https://github.com/microcumulus/ca-injector
Painlessly use off-the-shelf images (and your own) in your k8s cluster, with custom root CAs.
- Host: GitHub
- URL: https://github.com/microcumulus/ca-injector
- Owner: microcumulus
- License: mit
- Created: 2021-07-03T19:47:51.000Z (almost 5 years ago)
- Default Branch: main
- Last Pushed: 2025-05-21T22:10:15.000Z (about 1 year ago)
- Last Synced: 2025-09-02T12:58:07.325Z (10 months ago)
- Topics: certificate, certificate-authority, injector, kubernetes, kubernetes-addons, ssl, tls, vault, webhook
- Language: Go
- Size: 54.7 KB
- Stars: 31
- Watchers: 1
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.md
README
# ca-injector
A Kubernetes MutatingAdmissionWebhook that injects certificate bundles into pods
based on annotations, so that off-the-shelf deployments can run in clusters with
custom certificate authorities, with minimal disruption and minimal maintenance.
No more rebuilding images from upstream base images just to
`ADD yourca.crt /usr/share/ca-certificates/trust-source/anchors/` and
`RUN trust extract-compat || update-ca-certificates`.
This webhook does three things:
1. Adds the certificate bundle named by the pod's `microcumul.us/injectssl`
annotation to the pod as a volume. The annotation value must be the name of a
secret in the pod's namespace that has a key `ca.crt` whose value is a CA
bundle.
1. Mounts that volume in every container of the pod as a `volumeMount`.
1. Sets the `SSL_CERT_FILE` environment variable, which is [respected by
OpenSSL](https://www.openssl.org/docs/man3.1/man3/SSL_CTX_set_default_verify_paths.html)
and by most TLS libraries, so that they trust the injected bundle.
Just deploy this in your cluster, create each CA bundle as a secret (e.g.
`foo-crt`) with the key `ca.crt`
(`kubectl create secret generic foo-crt --from-file=ca.crt=my-bundle.crt`), and
put the `microcumul.us/injectssl: foo-crt` annotation on your pod, or in the
appropriate annotations section of your Helm chart's values. The key name
`ca.crt` can be changed by setting `tls.ca.key` in any of the usual ways: a
config file at `/etc/ca-injector.yaml` or `$HOME/.config/ca-injector.yaml`, or
the `TLS_CA_KEY` environment variable.
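As an added illustration (not the project's own code), here is a model of the three mutations above for the `foo-crt` walkthrough, expressed as the RFC 6902 JSON Patch that a mutating webhook returns in its AdmissionReview response. The volume name `injected-ca`, the mount path `/etc/injected-ca` and the read-only mount are this example's assumptions, not necessarily what ca-injector itself chooses.

```python
# Added example, not ca-injector's code: build the JSON Patch for the README's three mutations.
import json

ANNOTATION = "microcumul.us/injectssl"
CA_KEY = "ca.crt"               # README default; the project lets tls.ca.key override it
VOLUME_NAME = "injected-ca"     # assumed volume name, not the project's
MOUNT_DIR = "/etc/injected-ca"  # assumed mount path, not the project's


def _add_to_list(ops: list, parent: dict, field: str, path: str, value: dict) -> None:
    """Append to an existing list, or create it: an 'add' to '/x/-' is invalid when x is absent."""
    if parent.get(field):
        ops.append({"op": "add", "path": f"{path}/-", "value": value})
    else:
        ops.append({"op": "add", "path": path, "value": [value]})


def build_patch(pod: dict) -> list:
    """Return the RFC 6902 patch for an annotated pod, or [] for a pod without the annotation."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    secret = annotations.get(ANNOTATION)
    if not secret:
        return []  # unannotated pods pass through untouched
    ops: list = []
    spec = pod["spec"]
    # 1. Add the secret holding the CA bundle to the pod as a volume.
    _add_to_list(ops, spec, "volumes", "/spec/volumes",
                 {"name": VOLUME_NAME, "secret": {"secretName": secret}})
    for i, container in enumerate(spec["containers"]):
        base = f"/spec/containers/{i}"
        # 2. Mount that volume in every container (readOnly is this example's choice).
        _add_to_list(ops, container, "volumeMounts", f"{base}/volumeMounts",
                     {"name": VOLUME_NAME, "mountPath": MOUNT_DIR, "readOnly": True})
        # 3. Point OpenSSL and most TLS libraries at the mounted bundle.
        _add_to_list(ops, container, "env", f"{base}/env",
                     {"name": "SSL_CERT_FILE", "value": f"{MOUNT_DIR}/{CA_KEY}"})
    return ops


# Constructed sample pod: two containers, one of which already has an env list.
SAMPLE_POD = {
    "metadata": {"name": "app", "annotations": {ANNOTATION: "foo-crt"}},
    "spec": {"containers": [
        {"name": "web", "image": "nginx", "env": [{"name": "PORT", "value": "8080"}]},
        {"name": "sidecar", "image": "busybox"},
    ]},
}

if __name__ == "__main__":
    print(json.dumps(build_patch(SAMPLE_POD), indent=2))
```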
I highly suggest using this with
[replicator](https://github.com/mittwald/kubernetes-replicator) for a consistent
experience across namespaces. Another great tool that may work well for building
the bundle here is [trust-manager](https://github.com/cert-manager/trust-manager).
## Helm chart
```bash
helm repo add ca-injector https://microcumulus.github.io/ca-injector
# helm install takes the release name first, then the chart (repo/chart)
helm install ca-injector ca-injector/ca-injector
```