dch-webhooks: Configure SSH cert signer

The *dch-webhooks* tool now provides an operation for hosts to request a signed SSH certificate from the SSH CA. It's primarily useful for unattended deployments like CoreOS Ignition, where hosts do not have any credentials to authenticate with the CA directly.
2023-10-09 08:07:29 -05:00 · 2023-10-09 08:07:29 -05:00 · f7a8f391ea
parent 92a5aee7b4
commit f7a8f391ea
7 changed files with 88 additions and 8 deletions
--- a/dch-root-ca/dch-root-ca.crt
+++ b/dch-root-ca/dch-root-ca.crt
@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
+QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
+AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
+WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
+VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
+NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
+Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
+oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
+ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
+irIa697nfe4KiXIMwHlAMS1+1QZohFDC
+-----END CERTIFICATE-----
--- a/dch-root-ca/kustomization.yaml
+++ b/dch-root-ca/kustomization.yaml
@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+configMapGenerator:
+- name: dch-root-ca
+  files:
+  - dch-root-ca.crt
--- a/dch-webhooks/.gitignore
+++ b/dch-webhooks/.gitignore
@ -1,2 +1,3 @@
 paperless.token
 firefly.token
+provisioner.password
--- a/dch-webhooks/dch-webhooks.env
+++ b/dch-webhooks/dch-webhooks.env
@ -0,0 +1,9 @@
+FIREFLY_URL=http://firefly-iii.firefly-iii.svc.cluster.local:8080
+FIREFLY_AUTH_TOKEN=/run/secrets/du5t1n.me/firefly/firefly.token
+PAPERLESS_URL=http://paperless-ngx.paperless-ngx.svc.cluster.local:8000
+PAPERLESS_AUTH_TOKEN=/run/secrets/du5t1n.me/paperless/paperless.token
+
+STEP_CA_URL=https://ca.pyrocufflink.blue:32599
+STEP_ROOT=/run/dch-root-ca.crt
+STEP_PROVISIONER=host-bootstrap
+STEP_PROVISIONER_PASSWORD_FILE=/run/secrets/du5t1n.me/step-ca/provisioner.password
--- a/dch-webhooks/dch-webhooks.yaml
+++ b/dch-webhooks/dch-webhooks.yaml
@ -44,18 +44,13 @@ spec:
      - name: dch-webhooks
        image: git.pyrocufflink.net/containerimages/dch-webhooks
        env:
-        - name: FIREFLY_URL
-          value: http://firefly-iii.firefly-iii.svc.cluster.local:8080
-        - name: FIREFLY_AUTH_TOKEN
-          value: /run/secrets/du5t1n.me/firefly/firefly.token
-        - name: PAPERLESS_URL
-          value: http://paperless-ngx.paperless-ngx.svc.cluster.local:8000
-        - name: PAPERLESS_AUTH_TOKEN
-          value: /run/secrets/du5t1n.me/paperless/paperless.token
        - name: UVICORN_HOST
          value: 0.0.0.0
        - name: UVICORN_LOG_LEVEL
          value: debug
+        envFrom:
+        - configMapRef:
+            name: dch-webhooks
        ports:
        - name: http
          containerPort: 8000
@ -74,10 +69,18 @@ spec:
        securityContext:
          readOnlyRootFilesystem: true
        volumeMounts:
+        - mountPath: /run/dch-root-ca.crt
+          name: root-ca
+          subPath: dch-root-ca.crt
        - mountPath: /run/secrets/du5t1n.me/firefly
          name: firefly-token
        - mountPath: /run/secrets/du5t1n.me/paperless
          name: paperless-token
+        - mountPath: /run/secrets/du5t1n.me/step-ca
+          name: step-ca-password
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
      securityContext:
        runAsNonRoot: true
      volumes:
@ -89,3 +92,13 @@ spec:
        secret:
          secretName: paperless-token
          optional: true
+      - name: root-ca
+        configMap:
+          name: dch-root-ca
+      - name: step-ca-password
+        secret:
+          secretName: step-ca-password
+          optional: true
+      - name: tmp
+        emptyDir:
+          medium: Memory
--- a/dch-webhooks/ingress.yaml
+++ b/dch-webhooks/ingress.yaml
@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  labels:
+    app.kubernetes.io/name: dch-webhooks
+    app.kubernetes.io/component: dch-webhooks
+    app.kubernetes.io/instance: dch-webhooks
+    app.kubernetes.io/part-of: dch-webhooks
+  name: dch-webhooks
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - webhooks.pyrocufflink.blue
+  rules:
+  - host: webhooks.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: dch-webhooks
+            port:
+              name: http
+
--- a/dch-webhooks/kustomization.yaml
+++ b/dch-webhooks/kustomization.yaml
@ -2,7 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
+- ../dch-root-ca
 - dch-webhooks.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: dch-webhooks
+  envs:
+  - dch-webhooks.env

 secretGenerator:
 - name: firefly-token
@ -12,3 +19,7 @@ secretGenerator:
 - name: paperless-token
  files:
  - paperless.token
+
+- name: step-ca-password
+  files:
+  - provisioner.password