ValidatingWebhookConfiguration with a Secret

Time: 2020-03-11 10:02:36

Tags: kubernetes kubernetes-secrets

To get a ValidatingWebhookConfiguration working, I have to run a bunch of openssl commands and then copy-paste (or sed) the certificate authority into my deploy.yaml, where the webhook is defined. That isn't very clean, though. I know I can put my CA in a Secret, but how can that Secret be referenced from the ValidatingWebhookConfiguration?

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: webhook-test
webhooks:
- name: my.webhook.frick
  failurePolicy: Fail
  clientConfig:
    caBundle: CA_BUNDLE_THAT_I_HAVE_TO_PASTE_BY_HAND
    service:
      name: validating-svc
      namespace: default
      path: /services/validate
  rules:
      ...

All the openssl commands:

# CA key and self-signed CA certificate
openssl genrsa -out certs/ca.key 2048
openssl req -new -x509 -key certs/ca.key -out certs/ca.crt -config certs/ca_config.txt
# Serving key and CSR for the webhook service; CN must match the in-cluster service DNS name
openssl genrsa -out certs/chris.pem 2048
openssl req -new -key certs/chris.pem -subj "/CN=validating-svc.default.svc" -out certs/chris.csr -config certs/chris_config.txt
# Sign the serving certificate with the CA
openssl x509 -req -in certs/chris.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/chris-crt.pem
# caBundle wants the PEM CA base64-encoded on a single line
export CA_BUNDLE=$(cat certs/ca.crt | base64 | tr -d '\n') # Copy-paste into deploy.yaml

In the long run, the goal is to package my webhook project as a Helm chart.

1 answer:

Answer 0 (score: 1)

You can have a controller that injects the CA bundle into the webhook's ValidatingWebhookConfiguration and MutatingWebhookConfiguration resources, so that the Kubernetes API server "trusts" the webhook API server. The ca injector of cert-manager does exactly this, and you can use it as a reference since its source code is open.
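The injection the answer describes, as an added example that is not cert-manager's code: the core of a CA injector that takes the CA PEM from a Secret (a constructed one named webhook-ca, with a placeholder PEM body rather than a real certificate) and writes it into clientConfig.caBundle of every webhook in a config shaped like the one in the question. A real controller would read and patch these objects through the API server; here they are plain dicts so it runs offline.

```python
import base64
import copy
import re

# Constructed sample Secret (cert-manager style: PEM CA under data["ca.crt"], base64-encoded).
# The PEM body is a placeholder, not a real certificate.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIBexampleCAbodyNOTaRealCert\n-----END CERTIFICATE-----\n"
CA_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "webhook-ca", "namespace": "default"},
    "data": {"ca.crt": base64.b64encode(CA_PEM.encode()).decode()},
}

# Constructed config mirroring the question's manifest, with the hand-pasted placeholder still in place.
WEBHOOK_CONFIG = {
    "apiVersion": "admissionregistration.k8s.io/v1beta1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "webhook-test"},
    "webhooks": [{
        "name": "my.webhook.frick",
        "failurePolicy": "Fail",
        "clientConfig": {
            "caBundle": "CA_BUNDLE_THAT_I_HAVE_TO_PASTE_BY_HAND",
            "service": {"name": "validating-svc", "namespace": "default", "path": "/services/validate"},
        },
        "rules": [],
    }],
}

# One or more concatenated PEM CERTIFICATE blocks; anything else (a key, junk) is rejected.
PEM_CHAIN = re.compile(r"(?:-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE-----\n?)+")

def ca_bundle_from_secret(secret, key="ca.crt"):
    """Return the caBundle value (base64 of the PEM chain) for a Secret, refusing non-certificate data."""
    if secret.get("kind") != "Secret" or key not in secret.get("data", {}):
        raise ValueError(f"secret has no data[{key!r}]")
    pem = base64.b64decode(secret["data"][key]).decode()
    if not PEM_CHAIN.fullmatch(pem):
        raise ValueError(f"data[{key!r}] is not a PEM certificate chain")
    # Same encoding the question's shell line produces: base64 of the PEM, no line breaks.
    return base64.b64encode(pem.encode()).decode()

def inject_ca_bundle(config, secret):
    """Return a copy of the webhook config with caBundle set on every webhook; the input is not mutated."""
    bundle = ca_bundle_from_secret(secret)
    patched = copy.deepcopy(config)
    for webhook in patched.get("webhooks", []):
        webhook.setdefault("clientConfig", {})["caBundle"] = bundle
    return patched
```

Because the Secret already stores the PEM base64-encoded, the injected caBundle is byte-for-byte the Secret's data["ca.crt"] value; the validation step is what keeps a mis-pointed Secret (a private key, for instance) from ending up in the webhook config.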