Published in Trendyol Tech

5 Ways of Managing TLS Certificates for your Kubernetes Admission Webhooks

Table of Contents 🔮

cert-manager CA Injector and BotKube

BotKube

Installation

https://gist.github.com/developer-guy/fa9b90ea77a642858c2697841b7b4ca6
https://gist.github.com/developer-guy/b847b4e1e934a26d20b0a210c64b1175

cert-manager

Installation

https://gist.github.com/developer-guy/d544ae1f299c74cc1baa738c0a853719

1. Create a Certificate resource and inject it into the WebhookConfiguration

https://gist.github.com/developer-guy/7c70cfa63f5cdeb1c5e53466341d0b9f
https://gist.github.com/developer-guy/180f3fc316c5038c5b73f89b35af51b0

2. Create a Secret with a certificate and inject it into the WebhookConfiguration

https://gist.github.com/developer-guy/454cd8d0355e2bc0c17c93ccd88841c9

Helm Hook and Certificator

https://gist.github.com/developer-guy/5f23eab3366dd206e880964f5b6c8b49

NewRelic k8s-webhook-cert-manager

  • Generate a server key.
  • If there is a previous CSR (certificate signing request) for this key, it is deleted.
  • Generate a CSR for that key.
  • The CSR for that key is then approved.
  • The server’s certificate is fetched from the CSR and then encoded.
  • A Secret of type TLS is created with the server certificate and key.
  • The k8s extension API server’s CA bundle is fetched.
  • The mutating webhook configuration for the webhook server is patched with the k8s API server’s CA bundle from the previous step. This CA bundle will be used by the k8s extension API server when calling our webhook.

https://gist.github.com/developer-guy/bd306741b3a12d6311776121e9e94445

webhook-create-signed-cert.sh

https://gist.github.com/developer-guy/dd5f8df4f73b3f51819248a6f2e98c48

Custom Admission Webhook Server Init Container

https://gist.github.com/velotiotech/b63c6cf34d7327d0a2a39cd4cb11e152#file-webhook_pod_spec-yaml

Conclusion

developer-guy