Skip to content

Latest commit

 

History

History

kube-secrets-init

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
templates
templates
 
 
.helmignore
.helmignore
 
 
Chart.yaml
Chart.yaml
 
 
README.md
README.md
 
 
values.test.yaml
values.test.yaml
 
 
values.yaml
values.yaml
 
 

README.md

Deprecated

This chart is no longer maintained. A maintained fork can be found here.

kube-secrets-init

kube-secrets-init is a Kubernetes mutating admission webhook, that mutates any Pod that is using specially prefixed environment variables, directly or from Kubernetes as Secret or ConfigMap.

TL;DR;

On Kubernetes <1.15 the namespace where you install the webhook must have a label of name with the namespace name as the value, so the namespaceSelector in the MutatingWebhookConfiguration can skip the namespace of the webhook and no self-mutation takes place. As of Kubernetes 1.15, the default objectSelector will prevent self-mutations.

WEBHOOK_NS=${WEBHOOK_NS:-kube-secrets-init}
kubectl create namespace "${WEBHOOK_NS}"
kubectl label ns "${WEBHOOK_NS}" name="${WEBHOOK_NS}"
$ helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
$ helm repo update
$ helm install --namespace $WEBHOOK_NS --generate-name banzaicloud-stable/kube-secrets-init --wait

Configuration

Check values.yaml for configuration options.

Certificate

Webhooks require CA and TLS certificates to secure communication between the API server and the webhook. The chart offers the following options for certificate provisioning:

Generate (default)

The default option is to let Helm generate the CA and TLS certificates during installation.

This will renew the certificates on each deployment.

certificate:
  generate: true

Using cert-manager

If have cert-manager installed in your cluster, you can use it to automatically provision and inject certificates.

certificate:
  useCertManager: true
  generate: false

About GKE Private Clusters

When Google configure the control plane for private clusters, they automatically configure VPC peering between your Kubernetes cluster’s network in a separate Google managed project.

The auto-generated rules only open ports 10250 and 443 between masters and nodes. This means that to use the webhook component with a GKE private cluster, you must configure an additional firewall rule to allow your masters CIDR to access your webhook pod using the port 8443.

You can read more information on how to add firewall rules for the GKE control plane nodes in the GKE docs.

Roadmap

  • add back service config
  • add pod security policy support
  • add pod distruption budget
  • add all the remaining options of kube-secrets-init