BTP Manager maintains two Secrets, ca-server-cert and webhook-server-cert. They are used for communication within BTP Operator webhooks and for the creation of resources like ServiceInstances and ServiceBindings. The reconciliation mechanism syncs the two Secrets and their CA Bundles, which means that whenever the user manually changes them, they are automatically regenerated.
BTP Manager maintains the resources by creating, deleting, and updating them during the reconciliation. The goal is to keep ca-server-cert, webhook-server-cert, and the webhooks' CA Bundles in sync all the time. The reconciliation also checks the certificates’ expiration dates, and if it detects that a certificate expires soon, it regenerates it in advance so that the processes run smoothly.
- Certification reconciliation is triggered by one of the three events: scheduled reconciliation, editing BtpOperator custom resource (CR), or using custom watchers founded on Secret and Webhook resources.
- During provisioning, BTP Manager checks if a self-signed CA certificate,
ca-server-cert, exists. If it doesn't exist:
a. BTP Manager generates the certificate.
b. Based on that, the application creates a signed certificate,webhook-server-cert, which is mounted under the deployment.
c. The webhooks have a CA Bundle field set to the content ofca-server-cert, and BTP Manager manages this field; the process of certificates' reconciliation is complete. - If the
ca-server-certSecret exists, BTP Manager checks if thewebhook-server-certSecret exists. If not, it is created as described in step 2b, and then step 2c follows. The process of certificates' reconciliation is complete. - The webhooks have a CA Bundle field set to the content of the
ca-server-certSecret, and BTP Manager manages this field. Ifwebhook-server-certexists, BTP Manager checks if the current webhook CA Bundle is the same as theca-server-certSecret. If it is different, BTP Manager recreatesca-server-certas described in step 2a. Then the procedure progresses as described in steps 2b and 2c until the process of certificates' reconciliation is complete. - If the current webhook CA Bundle is the same as the
ca-server-certSecret, BTP Manager checks ifwebhook-server-certis signed byca-server-cert. If not signed, BTP Manager recreatesca-server-certas described in step 2a. Then the procedure progresses as described in steps 2b and 2c until the process of certificates' reconciliation is complete. - The scheduled reconciliation checks the expiration date of
ca-server-cert. If it detects that the certificate expires soon, it regeneratesca-server-certas described in point 2a. Then the procedure progresses as described in steps 2b and 2c until the process of certificates' reconciliation is complete. - If
ca-server-certis still valid, the scheduled reconciliation checks the expiration date ofwebhook-server-cert. If it detects that the certificate expires soon, it recreates thewebhook-server-certSecret. The process continues as described in points 2b and 2c. - The process of certificates' reconciliation is complete.