This project is still in development. This is not supposed to be used on production systems.
This Kubernetes MutatingWebhook provides a the possibility to append custom CA certificates to the pod’s trusted CA config. You can inject your custom CA to both the Pod’s PEM or JKS truststore. The only prerequisite is to have a configMap containing your list of your custom CA certicicates in PEM format in the same project where you want to inject it to the pods. Then you can define by pod annotations to configure which trustore you want to inject(PEM or JKS), the paths on the containers where the truststore should be stored, the name of the configmap containing the custom CA.
As I will rely on some OpenShift specific automations, like the signing of service SSL certificates, I will follow the deployment steps for OpenShift. I will emphasise however, what needs to be adjusted in case the deployment is on vanilla K8S.
First create the namespace where you want to deploy the injector application
oc new-project custom-ca-injector
For OpenShift, the certificates of the Injector will be created and signed by the internal CA and this will be achieved by adding this specific annotation service.beta.openshift.io/serving-cert-secret-name: ca-injector to the service definition. After reading this annototion, OpenShift API will generate a TLS secret with the name ca-injector . This secret will be mounted afterwards to the injector pod in the deployment definition.
Let’s deploy the injector. Adjust the manifests if the you use a different namespace name
oc apply -f deployments/injector
When Kubernetes API will make a request to the MutatingWebhook, it will need to trust the CA used to sign the Webhook certificates, i.e. OpenShift CA. To achieve this, use the following script (adjust webhook name if necessary):
./scripts/configure-ssl.sh
|
Note
|
If you are deploying to vanilla K8S, you can use the following Github project: https://github.com/newrelic/k8s-webhook-cert-manager. This automates generation of the SSL certificates for injector and the configuration of the MutatingWebhookConfiguration with the CA used to sign the certificates. |
First go to the namespace where we want the pods to have custom ca injected. We will create a new one:
oc new-project custom-ca-injector-test
Then label the namespace:
oc label namespace custom-ca-injector-test inject=custom-pki
As a prerequisite, we need to create a configmap containing the list of trusted CAs in PEM format. This configmap should contain the additional custom CA certificates that would need to be added additionally to the already trusted ones. The key in the configMap where the CA list is stored should be called ca-bundle.crt
Let’s deploy now a test application. We will use a a dummy Quarkus Hello World application. Let’s assume that we will need to inject both JKS and PEM custom certificates.
To trigger the injections, we need to annotate the pods in the deployment.
oc apply -f deployments/example-spring
The available annotations are listed below:
| Annotation | Default value | Info |
|---|---|---|
custompki.openshift.io/inject-pem |
Inject PEM custom ca |
|
custompki.openshift.io/inject-jks |
Inject JKS custom ca |
|
custompki.openshift.io/inject-pem-path |
/etc/pki/ca-trust/extracted/pem |
Path where the pem truststore should be injected |
custompki.openshift.io/inject-jks-path |
/etc/pki/ca-trust/extracted/java |
Path where the pem truststore should be injected |
custompki.openshift.io/image |
registry.redhat.io/ubi8/openjdk-11 |
If JKS needs to be injected, an additional initContainer that will convert the PEM to JKS will be required. This setting specifies the image to be used for this init container |
custompki.openshift.io/configmap |
custom-ca |
The name of the configMap containing the trusted CAs in PEM format. This need to be created in advance |
-
Refactor based on https://github.com/kubernetes/kubernetes/blob/v1.13.0/test/images/webhook/main.go
-
Support authentication and use OpenShift best practices: https://docs.openshift.com/container-platform/4.5/architecture/admission-plug-ins.html
-
Investigate Binary ConfigMaps for JKS injection