DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ingress-nginx-helm/images/kube-webhook-certgen
History
Mateusz Gozdek 9acf62d867
images/kube-webhook-certgen/rootfs: add support for patching APIService objects (#7641) 
* images/kube-webhook-certgen/rootfs/pkg/k8s: return err from functions

Initially only from some to preserve existing behavior.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs: make patching return error

So we don't call log.Fatal in so many places, which makes code testable.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/pkg/k8s: require context

So initialize top-level contexts in tests and CLI, then pass them around
all the way down, so there is an ability e.g. to add timeouts to patch
operations, if needed and to follow general conventions.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/pkg/k8s: support patching APIService

APIService object is very similar to MutatingWebhookConfiguration and
ValidatingWebhookConfiguration objects, so support for patching it
shouldn't be too much of a burden.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/cmd: use new patch API

So old function PatchWebhookConfigurations can be unexported and CLI can
be extended to also support patching APIService.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/pkg/k8s: unexport old patch function

PatchObjects should be now used instead.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs: add .gitignore

To ignore manually built binaries during development process.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/cmd: test patching

By adding a PatchConfig and Patch function, it is now possible to test
logic of flag validation, which was previously tied to CLI options.

This commit adds nice set of tests covering existing logic.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/cmd: improve formatting

Those strings will be changed anyway in future commits, so at first we
can properly capitalize used names.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs/cmd: support patching APIService

As logic for creating a CA certificate and patching an object is almost
the same for both webhook configuration and API services, this commit
adds support to kube-webhook-certgen CLI to also patch APIService
objects, so they can be served over TLS as well.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>

* images/kube-webhook-certgen/rootfs: pass failure policy by value

k8s.k8s.patchWebhookConfigurations() always dereferences it and we do
not do a nil check, so the code may panic in some conditions, so it's
safer to just pass it by value, as it's just a wrapped string.

Signed-off-by: Mateusz Gozdek <mgozdek@microsoft.com>
2021-09-26 10:44:22 -07:00
..
rootfs images/kube-webhook-certgen/rootfs: add support for patching APIService objects (#7641) 2021-09-26 10:44:22 -07:00
cloudbuild.yaml Trigger webhook image generation 2021-08-10 18:06:41 -03:00
Makefile Migrate the webhook-certgen program to inside ingress repo (#7475) 2021-08-10 13:22:40 -07:00
README.md Migrate the webhook-certgen program to inside ingress repo (#7475) 2021-08-10 13:22:40 -07:00

README.md

Kubernetes webhook certificate generator and patcher

This is a copy/fork of the project existing in jet/kube-webhook-certgen

We moved it here so we can change / update the Kubernetes APIs, and we are really thankful to the original creators.

Overview

Generates a CA and leaf certificate with a long (100y) expiration, then patches Kubernetes Admission Webhooks by setting the caBundle field with the generated CA. Can optionally patch the hooks failurePolicy setting - useful in cases where a single Helm chart needs to provision resources and hooks at the same time as patching.

The utility works in two parts, optimized to work better with the Helm provisioning process that leverages pre-install and post-install hooks to execute this as a Kubernetes job.

Security Considerations

This tool may not be adequate in all security environments. If a more complete solution is required, you may want to seek alternatives such as jetstack/cert-manager

Command line options

Use this to create a ca and signed certificates and patch admission webhooks to allow for quick
                   installation and configuration of validating and admission webhooks.

Usage:
  kube-webhook-certgen [flags]
  kube-webhook-certgen [command]

Available Commands:
  create      Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'
  help        Help about any command
  patch       Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'
  version     Prints the CLI version information

Flags:
  -h, --help                help for kube-webhook-certgen
      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind
      --log-format string   Log format: text|json (default "text")
      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")

Create

Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'

Usage:
  kube-webhook-certgen create [flags]

Flags:
      --cert-name string     Name of cert file in the secret (default "cert")
  -h, --help                 help for create
      --host string          Comma-separated hostnames and IPs to generate a certificate for
      --key-name string      Name of key file in the secret (default "key")
      --namespace string     Namespace of the secret where certificate information will be written
      --secret-name string   Name of the secret where certificate information will be written

Global Flags:
      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind
      --log-format string   Log format: text|json (default "json")
      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")

Patch

Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'

Usage:
  kube-webhook-certgen patch [flags]

Flags:
  -h, --help                          help for patch
      --namespace string              Namespace of the secret where certificate information will be read from
      --patch-failure-policy string   If set, patch the webhooks with this failure policy. Valid options are Ignore or Fail
      --patch-mutating                If true, patch mutatingwebhookconfiguration (default true)
      --patch-validating              If true, patch validatingwebhookconfiguration (default true)
      --secret-name string            Name of the secret where certificate information will be read from
      --webhook-name string           Name of validatingwebhookconfiguration and mutatingwebhookconfiguration that will be updated

Global Flags:
      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind
      --log-format string   Log format: text|json (default "text")
      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")

Known Users