From 68eed1bce99e9d12b42a43f75120de2ee3f4b26d Mon Sep 17 00:00:00 2001 From: Mike Malone Date: Mon, 11 Feb 2019 17:43:47 -0800 Subject: [PATCH] docs updates --- autocert/INSTALL.md | 44 ++++++++++++++++++++++++++ autocert/README.md | 13 +++----- autocert/examples/hello-mtls/README.md | 19 +++++++++++ 3 files changed, 67 insertions(+), 9 deletions(-) diff --git a/autocert/INSTALL.md b/autocert/INSTALL.md index 61787a81..0b4b788b 100644 --- a/autocert/INSTALL.md +++ b/autocert/INSTALL.md @@ -1,3 +1,39 @@ +# Installing `autocert` + +### Prerequisites + +To get started you'll need [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) and a cluster running kubernetes `1.9` or later with [admission webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) enabled: + +```bash +$ kubectl version --short +Client Version: v1.13.1 +Server Version: v1.10.11 +$ kubectl api-versions | grep "admissionregistration.k8s.io/v1beta1" +admissionregistration.k8s.io/v1beta1 +``` + +### Install + +The easiest way to install `autocert` is to run: + +```bash +kubectl run autocert-init -it --rm --image smallstep/autocert-init --restart Never +``` + +💥 installation complete. + +> You might want to [check out what this command does](init/autocert.sh) before running it. + +## Manual install + +To install manually you'll need to [install step](https://github.com/smallstep/cli#installing) version `0.8.3` or later. + +``` +$ step version +Smallstep CLI/0.8.3 (darwin/amd64) +Release Date: 2019-01-16 01:46 UTC +``` + ### Create a CA Set your `STEPPATH` to a working directory where we can stage our CA artifacts before we push them to kubernetes. You can delete this directory once installation is complete. @@ -41,6 +77,14 @@ $ sed -i "" "s|ca.step.svc.cluster.local:4443|ca.step.svc.cluster.local|" $(step ### Install the CA in Kubernetes +We'll be creating a new kubernetes namespace and setting up some RBAC rules during installation. You'll need appropriate permissions in your cluster (e.g., you may need to be cluster-admin). GKE, in particular, does not give the cluster owner these rights by default. You can give yourself cluster-admin rights on GKE by running: + +```bash +kubectl create clusterrolebinding cluster-admin-binding \ + --clusterrole cluster-admin \ + --user $(gcloud config get-value account) +``` + We'll install our CA and the `autocert` controller in the `step` namespace. ``` diff --git a/autocert/README.md b/autocert/README.md index 813cc3bf..f2eeac07 100644 --- a/autocert/README.md +++ b/autocert/README.md @@ -8,11 +8,6 @@ [![GitHub stars](https://img.shields.io/github/stars/smallstep/certificates.svg?style=social)](https://github.com/smallstep/certificates/stargazers) [![Twitter followers](https://img.shields.io/twitter/follow/smallsteplabs.svg?label=Follow&style=social)](https://twitter.com/intent/follow?screen_name=smallsteplabs) - - **Autocert** is a kubernetes add-on that automatically injects TLS/HTTPS certificates into your containers. To get a certificate **simply annotate your pods** with a name. An X.509 (TLS/HTTPS) certificate is automatically created and mounted at `/var/run/autocert.step.sm/` along with a corresponding private key and root certificate (everything you need for [mTLS](#motivation)). @@ -75,7 +70,7 @@ kubectl run autocert-init -it --rm --image smallstep/autocert-init --restart Nev 💥 installation complete. -> You might want to [check out what this command does](init/autocert.sh) before running it. You can also [install `autocert` manually](INSTALL.md) if that's your style. +> You might want to [check out what this command does](init/autocert.sh) before running it. You can also [install `autocert` manually](INSTALL.md#manual-install) if that's your style. ## Usage @@ -145,7 +140,7 @@ We're done. Our container has a certificate, issued by our CA, which `autocert` ## Hello mTLS -It's easy to deploy certificates using `autocert`, but it's up to you to use them correctly. To get you started, [`hello-mtls`](examples/hello-mtls) demonstrates the right way to use mTLS with various tools and languages (contributions welcome :). If you're a bit fuzzy on how mTLS works, [the `hello-mtls` README](examples/hello-mtls) is a great place to start. +It's easy to deploy certificates using `autocert`, but it's up to you to use them correctly. To get you started, [`hello-mtls`](examples/hello-mtls) demonstrates the right way to use mTLS with various tools and languages (contributions welcome :). If you're a bit fuzzy on how mTLS works, [the `hello-mtls` README](examples/hello-mtls/README.md) is a great place to start. To finish out this tutorial let's keep things simple and try `curl`ing the server we just deployed from inside and outside the cluster. @@ -224,7 +219,7 @@ kubectl -n step port-forward $(kubectl -n step get pods -l app=ca -o jsonpath={$ In another window we'll use `step` to grab the root certificate, generate a key pair, and get a certificate. -> To follow along you'll need to [`install step`](https://github.com/smallstep/cli#installing) if you haven't already. You'll also need your admin password and CA fingerprint, which were output during installation (see [here](RUNBOOK.md#recover-admin-and-ca-password) and [here](#RUNBOOK.md#recompute-root-certificate-fingerprint) if you already lost them :). +> To follow along you'll need to [`install step`](https://github.com/smallstep/cli#installing) if you haven't already. You'll also need your admin password and CA fingerprint, which were output during installation (see [here](RUNBOOK.md#recover-admin-and-ca-password) and [here](RUNBOOK.md#recompute-root-certificate-fingerprint) if you already lost them :). ```bash $ export CA_POD=$(kubectl -n step get pods -l app=ca -o jsonpath={$.items[0].metadata.name}) @@ -405,7 +400,7 @@ If you build your own containers you'll probably need to [install manually](INST ## Contributing -If you have improvements to `autocert`, send us your pull requests! For those just getting started, Github has a [howto](https://help.github.com/articles/about-pull-requests/). A team member will review your pull requests, provide feedback, and merge your changes. In order to accept contributions we do need you to [sign our contributor license agreement](https://cla-assistant.io/smallstep/certificates). +If you have improvements to `autocert`, send us your pull requests! For those just getting started, GitHub has a [howto](https://help.github.com/articles/about-pull-requests/). A team member will review your pull requests, provide feedback, and merge your changes. In order to accept contributions we do need you to [sign our contributor license agreement](https://cla-assistant.io/smallstep/certificates). If you want to contribute but you're not sure where to start, take a look at the [issues with the "good first issue" label](https://github.com/smallstep/certificates/issues?q=is%3Aopen+label%3A%22good+first+issue%22+label%3Aarea%2Fautocert). These are issues that we believe are particularly well suited for outside contributions, often because we probably won't get to them right now. If you decide to start on an issue, leave a comment so that other people know that you're working on it. If you want to help out, but not alone, use the issue comment thread to coordinate. diff --git a/autocert/examples/hello-mtls/README.md b/autocert/examples/hello-mtls/README.md index 16843615..f2b0fe99 100644 --- a/autocert/examples/hello-mtls/README.md +++ b/autocert/examples/hello-mtls/README.md @@ -25,6 +25,25 @@ kubectl apply -f hello-mtls.server.yaml kubectl apply -f hello-mtls.client.yaml ``` +## Mutual TLS + +Unlike the _server auth TLS_ that's typical with web browsers, where the browser authenticates the server but not vice versa, _mutual TLS_ (mTLS) connections have both remote peers (client and server) authenticate to one another by presenting certificates. mTLS is not a different protocol. It's just a variant of TLS that's not usually turned on by default. This respository demonstrates **how to turn on mTLS** with different tools and languages. It also demonstrates other **TLS best practices** like certificate rotation. + +mTLS provides _authenticated encryption_: an _identity dialtone_ and _end-to-end encryption_ for your workloads. It's like a secure line with caller ID. This has [all sorts of benefits](https://smallstep.com/blog/use-tls.html): better security, compliance, and easier auditability for starters. It **makes workloads identity-aware**, improving observability and enabling granular access control. Perhaps most compelling, mTLS lets you securely communicate with workloads running anywhere. Code, containers, devices, people, and anything else can connect securely using mTLS as long as they know one anothers' names and can resolve those names to routable IP addresses. + +With properly configured mTLS, services can be safely exposed directly to the public internet: **only clients that have a certificate issued by the internal certificate authority will be allowed to connect**. + +Here's a rough approximation of how an mTLS handshake works: + +![mTLS handshake diagram](https://raw.githubusercontent.com/smallstep/certificates/autocert/autocert/mtls-handshake.png) + +A few things to note: + + * It's the signing of random numbers that proves we're talking to the right remote. It's the digital equivalent of asking someone to send you a photo of them with today's newspaper. + * The client and server need to have prior knowledge of the root certificate(s) used for signing other certificates. + * The client and server need to be configured to use the correct certificate and private key (the certificate must have been issued by a CA with a trusted root certificate) + * Private keys are never shared. This is the magic of public key cryptography: unlike passwords or access tokens, certificates let you prove who you are without giving anyone the ability to impersonate you. + ## Feature matrix This matrix shows the set of features we'd like to demonstrate in each language