
TLS Certificates for Kubernetes Admission Webhooks made easy with Certificator and Helm Hook?

developer-guy
Published in Trendyol Tech
4 min read · Nov 2, 2020

In this post, we are going to demonstrate how we can manage TLS certificates for our Kubernetes Admission Webhooks automatically with the help of our brand new project, k8s-webhook-certificator, and Helm Hooks.

Let’s give a quick introduction to what they are:

  1. Kubernetes Admission Webhooks
  2. Helm Hooks
  3. Certificator
    1. Understand the Problem
    2. Solution
  4. Example of Helm Hook + Certificator

What are Kubernetes Admission Webhooks?

An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to the persistence of the object, but after the request is authenticated and authorized. The built-in controllers are compiled into the kube-apiserver binary and may only be configured by the cluster administrator. Among them are two special controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. These execute the mutating and validating (respectively) admission control webhooks which are configured in the API. ¹

What are Helm Hooks?

Helm provides a hook mechanism to allow chart developers to intervene at certain points in a release’s life cycle. For example, you can use hooks to:

  • Load a ConfigMap or Secret during install before any other charts are loaded.
  • Execute a Job to back up a database before installing a new chart, and then execute a second job after the upgrade in order to restore data.
  • Run a Job before deleting a release to gracefully take a service out of rotation before removing it.

Hooks work like regular templates, but they have special annotations that cause Helm to utilize them differently. In this section, we cover the basic usage pattern for hooks.²

Certificator

Understand the problem

To extend the native functionality, these admission webhook controllers call a custom-configured HTTP callback (the webhook server) for additional checks. But the API server only communicates with admission webhook servers over HTTPS, and it needs the CA information for the webhook server’s TLS certificate.³ This raises the question of how we handle the webhook server certificate and how we pass the CA information to the API server automatically.

Solution

In order to address this problem, we created an open-source project called k8s-webhook-certificator, inspired by New Relic’s project.

Certificator creates a private key and a CSR (Certificate Signing Request) in PEM format using Go’s x509 package.


After that, Certificator uses the Kubernetes CertificateSigningRequest API to obtain a certificate signed by the Kubernetes CA, suitable for use with webhook services. Certificator relies heavily on client-go, one of the official Kubernetes Go libraries. This requires permissions to create and approve CSRs.

Once that is done, Certificator creates a Kubernetes Secret containing the private key and the certificate. The Secret is then mounted into the webhook service with the help of the Secret volume type.

However, what about the expiration date of the certificate? When generating the certificate with the self-signed certificate method, we can specify its expiration date with the help of the command below:

But when using the Kubernetes CertificateSigningRequest API to generate the certificate, how can we specify the expiration date? We can’t 😅
Kubernetes generates a certificate with a one-year expiration date.

Last but not least, on top of New Relic’s project we added a renewal process for the certificate: Certificator reads the “notAfter” attribute of the certificate, takes the optional “-days” flag (the number of days remaining before expiry at which the certificate should be renewed), and compares the two to decide whether a renewal is necessary.
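The key-and-CSR generation and the notAfter renewal check described above, as an added Go example using only the standard library (this is not Certificator’s own code; the <service>.<namespace>.svc naming, the ed25519 key type and the self-signing helper that stands in for the cluster CA are assumptions):

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// GenerateKeyAndCSR creates the webhook's private key and a PEM-encoded CSR whose SAN is
// the in-cluster name the API server dials, <service>.<namespace>.svc (assumed naming).
func GenerateKeyAndCSR(service, namespace string) (ed25519.PrivateKey, []byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{DNSNames: []string{service + "." + namespace + ".svc"}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// NeedsRenewal is the renewal decision: read notAfter from the PEM certificate and report
// whether it expires within `days` of now (the -days threshold). Malformed input is an error.
func NeedsRenewal(certPEM []byte, days int, now time.Time) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return !cert.NotAfter.After(now.AddDate(0, 0, days)), nil
}

// SelfSignedCertForTesting stands in for the Kubernetes CA (assumed; the real flow submits the CSR to the API).
func SelfSignedCertForTesting(key ed25519.PrivateKey, notAfter time.Time) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err) // constructed helper for offline testing only
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

In the cluster the certificate comes back from the CSR API with the one-year lifetime described above, so the check is run periodically (for example from a hook Job) against the certificate stored in the Secret.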

Example of Helm Hook + Certificator

Here is an example of how we can use the Certificator project in Helm with Helm Hooks:

Wrapping Up

So, we can finally manage our TLS certificates for Kubernetes Admission Webhooks automatically by combining our Certificator project with Helm Hooks.

References

Acknowledgments
