Description
Background
Proxy auto-inject is done by a mutating webhook and it is likely that Linkerd will add more webhooks in the future (for example, a validating webhook for service profile validation). The configuration and initialization of these webhooks is complicated because of the way that TLS credentials are distributed.
When the webhook is created, the webhook container posts a MutatingWebhookConfiguration object to the Kubernetes API. The Linkerd CA notices this, creates TLS credentials for the webhook service and distributes them to the webhook as a secret. The webhook then waits until the secret is mounted and uses the given credentials to serve over TLS.
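The last step of that flow, the webhook picking up the distributed secret, is where a bad credential surfaces as an opaque TLS failure from the API server. Below is an added example (not Linkerd's code) of the check a webhook can run once the secret is mounted: that the cert/key pair matches, chains to the CA bundle the API server trusts and covers the webhook service's DNS name. The CA, leaf and the service name `example-webhook.linkerd.svc` are constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue builds a throwaway CA and a leaf cert for dnsName, standing in for the
// credentials the Linkerd CA writes into the webhook secret (constructed fixture).
func issue(dnsName string) (certPEM, keyPEM, caPEM []byte) {
	must := func(b []byte, err error) []byte { if err != nil { panic(err) }; return b }
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{dnsName},
		NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, &leafKey.PublicKey, caKey))
	keyDER := must(x509.MarshalECPrivateKey(leafKey))
	pemOf := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return pemOf("CERTIFICATE", leafDER), pemOf("EC PRIVATE KEY", keyDER), pemOf("CERTIFICATE", caDER)
}

// checkCreds is the check a webhook should run once its secret is mounted, before
// serving TLS: the pair must parse, chain to the CA bundle the API server trusts
// (the caBundle in the MutatingWebhookConfiguration) and cover the service's DNS name.
func checkCreds(certPEM, keyPEM, caPEM []byte, dnsName string) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return fmt.Errorf("secret cert/key are not a valid pair: %w", err)
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // already parsed by X509KeyPair
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("caBundle contains no parseable certificates")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName}) // default usage: ServerAuth
	return err
}
```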
Problem
This approach is complex and difficult to follow. We would like the webhook to be able to serve TLS without all of this credential management. Ideally:
- There would be little to no special case code in the CA for handling webhooks
- There would be little to no code in the webhook for managing certificates