Documentation ¶
Overview ¶
Package admission provides functions to manage webhooks certificates.
There are 3 typical ways to use this library:
* Use the Sync method as a Reconciler function.
* Invoke it directly from the webhook server at startup.
* Deploy it as an init container alongside the webhook server.
Webhook Configuration ¶
The following is an example MutatingWebhookConfiguration in YAML. The annotations map each webhook name to the `namespace/name` of the Secret its certificate will be written to.
    apiVersion: admissionregistration.k8s.io/v1beta1
    kind: MutatingWebhookConfiguration
    metadata:
      name: myMutatingWebhookConfiguration
      annotations:
        secret.certprovisioner.kubernetes.io/webhook-1: namespace-bar/secret-foo
        secret.certprovisioner.kubernetes.io/webhook-2: default/secret-baz
    webhooks:
    - name: webhook-1
      rules:
      - apiGroups:
        - ""
        apiVersions:
        - v1
        operations:
        - "*"
        resources:
        - pods
      clientConfig:
        service:
          namespace: service-ns-1
          name: service-foo
          path: "/mutating-pods"
        caBundle: [] # CA bundle here
    - name: webhook-2
      rules:
      - apiGroups:
        - apps
        apiVersions:
        - v1
        operations:
        - "*"
        resources:
        - deployments
      clientConfig:
        service:
          namespace: service-ns-2
          name: service-bar
          path: "/mutating-deployment"
        caBundle: [] # CA bundle here
Build the CertProvisioner ¶
You can choose to provide your own CertGenerator and CertWriter. An easier way is to leave them unset; the package defaults them to reasonable values. With the defaults, the package writes self-signed certificates to Secrets.
    // Build a client. You can also create a client with your own config.Config.
    cl, err := client.New(config.GetConfigOrDie(), client.Options{})
    if err != nil {
        // handle error
    }
    // Build a CertProvisioner with unspecified CertGenerator and CertWriter;
    // the package fills in the defaults. Note the exported field name is Client.
    cp := &CertProvisioner{Client: cl}
Provision certificates ¶
Provision certificates for a webhook configuration object by calling the Sync method.
    err = cp.Sync(mwc)
    if err != nil {
        // handle error
    }
When the above MutatingWebhookConfiguration is processed, the cert provisioner will create the certificate and create a Secret named "secret-foo" in namespace "namespace-bar" for webhook "webhook-1". Similarly, it will create a Secret named "secret-baz" in namespace "default" for webhook "webhook-2". It will also write the CA back into the caBundle of the webhook configuration.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CertProvisioner ¶
    type CertProvisioner struct {
        Client client.Client
        // CertGenerator generates certificate for a given common name.
        CertGenerator generator.CertGenerator
        CertWriter    writer.CertWriter
        // contains filtered or unexported fields
    }
CertProvisioner provisions certificates for webhook configurations and writes them to an output destination - such as a Secret or local file. CertProvisioner can update the CA field of certain resources with the CA of the certs.
func (*CertProvisioner) Sync ¶
func (cp *CertProvisioner) Sync(webhookConfiguration runtime.Object) error
Sync takes a runtime.Object which is expected to be either a MutatingWebhookConfiguration or a ValidatingWebhookConfiguration. It provisions a certificate for each webhook in the webhook configuration, ensures the cert and CA are valid and not expiring, and updates the CABundle in the webhook configuration if necessary.
Directories ¶
Path | Synopsis |
---|---|
cert | |
cert/generator | Package generator provides an interface and implementation to provision certificates. |
cert/writer | Package writer provides methods to ensure each webhook has a working certificate and private key in the right place for consumption. |