{"id":15066000,"url":"https://github.com/mozillazg/webhookcert","last_synced_at":"2025-04-10T13:35:07.539Z","repository":{"id":45275689,"uuid":"400809914","full_name":"mozillazg/webhookcert","owner":"mozillazg","description":"A simple certificate solution for writing Kubernetes Webhook Server","archived":false,"fork":false,"pushed_at":"2024-03-23T06:04:57.000Z","size":257,"stargazers_count":2,"open_issues_count":2,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-24T12:21:28.350Z","etag":null,"topics":["cert","certificate","k8s","kubernetes","webhook"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mozillazg.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-28T14:16:08.000Z","updated_at":"2023-07-04T03:39:09.000Z","dependencies_parsed_at":"2024-03-23T05:34:50.152Z","dependency_job_id":"c1425358-3847-4b6b-aa4c-d05dd803b024","html_url":"https://github.com/mozillazg/webhookcert","commit_stats":{"total_commits":48,"total_committers":2,"mean_commits":24.0,"dds":0.02083333333333337,"last_synced_commit":"7e32ea3e5f9304b5b45d3bccbe595c02f42db024"},"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozillazg%2Fwebhookcert","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozillazg%2Fwebhookcert/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozillazg%2Fwebhookcert/releases
","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozillazg%2Fwebhookcert/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mozillazg","download_url":"https://codeload.github.com/mozillazg/webhookcert/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248225878,"owners_count":21068079,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cert","certificate","k8s","kubernetes","webhook"],"created_at":"2024-09-25T00:59:28.917Z","updated_at":"2025-04-10T13:35:07.513Z","avatar_url":"https://github.com/mozillazg.png","language":"Go","readme":"# webhookcert\n\n[![CI](https://github.com/mozillazg/webhookcert/actions/workflows/ci.yml/badge.svg)](https://github.com/mozillazg/webhookcert/actions/workflows/ci.yml)\n[![Coverage Status](https://coveralls.io/repos/github/mozillazg/webhookcert/badge.svg?branch=master)](https://coveralls.io/github/mozillazg/webhookcert?branch=master)\n\nA simple cert solution for writing Kubernetes Webhook Server.\n\n## Feature\n\n* Auto-create certificate for webhook server.\n* Reuse certificate from secret.\n* Auto patch `caBundle` for the `validatingwebhookconfigurations` and `mutatingwebhookconfigurations` resources.\n* Auto restore `caBundle` when the value is updated with invalid value (for example, it was overwritten via `kubectl replace`).\n* A checker to check whether the webhook server is started.\n* A checker to check whether the webhook server used certificate is expired or not synced.\n\n\n## Usage\n\n```go\npackage main\n\nimport 
(\n\t\"github.com/mozillazg/webhookcert/pkg/cert\"\n\t\"github.com/mozillazg/webhookcert/pkg/ctlrhelper\"\n\t// ...\n)\n\nvar (\n\tnamespace = \"test\"\n\tsecretName = \"webhook-test-server-cert\"\n\tserviceName = \"webhook-test-server\"\n\tport = 9443\n\tcertDir = \"/certs\"\n\twebhookConfigName = \"webhook-test-server-config\"\n)\n\nfunc main() {\n\tmgr, err := manager.New(config.GetConfigOrDie(), manager.Options{\n\t\tPort:                   port,\n\t\tCertDir:                certDir,\n\t\t// ...\n\t})\n\tif err != nil {\n\t\tos.Exit(1)\n\t}\n\n\tctx := signals.SetupSignalHandler()\n\terrC := make(chan error, 2)\n\n\tsetupWebhook(ctx, mgr, errC)\n\n\tgo func() {\n\t\tif err := mgr.Start(ctx); err != nil {\n\t\t\terrC \u003c- err\n\t\t}\n\t}()\n\n\tselect {\n\tcase \u003c-errC:\n\t\tos.Exit(1)\n\tcase \u003c-ctx.Done():\n\t}\n}\n\nfunc setupWebhook(ctx context.Context, mgr manager.Manager, errC chan\u003c- error) {\n\topt := ctlrhelper.Option{\n\t\tNamespace:   namespace,\n\t\tSecretName:  secretName,\n\t\tServiceName: serviceName,\n\t\tCertDir:     certDir,\n\t\tWebhooks: []cert.WebhookInfo{\n\t\t\t{\n\t\t\t\tType: cert.ValidatingV1,\n\t\t\t\tName: webhookConfigName,\n\t\t\t},\n\t\t},\n\t\tWebhookServerPort: port,\n\t}\n\n\th, err := ctlrhelper.NewNewWebhookHelper(opt)\n\tif err != nil {\n\t\terrC \u003c- err\n\t\treturn\n\t}\n\n\thandler1 := // ...\n\thandler2 := // ...\n\n\th.Setup(ctx, mgr, func(s *webhook.Server) {\n\t\t// Each handler needs its own path: registering the same path twice panics.\n\t\ts.Register(\"/webhook/path/1\", \u0026webhook.Admission{Handler: handler1})\n\t\ts.Register(\"/webhook/path/2\", \u0026webhook.Admission{Handler: handler2})\n\t}, errC)\n}\n\n```\n\nReal world example: [main.go](https://github.com/mozillazg/echo-k8s-webhook/blob/master/main.go)\n\n## Permissions\n\n```yaml\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n  name: \u003cname\u003e\n  namespace: \u003cnamespace\u003e\nrules:\n  - apiGroups:\n      - \"\"\n    resources:\n      - secrets\n    verbs:\n      - create\n  - apiGroups:\n      - \"\"\n    resources:\n   
   - secrets\n    resourceNames:\n      - \u003ccert_secret_name\u003e\n    verbs:\n      - get\n      - update\n\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  name: \u003cname\u003e\nrules:\n  - apiGroups:\n      - admissionregistration.k8s.io\n    resources:\n      - validatingwebhookconfigurations\n      - mutatingwebhookconfigurations\n    resourceNames:\n      - \u003cvalidating_name\u003e\n      - \u003cmutating_name\u003e\n    verbs:\n      - get\n      - update\n  - apiGroups:\n      - admissionregistration.k8s.io\n    resources:\n      - validatingwebhookconfigurations\n      - mutatingwebhookconfigurations\n    verbs:\n      - watch\n```\n\n## Healthz and Readyz\n\n```yaml\nlivenessProbe:\n  httpGet:\n    path: /healthz\n    port: 9090\n  initialDelaySeconds: 5\n  timeoutSeconds: 4\nreadinessProbe:\n  httpGet:\n    path: /readyz\n    port: 9090\n  initialDelaySeconds: 5\n  timeoutSeconds: 4\nstartupProbe:\n  httpGet:\n    path: /readyz\n    port: 9090\n  failureThreshold: 24\n  periodSeconds: 10\n  timeoutSeconds: 4\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmozillazg%2Fwebhookcert","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmozillazg%2Fwebhookcert","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmozillazg%2Fwebhookcert/lists"}