Self signed issuer #228

Merged
merged 33 commits into from
Nov 26, 2024
Changes from 27 commits
Commits
33 commits
645c949  implement selfSigned issuer  (RaphaelVogel, Jun 28, 2024)
5f9435b  enable cert duration for ca issuer  (RaphaelVogel, Jul 31, 2024)
21f8def  enable cert duration for acme issuer  (RaphaelVogel, Aug 1, 2024)
b5f2a00  checks for isCA and duration  (RaphaelVogel, Sep 11, 2024)
7e655da  set requests per day to MaxInt for CA and self-signed issuer  (RaphaelVogel, Sep 11, 2024)
175deba  Update pkg/controller/issuer/ca/handler.go  (RaphaelVogel, Sep 13, 2024)
a084afb  chore: Remove obsolete script format.sh  (marc1404, Nov 12, 2024)
f6cbe9a  style: Run `make format`  (marc1404, Nov 12, 2024)
313776c  fix: Resolve mishaps from rebase  (marc1404, Nov 13, 2024)
f37200a  style: Add trailing newline  (marc1404, Nov 13, 2024)
5a6888a  fix: Dereference duration pointer  (marc1404, Nov 13, 2024)
b9de4b0  refactor: Rename multipleIssuerTypes to hasMultipleIssuerTypes  (marc1404, Nov 13, 2024)
761a4e2  chore: Fix typo in comment  (marc1404, Nov 13, 2024)
f4471e9  fix: Check against nil Duration pointer  (marc1404, Nov 13, 2024)
7372035  fix: Check against nil Duration pointer  (marc1404, Nov 13, 2024)
16a6b56  chore: Fix typo in comment  (marc1404, Nov 13, 2024)
1b8dbca  test: Add self-signed controller unit tests  (marc1404, Nov 19, 2024)
44ead42  test: Add certificate controller unit tests  (marc1404, Nov 19, 2024)
83e4c38  test: Add issuer info unit test  (marc1404, Nov 19, 2024)
ca209e8  test: Add PKI unit tests  (marc1404, Nov 19, 2024)
55f9633  test: Add certificate unit tests  (marc1404, Nov 19, 2024)
ff58a40  chore: Use proper assertion HaveCap()  (marc1404, Nov 19, 2024)
c7a39d3  style: Format Go imports  (marc1404, Nov 19, 2024)
810415a  chore: Add missing license headers  (marc1404, Nov 19, 2024)
e148445  test: Wrap ACME issuer test in context  (marc1404, Nov 21, 2024)
340bdb4  test: Integration test for self-signed certificates  (marc1404, Nov 21, 2024)
5a4ff17  test: Structure self-signed certificate unit test  (marc1404, Nov 21, 2024)
b35411a  style: Add period after comment (PR review)  (marc1404, Nov 25, 2024)
8d17580  style: Add period after comment (PR review)  (marc1404, Nov 25, 2024)
194500c  style: Add period after comment (PR review)  (marc1404, Nov 25, 2024)
a3dea7a  test: Fix test name (PR review)  (marc1404, Nov 25, 2024)
3b0504e  test: Assert private key size properly (PR review)  (marc1404, Nov 25, 2024)
77904e2  test: Assert private key size (PR review)  (marc1404, Nov 25, 2024)
68 changes: 65 additions & 3 deletions README.md
Expand Up @@ -143,11 +143,13 @@ is already in place. The operator must request/provide by its own means a CA
or an intermediate CA. This is mainly used for **on-premises** and
**airgapped** environements.

It can also be used for **developement** or **testing** purproses. In this case
a Self-signed Certificate Authority can be created by following the section below.
To create a self-signed certificate a dedicated issuer of type [selfSigned](#selfsigned) should be used.

_Create a Self-signed Certificate Authority (optional)_
It is also possible to manually create a self-signed certificate using the CA issuer
<details>
<summary>Manual steps</summary>

Create a Self-signed Certificate Authority
```bash
▶ openssl genrsa -out CA-key.pem 4096
▶ export CONFIG="
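Review bot: the added sentence `It is also possible to manually create a self-signed certificate using the CA issuer` is missing its terminating period, and since this paragraph is being edited anyway the surrounding typos `environements`, `developement` and `purproses` could be corrected in the same hunk. It would also help readers to say in that sentence what the manual route changes: with the CA issuer the operator generates and stores the CA key (the `openssl genrsa` step below), whereas the new selfSigned issuer does that for them.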
Expand Down Expand Up @@ -244,6 +246,66 @@ Some details about the CA can be found in the status of the issuer.
"type": "ca"
}
```
</details>

### SelfSigned
This issuer is meant to be used when you want to create a fully managed self-signed certificate.

Configure your shoot to allow custom issuers in the shoot cluster. By default, issuers are created in the control plane of your cluster.
```yaml
kind: Shoot
...
spec:
extensions:
- type: shoot-cert-service
providerConfig:
apiVersion: service.cert.extensions.gardener.cloud/v1alpha1
kind: CertConfig
shootIssuers:
enabled: true # if true, allows to specify issuers in the shoot cluster
...
```

Create and deploy a self-signed issuer in your shoot cluster ([examples/20-issuer-selfsigned.yaml](./examples/20-issuer-selfsigned.yaml))
```yaml
apiVersion: cert.gardener.cloud/v1alpha1
kind: Issuer
metadata:
name: issuer-selfsigned
namespace: default
spec:
selfSigned: {}

```

Create a certificate ([examples/30-cert-selfsigned.yaml](./examples/30-cert-selfsigned.yaml)).
Please note that `spec.isCA` must be set to `true` to create a self-signed certificate. The duration (life-time) of the certificate
as well as the private key algorithm and key size may be specified. Duration value must be in units accepted by Go `time.ParseDuration`
([see here](https://golang.org/pkg/time/#ParseDurationThe)), and it must be greater than 720h (30 days).
```yaml
apiVersion: cert.gardener.cloud/v1alpha1
kind: Certificate
metadata:
name: cert-selfsigned
namespace: default
spec:
commonName: cert1.mydomain.com
isCA: true
# optional: default is 90 days (2160h). Must be greater 30 days (720h)
# duration: 720h1m
# optional defaults to RSA 2048
#privateKey:
# algorithm: ECDSA
# size: 384
issuerRef:
name: issuer-selfsigned
namespace: default # must be specified when issuer runs in shoot!
# optional: secret where the certificate should be stored
#secretRef:
# name: cert-selfsigned-foo
# namespace: default
```


## Requesting a Certificate
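Review bot: the duration rule here conflicts with the example file in this same PR: this text and the `# duration: 720h1m` comment say the value must be greater than 720h (30 days), while `examples/30-cert-selfsigned.yaml` says `Must be greater 2*30 days (1440h)` and suggests `# duration: 1441h`; pick one bound and use it in both places. The `time.ParseDuration` link has a stray `The` appended (`#ParseDurationThe`), so the anchor will not resolve. `spec.isCA must be set to true` deserves one sentence of explanation: the issuer produces a self-signed CA certificate, so the secret named by `secretRef` ends up holding a CA private key, which operators should know before pointing other issuers at it. The blank line before the closing fence of the issuer example can be dropped.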

Expand Up @@ -108,6 +108,12 @@ spec:
is used if CNAME record for DNS01 challange domain `_acme-challenge.<domain>`
is set.
type: boolean
isCA:
description: |-
IsCA value is used to set the `isCA` field on the certificate request.
Note that the issuer may choose to ignore the requested isCA value, just
like any other requested attribute.
type: boolean
issuerRef:
description: IssuerRef is the reference of the issuer to use.
properties:
Expand Up @@ -181,6 +181,9 @@ spec:
description: RequestsPerDayQuota is the maximum number of certificate
requests per days allowed for this issuer
type: integer
selfSigned:
description: SelfSigned is the self signed specific spec.
type: object
type: object
status:
description: IssuerStatus is the status of the issuer.
Expand Down Expand Up @@ -209,8 +212,8 @@ spec:
description: State is either empty, 'Pending', 'Error', or 'Ready'.
type: string
type:
description: Type is the issuer type. Currently only 'acme' and 'ca'
are supported.
description: Type is the issuer type. Currently only 'acme', 'ca'
and 'selfSigned' are supported.
type: string
required:
- state
7 changes: 7 additions & 0 deletions examples/20-issuer-selfsigned.yaml
@@ -0,0 +1,7 @@
apiVersion: cert.gardener.cloud/v1alpha1
kind: Issuer
metadata:
name: issuer-selfsigned
namespace: default
spec:
selfSigned: {}
23 changes: 23 additions & 0 deletions examples/30-cert-selfsigned.yaml
@@ -0,0 +1,23 @@
apiVersion: cert.gardener.cloud/v1alpha1
kind: Certificate
metadata:
name: cert-selfsigned
namespace: default
spec:
commonName: ca1.mydomain.com
isCA: true
# optional: default is 90 days (2160h). Must be greater 2*30 days (1440h)
# duration: 1441h
# optional defaults to RSA 2048
# privateKey:
# algorithm: ECDSA
# size: 384
# CSR can also be specified
# csr: ...
issuerRef:
name: issuer-selfsigned
namespace: default # must be specified when issuer runs in shoot!
# optional: secret where the certificate should be stored
#secretRef:
# name: cert-selfsigned-foo
# namespace: default
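Review bot: `Must be greater 2*30 days (1440h)` with `# duration: 1441h` disagrees with the README section added in this PR, which states a 720h (30 days) minimum and uses `720h1m`; align the example with whichever bound the controller actually enforces. The `# csr: ...` comment introduces an option that the README's SelfSigned section never mentions; either document how a supplied CSR interacts with `isCA`, `commonName` and `privateKey` (which of them takes precedence), or drop the comment from the example so it only shows supported combinations.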
6 changes: 6 additions & 0 deletions pkg/apis/cert/crds/cert.gardener.cloud_certificates.yaml
Expand Up @@ -103,6 +103,12 @@ spec:
is used if CNAME record for DNS01 challange domain `_acme-challenge.<domain>`
is set.
type: boolean
isCA:
description: |-
IsCA value is used to set the `isCA` field on the certificate request.
Note that the issuer may choose to ignore the requested isCA value, just
like any other requested attribute.
type: boolean
issuerRef:
description: IssuerRef is the reference of the issuer to use.
properties:
7 changes: 5 additions & 2 deletions pkg/apis/cert/crds/cert.gardener.cloud_issuers.yaml
Expand Up @@ -176,6 +176,9 @@ spec:
description: RequestsPerDayQuota is the maximum number of certificate
requests per days allowed for this issuer
type: integer
selfSigned:
description: SelfSigned is the self signed specific spec.
type: object
type: object
status:
description: IssuerStatus is the status of the issuer.
Expand Down Expand Up @@ -204,8 +207,8 @@ spec:
description: State is either empty, 'Pending', 'Error', or 'Ready'.
type: string
type:
description: Type is the issuer type. Currently only 'acme' and 'ca'
are supported.
description: Type is the issuer type. Currently only 'acme', 'ca'
and 'selfSigned' are supported.
type: string
required:
- state
13 changes: 11 additions & 2 deletions pkg/apis/cert/crds/zz_generated_crds.go
Expand Up @@ -407,6 +407,12 @@ spec:
is used if CNAME record for DNS01 challange domain ` + "`" + `_acme-challenge.<domain>` + "`" + `
is set.
type: boolean
isCA:
description: |-
IsCA value is used to set the ` + "`" + `isCA` + "`" + ` field on the certificate request.
Note that the issuer may choose to ignore the requested isCA value, just
like any other requested attribute.
type: boolean
issuerRef:
description: IssuerRef is the reference of the issuer to use.
properties:
Expand Down Expand Up @@ -875,6 +881,9 @@ spec:
description: RequestsPerDayQuota is the maximum number of certificate
requests per days allowed for this issuer
type: integer
selfSigned:
description: SelfSigned is the self signed specific spec.
type: object
type: object
status:
description: IssuerStatus is the status of the issuer.
Expand Down Expand Up @@ -903,8 +912,8 @@ spec:
description: State is either empty, 'Pending', 'Error', or 'Ready'.
type: string
type:
description: Type is the issuer type. Currently only 'acme' and 'ca'
are supported.
description: Type is the issuer type. Currently only 'acme', 'ca'
and 'selfSigned' are supported.
type: string
required:
- state
14 changes: 13 additions & 1 deletion pkg/apis/cert/v1alpha1/types.go
Expand Up @@ -85,6 +85,11 @@ type CertificateSpec struct {
// Private key options. These include the key algorithm and size.
// +optional
PrivateKey *CertificatePrivateKey `json:"privateKey,omitempty"`
// IsCA value is used to set the `isCA` field on the certificate request.
// Note that the issuer may choose to ignore the requested isCA value, just
// like any other requested attribute.
// +optional
IsCA *bool `json:"isCA,omitempty"`
// Requested 'duration' (i.e. lifetime) of the Certificate. Note that the
// ACME issuer may choose to ignore the requested duration, just like any other
// requested attribute.
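Review bot: the `IsCA` doc comment says the issuer may ignore the value, but the README in this PR states the selfSigned issuer requires `isCA: true`; spell that rule out here (the CRD descriptions in the charts and `pkg/apis/cert/crds` are generated from this comment, so fixing it once fixes all three copies). The neighbouring `Duration` comment still says only the `ACME issuer may choose to ignore the requested duration`; with commits `enable cert duration for ca issuer` and `enable cert duration for acme issuer` in this PR the field now applies to the CA and self-signed issuers as well, so update the comment to describe the minimum-duration check that is now enforced.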
Expand Down Expand Up @@ -406,6 +411,9 @@ type IssuerSpec struct {
// CA is the CA specific spec.
// +optional
CA *CASpec `json:"ca,omitempty"`
// SelfSigned is the self signed specific spec.
// +optional
SelfSigned *SelfSignedSpec `json:"selfSigned,omitempty"`
// RequestsPerDayQuota is the maximum number of certificate requests per days allowed for this issuer
// +optional
RequestsPerDayQuota *int `json:"requestsPerDayQuota,omitempty"`
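Review bot: with `CA` and `SelfSigned` (and the existing ACME spec) all optional pointers, nothing in the API says that exactly one of them must be set; the controller-side `hasMultipleIssuerTypes` check from commit `b9de4b0` catches it at reconcile time, but a CRD validation rule (for example an `x-kubernetes-validations` CEL rule on `spec`) would reject ambiguous or empty issuers at admission, and the field comments should state the one-of constraint either way. The `RequestsPerDayQuota` comment right below is also worth updating: commit `7e655da` sets the quota to MaxInt for CA and self-signed issuers, which is a behaviour operators should be able to read off the API docs rather than discover from the controller.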
Expand Down Expand Up @@ -475,6 +483,10 @@ type CASpec struct {
PrivateKeySecretRef *corev1.SecretReference `json:"privateKeySecretRef,omitempty"`
}

// SelfSignedSpec is the self signed specific spec.
type SelfSignedSpec struct {
}
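Review bot: `SelfSignedSpec` has no fields, so `selfSigned: {}` is the only valid value; say so in the doc comment (reserved for future options) and hyphenate `self-signed` consistently with the README and the status `Type` description below.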

// IssuerStatus is the status of the issuer.
type IssuerStatus struct {
// ObservedGeneration is the observed generation of the spec.
Expand All @@ -484,7 +496,7 @@ type IssuerStatus struct {
// Message is the status or error message.
// +optional
Message *string `json:"message,omitempty"`
// Type is the issuer type. Currently only 'acme' and 'ca' are supported.
// Type is the issuer type. Currently only 'acme', 'ca' and 'selfSigned' are supported.
// +optional
Type *string `json:"type"`
// ACME is the ACME specific status.
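Review bot: the status `Type` comment is updated correctly; while here, the tag on the same field, `json:"type"` without `omitempty` on a pointer marked `+optional`, is pre-existing but serialises as `"type": null` when unset and could be made `json:"type,omitempty"` in this PR.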
26 changes: 26 additions & 0 deletions pkg/apis/cert/v1alpha1/zz_generated.deepcopy.go