Expand Up @@ -27,7 +27,7 @@

## Defaults provided by ECK [k8s-webhook-defaults]

When using the default `operator.yaml` manifest, ECK is installed with a `ValidatingWebhookConfiguration` configured as follows:
When installing ECK using the [`operator.yaml` manifest](install-using-yaml-manifest-quickstart.md) or the [Helm chart](install-using-helm-chart.md) with default settings, ECK is installed with a `ValidatingWebhookConfiguration` configured as follows:

* Validate all known Elastic custom resources ({{eck_resources_list}}) on create and update.
* The operator itself is the webhook server — which is exposed through a service named `elastic-webhook-server` in the `elastic-system` namespace.
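Review bot: in the reworded opening sentence, "with default settings" can be read as applying only to the Helm chart, and "When installing ECK ... ECK is installed" repeats itself. Suggest something like "When you install ECK with the unmodified `operator.yaml` manifest or with the Helm chart's default values, a `ValidatingWebhookConfiguration` is created and configured as follows:", so it is clear that an edited manifest or values file may not produce the configuration listed here.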
Expand All @@ -45,13 +45,16 @@

| Configuration option | Default value | Description |
| --- | --- | --- |
| `enable-webhook` | false | This must be set to `true` to enable the webhook server. |
| `enable-webhook` | false | Set to `true` to enable the webhook server. |
| `manage-webhook-certs` | true | Set to `false` to disable auto-generating the certificate for the webhook. If disabled, you must provide your own certificates using one of the methods described later in this document. |

Check notice on line 49 in deploy-manage/deploy/cloud-on-k8s/configure-validating-webhook.md

GitHub Actions / build / vale

Elastic.WordChoice: Consider using 'deactivated, deselected, hidden, turned off, unavailable' instead of 'disabled', unless the term is in the UI.

Check notice on line 49 in deploy-manage/deploy/cloud-on-k8s/configure-validating-webhook.md

GitHub Actions / build / vale

Elastic.WordChoice: Consider using 'deactivate, deselect, hide, turn off' instead of 'disable', unless the term is in the UI.
| `webhook-cert-dir` | /tmp/k8s-webhook-server/serving-certs | Path to mount the certificate. |
| `webhook-name` | elastic-webhook.k8s.elastic.co | Name of the `ValidatingWebhookConfiguration` resource. |
| `webhook-secret` | elastic-webhook-server-cert | Name of the secret containing the certificate for the webhook server. |
| `webhook-port` | 9443 | Port to listen for incoming validation requests. |

:::::{note}
Although the `enable-webhook` flag default is `false`, the default ECK installation manifests and Helm chart set it to `true`.
Member

can we remove "default" later in this sentence? we might rephrase to say "if you're editing x y z / installed using x y z methods, the setting is already present and set to true"

I think a thing that makes this confusing is we call this manual configuration but likely it's being applied in a layer over one of these defaults. we also say "If you installed ECK without the webhook" but what is the context that makes this possible?

consider putting this default mismatch info directly in the description rather than as a note below the table

Contributor Author

"If you installed ECK without the webhook" but what is the context that makes this possible?

You can install ECK without the webhook by tweaking the operator.yaml manifest file before installing through a manifest, or by tweaking the values.yaml before installing the helm chart. When doing that, you can decide to either "remove the webhook setting" (it would then default to false :) ), or set it to false explicitly.

I think it's a good practice when installing a production system to decide what exact configuration you want and not just deploy the quickstart or the default provided file, and some users could have installed ECK without the webhook.

Anyway, this PR aims to solve a possible confusion due to the fact that we provide default config files enabling the webhook but internally the code has a default value of disabling it. That can generate a bit of confusion when reading both sentences.

We can rephrase it to something like:

Although the enable-webhook flag of the operator defaults to false when not provided, the standard ECK installation manifests and Helm chart set it to true explicitly.

But please suggest whatever you think is better :)

What I want to ensure is that people don't get confused when reading these two sentences:

  • The webhook is installed by default (through our manifests)
  • enable-webhook default value is false

Oh, and if you believe we can remove the note completely because the other minor change we did already avoids the possible confusion then I'm totally ok with it too ;)

Member

that rephrase looks better to me.

:::::

### Using your own certificates [k8s-webhook-existing-certs]
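Review bot: the note added after the options table uses "default" in two senses in one sentence (the flag's built-in default and the "default ECK installation manifests"), which is the same ambiguity the change sets out to remove. Suggest naming the source of each value, for example "defaults to `false` when not set" against "the provided `operator.yaml` manifest and Helm chart set it to `true`", and consider carrying this in the `enable-webhook` row's Description cell, because a reader who scans only the Default value column still sees `false` and may conclude that a standard install runs without admission validation of Elastic custom resources.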
