8000 GitHub - peeveen/derrer: Mutating webhook for converting PEM-encoded private keys in K8S Secrets to DER-encoded form
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
/ derrer Public

Mutating webhook for converting PEM-encoded private keys in K8S Secrets to DER-encoded form

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

peeveen/derrer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
.vscode
.vscode
 
 
helm
helm
 
 
service
service
 
 
ssl
ssl
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

Derrer

Helm has some very useful functions for creating TLS/SSL certificates and keys.

But everything it produces is PEM-encoded.

I hit a problem where I wanted a container running a JDBC service to use a Helm-generated private key, but it would only accept a DER-encoded key.

Rather than muck around with initContainers or new entrypoint scripts running openssl commands, I decided to create Derrer.

What is it?

Derrer is a Helm chart that installs a MutatingWebhookConfiguration and a webservice for that webhook.

Once installed, any appropriately-annotated Secret that is added to the cluster will be passed to the webservice for mutation. If the webservice finds something that appears to be a PEM-encoded private key in the secret, it will add a DER-encoded version of that same key to the secret.

How to use it

First of all, install the Helm chart into your cluster:

helm install derrer oci://registry-1.docker.io/peeveen/derrer --version=1.2.0

Use --set mutateOnUpdate=false if you don't want the mutation to occur on UPDATE events. By default, it will affect CREATE and UPDATE events.

Then, add an appropriate annotation to your Secret and, when it is added to the cluster, Derrer should jump into action and perform any requested conversions.

Annotation name Description Default value
com.peeveen.derrer/names A :-separated list of names. Any items in the Secret that match any of these names will be considered as candidates for conversion. Empty string
com.peeveen.derrer/extensions A :-separated list of file extensions. Any items in the Secret that look like filenames with any of these extensions will be considered as candidates for conversion. key
com.peeveen.derrer If this is set to any non-blank value, Derrer will trigger. If you supply any of the above annotations, you don't need to use this one. This is just a shorthand annotation for when you want Derrer to trigger with all-default values. Empty string
com.peeveen.derrer/addExtension When an item is converted to DER, this extension is added. For example, if an item called tls.key is converted, and the value of this annotation is der, the Secret will have a new item called tls.key.der added to it. der

NOTE: Derrer won't do anything if addExtension is the only annotation you add. You need to use at least one of the others.

About

Mutating webhook for converting PEM-encoded private keys in K8S Secrets to DER-encoded form

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching 3F50

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages
0