https://github.com/jet/kube-webhook-certgen

Tools to help with self signed cert generation for Kubernetes test environment
https://github.com/jet/kube-webhook-certgen

Last synced: 3 months ago
JSON representation

Tools to help with self signed cert generation for Kubernetes test environment

• Host: GitHub
• URL: https://github.com/jet/kube-webhook-certgen
• Owner: jet
• License: apache-2.0
• Created: 2019-05-08T01:32:33.000Z (over 5 years ago)
• Default Branch: master
• Last Pushed: 2023-05-16T19:35:40.000Z (over 1 year ago)
• Last Synced: 2024-06-18T16:56:12.446Z (5 months ago)
• Language: Go
• Size: 6.57 MB
• Stars: 138
• Watchers: 8
• Forks: 39
• Open Issues: 7
• Metadata Files:
  • Readme: README.md
  • License: LICENSE
  • Security: SECURITY.md

Awesome Lists containing this project

• awesome-starred - jet/kube-webhook-certgen - Tools to help with self signed cert generation for Kubernetes test environment (others)

README

        
[![Build Status](https://dev.azure.com/jet-opensource/opensource/_apis/build/status/kube-webhook-certgen/kube-webhook-certgen.master?branchName=master)](https://dev.azure.com/jet-opensource/opensource/_build/latest?definitionId=15&branchName=master)

[![Go Report Card](https://goreportcard.com/badge/github.com/jet/kube-webhook-certgen)](https://goreportcard.com/report/github.com/jet/kube-webhook-certgen)

[![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/jet/kube-webhook-certgen?sort=semver)](https://github.com/jet/kube-webhook-certgen/releases/latest)

[![Docker Pulls](https://img.shields.io/docker/pulls/jettech/kube-webhook-certgen?color=blue)](https://hub.docker.com/r/jettech/kube-webhook-certgen/tags)

# Kubernetes webhook certificate generator and patcher

## Overview

Generates a CA and leaf certificate with a long (100y) expiration, then patches [Kubernetes Admission Webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/)

by setting the `caBundle` field with the generated CA. 

Can optionally patch the hooks `failurePolicy` setting - useful in cases where a single Helm chart needs to provision resources

and hooks at the same time as patching.

The utility works in two parts, optimized to work better with the Helm provisioning process that leverages pre-install and post-install hooks to execute this as a Kubernetes job.

## Security Considerations

This tool may not be adequate in all security environments. If a more complete solution is required, you may want to 

seek alternatives such as [jetstack/cert-manager](https://github.com/jetstack/cert-manager)

## Command line options

```

Use this to create a ca and signed certificates and patch admission webhooks to allow for quick

                   installation and configuration of validating and admission webhooks.

Usage:

  kube-webhook-certgen [flags]

  kube-webhook-certgen [command]

Available Commands:

  create      Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'

  help        Help about any command

  patch       Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'

  version     Prints the CLI version information

Flags:

  -h, --help                help for kube-webhook-certgen

      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind

      --log-format string   Log format: text|json (default "text")

      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")

```

### Create

```

Generate a ca and server cert+key and store the results in a secret 'secret-name' in 'namespace'

Usage:

  kube-webhook-certgen create [flags]

Flags:

      --cert-name string     Name of cert file in the secret (default "cert")

  -h, --help                 help for create

      --host string          Comma-separated hostnames and IPs to generate a certificate for

      --key-name string      Name of key file in the secret (default "key")

      --namespace string     Namespace of the secret where certificate information will be written

      --secret-name string   Name of the secret where certificate information will be written

Global Flags:

      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind

      --log-format string   Log format: text|json (default "json")

      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")

```

### Patch

```

Patch a validatingwebhookconfiguration and mutatingwebhookconfiguration 'webhook-name' by using the ca from 'secret-name' in 'namespace'

Usage:

  kube-webhook-certgen patch [flags]

Flags:

  -h, --help                          help for patch

      --namespace string              Namespace of the secret where certificate information will be read from

      --patch-failure-policy string   If set, patch the webhooks with this failure policy. Valid options are Ignore or Fail

      --patch-mutating                If true, patch mutatingwebhookconfiguration (default true)

      --patch-validating              If true, patch validatingwebhookconfiguration (default true)

      --secret-name string            Name of the secret where certificate information will be read from

      --webhook-name string           Name of validatingwebhookconfiguration and mutatingwebhookconfiguration that will be updated

Global Flags:

      --kubeconfig string   Path to kubeconfig file: e.g. ~/.kube/kind-config-kind

      --log-format string   Log format: text|json (default "text")

      --log-level string    Log level: panic|fatal|error|warn|info|debug|trace (default "info")

```

## Known Users

- [stable/prometheus-operator](https://github.com/helm/charts/tree/master/stable/prometheus-operator) helm chart