alexvanin/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity
certificates/autocert/RUNBOOK.md
Mike Malone d40911937f updated readme & added runbook
2019-02-08 09:42:57 -08:00

3.1 KiB
Raw Blame History

Runbook

Recover admin and CA password

kubectl -n step get secret ca-password -o jsonpath='{$.data.password}' | base64 -D

Recover autocert password

kubectl -n step get secret autocert-password -o jsonpath='{$.data.password}' | base64 -D

Recompute your CA's root certificate fingerprint

export CA_POD=$(kubectl -n step get pods -l app=ca -o jsonpath={$.items[0].metadata.name})
kubectl -n step exec -it $CA_POD step certificate fingerprint /home/step/.step/certs/root_ca.crt

Tip: Some slight fanciness is necessary to trim this string if you want to put it into an environment variable:

export FINGERPRINT="$(kubectl -n step exec -it $CA_POD step certificate fingerprint /home/step/.step/certs/root_ca.crt | tr -d '[:space:]')"

Inspect a certificate

kubectl exec -it <pod> -c autocert-renewer -- step certificate inspect /var/run/autocert.step.sm/site.crt

Labelling a namespace (enabling autocert for a namespace)

To enable autocert for a namespace it must be labelled. To label an existing namespace run:

kubectl label namespace <namespace> autocert.step.sm=enabled

Checking which namespaces are labelled

kubectl get namespace -L autocert.step.sm

Removing a label from a namespace (disabling autocert for a namespace)

kubectl label namespace <namespace> autocert.step.sm-

Naming considerations

Use hostnames. Must be global. Everyone who connects to the service using mTLS must use the same hostname. For internal communication it's easy enough to use the FQDN of a service. For stuff you expose publicly you'll need to manage DNS yourself...

In any case, the critical invariant is: ...

Diagram here?

Cleaning up one-time token secrets

for ns in $(kubectl get namespace --selector autocert.step.sm=enabled -o jsonpath='{$.items[*].metadata.name}'); do
  kubectl -n "$ns" delete secrets --selector="autocert.step.sm/token=true"
done

Uninstalling

To uninstall autocert completely simply delete the mutating webhook configuration, the step namespace and the autocert RBAC artifacts:

kubectl delete mutatingwebhookconfiguration autocert-webhook-config
kubectl delete namespace step
kubectl delete clusterrolebinding autocert-controller
kubectl delete clusterrole autocert-controller

Remove any namespace labels and clean up any stray secrets that autocert hasn't cleaned up yet:

for ns in $(kubectl get namespace --selector autocert.step.sm=enabled -o jsonpath='{$.items[*].metadata.name}'); do
  kubectl label namespace "$ns" autocert.step.sm-
  kubectl -n "$ns" delete secrets --selector="autocert.step.sm/token=true"
done

Any remaining sidecar containers will go away once you remove annotations and re-deploy your workloads.

TODO:

  • Change admin password
  • Change autocert password
  • Federating with another CA
  • DNS tips and tricks
  • Multiple SANs
  • Getting rid of the sidecar
  • Getting logs from the CA (certificates weren't issued)
  • Getting logs from the init container / renewer (didn't start properly)
  • Adjusting certificate expiration (default 24h)
  • Remove label
  • Clean up secrets