kelseyhightower / certificate-init-container
Bootstrap TLS certificates for Pods using the Kubernetes certificates API.
License: Apache License 2.0
I have a use-case that requires me to specify a bespoke common name (CN) that is different from the first DNS name (dnsName[0]). It'd be nice to have a flag that lets me overwrite the common name so that it's different from the first DNS name.
I have a use-case that requires me to set the OU (Organizational Unit) and SN (Serial Number). It'd be nice to have a flag that lets me set the OU, and a flag that lets me set the SN or have the SN autogenerated.
I am getting an error while trying to load this init container in my deployment:
2018/06/14 12:32:05 wrote /etc/tls/tls.key
2018/06/14 12:32:05 wrote /etc/tls/tls.csr
2018/06/14 12:32:05 unable to create the certificate signing request: resource not namespaced
Here is my deployment yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: users
  labels:
    app: users
spec:
  replicas: 1
  selector:
    matchLabels:
      app: users
  template:
    metadata:
      labels:
        app: users
    spec:
      initContainers:
        - name: certificate-init-container
          image: gcr.io/hightowerlabs/certificate-init-container:0.0.2
          imagePullPolicy: Always
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          args:
            - "-additional-dnsnames=comply-online.com"
            - "-cert-dir=/etc/tls"
            - "-namespace=$(NAMESPACE)"
            - "-pod-ip=$(POD_IP)"
            - "-pod-name=$(POD_NAME)"
            - "-service-names=users"
          volumeMounts:
            - name: tls
              mountPath: /etc/tls
      containers:
        - name: users
          imagePullPolicy: Always
          image: compliance/compliance-users
          args:
            - "-tls-cert=/etc/tls/tls.crt"
            - "-tls-key=/etc/tls/tls.key"
          readinessProbe: # Check when application is ready
            httpGet:
              path: "/api/v1/ready"
              port: nodejs-port
            initialDelaySeconds: 15
            timeoutSeconds: 5
          livenessProbe: # healthcheck every 60 seconds
            httpGet:
              path: "/api/v1/ready"
              port: nodejs-port
            initialDelaySeconds: 15
            timeoutSeconds: 10
            periodSeconds: 60
          ports:
            - name: nodejs-port
              containerPort: 3000
            - name: sslport
              containerPort: 3443
          volumeMounts:
            - name: tls
              mountPath: /etc/tls
        - name: mongo
          image: mongo
          ports:
            - name: mongo
              containerPort: 27017
              hostPort: 27017
          volumeMounts:
            - name: mongo-persistent-storage
              mountPath: /data/db
      volumes:
        - name: tls
          emptyDir: {}
        - name: mongo-persistent-storage
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: users
  labels:
    app: users
spec:
  selector:
    app: users
  ports:
    - port: 3000
      protocol: TCP
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  name: mongo
spec:
  ports:
    - port: 27017
      targetPort: 27017
  selector:
    app: mongo
  type: ClusterIP
Which namespace is it referring to?
$ kubectl create -f tls-app.yaml
$ kubectl get pods
NAME                      READY   STATUS       RESTARTS   AGE
tls-app-dc7787455-69rhx   0/1     Init:Error   1          6s
$ kubectl get pods
NAME                      READY   STATUS                  RESTARTS   AGE
tls-app-dc7787455-69rhx   0/1     Init:CrashLoopBackOff   1          12s
$ kubectl logs tls-app-dc7787455-69rhx
Error from server (BadRequest): container "tls-app" in pod "tls-app-dc7787455-69rhx" is waiting to start: PodInitializing
I'm just running the yaml uploaded in Kelsey's GitHub repository. Am I missing something?
Capturing thoughts from an email thread: I think it would be possible to leverage the confidentiality of the service account token to do this, e.g. an approval controller will approve these dual client/server certs if and only if:
Right now the CN will always be the 'default' ip-based CN, but some client certificate auth schemes use only CN to authenticate (namely: http://floragunncom.github.io/search-guard-docs/tls_certificates_production.html). To facilitate glob matching like *.subdomain.namespace.svc.cluster.local on CN, I would suggest having a flag that switches the array places of the headless service hostname and the pod ip hostname. Will submit PR soon.
context: kubernetes 1.6.0, mongodb stateful set with certificate-init-container
problem: after approving the csr request and a successful exit of the init container, mongo pod has mounted the tls directory, in which a valid key file appears to be present, but the corresponding crt file appears to be empty.
here is the result of executing commands in that container:
Leifs-MacBook-Pro:devops leif$ kubectl --namespace=www exec mongo-0 --container mongo ls /etc/tls
tls.crt
tls.csr
tls.key
Leifs-MacBook-Pro:devops leif$ kubectl --namespace=www exec mongo-0 --container mongo cat /etc/tls/tls.crt
Leifs-MacBook-Pro:devops leif$ kubectl --namespace=www exec mongo-0 --container mongo cat /etc/tls/tls.key
-----BEGIN RSA PRIVATE KEY-----
[private key material removed from the post]
-----END RSA PRIVATE KEY-----
happy to provide more context or the associated yaml files
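Two of the reports above fit one worked example: the request for flags that set the CN, OU and SN independently of dnsName[0], and Leif's pod that ended up with a valid tls.key beside a zero-byte tls.crt. The Go program below is an added example and is not code from certificate-init-container. It builds a CSR whose subject carries a caller-chosen Common Name, Organizational Unit and Serial Number alongside the DNS SANs, writes the files in the tls.key / tls.csr / tls.crt layout the ls output above shows, and then audits that directory so an empty or mismatched tls.crt is reported before an application is started with it. The function and parameter names (newCSR, readPEM, checkCertDir), the sample subject values and the temp directory are this example's own assumptions.

```go
// Added example, not code from certificate-init-container: build a CSR whose CN,
// OU and serial number are set independently of the DNS SANs, then audit a
// tls.key / tls.csr / tls.crt directory so a zero-byte tls.crt is reported.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
)

// newCSR generates a 2048-bit RSA key and a PEM CSR whose subject carries the
// given CN, OU (omitted when empty) and serial number (random hex when empty).
// The parameter names are this example's own, not flags of the init container.
func newCSR(cn, ou, sn string, dnsNames []string) (keyPEM, csrPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if sn == "" { // autogenerated SN: 16 random bytes, hex-encoded
		buf := make([]byte, 16)
		if _, err := rand.Read(buf); err != nil {
			return nil, nil, err
		}
		sn = fmt.Sprintf("%x", buf)
	}
	subject := pkix.Name{CommonName: cn, SerialNumber: sn}
	if ou != "" {
		subject.OrganizationalUnit = []string{ou}
	}
	tmpl := &x509.CertificateRequest{Subject: subject, DNSNames: dnsNames}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return keyPEM, csrPEM, nil
}

// readPEM returns the first PEM block of a file, insisting on the expected block
// type and naming an empty file explicitly (the state seen in the mongo container).
func readPEM(path, wantType string) (*pem.Block, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	if len(data) == 0 {
		return nil, fmt.Errorf("%s is empty (zero bytes)", filepath.Base(path))
	}
	block, _ := pem.Decode(data)
	if block == nil || block.Type != wantType {
		return nil, fmt.Errorf("%s: expected a PEM %q block", filepath.Base(path), wantType)
	}
	return block, nil
}

// checkCertDir returns nil only when tls.key parses and tls.crt holds a
// certificate whose RSA public key matches it. tls.csr is an artifact of the
// request and is not needed by the application, so it is not inspected here.
func checkCertDir(dir string) error {
	kb, err := readPEM(filepath.Join(dir, "tls.key"), "RSA PRIVATE KEY")
	if err != nil {
		return err
	}
	key, err := x509.ParsePKCS1PrivateKey(kb.Bytes)
	if err != nil {
		return fmt.Errorf("tls.key: %w", err)
	}
	cb, err := readPEM(filepath.Join(dir, "tls.crt"), "CERTIFICATE")
	if err != nil {
		return err
	}
	crt, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return fmt.Errorf("tls.crt: %w", err)
	}
	if pub, ok := crt.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return fmt.Errorf("tls.crt does not match tls.key")
	}
	return nil
}

func main() {
	// Constructed sample values; the DNS name stands in for a service name the
	// init container would derive from its flags.
	keyPEM, csrPEM, err := newCSR("users.default.svc.cluster.local", "platform", "", []string{"users"})
	if err != nil {
		panic(err)
	}
	dir, _ := os.MkdirTemp("", "tls")
	_ = os.WriteFile(filepath.Join(dir, "tls.key"), keyPEM, 0o600)
	_ = os.WriteFile(filepath.Join(dir, "tls.csr"), csrPEM, 0o644)
	_ = os.WriteFile(filepath.Join(dir, "tls.crt"), nil, 0o644) // reproduce the zero-byte tls.crt
	fmt.Println(checkCertDir(dir))                              // tls.crt is empty (zero bytes)
}
```

The subject fields travel in the CSR exactly as the requesting side sets them, so a controller that approves requests by CN, OU or SN should treat them as claims to be checked against the requesting pod's identity, not as facts. The audit at the end is the piece Leif's deployment lacked: a zero-byte tls.crt beside a valid key is a failed bootstrap, and the application container should refuse to start on it rather than come up without a usable certificate.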