Published in Trendyol Tech


5 Ways of Managing TLS Certificates for your Kubernetes Admission Webhooks

Table of Contents 🔮

cert-manager CA Injector and BotKube





1. Create a Certificate resource and inject it into the WebhookConfiguration

2. Create a Secret with a certificate and inject it into the WebhookConfiguration

Helm Hook and Certificator

NewRelic k8s-webhook-cert-manager

  • Generate a server key.
  • If there is any previous CSR (certificate signing request) for this key, it is deleted.
  • Generate a CSR for that key.
  • The signature of the key is then approved.
  • The server’s certificate is fetched from the CSR and then encoded.
  • A secret of type TLS is created with the server certificate and key.
  • The k8s extension API server’s CA bundle is fetched.
  • The mutating webhook configuration for the webhook server is patched with the k8s API server’s CA bundle from the previous step. This CA bundle will be used by the k8s extension API server when calling our webhook.
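The last two steps only work if the CA bundle patched into the webhook configuration is the CA that signed the serving certificate, and if that certificate is valid for the service DNS name the API server dials. The following check is an added example, not code from the article or from the New Relic project; `checkWebhookTLS` and `constructedPair` are hypothetical names, and the certificates are generated in memory as sample data rather than issued by a cluster.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkWebhookTLS (hypothetical helper): does clientConfig.caBundle verify tls.crt for <svc>.<ns>.svc?
func checkWebhookTLS(caBundleB64 string, servingPEM []byte, svc, ns string) error {
	caPEM, err := base64.StdEncoding.DecodeString(caBundleB64)
	roots := x509.NewCertPool()
	if err != nil || !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("caBundle is not base64-encoded PEM (decode error: %v)", err)
	}
	blk, _ := pem.Decode(servingPEM)
	if blk == nil {
		return fmt.Errorf("serving certificate is not PEM")
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err == nil { // chain must end in caBundle; SAN must cover the service DNS name
		_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: svc + "." + ns + ".svc"})
	}
	return err
}

// constructedPair builds throwaway sample data: a CA and a serving cert for dnsName signed by it.
func constructedPair(dnsName string) (caPEM, leafPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName},
		NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, DNSNames: []string{dnsName}}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, pub, caKey)
	enc := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return enc(caDER), enc(leafDER)
}

func main() {
	caPEM, leafPEM := constructedPair("webhook.demo.svc")
	fmt.Println(checkWebhookTLS(base64.StdEncoding.EncodeToString(caPEM), leafPEM, "webhook", "demo"))
}
```

A non-nil result corresponds to the x509 error the API server would hit when calling the webhook: a bundle from a different CA, a certificate issued for another namespace, or a caBundle that was pasted as raw PEM instead of base64.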

Custom Admission Webhook Server Init Container





🇹🇷KCD Turkey Organizer🎖Best Sigstore Evangelist🐦SSCS Twitter Community Admin✍️@chainguard_dev Fan📦Container Addict📅Organizer at @cloudnativetr•@devopstr