FOR DEVELOPMENT AND TESTING PURPOSES ONLY
This is a kubernetes MutatingAdmissionWebhook to inject
certificate bundles into pods based on labels and annotations.
With that off-the-shelf containers can be deployed in clusters with custom certificate
authorities, with minimal disruption and minimal maintenance. No more creating images from
upstream base images just to ADD custom-ca.crt /usr/local/share/ca-certificates/ and
RUN update-ca-certificates etc.
This webhook will be triggered in following cases:
- object label
ca-injector.zeiss.com/inject: "true" - namespace label
ca-injector.zeiss.com/inject: "true"and object labelca-injector.zeiss.com/injectdoes not exist - deployment setting
admissionWebhook.enableNamespacesByDefault: true(helm chart) and namespace/object labelca-injector.zeiss.com/injectdoes not exist
If triggered, this webhook does three things:
- Add a volume to the pod referencing a certificate bundle specified by the value of the object annotation
ca-injector.zeiss.com/inject-ca-fromor the deployment settingcaBundle.configMap(helm chart). The value should correspond with a config map in the same namespace as the pod which has the keyca.crtcontaining the CA bundle content. - Add this volume to all containers and init containers as a volume mount
- Add the
SSL_CERT_FILEandNODE_EXTRA_CA_CERTSenvironment variable respected by OpenSSL and most tls libraries.
It is strongly recommended to use this webhook with replicator or trust-manager for a consistent experience across namespaces.
Helm must be installed to use the chart. Please refer to Helm's documentation to get started.
Once Helm has been set up correctly, add the repo as follows:
helm repo add ca-injector https://zeiss.github.io/ca-injector
If you had already added this repo earlier, run helm repo update to retrieve
the latest versions of the packages. You can then run helm search repo ca-injector
to see the charts.
To install the ca-injector chart:
helm install ca-injector ca-injector/ca-injector
To uninstall the chart:
helm delete ca-injector
#TODO
Deploy this in your cluster (see Usage chapter) and create a CA bundle as e.g. foo-crt config map, with the key ca.crt:
kubectl create configmap foo-crt --from-file=ca.crt=my-bundle.crtUse this CA bundle by defining the label ca-injector.zeiss.com/inject:true and
the annotation ca-injector.zeiss.com/inject-ca-from: foo-crt on your pod or
in your helm chart's appropriate annotations section.
ca.crt can be changed by configuration caBundle.crt in any of the typical
ways (config files at /etc/ca-injector.yaml, $HOME/.config/ca-injector.yaml,
or environment variable CAINJECTOR_CABUNDLE_CRT).
To trigger a new tagged docker build, create a PR with label 'app-release'. The app Version within the helm chart will be used as reference for the container tag. This will be done automatically by below mentioned workflow.
In case the appVersion is increased, the helm Chart version should also be increased. In case the helm Chart version is increased, the appVersion does not have to be increased as well.
Option 1: Manually set version and/or appVersion within Helm Chart. The Helm release workflow will create a new release in case the helm Chart version has changed.
Option 2: Add one or two(app and helm) of the following labels to your PR:
- app-major
- app-minor
- app-patch
- helm-major
- helm-minor
- helm-patch
According to the label, appVersion and/or helm version will be bumped and a PullRequest will be created. The Pull request will include label 'app-release' to trigger above mentioned workflow. After this PR has benn closed, the Helm release workflow will create a new release in case the helm Chart version has changed.