-cluster-labels", false, "If set, users not in the system:masters cannot modify member cluster labels.")
 	flags.BoolVar(&o.EnableWorkload, "enable-workload", false, "If set, workloads (pods and replicasets) can be created in the hub cluster. This disables the pod and replicaset validating webhooks.")
 	flags.BoolVar(&o.UseCertManager, "use-cert-manager", false, "If set, cert-manager will be used for webhook certificate management instead of self-signed certificates.")
+	flags.StringVar(&o.WebhookCertDir, "webhook-cert-dir", "/tmp/k8s-webhook-server/serving-certs", "The directory where webhook certificates are stored. Must match the volumeMount path in deployment when using cert-manager.")
+	flags.StringVar(&o.WebhookCertSecretName, "webhook-cert-secret-name", "fleet-webhook-server-cert", "The name of the Secret containing webhook certificates. Must match the secretName in deployment and Certificate resource when using cert-manager.")
 	flags.DurationVar(&o.ResourceSnapshotCreationMinimumInterval, "resource-snapshot-creation-minimum-interval", 30*time.Second, "The minimum interval at which resource snapshots could be created.")
 	flags.DurationVar(&o.ResourceChangesCollectionDuration, "resource-changes-collection-duration", 15*time.Second,
 		"The duration for collecting resource changes into one snapshot. The default is 15 seconds, which means that the controller will collect resource changes for 15 seconds before creating a resource snapshot.")

cmd/hubagent/options/validation.go

@@ -52,6 +52,14 @@ func (o *Options) Validate() field.ErrorList {
 		errs = append(errs, field.Invalid(newPath.Child("WebhookServiceName"), o.WebhookServiceName, "Webhook service name is required when webhook is enabled"))
 	}
 
+	if o.UseCertManager && !o.EnableWebhook {
+		errs = append(errs, field.Invalid(newPath.Child("UseCertManager"), o.UseCertManager, "UseCertManager requires EnableWebhook to be true (cert-manager is only used for webhook certificate management)"))
+	}
+
+	if o.UseCertManager && !o.EnableWorkload {
+		errs = append(errs, field.Invalid(newPath.Child("UseCertManager"), o.UseCertManager, "UseCertManager requires EnableWorkload to be true (cert-manager pods need to run in the hub cluster)"))
+	}
+
 	connectionType := o.WebhookClientConnectionType
 	if _, err := parseWebhookClientConnectionString(connectionType); err != nil {
 		errs = append(errs, field.Invalid(newPath.Child("WebhookClientConnectionType"), o.WebhookClientConnectionType, err.Error()))

cmd/hubagent/options/validation_test.go

@@ -27,6 +27,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
+const (
+	testWebhookServiceName = "test-webhook"
+)
+
 // a callback function to modify options
 type ModifyOptions func(option *Options)
 
@@ -93,6 +97,42 @@ func TestValidateControllerManagerConfiguration(t *testing.T) {
 			}),
 			want: field.ErrorList{field.Invalid(newPath.Child("WebhookServiceName"), "", "Webhook service name is required when webhook is enabled")},
 		},
+		"UseCertManager without EnableWebhook": {
+			opt: newTestOptions(func(option *Options) {
+				option.EnableWebhook = false
+				option.UseCertManager = true
+			}),
+			want: field.ErrorList{
+				field.Invalid(newPath.Child("UseCertManager"), true, "UseCertManager requires EnableWebhook to be true (cert-manager is only used for webhook certificate management)"),
+				field.Invalid(newPath.Child("UseCertManager"), true, "UseCertManager requires EnableWorkload to be true (cert-manager pods need to run in the hub cluster)"),
+			},
+		},
+		"UseCertManager with EnableWebhook": {
+			opt: newTestOptions(func(option *Options) {
+				option.EnableWebhook = true
+				option.WebhookServiceName = testWebhookServiceName
+				option.UseCertManager = true
+			}),
+			want: field.ErrorList{field.Invalid(newPath.Child("UseCertManager"), true, "UseCertManager requires EnableWorkload to be true (cert-manager pods need to run in the hub cluster)")},
+		},
+		"UseCertManager without EnableWorkload": {
+			opt: newTestOptions(func(option *Options) {
+				option.EnableWebhook = true
+				option.WebhookServiceName = testWebhookServiceName
+				option.UseCertManager = true
+				option.EnableWorkload = false
+			}),
+			want: field.ErrorList{field.Invalid(newPath.Child("UseCertManager"), true, "UseCertManager requires EnableWorkload to be true (cert-manager pods need to run in the hub cluster)")},
+		},
+		"UseCertManager with EnableWebhook and EnableWorkload": {
+			opt: newTestOptions(func(option *Options) {
+				option.EnableWebhook = true
+				option.WebhookServiceName = testWebhookServiceName
+				option.UseCertManager = true
+				option.EnableWorkload = true
+			}),
+			want: field.ErrorList{},
+		},
 	}
 
 	for name, tc := range testCases {

pkg/webhook/webhook.go

@@ -165,9 +165,11 @@ type Config struct {
 	enableWorkload                bool
 	// useCertManager indicates whether cert-manager is used for certificate management
 	useCertManager bool
+	// webhookCertSecretName is the name of the Secret containing webhook certificates
+	webhookCertSecretName string
 }
 
-func NewWebhookConfig(mgr manager.Manager, webhookServiceName string, port int32, clientConnectionType *options.WebhookClientConnectionType, certDir string, enableGuardRail bool, denyModifyMemberClusterLabels bool, enableWorkload bool, useCertManager bool) (*Config, error) {
+func NewWebhookConfig(mgr manager.Manager, webhookServiceName string, port int32, clientConnectionType *options.WebhookClientConnectionType, certDir string, enableGuardRail bool, denyModifyMemberClusterLabels bool, enableWorkload bool, useCertManager bool, webhookCertSecretName string) (*Config, error) {
 	// We assume the Pod namespace should be passed to env through downward API in the Pod spec.
 	namespace := os.Getenv("POD_NAMESPACE")
 	if namespace == "" {
@@ -184,6 +186,7 @@ func NewWebhookConfig(mgr manager.Manager, webhookServiceName string, port int32
 		denyModifyMemberClusterLabels: denyModifyMemberClusterLabels,
 		enableWorkload:                enableWorkload,
 		useCertManager:                useCertManager,
+		webhookCertSecretName:         webhookCertSecretName,
 	}
 
 	var caPEM []byte
@@ -238,7 +241,7 @@ func (w *Config) createMutatingWebhookConfiguration(ctx context.Context, webhook
 	annotations := map[string]string{}
 	if w.useCertManager {
 		// Tell cert-manager's CA injector to automatically inject the CA bundle
-		annotations["cert-manager.io/inject-ca-from"] = fmt.Sprintf("%s/%s", w.serviceNamespace, fleetWebhookCertSecretName)
+		annotations["cert-manager.io/inject-ca-from"] = fmt.Sprintf("%s/%s", w.serviceNamespace, w.webhookCertSecretName)
 	}
 
 	mutatingWebhookConfig := admv1.MutatingWebhookConfiguration{
@@ -298,7 +301,7 @@ func (w *Config) createValidatingWebhookConfiguration(ctx context.Context, webho
 	annotations := map[string]string{}
 	if w.useCertManager {
 		// Tell cert-manager's CA injector to automatically inject the CA bundle
-		annotations["cert-manager.io/inject-ca-from"] = fmt.Sprintf("%s/%s", w.serviceNamespace, fleetWebhookCertSecretName)
+		annotations["cert-manager.io/inject-ca-from"] = fmt.Sprintf("%s/%s", w.serviceNamespace, w.webhookCertSecretName)
 	}
 
 	validatingWebhookConfig := admv1.ValidatingWebhookConfiguration{

pkg/webhook/webhook_test.go

@@ -194,7 +194,7 @@ func TestNewWebhookConfig(t *testing.T) {
 				setupMockCertManagerFiles(t, tt.certDir)
 			}
 
-			got, err := NewWebhookConfig(tt.mgr, tt.webhookServiceName, tt.port, tt.clientConnectionType, tt.certDir, tt.enableGuardRail, tt.denyModifyMemberClusterLabels, tt.enableWorkload, tt.useCertManager)
+			got, err := NewWebhookConfig(tt.mgr, tt.webhookServiceName, tt.port, tt.clientConnectionType, tt.certDir, tt.enableGuardRail, tt.denyModifyMemberClusterLabels, tt.enableWorkload, tt.useCertManager, "fleet-webhook-server-cert")
 			if (err != nil) != tt.wantErr {
 				t.Errorf("NewWebhookConfig() error = %v, wantErr %v", err, tt.wantErr)
 				return
@@ -269,7 +269,7 @@ func TestNewWebhookConfig_CertManagerNotMounted(t *testing.T) {
 	dir := t.TempDir()
 	// Don't create any certificate files to simulate cert-manager not ready
 
-	_, err := NewWebhookConfig(nil, "test-webhook", 8080, nil, dir, true, true, false, true)
+	_, err := NewWebhookConfig(nil, "test-webhook", 8080, nil, dir, true, true, false, true, "fleet-webhook-server-cert")
 	if err == nil {
 		t.Error("Expected error when cert-manager certificates not mounted")
 	}
@@ -291,10 +291,11 @@ func TestNewWebhookConfig_SelfSignedCertError(t *testing.T) {
 		443,
 		&clientConnectionType,
 		invalidCertDir,
-		false, // enableGuardRail
-		false, // denyModifyMemberClusterLabels
-		false, // enableWorkload
-		false, // useCertManager = false to trigger self-signed path
+		false,                       // enableGuardRail
+		false,                       // denyModifyMemberClusterLabels
+		false,                       // enableWorkload
+		false,                       // useCertManager = false to trigger self-signed path
+		"fleet-webhook-server-cert", // webhookCertSecretName
 	)
 
 	if err == nil {