What steps did you take and what happened:
I updated the Helm chart to create the K8s resources that are associated with using cert-manager. I did this by adding the manifest files for these cert-manager-specific resources into the templates directory.
In the values.yaml file I then set the instruction to use externalCertInjection by setting enabled to true and then secretName to the name of the new cert-manager-produced secret that will be used to store the TLS credentials.
I also noticed that the default secretName that comes with the Gatekeeper Helm chart installation is hard-coded into both the audit and the controller manager manifest files. The name of that default secret is gatekeeper-webhook-server-cert. It does not use the value from the values.yaml file.
During the installation of Gatekeeper when running helm install, the new cert-manager-specific TLS secret is created, but the webhook still references the default secret, gatekeeper-webhook-server-cert. This causes a conflict, and the Gatekeeper system never fully loads because the controller manager pod is stuck in a CrashLoopBackOff state.
What did you expect to happen:
I expected the entire Gatekeeper system to use the new TLS secret that is generated by cert-manager, as I performed a string search and replace of the default TLS secret name with the new one. But when you look at the logs of the controller manager pod, it is still referencing the default TLS secret name.
Anything else you would like to add:
I believe that somehow this issue is hard-coded into the Go code. Here is the error from the controller manager logs:
{ "level":"error", "ts":1734477865.0671961, "logger":"cert-rotation", "msg":"could not refresh cert on startup", "error":"acquiring secret to update certificates: Secret \"gatekeeper-webhook-server-cert\" not found", "errorVerbose":"Secret \"gatekeeper-webhook-server-cert\" not found\nacquiring secret to update certificates\ngithub.com/open-policy-agent/cert-controller/pkg/rotator.(*CertRotator).refreshCertIfNeeded.func1\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go:317\nk8s.io/apimachinery/pkg/util/wait.runConditionWithCrashProtection\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:145\nk8s.io/apimachinery/pkg/util/wait.ExponentialBackoff\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/k8s.io/apimachinery/pkg/util/wait/backoff.go:461\ngithub.com/open-policy-agent/cert-controller/pkg/rotator.(*CertRotator).refreshCertIfNeeded\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go:350\ngithub.com/open-policy-agent/cert-controller/pkg/rotator.(*CertRotator).Start\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go:278\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go:226\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1700","stacktrace":"github.com/open-policy-agent/cert-controller/pkg/rotator.(*CertRotator).Start\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/github.com/open-policy-agent/cert-controller/pkg/rotator/rotator.go:279\nsigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go:226" }
Environment:
kubectl version: v1.27.15
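A pre-install check for the mismatch described in this report, added here as an example and not code from Gatekeeper or its chart: it scans rendered manifests (for instance the output of helm template) for every secretName and reports the references that do not match the externalCertInjection.secretName you configured. The Deployment text and the secret name gatekeeper-cert-manager-tls are constructed for the example.

```python
import re

# Constructed sample of what `helm template` could render for the two
# Gatekeeper Deployments (not the real chart output): one mounts the
# cert-manager secret, the other still mounts the default name.
SAMPLE_MANIFESTS = """\
kind: Deployment
metadata:
  name: gatekeeper-controller-manager
spec:
  template:
    spec:
      volumes:
      - name: cert
        secret:
          secretName: gatekeeper-webhook-server-cert
---
kind: Deployment
metadata:
  name: gatekeeper-audit
spec:
  template:
    spec:
      volumes:
      - name: cert
        secret:
          secretName: gatekeeper-cert-manager-tls
"""

# Name the chart ships with, as quoted in the controller-manager log above.
DEFAULT_SECRET = "gatekeeper-webhook-server-cert"


def find_secret_refs(manifests):
    """Return (kind, name, secretName) for every secretName in the rendered YAML."""
    refs = []
    for doc in re.split(r"^---\s*$", manifests, flags=re.MULTILINE):
        kind = re.search(r"^kind:\s*(\S+)", doc, re.MULTILINE)
        name = re.search(r"^metadata:\n\s+name:\s*(\S+)", doc, re.MULTILINE)
        if not kind:
            continue  # empty chunk or a document with no kind
        for m in re.finditer(r"^\s*secretName:\s*(\S+)", doc, re.MULTILINE):
            refs.append((kind.group(1), name.group(1) if name else "?", m.group(1)))
    return refs


def mismatched_refs(manifests, expected_secret):
    """References that still point somewhere other than the cert-manager secret."""
    return [r for r in find_secret_refs(manifests) if r[2] != expected_secret]
```

Run it over real chart output with `mismatched_refs(open("rendered.yaml").read(), "<your secretName>")`; any result means a workload will mount a secret other than the one cert-manager issued.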