Enable Admission Webhook

The Admission Webhook can perform before applying the change a validation to see if the secret would get created correct without an exception that the secret is not accessible by Vault-CRD:

$ kubectl apply -f dockercfg-error.yml
Error from server: error when creating "dockercfg-error.yml": admission webhook "validate.vault.koudingspawn.de" denied the request: Couldn't load secret from vault path blub/docker-hub

Configure Admission Webhook

The Admission Webhook can be applied by editing the deploy/rbac.yaml file. There are multiple lines commented out that configure the server to serve traffic on HTTPS.

The initContainer in this block simply converts the tls.crt and tls.key into a keystore. As Vault-CRD is written in Java it has to deal with keystores. The initContainer simply takes over this task to convert the pem encoded cert and key into a valid p12-Format.

Additionally there is a Secret called vault-crd-tls, this is an example secret that contains a tls.crt and a tls.key, these are the secrets used for serving HTTPS and receive Admission Webhook Requests form the APIServer. You can simply replace them with self signed certificates. The certificates must be valid for the service defined in "deploy/admission-webhook.yaml".

By default this is vault-crd, so it should be valid for:

  • vault-crd.vault-crd

  • vault-crd.vault-crd.svc

In case you have another name for the service you should name it with <service-name>.<namespace-name> and <service-name>.<namespace-name>.svc.

Afterwards please manipulate also the deploy/admission-webhook.yaml file. There replace the caBundle with the ca certificate to allow the APIServer to validate if the certificate is valid. In case you don't have a certificate chain you can also set here the certificate file as caBundle value.