The responsibility of this webhook is to patch all newly created/updated namespaces so that they contain predefined empty secret with given annotation.
This repo produces one helm chart available via helm repository https://ysoftdevs.github.io/secret-duplicator. There are also 2 docker images:
ghcr.io/ysoftdevs/secret-duplicator/secret-duplicator- the image containing the webhook itselfghcr.io/ysoftdevs/secret-duplicator/webhook-cert-generator- helper image responsible for (re)generating the certificates
The helm chart consists of 2 parts: the certificate generator and the webhook configuration itself.
Certificate generation part periodically generates certificates signed by kubernetes' CA and passes them to the webhook where they are used as server-side certificates. The flow works roughly like this:
- We generate a CSR using openssl and tie the certificate to the webhook's service DNS.
- We create a k8s CertificateSigningRequest from the openssl CSR.
- We approve this request using our special ServiceAccount with approve permissions. This makes kubernetes issue the certificate
- We fetch the certificate from the k8s CSR (at
.status.certificate) and create a secret from it - We also create a CronJob that does this periodically as k8s only issues certificates for 1 year
The main part is the deployment and the web hook configuration. The flow is as follows
- The MutatingWebhookConfiguration we create instructs k8s to pass all requests for creating/updating all Namespaces to our webhook before finishing the request
- We check whether the Namespaces has the correctly defined secret configuration. if not, we create the secret.
- We also check whether we have the secret with correct annotation. If not, we update the secret
Of note is also a fact that the chart runs a lookup to the connected cluster to fetch the CA bundle for the MutatingWebhook. This means helm template won't work.
-
Create the prerequisite resources:
kubectl create ns secret-duplicator kubectl create secret -n secret-duplicator \ generic acr-dockerconfigjson-source \ --type=kubernetes.io/dockerconfigjson \ --from-literal=.dockerconfigjson='<your .dockerconfigjson configuration file>' -
Build the images and run the chart
make build-image helm upgrade -i secret-duplicator \ -n secret-duplicator \ charts/secret-duplicatorAlternatively, you can use the pre-built, publicly available helm chart and docker images:
helm repo add secret-duplicator https://ysoftdevs.github.io/secret-duplicator helm repo update helm upgrade -i secret-duplicator \ -n secret-duplicator \ secret-duplicator/secret-duplicator -
To test whether everything works, you can run
kubectl create ns yolo
The
getcommand should display some non-empty result.
To authenticate to the docker registry to push the images manually, you will need your own Github Personal Access Token. For more information follow this guide https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-to-the-container-registry