forked from TrueCloudLab/certificates
parent
025e36bf10
commit
754670ad12
17 changed files with 481 additions and 0 deletions
|
@ -451,6 +451,110 @@ Removing docker_ca_1 ... done
|
||||||
Removing network docker_default
|
Removing network docker_default
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Basic Federation
|
||||||
|
|
||||||
|
The [basic-federation example](basic-federation) showcases how to securely facilitate communication between relying parties of multiple autonomous certificate authorities. Federation is what's required when services are spread between multiple independent Kubernetes clusters, public clouds, and/or serverless cloud functions to enable service communication across boundaries.
|
||||||
|
|
||||||
|
This example uses a pre-generated PKI (public/private key material). Do not use pre-generated PKIs for dev, staging, or production purposes outside of this example.
|
||||||
|
|
||||||
|
# Launch Online CAs
|
||||||
|
|
||||||
|
Bring up two online CAs; `Cloud CA` and `Kubernetes CA`.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ step-ca ./pki/cloud/config/ca.federated.json
|
||||||
|
Please enter the password to decrypt intermediate_ca_key: password
|
||||||
|
2019/01/22 13:38:52 Serving HTTPS on :1443 ...
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ step-ca ./pki/kubernetes/config/ca.federated.json
|
||||||
|
Please enter the password to decrypt intermediate_ca_key: password
|
||||||
|
2019/01/22 13:39:44 Serving HTTPS on :2443 ...
|
||||||
|
```
|
||||||
|
|
||||||
|
Notice the difference between the two configuration options below. `Cloud CA` will list `Kubernetes CA` in the `federatedRoots` section and vice versa for the federated options.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ diff pki/cloud/config/ca.json pki/cloud/config/ca.federated.json
|
||||||
|
3c3
|
||||||
|
< "federatedRoots": [],
|
||||||
|
---
|
||||||
|
> "federatedRoots": ["pki/cloud/certs/kubernetes_root_ca.crt"],
|
||||||
|
```
|
||||||
|
|
||||||
|
# Bring up Demo Server
|
||||||
|
|
||||||
|
This demo server leverages step's [SDK](https://godoc.org/github.com/smallstep/certificates/ca) to obtain certs, automatically renew them, and fetch a bundle of trusted roots. When it starts up it will report what root certificates it will use to authenticate client certs.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
go run server/main.go $(step ca token \
|
||||||
|
--ca-url https://localhost:1443 \
|
||||||
|
--root ./pki/cloud/certs/root_ca.crt \
|
||||||
|
127.0.0.1)
|
||||||
|
✔ Key ID: EE1ZiqkMaxsUdpz8SCSkRBzwK9TWUoidQnMnJ8Eryn8 (sebastian@smallstep.com)
|
||||||
|
✔ Please enter the password to decrypt the provisioner key: password
|
||||||
|
Server is using federated root certificates
|
||||||
|
Accepting certs anchored in CN=Smallstep Public Cloud Root CA
|
||||||
|
Accepting certs anchored in CN=Smallstep Kubernetes Root CA
|
||||||
|
Listening on :8443 ...
|
||||||
|
```
|
||||||
|
|
||||||
|
# Run Demo Client
|
||||||
|
|
||||||
|
Similarly step's [SDK](https://godoc.org/github.com/smallstep/certificates/ca) provides a client option to mutually authenticate connections to servers. It automatically handles cert bootstrapping, renewal, and fetches a bundle of trusted roots. The demo client will send HTTP requests to the demo server periodically (every 5s).
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ go run client/main.go $(step ca token sdk_client \
|
||||||
|
--ca-url https://localhost:2443 \
|
||||||
|
--root ./pki/kubernetes/certs/root_ca.crt)
|
||||||
|
✔ Key ID: S5gYgpeqcIAgc1Zr4myZXpgJ_Ao4ryS6F6wqg9o8RYo (sebastian@smallstep.com)
|
||||||
|
✔ Please enter the password to decrypt the provisioner key: password
|
||||||
|
Server responded: Hello sdk_client (cert issued by 'Smallstep Kubernetes Root CA') at 2019-01-23 00:51:38.576648 +0000 UTC
|
||||||
|
```
|
||||||
|
|
||||||
|
# Curl as Client
|
||||||
|
|
||||||
|
While the demo client provides a convenient way to periodically send requests to the demo server curl in combination with a client cert from `Kubernetes CA` can be used to hit the server instead:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ step ca certificate kube_client kube_client.crt kube_client.key \
|
||||||
|
--ca-url https://localhost:2443 \
|
||||||
|
--root pki/kubernetes/certs/root_ca.crt
|
||||||
|
✔ Key ID: S5gYgpeqcIAgc1Zr4myZXpgJ_Ao4ryS6F6wqg9o8RYo (sebastian@smallstep.com)
|
||||||
|
✔ Please enter the password to decrypt the provisioner key:
|
||||||
|
✔ CA: https://localhost:2443/1.0/sign
|
||||||
|
✔ Certificate: kube_client.crt
|
||||||
|
✔ Private Key: kube_client.key
|
||||||
|
```
|
||||||
|
|
||||||
|
Federation relies on a bundle of multiple trusted roots which need to be fetched before passed into curl.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ step ca federation --ca-url https://localhost:1443 \
|
||||||
|
--root pki/cloud/certs/root_ca.crt \
|
||||||
|
federated.pem
|
||||||
|
The federation certificate bundle has been saved in federated.pem.
|
||||||
|
```
|
||||||
|
|
||||||
|
Passing the cert (issued by `Kubernetes CA`) into curl using the appropriate command line flags:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ curl -i --cacert federated.pem \
|
||||||
|
--cert kube_client.crt \
|
||||||
|
--key kube_client.key \
|
||||||
|
https://127.0.0.1:8443
|
||||||
|
|
||||||
|
HTTP/2 200
|
||||||
|
content-type: text/plain; charset=utf-8
|
||||||
|
content-length: 105
|
||||||
|
date: Mon, 28 Jan 2019 15:24:54 GMT
|
||||||
|
|
||||||
|
Hello kube_client (cert issued by 'Smallstep Kubernetes Root CA') at 2019-01-28 15:24:54.864373 +0000 UTC
|
||||||
|
```
|
||||||
|
|
||||||
|
Since the demo server is enrolled with the federated `Cloud CA` that trusts certs issued by the `Kubernetes CA` through federation the connection is successfully established.
|
||||||
|
|
||||||
## Configuration Management Tools
|
## Configuration Management Tools
|
||||||
|
|
||||||
Configuration management tools such as Puppet, Chef, Ansible, Salt, etc. make
|
Configuration management tools such as Puppet, Chef, Ansible, Salt, etc. make
|
||||||
|
|
44
examples/basic-federation/client/main.go
Normal file
44
examples/basic-federation/client/main.go
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"fmt"
|
||||||
|
"io/ioutil"
|
||||||
|
"os"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/smallstep/certificates/ca"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
if len(os.Args) != 2 {
|
||||||
|
fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0])
|
||||||
|
os.Exit(1)
|
||||||
|
}
|
||||||
|
|
||||||
|
token := os.Args[1]
|
||||||
|
|
||||||
|
// make sure to cancel the renew goroutine
|
||||||
|
ctx, cancel := context.WithCancel(context.Background())
|
||||||
|
defer cancel()
|
||||||
|
|
||||||
|
client, err := ca.BootstrapClient(ctx, token, ca.AddFederationToRootCAs())
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
for {
|
||||||
|
resp, err := client.Get("https://127.0.0.1:8443")
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
b, err := ioutil.ReadAll(resp.Body)
|
||||||
|
resp.Body.Close()
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
fmt.Printf("Server responded: %s\n", b)
|
||||||
|
time.Sleep(5 * time.Second)
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,12 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBvjCCAWSgAwIBAgIQPDSG4MCReDzPu96+Cb5e0TAKBggqhkjOPQQDAjApMScw
|
||||||
|
JQYDVQQDEx5TbWFsbHN0ZXAgUHVibGljIENsb3VkIFJvb3QgQ0EwHhcNMTkwMTE4
|
||||||
|
MjEwNjE2WhcNMjkwMTE1MjEwNjE2WjAxMS8wLQYDVQQDEyZTbWFsbHN0ZXAgUHVi
|
||||||
|
bGljIENsb3VkIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEH
|
||||||
|
A0IABCQRZefT8U34OiW3o+R2/Ob2DUWrcL87jj9D7IGtAgOjulbfoJaH3rnJumG2
|
||||||
|
DtMImBJ1hPa2mXMjThnjOXSlGA+jZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMB
|
||||||
|
Af8ECDAGAQH/AgEAMB0GA1UdDgQWBBSCHPvFHHqEJU82OtFPZVHhstA/rDAfBgNV
|
||||||
|
HSMEGDAWgBSMOU1vYot1qfDaTG2uY9l2nQNSADAKBggqhkjOPQQDAgNIADBFAiEA
|
||||||
|
hojptJQvmTlu9Ybyr9UCL6Akiks8U1RPF2NS+YKZm+8CIDjbipMuz5AXCez57/5r
|
||||||
|
ZrEv0JxcWpK6AxfitwyYg34e
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,11 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBkjCCATigAwIBAgIRAKqKZhDGVx8dcxTDGpowzNEwCgYIKoZIzj0EAwIwJzEl
|
||||||
|
MCMGA1UEAxMcU21hbGxzdGVwIEt1YmVybmV0ZXMgUm9vdCBDQTAeFw0xOTAxMTgy
|
||||||
|
MTA2NDdaFw0yOTAxMTUyMTA2NDdaMCcxJTAjBgNVBAMTHFNtYWxsc3RlcCBLdWJl
|
||||||
|
cm5ldGVzIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASst212A8a9
|
||||||
|
h1DBFEzCgIaoZEWWf0JlBkSmnlHCHZLK2ookNKY6k8UAki4o1xpYjeLtlL4xn4WL
|
||||||
|
mMEafC2tPQvxo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIB
|
||||||
|
ATAdBgNVHQ4EFgQU1+ia0R8GNWYXgs7qkbXHzinghlEwCgYIKoZIzj0EAwIDSAAw
|
||||||
|
RQIgDQlbDQxnNxRsR8d/lQiBSy6v0u6BOmftfbB3y0CcGI4CIQC2dxkUvi6GsfHs
|
||||||
|
zRgU5ZPIT7sVEfNi9G3GZABj0vOnvQ==
|
||||||
|
-----END CERTIFICATE-----
|
11
examples/basic-federation/pki/cloud/certs/root_ca.crt
Normal file
11
examples/basic-federation/pki/cloud/certs/root_ca.crt
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBlTCCATygAwIBAgIRAPykhdlDneUGU9rI1g+Y40MwCgYIKoZIzj0EAwIwKTEn
|
||||||
|
MCUGA1UEAxMeU21hbGxzdGVwIFB1YmxpYyBDbG91ZCBSb290IENBMB4XDTE5MDEx
|
||||||
|
ODIxMDYxM1oXDTI5MDExNTIxMDYxM1owKTEnMCUGA1UEAxMeU21hbGxzdGVwIFB1
|
||||||
|
YmxpYyBDbG91ZCBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESc9z
|
||||||
|
Y77gf4XhCCOzsAhvMThV3Wro6EVnfBaSlmmnq15VaONG6FP7kVyJEM+XD75Thu10
|
||||||
|
AsxwB0w4WxKIJ63TNaNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
|
||||||
|
Af8CAQEwHQYDVR0OBBYEFIw5TW9ii3Wp8NpMba5j2XadA1IAMAoGCCqGSM49BAMC
|
||||||
|
A0cAMEQCICVylyEZfBBilwKN1nvS4j9Lbt6/nhF5DH9K/wjPIBhiAiBZojDvMZhj
|
||||||
|
mreuuFfRC4kWE/OUG5Iz2qVUtlvL/NaXXQ==
|
||||||
|
-----END CERTIFICATE-----
|
40
examples/basic-federation/pki/cloud/config/ca.federated.json
Normal file
40
examples/basic-federation/pki/cloud/config/ca.federated.json
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
{
|
||||||
|
"root": "pki/cloud/certs/root_ca.crt",
|
||||||
|
"federatedRoots": ["pki/cloud/certs/kubernetes_root_ca.crt"],
|
||||||
|
"crt": "pki/cloud/certs/intermediate_ca.crt",
|
||||||
|
"key": "pki/cloud/secrets/intermediate_ca_key",
|
||||||
|
"address": ":1443",
|
||||||
|
"dnsNames": [
|
||||||
|
"localhost"
|
||||||
|
],
|
||||||
|
"logger": {
|
||||||
|
"format": "text"
|
||||||
|
},
|
||||||
|
"authority": {
|
||||||
|
"provisioners": [
|
||||||
|
{
|
||||||
|
"name": "sebastian@smallstep.com",
|
||||||
|
"type": "jwk",
|
||||||
|
"key": {
|
||||||
|
"use": "sig",
|
||||||
|
"kty": "EC",
|
||||||
|
"kid": "EE1ZiqkMaxsUdpz8SCSkRBzwK9TWUoidQnMnJ8Eryn8",
|
||||||
|
"crv": "P-256",
|
||||||
|
"alg": "ES256",
|
||||||
|
"x": "BcoXteWHdYxXUrckEQwEQDol2nM97J8KIg7GiXc3AMc",
|
||||||
|
"y": "8QkL41tl7BZ5uIf_VTOEypp8vsKUnDGpNdrfk0FNt0Q"
|
||||||
|
},
|
||||||
|
"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoicTV2MkZ2bmRjNnF0ZWlEZkVBNWI5ZyJ9.MZCVUhU1yuYkhKbQqJDJX0Y6d1X6ranvIeGHIpWLc_STHAgta8c0tA.4o-sw0jTV064OtuL.QVqIo2l0Qf_MRXVghjFYUFkWlK-3VomqzskLLDfLz1norWQa-wEdV56_CIZ7gAPxiLj2N6VOlpEg-sKA2xL3w9b-2WovH_o93iN2MziiWajFf9uq-41LVyEeROd_6Gs4TQbxyz5rk_iMsZeRNRKTpYvW1E2lA4YlMTm4QLV7s7xkGaWsL_-pATfb24bnDMrjRyAVLR61rPHxUQ2wcK_hRG272xoSAsNOWRrUcnDYzjylj-YfmhQZy77Rf38Rxy3UlhB4iMB-y7wMoMuseRKTvBEncL-c0wrllKWUP_KjCl6VeanKWAGUilbmgIpEa1Y_QbNZTD9t0rw2TJSkjx0.CNtEZWZrfp542E65F2oi4w"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"tls": {
|
||||||
|
"cipherSuites": [
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
|
||||||
|
],
|
||||||
|
"minVersion": 1.2,
|
||||||
|
"maxVersion": 1.2,
|
||||||
|
"renegotiation": false
|
||||||
|
}
|
||||||
|
}
|
40
examples/basic-federation/pki/cloud/config/ca.json
Normal file
40
examples/basic-federation/pki/cloud/config/ca.json
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
{
|
||||||
|
"root": "pki/cloud/certs/root_ca.crt",
|
||||||
|
"federatedRoots": [],
|
||||||
|
"crt": "pki/cloud/certs/intermediate_ca.crt",
|
||||||
|
"key": "pki/cloud/secrets/intermediate_ca_key",
|
||||||
|
"address": ":1443",
|
||||||
|
"dnsNames": [
|
||||||
|
"localhost"
|
||||||
|
],
|
||||||
|
"logger": {
|
||||||
|
"format": "text"
|
||||||
|
},
|
||||||
|
"authority": {
|
||||||
|
"provisioners": [
|
||||||
|
{
|
||||||
|
"name": "sebastian@smallstep.com",
|
||||||
|
"type": "jwk",
|
||||||
|
"key": {
|
||||||
|
"use": "sig",
|
||||||
|
"kty": "EC",
|
||||||
|
"kid": "EE1ZiqkMaxsUdpz8SCSkRBzwK9TWUoidQnMnJ8Eryn8",
|
||||||
|
"crv": "P-256",
|
||||||
|
"alg": "ES256",
|
||||||
|
"x": "BcoXteWHdYxXUrckEQwEQDol2nM97J8KIg7GiXc3AMc",
|
||||||
|
"y": "8QkL41tl7BZ5uIf_VTOEypp8vsKUnDGpNdrfk0FNt0Q"
|
||||||
|
},
|
||||||
|
"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoicTV2MkZ2bmRjNnF0ZWlEZkVBNWI5ZyJ9.MZCVUhU1yuYkhKbQqJDJX0Y6d1X6ranvIeGHIpWLc_STHAgta8c0tA.4o-sw0jTV064OtuL.QVqIo2l0Qf_MRXVghjFYUFkWlK-3VomqzskLLDfLz1norWQa-wEdV56_CIZ7gAPxiLj2N6VOlpEg-sKA2xL3w9b-2WovH_o93iN2MziiWajFf9uq-41LVyEeROd_6Gs4TQbxyz5rk_iMsZeRNRKTpYvW1E2lA4YlMTm4QLV7s7xkGaWsL_-pATfb24bnDMrjRyAVLR61rPHxUQ2wcK_hRG272xoSAsNOWRrUcnDYzjylj-YfmhQZy77Rf38Rxy3UlhB4iMB-y7wMoMuseRKTvBEncL-c0wrllKWUP_KjCl6VeanKWAGUilbmgIpEa1Y_QbNZTD9t0rw2TJSkjx0.CNtEZWZrfp542E65F2oi4w"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"tls": {
|
||||||
|
"cipherSuites": [
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
|
||||||
|
],
|
||||||
|
"minVersion": 1.2,
|
||||||
|
"maxVersion": 1.2,
|
||||||
|
"renegotiation": false
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,8 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
Proc-Type: 4,ENCRYPTED
|
||||||
|
DEK-Info: AES-256-CBC,61d1fda0c56e8b8fcf2eb8ba5e20903f
|
||||||
|
|
||||||
|
pFdzP/NSsBCJ3LiVNd6Qg8BRZrNO9+MOcXeg93LAOFQVOswPRya+tfTojfv6t4Lm
|
||||||
|
qJYJlENAAKCjM5+GuMeslTpyqlgDvUYi36v4FAxvLNp49r+nzKXqq0chIPhlLwGb
|
||||||
|
Mr8rEtX97vosyYEtsYhbjjzgCJXMhBXzi9tbLkkiRxw=
|
||||||
|
-----END EC PRIVATE KEY-----
|
8
examples/basic-federation/pki/cloud/secrets/root_ca_key
Normal file
8
examples/basic-federation/pki/cloud/secrets/root_ca_key
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
Proc-Type: 4,ENCRYPTED
|
||||||
|
DEK-Info: AES-256-CBC,78223655d6ee4b458ff2d5b79dadbd06
|
||||||
|
|
||||||
|
+bHgP06x5ScVppDSysFN/1xVPnC5MrrUhG7zLG/eX6yJrj4YegthwnDrCuWSCc9U
|
||||||
|
0fv0jJ0QGGm8YL5NdH1EpOF7f3+KhOaCv3KLUFJqDWy7HC9anvLHRZPxEeGgndfZ
|
||||||
|
5EJz043Lg7xYSDDaH1a0ZVcHPpyiUJNhS9lxmOQP+Ec=
|
||||||
|
-----END EC PRIVATE KEY-----
|
|
@ -0,0 +1,11 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBlTCCATygAwIBAgIRAPykhdlDneUGU9rI1g+Y40MwCgYIKoZIzj0EAwIwKTEn
|
||||||
|
MCUGA1UEAxMeU21hbGxzdGVwIFB1YmxpYyBDbG91ZCBSb290IENBMB4XDTE5MDEx
|
||||||
|
ODIxMDYxM1oXDTI5MDExNTIxMDYxM1owKTEnMCUGA1UEAxMeU21hbGxzdGVwIFB1
|
||||||
|
YmxpYyBDbG91ZCBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESc9z
|
||||||
|
Y77gf4XhCCOzsAhvMThV3Wro6EVnfBaSlmmnq15VaONG6FP7kVyJEM+XD75Thu10
|
||||||
|
AsxwB0w4WxKIJ63TNaNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB
|
||||||
|
Af8CAQEwHQYDVR0OBBYEFIw5TW9ii3Wp8NpMba5j2XadA1IAMAoGCCqGSM49BAMC
|
||||||
|
A0cAMEQCICVylyEZfBBilwKN1nvS4j9Lbt6/nhF5DH9K/wjPIBhiAiBZojDvMZhj
|
||||||
|
mreuuFfRC4kWE/OUG5Iz2qVUtlvL/NaXXQ==
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,12 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBuzCCAWGgAwIBAgIRAK/si8hkdtyDLAjg6ZiRxIgwCgYIKoZIzj0EAwIwJzEl
|
||||||
|
MCMGA1UEAxMcU21hbGxzdGVwIEt1YmVybmV0ZXMgUm9vdCBDQTAeFw0xOTAxMTgy
|
||||||
|
MTA2NDlaFw0yOTAxMTUyMTA2NDlaMC8xLTArBgNVBAMTJFNtYWxsc3RlcCBLdWJl
|
||||||
|
cm5ldGVzIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
|
||||||
|
BBIuNImYDPC6BIGm0/C97su9GPsrGoS2uSHDuPIORbaGPtGI8A2SHInw7pHXRqnW
|
||||||
|
5TvrbCOcLI2Ao2RQvAd/9jCjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8E
|
||||||
|
CDAGAQH/AgEAMB0GA1UdDgQWBBT3w/Rtaw3B4mjhqwDb+/tCFLQTozAfBgNVHSME
|
||||||
|
GDAWgBTX6JrRHwY1ZheCzuqRtcfOKeCGUTAKBggqhkjOPQQDAgNIADBFAiEAz8Lo
|
||||||
|
GPyrFRGvQ6Eie/qIjJByNEmN3FCOJOJr0J7csy0CIBLxKfMhsT719con+/ZMBNRt
|
||||||
|
HEV9xTWpPhUvnlsTPIJl
|
||||||
|
-----END CERTIFICATE-----
|
11
examples/basic-federation/pki/kubernetes/certs/root_ca.crt
Normal file
11
examples/basic-federation/pki/kubernetes/certs/root_ca.crt
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIBkjCCATigAwIBAgIRAKqKZhDGVx8dcxTDGpowzNEwCgYIKoZIzj0EAwIwJzEl
|
||||||
|
MCMGA1UEAxMcU21hbGxzdGVwIEt1YmVybmV0ZXMgUm9vdCBDQTAeFw0xOTAxMTgy
|
||||||
|
MTA2NDdaFw0yOTAxMTUyMTA2NDdaMCcxJTAjBgNVBAMTHFNtYWxsc3RlcCBLdWJl
|
||||||
|
cm5ldGVzIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASst212A8a9
|
||||||
|
h1DBFEzCgIaoZEWWf0JlBkSmnlHCHZLK2ookNKY6k8UAki4o1xpYjeLtlL4xn4WL
|
||||||
|
mMEafC2tPQvxo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIB
|
||||||
|
ATAdBgNVHQ4EFgQU1+ia0R8GNWYXgs7qkbXHzinghlEwCgYIKoZIzj0EAwIDSAAw
|
||||||
|
RQIgDQlbDQxnNxRsR8d/lQiBSy6v0u6BOmftfbB3y0CcGI4CIQC2dxkUvi6GsfHs
|
||||||
|
zRgU5ZPIT7sVEfNi9G3GZABj0vOnvQ==
|
||||||
|
-----END CERTIFICATE-----
|
|
@ -0,0 +1,40 @@
|
||||||
|
{
|
||||||
|
"root": "pki/kubernetes/certs/root_ca.crt",
|
||||||
|
"federatedRoots": ["pki/kubernetes/certs/cloud_root_ca.crt"],
|
||||||
|
"crt": "pki/kubernetes/certs/intermediate_ca.crt",
|
||||||
|
"key": "pki/kubernetes/secrets/intermediate_ca_key",
|
||||||
|
"address": ":2443",
|
||||||
|
"dnsNames": [
|
||||||
|
"localhost"
|
||||||
|
],
|
||||||
|
"logger": {
|
||||||
|
"format": "text"
|
||||||
|
},
|
||||||
|
"authority": {
|
||||||
|
"provisioners": [
|
||||||
|
{
|
||||||
|
"name": "sebastian@smallstep.com",
|
||||||
|
"type": "jwk",
|
||||||
|
"key": {
|
||||||
|
"use": "sig",
|
||||||
|
"kty": "EC",
|
||||||
|
"kid": "S5gYgpeqcIAgc1Zr4myZXpgJ_Ao4ryS6F6wqg9o8RYo",
|
||||||
|
"crv": "P-256",
|
||||||
|
"alg": "ES256",
|
||||||
|
"x": "uYecJyfa3pKHrO36zVsPKCHAcCUoYKOic2M7_qv9Jes",
|
||||||
|
"y": "WXzgS-36_BcXSi-G86RcLmLaHJEjmcmkhzR9ajrhhGo"
|
||||||
|
},
|
||||||
|
"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiRlBVMHBJclNYbUU5VzhFSzFaMlQ2USJ9.wTT9VpKIOKzoiaBJ2fIcOYwypkKTwuKauwkf4fcfmJ6_VVQ6TykIrA.y_YTjVhmpztcOqYq.9j_pppHHcJ3_VEbt-WfxSOks05QMXNI862uYWcFGc7EVCoD1qEiKIDKEuoUSTG-_WcgkaXrag9UUQPKfDpuYi6UJcyaLkehO2DBX26DJ1T-qEYlhPxPGpx8r7p84zcg_AftypD6PNheiCLe6HOQWWuPtuPrfyUpvyfMWkJC14NZjR4iJysKP5dndxFbSTI2XCw1X-zBDVD9xMnVPlRtezIIuDi2cLEYnNaIlr5NMNQBOrzQaSo1LQaOOoSa_OrZzTdjg7HaUU5DaAA6YEDQPfFxLIJdKshvj5sxDlH_LLY58mzsGECrUx396zjvN8FD-bFSrdbCNlJJ4xhtt34c.FhRAcFIg-5k2srdtdsq2VQ"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"tls": {
|
||||||
|
"cipherSuites": [
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
|
||||||
|
],
|
||||||
|
"minVersion": 1.2,
|
||||||
|
"maxVersion": 1.2,
|
||||||
|
"renegotiation": false
|
||||||
|
}
|
||||||
|
}
|
40
examples/basic-federation/pki/kubernetes/config/ca.json
Normal file
40
examples/basic-federation/pki/kubernetes/config/ca.json
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
{
|
||||||
|
"root": "pki/kubernetes/certs/root_ca.crt",
|
||||||
|
"federatedRoots": [],
|
||||||
|
"crt": "pki/kubernetes/certs/intermediate_ca.crt",
|
||||||
|
"key": "pki/kubernetes/secrets/intermediate_ca_key",
|
||||||
|
"address": ":2443",
|
||||||
|
"dnsNames": [
|
||||||
|
"localhost"
|
||||||
|
],
|
||||||
|
"logger": {
|
||||||
|
"format": "text"
|
||||||
|
},
|
||||||
|
"authority": {
|
||||||
|
"provisioners": [
|
||||||
|
{
|
||||||
|
"name": "sebastian@smallstep.com",
|
||||||
|
"type": "jwk",
|
||||||
|
"key": {
|
||||||
|
"use": "sig",
|
||||||
|
"kty": "EC",
|
||||||
|
"kid": "S5gYgpeqcIAgc1Zr4myZXpgJ_Ao4ryS6F6wqg9o8RYo",
|
||||||
|
"crv": "P-256",
|
||||||
|
"alg": "ES256",
|
||||||
|
"x": "uYecJyfa3pKHrO36zVsPKCHAcCUoYKOic2M7_qv9Jes",
|
||||||
|
"y": "WXzgS-36_BcXSi-G86RcLmLaHJEjmcmkhzR9ajrhhGo"
|
||||||
|
},
|
||||||
|
"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiRlBVMHBJclNYbUU5VzhFSzFaMlQ2USJ9.wTT9VpKIOKzoiaBJ2fIcOYwypkKTwuKauwkf4fcfmJ6_VVQ6TykIrA.y_YTjVhmpztcOqYq.9j_pppHHcJ3_VEbt-WfxSOks05QMXNI862uYWcFGc7EVCoD1qEiKIDKEuoUSTG-_WcgkaXrag9UUQPKfDpuYi6UJcyaLkehO2DBX26DJ1T-qEYlhPxPGpx8r7p84zcg_AftypD6PNheiCLe6HOQWWuPtuPrfyUpvyfMWkJC14NZjR4iJysKP5dndxFbSTI2XCw1X-zBDVD9xMnVPlRtezIIuDi2cLEYnNaIlr5NMNQBOrzQaSo1LQaOOoSa_OrZzTdjg7HaUU5DaAA6YEDQPfFxLIJdKshvj5sxDlH_LLY58mzsGECrUx396zjvN8FD-bFSrdbCNlJJ4xhtt34c.FhRAcFIg-5k2srdtdsq2VQ"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"tls": {
|
||||||
|
"cipherSuites": [
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
||||||
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
|
||||||
|
],
|
||||||
|
"minVersion": 1.2,
|
||||||
|
"maxVersion": 1.2,
|
||||||
|
"renegotiation": false
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,8 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
Proc-Type: 4,ENCRYPTED
|
||||||
|
DEK-Info: AES-256-CBC,fb0860a45dbae164b2657f27c2a3f1cf
|
||||||
|
|
||||||
|
6nFswxVAct5zIqsThsJ1uYY6gzkhMzAmurih+mhlhANfl6SHURdzk8AtutIQrFfV
|
||||||
|
jr/vTPyr3aR+dqldt/wg1L9pJFc/OoWVlOFbltmLTkWMPk+VHKxR5V6A7IVYoKvm
|
||||||
|
EUFzVb+aHj6M9R7ecBf0IslGQ0nsqYa54WppGHmAA4A=
|
||||||
|
-----END EC PRIVATE KEY-----
|
|
@ -0,0 +1,8 @@
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
Proc-Type: 4,ENCRYPTED
|
||||||
|
DEK-Info: AES-256-CBC,965ede7ef96d4640932c18bdf1795645
|
||||||
|
|
||||||
|
treDpMX0uYFlWMiPvjYfnv6K9jmT4f8pTG6AkzZB0eeaNj04tt4FuIgrabHoZFNx
|
||||||
|
IC1mFIRZvhJaiOXNIvQbo/Wnweu8nVV/xn73xNKBramgfXDo9WCvIsffjRg1xtsq
|
||||||
|
s3SuONddo4IdpmrG7iEZTkDe2IzSV5NYhGsKiwvDvaU=
|
||||||
|
-----END EC PRIVATE KEY-----
|
73
examples/basic-federation/server/main.go
Normal file
73
examples/basic-federation/server/main.go
Normal file
|
@ -0,0 +1,73 @@
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"fmt"
|
||||||
|
"net/http"
|
||||||
|
"os"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/smallstep/certificates/ca"
|
||||||
|
)
|
||||||
|
|
||||||
|
func main() {
|
||||||
|
if len(os.Args) != 2 {
|
||||||
|
fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0])
|
||||||
|
os.Exit(1)
|
||||||
|
}
|
||||||
|
|
||||||
|
token := os.Args[1]
|
||||||
|
|
||||||
|
// make sure to cancel the renew goroutine
|
||||||
|
ctx, cancel := context.WithCancel(context.Background())
|
||||||
|
defer cancel()
|
||||||
|
|
||||||
|
srv, err := ca.BootstrapServer(ctx, token, &http.Server{
|
||||||
|
Addr: ":8443",
|
||||||
|
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
name := "nobody"
|
||||||
|
issuer := "none"
|
||||||
|
if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
|
||||||
|
name = r.TLS.PeerCertificates[0].Subject.CommonName
|
||||||
|
issuer = r.TLS.PeerCertificates[len(r.TLS.PeerCertificates)-1].Issuer.CommonName
|
||||||
|
}
|
||||||
|
|
||||||
|
w.Write([]byte(fmt.Sprintf("Hello %s (cert issued by '%s') at %s", name, issuer, time.Now().UTC())))
|
||||||
|
}),
|
||||||
|
}, ca.AddFederationToRootCAs(), ListTrustedRoots())
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
fmt.Println("Listening on :8443 ...")
|
||||||
|
if err := srv.ListenAndServeTLS("", ""); err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// ListTrustedRoots prints list of trusted roots for illustration purposes
|
||||||
|
func ListTrustedRoots() ca.TLSOption {
|
||||||
|
fn := func(ctx *ca.TLSOptionCtx) error {
|
||||||
|
certs, err := ctx.Client.Federation()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
roots, err := ctx.Client.Roots()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(certs.Certificates) > len(roots.Certificates) {
|
||||||
|
fmt.Println("Server is using federated root certificates")
|
||||||
|
}
|
||||||
|
for _, cert := range certs.Certificates {
|
||||||
|
fmt.Printf("Accepting certs anchored in %s\n", cert.Certificate.Subject)
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
return func(ctx *ca.TLSOptionCtx) error {
|
||||||
|
ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
|
||||||
|
return fn(ctx)
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue