kubernetes-replicator
trust-manager
kubernetes-replicator | trust-manager |
---|---|
3 | 2 |
805 | 217 |
1.9% | 2.8% |
6.2 | 9.2 |
18 days ago | 6 days ago |
Go | Go |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
kubernetes-replicator
- What if your Pods need to trust self-signed certificates?
I've built a small MutatingAdmissionWebhook controller [0] that handles this, via a pod annotation whose value is a secret with `ca.crt` inside, and it uses the (mostly) de facto standard openssl variables to configure the libraries, so that it works across pretty much everything I've tried it with off the shelf.
I build a bundle (though I may just move to trust-manager [1]) and replicate it into all namespaces with kubernetes-replicator [2], and then I can annotate any pod with
[0] https://github.com/microcumulus/ca-injector
[1] https://github.com/cert-manager/trust-manager
[2] https://github.com/mittwald/kubernetes-replicator
- To anyone hosting in Kubernetes: Do you put all of your apps in one namespace (e.g., default), or one app per namespace?
Whichever way you go, I’ve successfully used this to replicate secrets: https://github.com/mittwald/kubernetes-replicator
- GitHub - mittwald/kubernetes-replicator: Kubernetes controller for synchronizing secrets & config maps across namespaces
trust-manager
- What if your Pods need to trust self-signed certificates?
Plug (but it's open source and free!): We've been trying to address this in Kubernetes with trust-manager. [1] Trust bundles need to be a runtime concern and they need to support trusting both the old and new version of a cert to safely allow for rotation. It's pretty simple but it seems to work well!
trust-manager also supports pulling in the Mozilla trust bundle which most Linux distros (and therefore most containers) use!
Handling trust of private [2] certificates is done poorly generally across many orgs and platforms, not just Kubernetes. There are lots of ways of shooting yourself in the foot - particularly when it comes to rotating CA certificates. I think there's a lot of space here for new solutions here!
[1] https://cert-manager.io/docs/projects/trust-manager/
[2] I try to avoid "self-signed" in this use case because its literal meaning is that the certificate signs itself using its own key, which is what root certificates do. The Let's Encrypt ISRG X1 root certificate is self-signed but it's definitely not what I'd call a 'private CA'; see https://letsencrypt.org/certificates/
What are some alternatives?
KubernetesCRDOperator - A sample about Kubernetes controller which can work with CRD to implement Operator pattern.
ssl-proxy - :lock: Simple zero-config SSL reverse proxy with real autogenerated certificates (LetsEncrypt, self-signed, provided)
aws-cloud-map-mcs-controller-for-k8s - K8s controller implementing Multi-Cluster Services API based on AWS Cloud Map.
ca-injector - Painlessly use off-the-shelf images (and your own) in your k8s cluster, with custom root CAs.
secrets-manager - A daemon to sync Vault secrets to Kubernetes secrets
certmagic - Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal
kubed - 🛡️ Kubernetes Config Syncer (previously kubed) [Moved to: https://github.com/kubeops/config-syncer]
docker-compose-stack - Use docker-compose and watchtower to self-deploy and auto-update a stack
config-syncer - 🛡️ Kubernetes Config Syncer (previously kubed)
Caddy - Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
sealed-secrets - A Kubernetes controller and tool for one-way encrypted Secrets
k8tz - Kubernetes admission controller and a CLI tool to inject timezones into Pods and CronJobs