kubernetes/sshca
Dustin 4dc21e6179 sshca: Add machine IDs for CM4 cluster nodes
* _ctrl-2ed83d.k8s.pyrocufflink.black_
* _node-6a3f8.k8s.pyrocufflink.black_
* _node-6ed191.k8s.pyrocufflink.black_
2025-07-27 17:42:43 -05:00
.gitignore sshca: Deploy SSH CA service 2023-11-10 14:22:31 -06:00
README.md sshca: Deploy SSH CA service 2023-11-10 14:22:31 -06:00
config.toml sshca: Do not sign certs for root 2025-03-04 19:23:49 -06:00
host-ca-key.pub sshca: Deploy SSH CA service 2023-11-10 14:22:31 -06:00
ingress.yaml sshca: Deploy SSH CA service 2023-11-10 14:22:31 -06:00
jenkins.yaml sshca: Allow Jenkins jobs to restart the Deployment 2024-07-27 13:10:20 -05:00
kustomization.yaml sshca: Deploy SSH CA service 2023-11-10 14:22:31 -06:00
libvirt-sshkey.pub sshca: Deploy SSH CA service 2023-11-10 14:22:31 -06:00
namespace.yaml sshca: Deploy SSH CA service 2023-11-10 14:22:31 -06:00
secrets.yaml sshca: Add machine IDs for CM4 cluster nodes 2025-07-27 17:42:43 -05:00
ssh_known_hosts sshca: Deploy SSH CA service 2023-11-10 14:22:31 -06:00
sshca.yaml sshca: Configure user CA 2024-02-01 09:02:11 -06:00
update-machine-ids.sh sshca: Add update-machine-ids script 2024-01-25 20:42:47 -06:00

README.md

SSHCA

SSHCA is an online Certificate Authority for SSH. It can automatically issue signed SSH certificates for hosts' public keys. Machines authenticate to the service using a JWT signed with their machine UUID; the service validates the signature by looking up the UUID either in a local JSON document or via the libvirt API on one or more VM hosts. Certificates are only issued for hosts that authenticate successfully.
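The following is an added illustration of the authentication step described above, not code from the sshca project. It assumes the JWT is HS256 with the machine UUID used as the HMAC key, a `sub` claim carrying the hostname, and the static JSON map lookup only (the libvirt lookup is not modelled); the hostnames and UUIDs are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed sample of the static machine-ID map (hostname -> machine UUID).
MACHINE_IDS = {
    "node-1.example.internal": "3f1b6a2e-8c4d-4e5f-9a0b-1c2d3e4f5a6b",
    "node-2.example.internal": "9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d",
}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(host, uuid, ttl=300, now=None):
    """Client side: HS256 JWT keyed with the machine UUID (assumed scheme)."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": host, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(uuid.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token, machine_ids, now=None):
    """Server side: return the authenticated hostname, or None on any failure.

    The UUID is looked up by the claimed hostname, so an unknown host has no key
    and can never verify; the signature is compared in constant time.
    """
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # refuse 'none' and any other algorithm
        return None
    uuid = machine_ids.get(claims.get("sub"))
    if uuid is None:
        return None
    expected = hmac.new(uuid.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims["sub"]
```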

Installation

kubectl apply -k sshca

Configuration

SSHCA is configured by the config.toml file. It is stored as a Kubernetes ConfigMap and mounted into the server container. The configuration file is only read at startup, so the ConfigMap uses the name suffix hash feature of Kustomize; when the contents of the configuration file change, the name of the ConfigMap will change, which will cause Kubernetes to restart the pod. Old ConfigMap resources are not deleted, but must be cleaned up by some other means (manually or e.g. Argo CD).

The configuration file specifies the path to the private keys for signing certificates. It also includes the list of libvirt hosts to check for machine UUIDs, as well as the path to a static file where additional machine UUIDs are provided.

Besides the main configuration file, SSHCA needs an additional ConfigMap that contains an ssh_known_hosts file. This file contains the public keys of the libvirt VM hosts, so that the service can securely connect to the libvirt API over SSH.

Secrets

Several secrets are necessary for SSHCA to operate:

  1. The private key used to issue SSH host certificates, and optionally a password to encrypt that key.
  2. A JSON document containing a map of host names to machine UUIDs, in order to authenticate physical machines and other hosts that are not libvirt domains.
  3. An SSH user private key for authenticating to the libvirt hosts for VM UUID lookups.
  4. OCI registry credentials for pulling container images.

These secrets are stored encrypted as SealedSecret resources. The Bitnami Sealed Secrets controller decrypts these and manages regular Secret resources for them automatically.