A kubernetes MutatingAdmissionWebhook to inject certificate bundles into pods
based on annotations, so that off-the-shelf deployments can be deployed in
clusters with custom certificate authorities, with minimal disruption and
minimal maintenance. No more building images off of upstream base images just to
ADD yourca.crt /usr/share/ca-certificates/trust-source/anchors/ and RUN trust extract-compat || update-ca-certificates etc.
This webhook does three things:
- Add to pods as a volume the certificate bundle specified by the value of the
microcumul.us/injectsslannotation. The value should correspond with a secret in the same namespace as the pod which has a keyca.crtwhose value is a CA bundle. - Add this volume to all containers as a volumemount
- Add the
SSL_CERT_FILEenvironment variable respected by OpenSSL and most tls libraries.
Just deploy this in your cluster, create CA bundles as e.g. foo-crt secret,
with the key ca.crt (kubectl create secret generic foo-crt --from-file=ca.crt=my-bundle.crt), and use the microcumul.us/injectssl: foo-crt annotation on your pod or in your helm chart's appropriate annotations
section. ca.crt can be changed by setting tls.ca.key in any of the typical
ways (config files at /etc/ca-injector.yaml, $HOME/.config/ca-injector.yaml,
or TLS_CA_KEY env var all work).
I highly suggest using this with replicator for a consistent experience across namespaces. Another great tool that may work well for building the bundle here is trust-manager.
kubectl apply -f k8s.yaml
kubectl apply -f mwh.yamlhelm repo add ca-injector https://microcumulus.github.io/ca-injector
helm install ca-injector/ca-injector ca-injector