Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Local CA Issuer #43

Merged
merged 2 commits into from
Oct 5, 2020
Merged

Add Local CA Issuer #43

merged 2 commits into from
Oct 5, 2020

Conversation

spiarh
Copy link
Contributor

@spiarh spiarh commented Sep 3, 2020

What this PR does / why we need it:

This PR adds the possibility for a user to provide its own Certificate Authority. This can be useful in airgap environment or in enterprise environment where no ACME server is present.

The created certificate have the same parameters (duration, Key algorithm and key usage) as the letsencrypt default.

This is configurable by configuring a TLS Secret and a new Issuer (see examples/20-issuer-ca.yaml):

After some validation on the CA Certificate, the issuer looks like this:

spec:
  ca:
    privateKeySecretRef:
      name: issuer-ca-secret
      namespace: default
status:
  ca:
    NotAfter: "2023-05-31T14:55:55Z"
    NotBefore: "2020-09-03T14:55:55Z"
    Subject:
      CommonName: my-domain.com
      Country:
      - DE
      Locality:
      - Walldorf
      Organization:
      - Gardener
      OrganizationalUnit:
      - Gardener
      PostalCode: null
      Province:
      - BW
      SerialNumber: 1E04A2C8F057AC890F45FEC5446AE4DDA73EA1D5
      StreetAddress: null

Current differences with the ACME Issuer:

  • There are no metrics exported
  • No CSR can be provided
  • No CA "Autocreation", this means a user must provide its own CA.
    For testing puproses, it could be helpful to have this feature but I didn't want to include it in this PR.

Special notes for your reviewer:

What is the proper way to bump the version ?

I plan on updating the README.md in an other PR once the feature is fully ready.

Release note:

Add Local Certificate Authority Issuer

@spiarh spiarh requested a review from a team as a code owner September 3, 2020 16:49
@gardener-robot
Copy link

@lcavajani Thank you for your contribution.

@gardener-robot-ci-1
Copy link
Contributor

Thank you @lcavajani for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

@CLAassistant
Copy link

CLAassistant commented Sep 16, 2020

CLA assistant check
All committers have signed the CLA.

MartinWeindel and others added 2 commits September 29, 2020 12:06
Signed-off-by: lcavajani <lcavajani@suse.com>
@spiarh
Copy link
Contributor Author

spiarh commented Sep 29, 2020

I have updated the existing copyrights and added the missing ones.

@MartinWeindel
Copy link
Member

@lcavajani
Thanks for the PR and sorry for the late answer.
I have just played with it and it looks good so far.

There is one problem, if I try to create a new ca issuer with a new CA certificate following the steps you described it examples/20-issuer-ca.yaml.
I.e. if I run the steps

openssl genrsa -out CA-key.pem 4096
openssl req -new -key CA-key.pem -x509 -days 1000 -out CA-cert.pem
kubectl create secret tls issuer-ca-secret --cert=CA-cert.pem --key=CA-key.pem -oyaml --dry-run=client

and use it for the issuer, this error is reported:

certificate is not a CA

Any idea what's missing?

@MartinWeindel
Copy link
Member

With this adjustment I could resolve the problem with "certificate is not a CA":

openssl genrsa -out CA-key.pem 4096
CONFIG="
[req]
distinguished_name=dn
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:0
"
openssl req -new -nodes -x509 -config <(echo "$CONFIG") -key CA-key.pem  -subj "/CN=Hello" -extensions ext -days 1000 -out CA-cert.pem
kubectl create secret tls issuer-ca-secret --cert=CA-cert.pem --key=CA-key.pem -oyaml --dry-run=client

Copy link
Member

@MartinWeindel MartinWeindel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ltgm

I'm looking forward to the next PR with updating the readme.
Thanks again!

@gardener-robot
Copy link

@MartinWeindel Command /ltgm is not known.

@MartinWeindel MartinWeindel merged commit 9fac257 into gardener:master Oct 5, 2020
@spiarh spiarh deleted the add_ca branch October 26, 2020 12:52
@spiarh spiarh mentioned this pull request Oct 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants