Merge pull request #19 from Keyfactor/pan_feedback
Set Exportable Key Flag
spbsoluble authored Apr 24, 2023
2 parents cbd53a8 + 1fa203c commit 3049550
Showing 8 changed files with 444 additions and 156 deletions.
66 changes: 37 additions & 29 deletions README.md
Expand Up @@ -117,9 +117,9 @@ This text would be entered in as the value for the __Server Password__, instead
* [Security Considerations](#security-considerations)
+ [Service Account Setup](#service-account-setup)
* [Kubernetes Orchestrator Extension Installation](#kubernetes-orchestrator-extension-installation)
* [Certificate Store Discovery](#certificate-store-discovery)
* [Certificate Store Types](#certificate-store-types)
+ [Configuration Information](#configuration-information)
- [Store Path](#note-about-storepath)
- [Common Values](#common-values)
* [UI Basic Tab](#ui-basic-tab)
* [UI Advanced Tab](#ui-advanced-tab)
Expand Down Expand Up @@ -230,7 +230,7 @@ must have the `tls.crt` and `tls.key` fields and may only contain a single key a
## Versioning

The version number of a the Kubernetes Orchestrator Extension can be verified by right clicking on the
`Kube.dll` file in the `<path>/<to>/<orchstrator install>/Extensions/Kubernetes` installation folder,
`Kyefactor.Orchestrators.K8S.dll` file in the `<path>/<to>/<orchstrator install>/Extensions/Kubernetes` installation folder,
selecting Properties, and then clicking on the Details tab.

## Security Considerations
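Review bot: `Kyefactor.Orchestrators.K8S.dll` on the added line looks like a transposition of `Keyfactor`; this is the file name a user will search for in the Extensions folder, so please confirm the exact assembly name from the build output and fix the spelling. The surrounding context still reads "a the Kubernetes Orchestrator Extension" and `<orchstrator install>`; both could be corrected in this same hunk.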
Expand Down Expand Up @@ -305,12 +305,6 @@ subjects:
certificates. See the [Certificate Store Discovery](#certificate-store-discovery) section later in this README for more
information.
## Certificate Store Discovery
**NOTE:** To use disovery jobs, you must have the story type created in Keyfactor Command and the `needs_server` checkbox MUST be checked.
Otherwise you will not be able to provide credentials to the discovery job.

The Kubernetes Orchestrator Extension supports certificate discovery jobs. This allows you to populate the certificate stores with existing certificates. To run a discovery job, follow these steps:

## Certificate Store Types
When setting up the certificate store types you wish the Kubernetes Orchestrator Extension to
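Review bot: removing the `## Certificate Store Discovery` heading here leaves two dangling links. The TOC entry `[Certificate Store Discovery](#certificate-store-discovery)` in the first hunk and the sentence directly above ("See the [Certificate Store Discovery](#certificate-store-discovery) section later in this README") still point at an anchor that no longer exists, while the surviving section further down is headed `## Certificate Discovery`. Either rename that heading to `## Certificate Store Discovery` or update both links to `#certificate-discovery`.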
Expand All @@ -324,6 +318,16 @@ the creation of the desired store types.
### Configuration Information
Below is a table of the common values that should be used for all certificate store types.

#### Note about StorePath
A Keyfactor Command certificate store `StorePath` for the K8S orchestrator extension can follow the following formats:

| Pattern | Description |
|-----------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|
| `secretName` | The name of the secret to use. This assumes `KubeNamespace` is defined or `default` and will be the `secret` or `cert` name on k8s. |
| `namespace/secretName` | If `KubeNamespace` or `KubeSecretName` are not set, then the path will be split by `/` and the values will be parsed according to the pattern. |
| `clusterName/namespace/secretName` | Same as above, clusterName is purely informational |
| `clusterName/namespace/secretType/secretName` | Considered a `full` path, this is what discovery will return as `StorePath` |

#### Common Values
##### UI Basic Tab
| Field Name | Required | Description | Value |
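Review bot: the `clusterName/namespace/secretType/secretName` row describes the third segment as a secret type, but the discovery code changed in this same commit emits the literal segments `secrets` (for both `kubernetes.io/tls` and Opaque secrets) and `certificate`, not the `secret`/`secret_tls`/`cert` values the KubeSecretType field expects, and the certificate path it builds has only three segments (`{clusterName}/certificate/{certName}`). Please state the actual segment values here so an operator can tell which KubeSecretType a discovered path maps to, or change the code to emit the documented type. In the `clusterName/namespace/secretName` row, "Same as above, clusterName is purely informational" should spell out what informational means (presumably that the segment is never used to choose the cluster the orchestrator connects to) and end with a period.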
Expand All @@ -347,11 +351,11 @@ Below is a table of the common values that should be used for all certificate st
| PFX Password Style | | The password style used by the certificate store type. | Default |

##### Custom Fields Tab
| Name | Display Name | Type | Required | Default Value | Description |
|----------------|----------------------|--------|----------|---------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| KubeNamespace | Kube Namespace | String | | `default` | The Kubernetes namespace the store will reside. |
| KubeSecretName | Kube Secret Name | String | | none | This field overrides `storepath` value. The Kubernetes secret or certificate resource name. |
| KubeSecretType | Kube Secret Type | String | &check; | none | Must be one of the following `secret`, `secret_tls` or `cert`. See [kube-secret-types](#kube-secret-types). |
| Name | Display Name | Type | Required | Default Value | Description |
|----------------|----------------------|--------|----------|---------------|-------------------------------------------------------------------------------------------------------------|
| KubeNamespace | Kube Namespace | String | | `default` | The Kubernetes namespace the store will reside. This will override the value parsed from `storepath`. |
| KubeSecretName | Kube Secret Name | String | | none | This field overrides `storepath` value. The Kubernetes secret or certificate resource name. |
| KubeSecretType | Kube Secret Type | String | &check; | none | Must be one of the following `secret`, `secret_tls` or `cert`. See [kube-secret-types](#kube-secret-types). |

##### Kube Secret Types
- `secret` - A generic secret of type `Opaque`. Must contain a key of one of the following values: [ `cert`, `certficate`, `certs`,`certificates` ] to be inventoried.
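Review bot: the new KubeNamespace description says the field overrides the namespace parsed from `storepath`, and KubeSecretName already says it overrides `storepath`; the StorePath table above should cross-reference this precedence (custom field wins over path segment) so the two sections agree. Separately, the allowed key list in the `secret` bullet below reads `certficate`; if that is a documentation typo, fix it here, and if the code really matches the misspelled key, an Opaque secret keyed `certificate` would be skipped during inventory, so please check the code's list against this one.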
Expand Down Expand Up @@ -392,12 +396,12 @@ kfutil store-types create --name K8SSecret
![k8ssecret_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8ssecret_basic.png)

##### UI Advanced Tab
| Field Name | Required | Value |
|------------|----------|-----------|
| Store Path Type | | Freeform |
| Field Name | Required | Value |
|-----------------------|----------|-----------|
| Store Path Type | | Freeform |
| Supports Custom Alias | | Forbidden |
| Private Key Handling | | Optional |
| PFX Password Style | | Default |
| Private Key Handling | | Optional |
| PFX Password Style | | Default |

![k8ssecret_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8ssecret_advanced.png)

Expand Down Expand Up @@ -442,12 +446,12 @@ kfutil store-types create --name K8STLSSecr
![k8sstlssecr_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8sstlssecr_basic.png)

##### UI Advanced Tab
| Field Name | Required | Value |
|------------|----------|-----------|
| Store Path Type | | Freeform |
| Field Name | Required | Value |
|-----------------------|----------|-----------|
| Store Path Type | | Freeform |
| Supports Custom Alias | | Forbidden |
| Private Key Handling | | Optional |
| PFX Password Style | | Default |
| Private Key Handling | | Optional |
| PFX Password Style | | Default |

![k8sstlssecr_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8sstlssecr_advanced.png)

Expand Down Expand Up @@ -490,12 +494,12 @@ kfutil store-types create --name K8SCert
![k8scert_basic.png](docs%2Fscreenshots%2Fstore_types%2Fk8scert_basic.png)

##### UI Advanced Tab
| Field Name | Required | Value |
|------------|----------|-----------|
| Store Path Type | | Freeform |
| Supports Custom Alias | | Forbidden |
| Private Key Handling | | Forbidden |
| PFX Password Style | | Default |
| Field Name | Required | Value |
|-----------------------|----------|------------|
| Store Path Type | | Freeform |
| Supports Custom Alias | | Forbidden |
| Private Key Handling | | Forbidden |
| PFX Password Style | | Default |

![k8scert_advanced.png](docs%2Fscreenshots%2Fstore_types%2Fk8scert_advanced.png)

Expand All @@ -517,6 +521,10 @@ Please refer to the Keyfactor Command Reference Guide for information on creatin
certificate stores and scheduling Discovery jobs in Keyfactor Command.

## Certificate Discovery
**NOTE:** To use disovery jobs, you must have the story type created in Keyfactor Command and the `needs_server` checkbox MUST be checked.
Otherwise you will not be able to provide credentials to the discovery job.

The Kubernetes Orchestrator Extension supports certificate discovery jobs. This allows you to populate the certificate stores with existing certificates. To run a discovery job, follow these steps:
1. Click on the "Locations > Certificate Stores" menu item.
2. Click the "Discover" tab.
3. Click the "Schedule" button.
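Review bot: the relocated NOTE carries two typos into the new section, `disovery` for `discovery` and `story type` for `store type`; since the text is being moved anyway, correct them in this hunk.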
41 changes: 31 additions & 10 deletions kubernetes-orchestrator-extension/Clients/KubeClient.cs
Expand Up @@ -30,15 +30,37 @@ public class KubeCertificateManagerClient
{

internal protected ILogger Logger;
private string ConfigJson { get; set; }
private K8SConfiguration ConfigObj { get; set; }
public KubeCertificateManagerClient(string kubeconfig)
{
Logger = LogHandler.GetClassLogger(MethodBase.GetCurrentMethod().DeclaringType);
Client = GetKubeClient(kubeconfig);

ConfigJson = kubeconfig;
try
{
ConfigObj = ParseKubeConfig(kubeconfig);
} catch (Exception ex)
{
ConfigObj = new K8SConfiguration() { };
}
}

private IKubernetes Client { get; set; }

public string GetClusterName()
{
Logger.LogTrace("Entered GetClusterName()");
try
{
return ConfigObj.Clusters.FirstOrDefault()?.Name;
} catch (Exception ex)
{
return GetHost();
}

}

public string GetHost()
{
Logger.LogTrace("Entered GetHost()");
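Review bot: `ConfigJson = kubeconfig;` keeps the raw kubeconfig string, which carries the cluster credentials (client certificate and key, or bearer token), alive for the lifetime of the client object, and nothing in this diff reads it; `GetKubeClient(kubeconfig)` and `ParseKubeConfig(kubeconfig)` already consume the value. Drop the property so the secret material is not retained longer than needed, or state why it is kept. In the constructor's `catch (Exception ex)` the exception is swallowed without logging, so an unparseable kubeconfig silently degrades `GetClusterName()` to `GetHost()`; log `ex` at warning level there. `GetClusterName()` also has two different null outcomes: if `ConfigObj.Clusters` is null the NullReferenceException is caught and `GetHost()` is returned, but if `Clusters` is an empty list `FirstOrDefault()?.Name` returns null with no fallback, which is why `DiscoverSecrets` later has to add `?? GetHost()` itself; return `ConfigObj?.Clusters?.FirstOrDefault()?.Name ?? GetHost()` and avoid using the exception as control flow. Finally, `Clusters.FirstOrDefault()` is the first cluster listed in the kubeconfig, not necessarily the one selected by `current-context` that the client connected to, so for a multi-cluster kubeconfig the discovered StorePath would be labelled with the wrong cluster.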
Expand Down Expand Up @@ -640,6 +662,7 @@ public List<string> DiscoverCertificates()
Logger.LogTrace("csr.Items.Count: " + csr.Items.Count);

Logger.LogTrace("Entering foreach loop to add certificate locations to list.");
var clusterName = GetClusterName();
foreach (var cr in csr)
{
Logger.LogTrace("cr.Metadata.Name: " + cr.Metadata.Name);
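Review bot: `var clusterName = GetClusterName();` has no `?? GetHost()` fallback, unlike the equivalent line added in `DiscoverSecrets`; when the parsed kubeconfig has an empty clusters list, `GetClusterName()` returns null and every location added below becomes `/certificate/{certName}`, a shape none of the README's StorePath patterns cover. Use the same fallback here, or move it into `GetClusterName()` so both callers behave alike.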
Expand Down Expand Up @@ -669,12 +692,7 @@ public List<string> DiscoverCertificates()
Logger.LogTrace("certName: " + certName);

Logger.LogDebug($"Adding certificate {certName} discovered location to list.");
locations.Add($"certificate/{certName}");
// else
// {
// // locations.Add(utfCsr);
// continue;
// }
locations.Add($"{clusterName}/certificate/{certName}");
}

Logger.LogDebug("Completed discovering certificates from k8s certificate resources.");
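Review bot: the new location `{clusterName}/certificate/{certName}` has three segments and no namespace, whereas the secrets path added further down is `{clusterName}/{namespace}/secrets/{secretName}` and the README's "full" pattern is `clusterName/namespace/secretType/secretName`; anything parsing discovered paths by segment position will misread the certificate entries. If the certificate resource is namespaced, include its namespace from `cr.Metadata` (`NamespaceProperty` in the C# client); if it is not, document the three-segment form explicitly. Deleting the commented-out block was the right call.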
Expand Down Expand Up @@ -746,6 +764,9 @@ public List<string> DiscoverSecrets(string[] allowedKeys, string secType, string
Logger.LogTrace("Finished calling CoreV1.ReadNamespacedSecret()");
// Logger.LogTrace("secretData: " + secretData);
Logger.LogTrace("Entering switch statement to check secret type.");

var clusterName = GetClusterName() ?? GetHost();

switch (secret.Type)
{
case "kubernetes.io/tls":
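Review bot: `var clusterName = GetClusterName() ?? GetHost();` sits directly after the per-secret `CoreV1.ReadNamespacedSecret()` call, so it is re-evaluated for every secret, while `DiscoverCertificates` computes it once before its `foreach`; hoist it above the loop for consistency. The `?? GetHost()` also duplicates the fallback that `GetClusterName()` already performs in its catch block, which suggests the null handling belongs inside `GetClusterName()` rather than at each call site.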
Expand All @@ -763,8 +784,8 @@ public List<string> DiscoverSecrets(string[] allowedKeys, string secType, string

Logger.LogDebug("Attempting to convert TLS certificate to X509Certificate2 object");
_ = new X509Certificate2(secretData.Data["tls.crt"]); // Check if cert is valid

var cLocation = $"{nsObj.Metadata.Name}/secrets/{secret.Metadata.Name}";
var cLocation = $"{clusterName}/{nsObj.Metadata.Name}/secrets/{secret.Metadata.Name}";
Logger.LogDebug($"Adding certificate location {cLocation} to list of discovered certificates");
locations.Add(cLocation);
secretsList.Add(certData);
Expand Down Expand Up @@ -803,7 +824,7 @@ public List<string> DiscoverSecrets(string[] allowedKeys, string secType, string
secretsList.Append(cer);
index++;
}
locations.Add($"{nsObj.Metadata.Name}/secrets/{secret.Metadata.Name}");
locations.Add($"{clusterName}/{nsObj.Metadata.Name}/secrets/{secret.Metadata.Name}");
}
catch (Exception e)
{
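Review bot: two lines above the changed `locations.Add`, `secretsList.Append(cer);` discards its result: `secretsList` is used with `.Add(certData)` in the TLS branch, so it is a `List<>`, and `Append` on a list binds to LINQ's `Enumerable.Append`, which returns a new sequence and leaves the list untouched. Unless that is intentional, the Opaque-secret branch never records the certificates it iterates over; change it to `secretsList.Add(cer)`. The changed line itself now matches the path shape used in the TLS branch, which is good.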