Create self-signed certificates by default when webhook is enabled (#186)

Author: orishavit

Diff for: src/mapper/cmd/main.go

@@ -93,32 +93,6 @@ func main() {
 		os.Exit(1)
 	}
 
-	if viper.GetBool(config.CreateWebhookCertificateKey) {
-		// create webhook server certificate
-		logrus.Infoln("Creating self signing certs")
-		podNamespace, err := kubeutils.GetCurrentNamespace()
-
-		if err != nil {
-			logrus.WithError(err).Panic("unable to get pod namespace")
-		}
-
-		certBundle, err :=
-			operatorwebhooks.GenerateSelfSignedCertificate("otterize-network-mapper-webhook-service", podNamespace)
-		if err != nil {
-			logrus.WithError(err).Panic("unable to create self signed certs for webhook")
-		}
-		err = operatorwebhooks.WriteCertToFiles(certBundle)
-		if err != nil {
-			logrus.WithError(err).Panic("failed writing certs to file system")
-		}
-
-		err = operatorwebhooks.UpdateMutationWebHookCA(context.Background(),
-			"otterize-aws-visibility-mutating-webhook-configuration", certBundle.CertPem)
-		if err != nil {
-			logrus.WithError(err).Panic("updating validation webhook certificate failed")
-		}
-	}
-
 	errgrp.Go(func() error {
 		defer errorreporter.AutoNotify()
 
@@ -162,7 +136,9 @@ func main() {
 	defer cancelFn()
 	mgr.GetCache().WaitForCacheSync(initCtx) // needed to let the manager initialize before used in intentsHolder
 
-	if viper.GetBool(config.EnableAWSVisibilityKeyWebHook) {
+	if viper.GetBool(config.EnableAWSVisibilityWebHookKey) {
+		logrus.Infoln("Registering AWS visibility mutating webhook")
+
 		webhookHandler, err := pod_webhook.NewInjectDNSConfigToPodWebhook(
 			mgr.GetClient(),
 			admission.NewDecoder(mgr.GetScheme()),
@@ -178,6 +154,32 @@ func main() {
 				Handler: webhookHandler,
 			},
 		)
+
+		if viper.GetBool(config.CreateWebhookCertificateKey) {
+			// create webhook server certificate
+			logrus.Infoln("Creating self signing certs for webhook")
+			podNamespace, err := kubeutils.GetCurrentNamespace()
+
+			if err != nil {
+				logrus.WithError(err).Panic("unable to get pod namespace")
+			}
+
+			certBundle, err :=
+				operatorwebhooks.GenerateSelfSignedCertificate("otterize-network-mapper-webhook-service", podNamespace)
+			if err != nil {
+				logrus.WithError(err).Panic("unable to create self signed certs for webhook")
+			}
+			err = operatorwebhooks.WriteCertToFiles(certBundle)
+			if err != nil {
+				logrus.WithError(err).Panic("failed writing certs to file system")
+			}
+
+			err = operatorwebhooks.UpdateMutationWebHookCA(context.Background(),
+				"otterize-aws-visibility-mutating-webhook-configuration", certBundle.CertPem)
+			if err != nil {
+				logrus.WithError(err).Panic("updating validation webhook certificate failed")
+			}
+		}
 	}
 
 	intentsHolder := intentsstore.NewIntentsHolder()

Diff for: src/mapper/pkg/config/config.go

@@ -24,9 +24,9 @@ const (
 	ExternalTrafficCaptureEnabledKey     = "capture-external-traffic-enabled"
 	ExternalTrafficCaptureEnabledDefault = false
 	CreateWebhookCertificateKey          = "create-webhook-certificate"
-	CreateWebhookCertificateDefault      = false
-	EnableAWSVisibilityKeyWebHook        = "enable-aws-visibility-webhook"
-	EnableAWSVisibilityDefaultWebHook    = false
+	CreateWebhookCertificateDefault      = true
+	EnableAWSVisibilityWebHookKey        = "enable-aws-visibility-webhook"
+	EnableAWSVisibilityWebHookDefault    = false
 )
 
 var excludedNamespaces *goset.Set[string]
@@ -45,6 +45,6 @@ func init() {
 	viper.SetDefault(OTelMetricKey, OTelMetricDefault)
 	viper.SetDefault(ExternalTrafficCaptureEnabledKey, ExternalTrafficCaptureEnabledDefault)
 	viper.SetDefault(CreateWebhookCertificateKey, CreateWebhookCertificateDefault)
-	viper.SetDefault(EnableAWSVisibilityKeyWebHook, EnableAWSVisibilityDefaultWebHook)
+	viper.SetDefault(EnableAWSVisibilityWebHookKey, EnableAWSVisibilityWebHookDefault)
 	excludedNamespaces = goset.FromSlice(viper.GetStringSlice(ExcludedNamespacesKey))
 }