RustJack

Ultimate Certificate Authority Injector for Kubernetes Pods 💉

A blazing fast, zero-allocation, stateless, and cloud-native event-driven Mutating Admission Webhook for CA Injection in Kubernetes.

RustJack allows off-the-shelf deployments to run in enterprise or air-gapped clusters with custom Certificate Authorities (CAs) without modifying container images. Say goodbye to the manual, repetitive process of ADD yourca.crt ... and RUN update-ca-certificates in your Dockerfiles.

🎯 The Pain of Custom CAs (Why You Need RustJack)

If you work in an enterprise, air-gapped, or highly regulated environment, you already know the nightmare of Deep Packet Inspection (DPI), SSL interception, and custom root authorities. Before RustJack, SRE/Platform/DevOps Engineers had to choose their poison:

🚫 The Dockerfile Anti-Pattern (Image Bloat): Forking and rebuilding every upstream Open Source image (like Alpine, Node, or Python) just to inject corporate-ca.crt. It breaks your software supply chain and slows down CI/CD pipelines.
🚫 The YAML Manifest Hell: Manually hardcoding volumes, volumeMounts, and environment variables into hundreds of Deployments. A single typo brings down the application with x509: unknown authority.
🚫 The InitContainer Tax (Boilerplate Burden): Forcing developers to inject initContainers or sidecars into every Pod just to fetch a certificate. It severely bloats YAML and slows down Pod startup times.
🚫 Bloated Legacy Webhooks: Using traditional webhooks that consume 50MB+ RAM at idle, introduce API Server latency, and rely on a fragile maze of third-party cert-managers just to keep their own TLS alive.

RustJack is the ultimate cure. It decouples the certificate trust layer from your application layer cleanly, instantly, and with zero operational overhead.

🏛️ The RustJack Philosophy

RustJack is not just another Kubernetes webhook, it is an architectural statement. Built with extreme Site Reliability Engineering (SRE) principles:

Zero-Allocation Pipeline: Processes JSON patches using pointer references (&str). Resulting in a flat 1 MiB RAM usage and < 1ms latency.
True Stateless High Availability (HA): Powered by the Kubernetes Watch API. Multiple replicas sync their TLS states entirely in-memory without Split-Brain.
Zero Trust "Short-Lived" TLS: Discards external cert-managers for its internal webhook. Generates its own keys in-memory with a 12-hour lifespan, auto-renewing at the 9-hour mark.
Distroless & Immutable: Packaged in Google's cc-debian12:nonroot Distroless image. No shell, no root access.
Idempotent Self-Healing: Chaos-tested against node failures and aggressive secret deletions. Gracefully handles SIGTERM.

✨ How It Works

When a Pod with the rustjack.io/inject: "true" label is submitted, RustJack intercepts the request and instantly injects the required CA trust chain before the Pod is scheduled:

Injects a Secret Volume: Mounts your custom CA bundle into all containers (including initContainers).
Exports Environment Variables: Automatically configures standard trust paths (SSL_CERT_FILE, REQUESTS_CA_BUNDLE, NODE_EXTRA_CA_CERTS, etc.) pointing to the injected CA file.

Your applications instantly trust the corporate CA—zero code changes required.

🚀 Installation (Helm)

This page serves as the official Helm chart repository. Install RustJack directly into your cluster:

helm repo add rustjack https://omidiyanto.github.io/rustjack/
helm repo update

helm upgrade --install rustjack-cainjector rustjack/rustjack-cainjector \
  --namespace cert-manager \
  --create-namespace \
  --wait

🔗 Enterprise Ecosystem: CA Distribution (Optional)

Architectural Note: RustJack is 100% independent. If you manually create a standard Kubernetes Opaque Secret containing your ca.crt, RustJack will happily inject it. However, for true enterprise automation across dozens of namespaces, we highly recommend pairing RustJack with trust-manager.

1. Install the cert-manager & trust-manager stack:

helm repo add jetstack https://charts.jetstack.io --force-update

helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager --create-namespace --set crds.enabled=true

helm upgrade trust-manager jetstack/trust-manager \
  --install --namespace cert-manager --wait \
  --set secretTargets.enabled=true --set secretTargets.authorizedSecretsAll=true

2. Define your corporate CA once using a Bundle:

apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: my-root-ca # This name will be referenced in your pod's annotation
spec:
  sources:
    - useDefaultCAs: true
    - inLine: |
        -----BEGIN CERTIFICATE-----
        MIIDNTC..................
        -----END CERTIFICATE-----
  target:
    secret:
      key: "ca.crt"

trust-manager replicates this CA into every namespace, and RustJack natively mounts these replicated Secrets into your Pods.

💡 Usage Guide (Strict Mode)

RustJack operates in Strict Mode. You MUST provide both the specific trigger label and the configuration annotation to prevent unnecessary webhook invocations.

Scope	Key	Description
Label	`rustjack.io/inject: "true"`	[REQUIRED] Instructs the Kube-apiserver to route this Pod to the webhook.
Annotation	`rustjack.io/ca-secret`	[REQUIRED] The exact name of the Kubernetes Secret containing your `ca.crt`.
Annotation	`rustjack.io/mount-path`	[Optional] Directory where the CA will be mounted. Default: `/ssl`.
Annotation	`rustjack.io/extra-envs`	[Optional] Comma-separated list of additional env vars to inject.

Example: Zero-Touch Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-secure-app
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-secure-app
  template:
    metadata:
      labels:
        app: my-secure-app
        # 👇 1. THE TRIGGER LABEL 👇
        rustjack.io/inject: "true"
      annotations:
        # 👇 2. DEFINE CA SECRET NAME TO BE INJECTED 👇
        rustjack.io/ca-secret: "my-root-ca"
    spec:
      containers:
      - name: main-app
        image: alpine:latest
        command: ["sleep", "infinity"]

Verification

# Check the RustJack logs
kubectl logs -l app.kubernetes.io/name=rustjack-cainjector -n cert-manager

# Verify the application Pod
kubectl exec -it deploy/my-secure-app -- env | grep "SSL\|CUSTOM"
kubectl exec -it deploy/my-secure-app -- ls -la /ssl/ca.crt

📊 Performance Benchmarks

Tested on a production RKE2 cluster with 30 concurrent Pod scaling operations:

Memory Footprint: ~ 1.0 MiB (Flat line, immune to garbage collection spikes)
CPU Usage: ~ 1m (0.001 cores at peak concurrent load)
API Latency: < 1 ms
High Availability: Active-Active Topology Spread via Kubernetes Watch API