diff --git a/Makefile b/Makefile index 10bfad8..81ef373 100644 --- a/Makefile +++ b/Makefile @@ -52,9 +52,6 @@ fmt: ## Run go fmt against code. vet: ## Run go vet against code. go vet ./... -.PHONY: test -test: fmt vet envtest ## Run tests. - ##@ Build .PHONY: regcheck @@ -98,9 +95,3 @@ docker-buildx: regcheck ## Build and push docker image for the manager for cross - docker buildx rm project-v3-builder rm Dockerfile.cross -##@ Build Dependencies - -.PHONY: envtest -envtest: $(ENVTEST) ## Download envtest-setup locally if necessary. -$(ENVTEST): $(LOCALBIN) - test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest diff --git a/deploy/charts/ejbca-k8s-csr-signer/values.yaml b/deploy/charts/ejbca-k8s-csr-signer/values.yaml index 972844a..95611ce 100644 --- a/deploy/charts/ejbca-k8s-csr-signer/values.yaml +++ b/deploy/charts/ejbca-k8s-csr-signer/values.yaml @@ -9,7 +9,7 @@ nameOverride: "" fullnameOverride: "" image: - repository: "" + repository: "keyfactor/ejbca-k8s-csr-signer" tag: "" pullPolicy: IfNotPresent diff --git a/docs/getting-started.markdown b/docs/getting-started.markdown index 9f9cc34..7281635 100644 --- a/docs/getting-started.markdown +++ b/docs/getting-started.markdown @@ -3,10 +3,17 @@ [![Go Report Card](https://goreportcard.com/badge/github.com/Keyfactor/ejbca-k8s-csr-signer)](https://goreportcard.com/report/github.com/Keyfactor/ejbca-k8s-csr-signer) [![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/keyfactor/ejbca-k8s-csr-signer?label=release)](https://github.com/keyfactor/ejbca-k8s-csr-signer/releases) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) [![license](https://img.shields.io/github/license/keyfactor/ejbca-k8s-csr-signer.svg)]() ## Requirements -* EJBCA - * [EJBCA Enterprise](https://www.primekey.com/products/ejbca-enterprise/) (v7.7 +) -* Docker (to build the container) + +### To build + +* Docker * [Docker Engine](https://docs.docker.com/engine/install/) or [Docker Desktop](https://docs.docker.com/desktop/) +* [Git](https://git-scm.com/) +* [Make](https://www.gnu.org/software/make/) +* [Go](https://golang.org/) >= v1.23.3 + +### To use + * [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) (v1.11.3 +) * Kubernetes (v1.19 +) * [Kubernetes](https://kubernetes.io/docs/tasks/tools/) @@ -18,6 +25,10 @@ * [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine) * Helm (to deploy to Kubernetes) * [Helm](https://helm.sh/docs/intro/install/) (v3.1 +) +* EJBCA [Community](https://www.ejbca.org/) or EJBCA [Enterprise](https://www.keyfactor.com/products/ejbca-enterprise/) >= v7.7 + * The "REST Certificate Management" protocol must be enabled under System Configuration > Protocol Configuration. + +> EJBCA Enterprise is required for the OAuth 2.0 "client credentials" token flow. EJBCA Community only supports mTLS (client certificate) authentication. ## Getting Started Install required software and their dependencies if not already present. Additionally, verify that at least one Kubernetes node is running by running the following command: @@ -26,16 +37,14 @@ Install required software and their dependencies if not already present. Additio kubectl get nodes ``` -### 1. Building the Container Image +### 0. Building the Container Image (optional) -The EJBCA K8s CSR Signer is distributed as source code, and the container must be built manually. The container image can be built using the following command: +The EJBCA K8s CSR Signer manager image is available [on DockerHub](https://hub.docker.com/r/keyfactor/ejbca-k8s-csr-signer). However, you can also build the image manually by using the included Makefile. ```shell make docker-build DOCKER_REGISTRY= DOCKER_IMAGE_NAME=keyfactor/ejbca-k8s-csr-signer ``` -###### :pushpin: The container image can be built using Docker Buildx by running `make docker-buildx`. This will build the image for all supported platforms. - -### 2. Prepare Credentials and Configuration +### 1. Prepare Credentials and Configuration 1. Create a new namespace for the CSR proxy. ```shell @@ -53,8 +62,7 @@ make docker-build DOCKER_REGISTRY= DOCKER_IMAGE_NAME=ke Create a `kubernetes.io/tls` secret containing the client certificate and key. The secret must be created in the same namespace as the CSR proxy. ```shell - kubectl create secret tls ejbca-credentials \ - --namespace ejbca-signer-system \ + kubectl -n ejbca-signer-system create secret tls ejbca-credentials \ --cert= \ --key= ``` @@ -70,7 +78,7 @@ make docker-build DOCKER_REGISTRY= DOCKER_IMAGE_NAME=ke audience="" scopes="" - kubectl -n ejbca-issuer-system create secret generic ejbca-secret \ + kubectl -n ejbca-signer-system create secret generic ejbca-secret \ "--from-literal=tokenUrl=$token_url" \ "--from-literal=clientId=$client_id" \ "--from-literal=clientSecret=$client_secret" \ @@ -85,11 +93,16 @@ make docker-build DOCKER_REGISTRY= DOCKER_IMAGE_NAME=ke Create a `kubernetes.io/basic-auth` secret containing the username and password. The secret must be created in the same namespace as the CSR proxy. ```shell - kubectl -n ejbca create secret generic ejbca-credentials \ - --namespace ejbca-signer-system \ - --type=kubernetes.io/basic-auth \ - --from-literal=username= \ - --from-literal=password= + cat < + password: + EOF ``` 3. The EJCBA K8s CSR Signer uses a K8s ConfigMap to configure how certificates are signed by EJBCA, and how signed certificates are stored back into Kubernetes. A [sample](../ejbca-signer-config.yaml) ConfigMap is provided as a reference. @@ -109,8 +122,7 @@ make docker-build DOCKER_REGISTRY= DOCKER_IMAGE_NAME=ke Create a new ConfigMap resource using the following command: ```shell - kubectl apply \ - --namespace ejbca-signer-system \ + kubectl -n ejbca-signer-system apply \ -f ejbca-signer-config.yaml ``` @@ -124,7 +136,7 @@ make docker-build DOCKER_REGISTRY= DOCKER_IMAGE_NAME=ke --from-file=ca.crt ``` -### 3. Installation from Helm Chart +### 2. Installation from Helm Chart The EJCBA K8s CSR Signer is installed using a Helm chart. The chart is available in the [EJCBA K8s CSR Signer Helm repository](https://keyfactor.github.io/ejbca-k8s-csr-signer/). @@ -140,10 +152,6 @@ The EJCBA K8s CSR Signer is installed using a Helm chart. The chart is available ```bash helm install ejbca-k8s-csr-signer ejbca-k8s/ejbca-k8s-csr-signer \ --namespace ejbca-signer-system \ - --set image.repository=/keyfactor/ejbca-k8s-csr-signer \ - --set image.tag= \ - # --set image.pullPolicy=Never # Only required if using a local image \ - --set image.pullPolicy=Never \ --set ejbca.credsSecretName=ejbca-credentials \ --set ejbca.configMapName=ejbca-signer-config \ # --set ejbca.caCertConfigmapName=ejbca-ca-cert # Only required if EJBCA API serves an untrusted certificate \ @@ -154,8 +162,9 @@ The EJCBA K8s CSR Signer is installed using a Helm chart. The chart is available ```shell helm install ejbca-k8s-csr-signer ejbca-k8s/ejbca-k8s-csr-signer \ --namespace ejbca-signer-system \ - --set image.repository=/keyfactor/ejbca-k8s-csr-signer \ + --set image.repository=keyfactor/ejbca-k8s-csr-signer \ --set image.tag= \ + --set image.pullPolicy=Never \ --set ejbca.signerNames[0]=internalsigner.com ``` @@ -185,11 +194,11 @@ The EJCBA K8s CSR Signer is installed using a Helm chart. The chart is available -f override.yaml ``` -###### :pushpin: Wildcards are **NOT** supported in the `signerNames` field. If you want to allow all signers, do not specify any signer names. +> Wildcards are **NOT** supported in the `signerNames` field. If you want to allow all signers, do not specify any signer names. -###### :pushpin: The EJBCA K8s CSR signer uses the `SelfSubjectAccessReview` API to determine if the user has permission to sign the CSR. If the user does not have permission, the signer will ignore the CSR. +> The EJBCA K8s CSR signer uses the `SelfSubjectAccessReview` API to determine if the user has permission to sign the CSR. If the user does not have permission, the signer will ignore the CSR. -### 4. Create a new CertificateSigningRequest resource with the provided sample +### 3. Create a new CertificateSigningRequest resource with the provided sample A [sample CSR object file](../sample/sample.yaml) is provided to getting started. Create a new CSR resource using the following command. The `request` field contains a Base64 encoded PKCS#10 PEM encoded certificate. ```shell kubectl apply -f sample/sample.yaml diff --git a/docs/testing.markdown b/docs/testing.markdown deleted file mode 100644 index df1997d..0000000 --- a/docs/testing.markdown +++ /dev/null @@ -1,23 +0,0 @@ -# Testing the EJBCA K8s CSR Signer Source Code - -[![Go Report Card](https://goreportcard.com/badge/github.com/Keyfactor/ejbca-k8s-csr-signer)](https://goreportcard.com/report/github.com/Keyfactor/ejbca-k8s-csr-signer) [![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/keyfactor/ejbca-k8s-csr-signer?label=release)](https://github.com/keyfactor/ejbca-k8s-csr-signer/releases) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) [![license](https://img.shields.io/github/license/keyfactor/ejbca-k8s-csr-signer.svg)]() - -The test cases for the controller require a set of environment variables to be set. These variables are used to -authenticate to an EJBCA API server and to enroll a certificate. The test cases are run using the `make test` command. - -The following environment variables must be exported before testing the controller: -- **EJBCA_CA_CERT_PATH**: The path to the CA certificate. -- **EJBCA_CA_NAME**: The name of the Certificate Authority. -- **EJBCA_CERTIFICATE_PROFILE_NAME**: The name of the certificate profile. -- **EJBCA_CLIENT_CERT_PATH**: The path to the client certificate. -- **EJBCA_CSR_SUBJECT**: The subject for the Certificate Signing Request (CSR). -- **EJBCA_END_ENTITY_PROFILE_NAME**: The name of the end entity profile. -- **EJBCA_EST_ALIAS**: Alias for EST. -- **EJBCA_EST_PASSWORD**: Password for EST. -- **EJBCA_EST_USERNAME**: Username for EST. -- **EJBCA_HOSTNAME**: The hostname for EJBCA. - -To run the test cases, run: -```shell -make test -``` \ No newline at end of file diff --git a/docsource/overview.md b/docsource/overview.md index d361e48..2a16b65 100644 --- a/docsource/overview.md +++ b/docsource/overview.md @@ -2,9 +2,35 @@ The EJBCA Certificate Signing Request Proxy for K8s forwards certificate signing requests generated by Kubernetes to [EJBCA](https://www.primekey.com/products/ejbca-enterprise/) for signing by a trusted enterprise certificate authority. The signer operates within the [K8s CertificateSigningRequests API](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) and implements a Controller that uses the the V1 CertificateSigningRequests informer to handle associated resources. CSRs are only enrolled if they are approved using an [approver](https://github.com/kubernetes/kubernetes/tree/master/pkg/controller/certificates/approver). +> This project uses only the `/ejbca-rest-api/v1/certificate/pkcs10enroll` REST API endpoint, and is compatible with both [EJBCA Community](https://www.ejbca.org/) and [EJBCA Enterprise](https://www.keyfactor.com/products/ejbca-enterprise/). + ## Requirements -TODO Requirements is a required section +### To build + +* Docker + * [Docker Engine](https://docs.docker.com/engine/install/) or [Docker Desktop](https://docs.docker.com/desktop/) +* [Git](https://git-scm.com/) +* [Make](https://www.gnu.org/software/make/) +* [Go](https://golang.org/) >= v1.23.3 + +### To use + +* [Kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) (v1.11.3 +) +* Kubernetes (v1.19 +) + * [Kubernetes](https://kubernetes.io/docs/tasks/tools/) + * [Minikube](https://minikube.sigs.k8s.io/docs/start/) + * [Kind](https://kind.sigs.k8s.io/docs/user/quick-start/) + * [Docker Desktop](https://docs.docker.com/desktop/kubernetes/) + * [Azure Kubernetes](https://azure.microsoft.com/en-us/products/kubernetes-service) + * [Amazon EKS](https://aws.amazon.com/eks/) + * [Google Kubernetes Engine](https://cloud.google.com/kubernetes-engine) +* Helm (to deploy to Kubernetes) + * [Helm](https://helm.sh/docs/intro/install/) (v3.1 +) +* EJBCA [Community](https://www.ejbca.org/) or EJBCA [Enterprise](https://www.keyfactor.com/products/ejbca-enterprise/) >= v7.7 + * The "REST Certificate Management" protocol must be enabled under System Configuration > Protocol Configuration. + +> EJBCA Enterprise is required for the OAuth 2.0 "client credentials" token flow. EJBCA Community only supports mTLS (client certificate) authentication. ## Getting Started @@ -20,16 +46,6 @@ TODO Requirements is a required section The EJBCA CSR Signer v2.0 has breaking changes from v1.0. To migrate from v1.0 to v2.0, uninstall the v1.0 deployment and install the v2.0 deployment. The v2.0 deployment uses the same configuration as v1.0, but the configuration is now stored in a Kubernetes ConfigMap. See the [Getting Started](docs/getting-started.markdown) to install the v2.0 deployment. -## Logos - - - Kubernetes logo - - - - Helm logo - - ## Badges [![Go Report Card](https://goreportcard.com/badge/github.com/Keyfactor/ejbca-k8s-csr-signer)](https://goreportcard.com/report/github.com/Keyfactor/ejbca-k8s-csr-signer) diff --git a/test/integrationtest.sh b/test/integrationtest.sh index 6e6fb51..b564780 100755 --- a/test/integrationtest.sh +++ b/test/integrationtest.sh @@ -161,3 +161,5 @@ helm delete "$reconciler_chart_name" -n "$reconciler_namespace" echo "Deleting $reconciler_namespace namespace" kubectl delete ns "$reconciler_namespace" + +echo "Integration test successful"