Skip to content
/ kube-webhook-certgen Public

Tools to help with self signed cert generation for Kubernetes test environment

License

Apache-2.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kubeshop/kube-webhook-certgen

BranchesTags

Repository files navigation

Go Report Card GitHub release (latest SemVer) Docker Pulls

Kubernetes webhook certificate generator and patcher

This is repo is a fork from jet/kube-webhook-certgen as the original project is no longer maintained.

This project will diverge from jet/kube-webhook-certgen and kubernetes/ingress-nginx as it has a roadmap of its own.

Overview

Generates a CA and leaf certificate with a long (100y) expiration, then patches Kubernetes Admission Webhooks by setting the caBundle field with the generated CA. Can optionally patch the hooks failurePolicy setting - useful in cases where a single Helm chart needs to provision resources and hooks at the same time as patching.

The utility works in two parts, optimized to work better with the Helm provisioning process that leverages pre-install and post-install hooks to execute this as a Kubernetes job.

Security Considerations

This tool may not be adequate in all security environments. If a more complete solution is required, you may want to seek alternatives such as jetstack/cert-manager

Command line options

Use this to create a ca and signed certificates and patch admission webhooks to allow for quick
                   installation and configuration of validating and admission webhooks.

Usage:
  kube-webhook-certgen [flags]
  kube-webhook-certgen [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  create      Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'
  help        Help about any command
  patch       Patch a ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CustomResourceDefinition
  version     Prints the CLI version information

Flags:
  -h, --help                help for kube-webhook-certgen
      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind
      --log-format string   Log format: text|json (default "json")
      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")

Use "kube-webhook-certgen [command] --help" for more information about a command.

Create

Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'

Usage:
  kube-webhook-certgen create [flags]

Flags:
      --ca-name string       Name of ca file in the secret (default "ca.crt")
      --cert-name string     Name of cert file in the secret (default "cert")
  -h, --help                 help for create
      --host string          Comma-separated hostnames and IPs to generate a certificate for
      --key-name string      Name of key file in the secret (default "key")
      --namespace string     Namespace of the secret where certificate information will be written
      --secret-name string   Name of the secret where certificate information will be written

Global Flags:
      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind
      --log-format string   Log format: text|json (default "json")
      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")

Patch

Patch a ValidatingWebhookConfiguration and MutatingWebhookConfiguration 'webhook-name' and CustomResourceDefinitions by using the ca from 'secret-name' in 'namespace'

Usage:
  kube-webhook-certgen patch [flags]

Flags:
      --admission-registration-version string   admissionregistration.k8s.io api version (default "v1")
      --crd-api-groups string                   Comma-separated CustomResourceDefinition API Groups for which to patch the conversion webhook caBundle
      --crds string                             Comma-separated CustomResourceDefinition names for which to patch the conversion webhook caBundle
  -h, --help                                    help for patch
      --namespace string                        Namespace of the secret where certificate information will be read from
      --patch-failure-policy string             If set, patch the webhooks with this failure policy. Valid options are Ignore or Fail
      --patch-mutating                          If true, patch MutatingWebhookConfiguration (default true)
      --patch-validating                        If true, patch ValidatingWebhookConfiguration (default true)
      --secret-name string                      Name of the secret where certificate information will be read from
      --webhook-name string                     Name of ValidatingWebhookConfiguration and MutatingWebhookConfiguration that will be updated

Global Flags:
      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind
      --log-format string   Log format: text|json (default "json")
      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")

Recent changes

  • added support for CRDs
  • Updated go version to v1.19
  • Added support for --admission-registration-version flag which allows users to select which version of admissionregistration.k8s.io they want to use (v1 or v1beta1)

About

Tools to help with self signed cert generation for Kubernetes test environment

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

1 star

Watchers

11 watching

Forks

0 forks
Report repository

Releases 4

v0.0.4 Latest
Sep 18, 2024
+ 3 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages