{"id":13839379,"url":"https://github.com/vmware-tanzu/cert-injection-webhook","last_synced_at":"2025-07-11T03:32:00.606Z","repository":{"id":43397248,"uuid":"307482147","full_name":"vmware-tanzu/cert-injection-webhook","owner":"vmware-tanzu","description":"Provides a Kubernetes webhook to inject CA certificates and proxy environment variables into pods.","archived":false,"fork":false,"pushed_at":"2025-05-23T02:20:45.000Z","size":539,"stargazers_count":44,"open_issues_count":10,"forks_count":12,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-06-06T17:08:55.830Z","etag":null,"topics":["hacktoberfest","kubernetes"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vmware-tanzu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-10-26T19:25:06.000Z","updated_at":"2025-05-23T02:20:42.000Z","dependencies_parsed_at":"2023-07-12T22:08:58.618Z","dependency_job_id":"b376fa93-d8e5-48e0-afc3-82bd4e5eaa49","html_url":"https://github.com/vmware-tanzu/cert-injection-webhook","commit_stats":{"total_commits":41,"total_committers":8,"mean_commits":5.125,"dds":0.6585365853658536,"last_synced_commit":"61cd357c57edd266bc0fb9958377f50498a3f47b"},"previous_names":["pivotal/cert-injection-webhook"],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/vmware-tanzu/cert-injection-webhook","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vmware-tanzu%2Fcert-injection-webhook","tags_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vmware-tanzu%2Fcert-injection-webhook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vmware-tanzu%2Fcert-injection-webhook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vmware-tanzu%2Fcert-injection-webhook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vmware-tanzu","download_url":"https://codeload.github.com/vmware-tanzu/cert-injection-webhook/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vmware-tanzu%2Fcert-injection-webhook/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264721330,"owners_count":23653920,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest","kubernetes"],"created_at":"2024-08-04T17:00:21.118Z","updated_at":"2025-07-11T03:32:00.310Z","avatar_url":"https://github.com/vmware-tanzu.png","language":"Go","funding_links":[],"categories":["OPS"],"sub_categories":[],"readme":"# Cert Injection Webhook for Kubernetes\n\n## About\n\nThe Cert Injection Webhook for Kubernetes extends kubernetes with a webhook that injects\nCA certificates and proxy environment variables into pods. 
The webhook uses certificates and\nenvironment variables defined in ConfigMaps and injects them into pods with the desired labels or annotations.\n\n## Contributing\n\nTo begin contributing, please read the [contributing](CONTRIBUTING.md) doc.\n\n## Installation and Usage\n\nThe Cert Injection Webhook for Kubernetes is deployed using the [Carvel](https://carvel.dev/) tool suite.\n\n### Install using kapp controller\nIf you would like to install with [Tanzu Community Edition](https://tanzucommunityedition.io/), see [this guide](packaging/README.md).\n\n1. Create an install namespace\n   ```bash\n   kubectl create namespace cert-injection-webhook-install\n   ```\n\n2. Create a service account and role binding for your installation\n\n   ```yaml\n   ---\n   apiVersion: v1\n   kind: ServiceAccount\n   metadata:\n     name: cert-injection-webhook-install-sa\n     namespace: cert-injection-webhook-install\n   ---\n   apiVersion: rbac.authorization.k8s.io/v1\n   kind: ClusterRoleBinding\n   metadata:\n     name: cert-injection-webhook-install-admin\n   roleRef:\n     apiGroup: rbac.authorization.k8s.io\n     kind: ClusterRole\n     name: cluster-admin\n   subjects:\n   - kind: ServiceAccount\n     name: cert-injection-webhook-install-sa\n     namespace: cert-injection-webhook-install\n   ```\n\n   Apply with:\n   ```bash\n   kapp deploy -a cert-injection-webhook-sa -n cert-injection-webhook-install -f \u003cPATH-TO-SERVICE-ACCOUNT-YAML\u003e\n   ```\n\n3. 
Create a `cert-injection-webhook-config-values` Secret yaml with the labels or annotations (or both) that you would like to use.\n   Any pod that matches one of these labels or annotations will have the provided cert injected.\n\n   ```yaml\n   ---\n   apiVersion: v1\n   kind: Secret\n   metadata:\n     name: cert-injection-webhook-install-values\n     namespace: cert-injection-webhook-install\n   stringData:\n     values.yml: |\n       ---\n       labels:\n       - kpack.io/build\n       annotations:\n       - some-annotation\n       ca_cert_data: |\n         -----BEGIN CERTIFICATE-----\n         MIICrDCCAZQCCQDcakcvwbW4UTANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1t\n         eXdlYnNpdGUuY29tMB4XDTIyMDIxNDE2MjM1OVoXDTMyMDIxMjE2MjM1OVowGDEW\n         MBQGA1UEAwwNbXl3ZWJzaXRlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\n         AQoCggEBAMgWkhYr7OPSTuDwGSM5jMQtO5vnqfESPPh829IMTBNXkS0KV6Hi90ka\n         T/gIbq0H+QO5Abzh8QDIOWqaTLLp5FedsU1xsGTiKQ+YVKfoQ7T7R/K+adWuJL6H\n         i8kgb4ErzhYhDQqsPU6ZglKkTZTL+7fhpsc7ZewASa7TRJiSo51Qye9K1qsjj3Wd\n         MB+0qH1vxvN2zs/117qowW/2YH2H++lJSfnEMH4Z67RQ5o56DpeHvE7mLz0LNVu/\n         gyM8JXClgsPdr11Iiv17TevWoXSeoWa0ts6MGd/r376dtEZ60wGG+geXcf9szAx1\n         GZLEQamRHnVyrGvb7U/AvLaJMnNY8PcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA\n         bc4XeX7sKvtEHK5tYKJDarP6suArgs7/IpfT2DiRB8JSBYX7rHD6NIB3433JxQfc\n         SHD9FBpH9E8aSMDsCWKcuRRI7GeRarqwfblAqflCv85NJaiC9zu+haue7aNMNnwA\n         uB+q0urjiKlEOM2OsLqgjXXmx5+nSrdwUhFXmyMsJC2eP4Dm1gJp5tQG2hSONC7w\n         dX2wAQp7PYaq+h1ASkDNaKy3ZoeD7yEp3Mhbnh+fu0O06NpnJhUZPhdTtMD3LYPJ\n         +iwL43iSAQt05ZK39u23zsdMc+RLFbqQYsULYZS2g/SmcSnw8CC3aer8X6x4lEw7\n         FpCpA2Wta8mXHGKqmq0+og==\n         -----END CERTIFICATE-----\n   ```\n\n   Apply with:\n   ```bash\n   kapp deploy -a cert-injection-webhook-values -n cert-injection-webhook-install -f \u003cPATH-TO-PACKAGE-SECRET-YAML\u003e\n   ```\n\n4. 
Download the [latest release of the cert-injection-webhook](https://github.com/vmware-tanzu/cert-injection-webhook/releases).\n\n5. Apply the `package.yaml` and `metadata.yaml` from the release\n   ```bash\n   ytt -f package.yaml -f metadata.yaml | kapp deploy -a cert-injection-webhook-package -n cert-injection-webhook-install\n   ```\n   \n6. Create a package install\n\n   ```yaml\n   ---\n   apiVersion: packaging.carvel.dev/v1alpha1\n   kind: PackageInstall\n   metadata:\n      name: cert-injection-webhook-package-install\n      namespace: cert-injection-webhook-install \n   spec:\n      serviceAccountName: cert-injection-webhook-install-sa\n      packageRef:\n         refName: cert-injection-webhook.community.tanzu.vmware.com\n         versionSelection:\n            constraints: \u003cversion you would like to deploy\u003e\n      values:\n      - secretRef:\n           name: cert-injection-webhook-install-values\n   ```\n\n   Apply with:\n   ```bash\n   kapp deploy -a cert-injection-webhook-package-install -n cert-injection-webhook-install -f \u003cPATH-TO-PACKAGE-INSTALL-YAML\u003e\n   ```\n\n### Install using kapp\nDownload the latest release of the cert-injection-webhook and get the imagevalues.yaml.\nUse the Carvel tools to install to your cluster.\n\n```bash\n$ ytt -f ./config \\\n      -f \u003cPATH-TO-IMAGEVALUES_YAML\u003e \\\n      -v ca_cert_data=\"some cert\" \\\n      --data-value-yaml labels=\"[label-1, label-2]\" \\\n      --data-value-yaml annotations=\"[annotation-1, annotation-2]\" \\\n      | kapp deploy -a cert-injection-webhook -f-\n```\n**Note**: You may provide labels, annotations, or both.\n\nIf you would like to build the webhook and setup-ca-certs image yourself,\nuse the [pack](https://github.com/buildpacks/pack) CLI.\n\n```bash\n$ pack build \u003cwebhook-image\u003e -e BP_GO_TARGETS=\"./cmd/webhook\" --builder paketobuildpacks/builder:base --publish\n$ pack build \u003csetup-ca-certs-image\u003e -e 
BP_GO_TARGETS=\"./cmd/setup-ca-certs\" --builder paketobuildpacks/builder:base --publish\n```\n\nThen, use the Carvel tools to install to your cluster.\n\n```bash\n$ ytt -f ./config \\\n      -v webhook_image=\u003cpod-webhook-image\u003e \\\n      -v setup_ca_certs_image=\u003csetup-ca-certs-image\u003e \\\n      -v ca_cert_data=\"some cert\" \\\n      --data-value-yaml labels=\"[label-1, label-2]\" \\\n      --data-value-yaml annotations=\"[annotation-1, annotation-2]\" \\\n      | kapp deploy -a cert-injection-webhook -f-\n```\n\n### Usage\n\nTo have the webhook operate on a Pod, label or annotate the Pod with the labels and annotations you provided during install.\n\n#### Injecting certificates into kpack builds\n\nWhen providing ca_cert_data directly to kpack, that CA Certificate will be injected into builds themselves.\nIf you want kpack builds to have CA Certificates for communicating with a self-signed registry,\nmake sure the values yaml has a label with `kpack.io/build`. This will match on any build pod that kpack creates.\n\n### Running e2e tests\n\n1. Deploy the cert injection webhook using the following values:\n\n   ```yaml\n   ---\n   http_proxy: some-http-proxy\n   https_proxy: some-https-proxy\n   no_proxy: some-no-proxy\n   ca_cert_data: some-cert\n   labels:\n     - some-label-1\n     - some-label-2\n   annotations:\n     - some-annotation-1\n     - some-annotation-2\n   ```\n\n2. 
Run the e2e tests\n\n   ```bash\n   go test -v ./e2e/...\n   ```\n\n### Uninstall\nIf installed using kapp controller:\n```bash\nkapp delete -a cert-injection-webhook-package-install -n cert-injection-webhook-install\nkapp delete -a cert-injection-webhook-package -n cert-injection-webhook-install\nkapp delete -a cert-injection-webhook-values -n cert-injection-webhook-install\n```\n\nYou can also delete the namespace\n\n```bash\nkubectl delete namespace cert-injection-webhook-install\n```\n\nIf installed using kapp:\n```bash\nkapp delete -a cert-injection-webhook\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvmware-tanzu%2Fcert-injection-webhook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvmware-tanzu%2Fcert-injection-webhook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvmware-tanzu%2Fcert-injection-webhook/lists"}