infra/kubernetes
1
0
Fork 0
Code Pull Requests 3 Activity

sshca: Deploy SSH CA service

Browse Source 
[sshca] is a simple web service I wrote to automatically create signed
SSH certificates for hosts' public keys.  It authenticates hosts by
their machine UUID, which it can find using the libvirt API.

[sshca]: https://git.pyrocufflink.net/dustin/sshca
This commit is contained in:
Dustin
2023-11-06 20:35:04 -06:00
parent 0e7bd36d34
commit fe2a84a222
12 changed files with 322 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
sshca/README.md Normal file
View File

@@ -0,0 +1,53 @@
# SSHCA
[SSHCA][0] is an online Certificate Authority for SSH. It can automatically
issue signed SSH certificates for hosts' public keys. Machines authenticate to
the service using a JWT signed with their machine UUID, and the service
validates the signature by looking up the UUID in either a local JSON document
or by querying the libvirt API on one or more VM hosts. Certificates will only
be issued for hosts that can authenticate successfully.
## Installation
```sh
kubectl apply -k sshca
```
## Configuration
SSHCA is configured by the `config.toml` file. It is stored as a Kubernetes
ConfigMap and mounted into the server container. The configuration file is
only read at startup, so the ConfigMap uses the name suffix hash feature of
Kustomize; when the contents of the configuration file change, the name of the
ConfigMap will change, which will cause Kubernetes to restart the pod. Old
ConfigMap resources are not deleted, but must be cleaned up by some other means
(manually or e.g. Argo CD).
The configuration file specifies the path to the private keys for signing
certificates. It also includes the list of libvirt hosts to check for machine
UUIDs, as well as the path to a static file where additional machine UUIDs are
provided.
Besides the main configuration file, SSHCA needs an additional ConfigMap that
contains an `ssh_known_hosts` file. This file contains the public keys of the
libvirt VM hosts, so that the service can securely connect to the libvirt API
over SSH.
## Secrets
Several secrets are necessary for SSHCA to operate:
1. The private key used to issue SSH host certificates, and optionally a
password to encrypt that key.
2. A JSON document containing a map of host names to machine UUIDs, in order to
authenticate physical machines and other hosts that are not libvirt domains.
3. An SSH user private key for authenticating to the libvirt hosts for VM UUID
lookups.
4. OCI registry credentials for pulling container images.
These secrets are stored encrypted as SealedSecret resources. The Bitnami
Sealed Secrets controller decrypts these and manages regular Secret resources
for them automatically.
[0]: https://git.pyrocufflink.net/dustin/sshca