webhook-certificate-generator

module v0.1.1

Published: Sep 5, 2019 License: Apache-2.0

README

Webhook Certificate Generator

Uses the Kubernetes CSR API to create a Secret containing a private key and signed certificate. This tool is intended to be deployed alongside a Mutating/Validating Webhook Admission Controller. Since these admission controllers need certificates issued by a CA the API server trusts, this tool has them signed by the Kubernetes cluster CA and can then patch the webhook definition appropriately.

Usage

When creating a service foo in the namespace bar, the following will generate a CSR and place the Certificate and Private key in a secret called foo-certs:

wcg --service-name=foo --namespace=bar --secret-name=foo-certs

This generates a CSR with the name foo.bar (servicename.namespace) in the K8s API and waits for its approval.

Once the CSR is approved, wcg waits for the certificate to be signed and then creates a secret foo-certs with the following format:

apiVersion: v1
kind: Secret
metadata:
  name: foo-certs
data:
  cert.pem: <BASE64_ENCODED_CERT_PEM>
  key.pem: <BASE64_ENCODED_PRIVATE_KEY_PEM>

This secret can then be mounted into a Pod.

CSR Approval

WCG will pause after it has generated the CSR. The CSR needs to be approved before the secret can be generated.

To approve the CSR:

  • Manually approve the CSR: kubectl certificate approve foo.bar
  • Automatically approve the CSR: Add the flag --auto-approve-csr to wcg when requesting a certificate.

Webhook Configuration Patching

In Kubernetes 1.9, Mutating and Validating Webhook Configurations have a mandatory caBundle field in the service definition. This field should contain the CA certificate chain that signs the serving certificates of your webhook (the certificates generated by wcg).

Since this certificate is likely to be different per cluster, wcg can auto patch this field for you.

Create the Webhook configuration with an empty CA Bundle:

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: foo-webhook
webhooks:
  - name: foo.example.com
    clientConfig:
      service:
        name: foo
        namespace: bar
        path: /admissionreviews
      caBundle: ""
    ...

Add the --patch-mutating or --patch-validating flag when running wcg with the name of the Webhook configuration (e.g. --patch-mutating=foo-webhook) and wcg will patch the caBundle field with the cluster's CA Bundle once the certificate has been issued.
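A useful post-deployment check is that the cert.pem wcg stored in the Secret really chains to the bundle it patched into caBundle and is valid for the name the API server dials, `<service>.<namespace>.svc`. The Go check below is an added example, not part of wcg; it builds its own constructed CA and leaf so it runs offline, and the function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyWebhookCert checks that certPEM (the cert.pem wcg writes into the Secret) chains to
// caPEM (what wcg patches into caBundle) and is valid for <service>.<namespace>.svc, the name
// the API server dials when it calls the webhook. Verify defaults to the ServerAuth key usage.
func VerifyWebhookCert(certPEM, caPEM []byte, service, namespace string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("cert.pem: no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM) // an empty or malformed bundle leaves the pool empty, so Verify fails
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: service + "." + namespace + ".svc"})
	return err
}

// MakeTestPair builds a constructed CA and a leaf it signs so the check can run offline (no cluster CA).
func MakeTestPair(dnsName string) (leafPEM, caPEM []byte) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	toPEM := func(der []byte, err error) []byte {
		if err != nil {
			panic(err) // inputs are fixed, so a failure here is a programming error
		}
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	return toPEM(x509.CreateCertificate(rand.Reader, leaf, ca, leafKey.Public(), caKey)),
		toPEM(x509.CreateCertificate(rand.Reader, ca, ca, caKey.Public(), caKey))
}
```

Against a real cluster, feed VerifyWebhookCert the base64-decoded cert.pem from the Secret and the decoded caBundle from the patched webhook configuration; a hostname or unknown-authority error means the API server will refuse to call the webhook.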

Flags

The following flags configure the certificate generation process. namespace, secret-name and service-name are required.

  -a, --auto-approve-csr                 Auto approve CSR once created
      --in-cluster                       Running inside a Kubernetes Cluster (default true)
  -k, --kubeconfig string                Kubeconfig file to use
  -n, --namespace string                 Service Namespace
      --patch-mutating string            Name of MutatingWebhookConfiguration to patch CABundle into
      --patch-validating string          Name of ValidatingWebhookConfiguration to patch CABundle into
  -o, --secret-name string               Secret name to put certificates in
  -s, --service-name string              Service to generate certificate for

Kubernetes Installation

A collection of example Kubernetes Manifests is available in the install folder.

These allow you to run the certificate generator as a Kubernetes Job.

The appropriate RBAC bindings have also been included. It is recommended to run this Job in the kube-system namespace or another namespace only accessible by cluster admins. In an RBAC enabled system, the service account may be granted rights to approve CSRs. Make sure you understand the risks of this before you grant these privileges.

Communication

  • Found a bug? Please open an issue.
  • Have a feature request? Please open an issue.
  • If you want to contribute, please submit a pull request.

Contributing

Please see our Contributing guidelines.

License

This project is licensed under Apache 2.0 and a copy of the license is available here.
