est-operator
is a cert-manager External certificate issuer that implements a subset of RFC 7030 Enrollment over Secure Transport (EST). It provides custom resources for EST services and a custom controller that reconciles certificate requests.
est-operator
is written in Python using the kopf framework.
This operator covers only a portion of RFC 7030; see this document for an overview of what’s implemented, planned, and not planned.
See this document for an overview of this operator’s design.
- Kubernetes v1.19.1 or later.
est-operator
should run on v1.16 or later, but is only tested with v1.19.1. - Python 3.9 and packages. requirements.txt has all Python package dependencies. Install prerequistest with
pip
.pip install -r requirements.txt
dev-requirements.txt has additional Python packages for development purposes (e.g., building packages). The full set of reqiurements can be installed with
pip
. The order of requirements files is important;dev-requirements.txt
depends onrequirement.txt
.pip install -r requirements.txt -r dev-requirements.txt
See FIPS section below for installing dependencies in that mode.
This repository uses pip-tools to build requirements files.
See *Deployment, below. Also see the design document for a deployment description.
TBD.
The operator can be run “out of cluster,” meaning in a process that runs outside of Kubernetes control. This is useful for development, testing, and debugging est-operator
. This mode is not recommended for production.
The kopf
command will use the current cluster context in KUBECONFIG
by default.
kopf run est-operator.py
See kopf documentation for more details of running in this mode.
The operator can be built to satisfy FIPS 140-2 certification requirements. FIPS 140-2 certification depends on the module and the platform. A platform with Python dynamically linked to OpenSSL and links OpenSSL to a validated version of the OpenSSL FIPS Object Module can demonstrate FIPS 140-2 certification. Consult the NIST Cryptographic Module Validation Program list of OpenSSL modules for combinations of OpenSSL and platform that are certified.
Note: OpenSSL 1.0.2 is no longer supported by the OpenSSL project, but OpenSSL FIPS Object Module 2.0 is not compatible with OpenSSL 1.1. A new version is not available nor certified yet.
Other FIPS certified modules are available (e.g., GnuTLS and Network Security Services) but the work to integrate these modules is extensive. We welcome merge requests on this topic.
Requirements for FIPS mode vary slightly from above. The cryptography
package embeds a statically linked version of OpenSSL and is not compatible with OpenSSL 1.0.2, which is the latest FIPS certified version.
Install requirements with the following pip
command. You will need OpenSSL headers, Python3 headers, CFFI headers, and GCC. See cryptography build instructions for details.
pip install -r fips-requirements.txt
Note: This container image demonstrates FIPS 140-2 certification only on Amazon Linux 2 running on AWS EC2.
Dockerfile.fips builds a version of the operator image that maintains FIPS 140-2 certification. The image is built on Amazon Linux 2 and has FIPS validated libraries installed according to AWS documentation. The image runs with the environment variable OPENSSL_FIPS=1
set, and startup code in module initialization enables FIPS mode in the cryptographic library.
docker build -t est-operator:fips -f Dockerfile.fips .
If you have a FIPS certified version of OpenSSL installed and installed dependencies as above, the operator can be run “out of cluster” by OPENSSL_FIPS=1
in the shell environment before running kopf
. Otherwise we recommend using the container image.
- Python 3.9
- kopf framework
- Docker
TBD
TBD
- Timothy J. Miller - initial work - Cerebus
- The MITRE Corporation for allowing this work to be open sourced.
- Jetstack and all the cert-manager contributors for the framework that makes this extension possible.
- Sergey Vasilyev for kopf, so I don’t have to learn Go yet.