From: stephan48 Date: Tue, 3 Dec 2024 23:00:06 +0000 (+0100) Subject: (no commit message) X-Git-Url: https://blog.stejau.de/gitweb/gitweb.cgi?a=commitdiff_plain;h=96ac6e169504a6c3476ce44bc2b747d40d2b90e5;p=stejau-blog.git --- diff --git a/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn b/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn index 91b4a91..6cc81d1 100644 --- a/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn +++ b/posts/2024-08-29-k8s-cluster-step-ca-intermediate-with-existing-root.mdwn @@ -152,23 +152,30 @@ We continue on the step-ca host: $ # Copy the signed cert into pki/issued/ca.kubecluster.example.org.crt. $ # Copy the root ca crt from pk/ca.crt into pki/ca.crt -$ pwgen -s 50 1 > pwd -$ step ca init --password-file=pwd --provisioner-password-file=pwd --name=test1 --key-password-file=pwd --deployment-type=standalone --dns ca.kubecluster.example.org --dns step-certificates.step-ca.svc.cluster.local --address=:9000 --provisioner=step-ca-issuer --helm > test1.yaml -$ cat ./test1.yaml | yq -o json | jq --arg fingerprint "$(openssl x509 -in pki/ca.crt -noout -fingerprint -sha256 | sed 's/.*=//; s/://g')" --rawfile root_ca_crt pki/ca.crt --rawfile intermediate_ca_pw ./intermediate-pw --rawfile intermediate_ca_key pki/private/ca.kubecluster.home.stejau.vpn.key --rawfile intermediate_ca_crt pki/issued/ca.kubecluster.home.stejau.vpn.crt '.inject.certificates.root_ca = $root_ca_crt | .inject.secrets.x509.root_ca_key = null | .inject.certificates.intermediate_ca = $intermediate_ca_crt | .inject.secrets.x509.intermediate_ca_key = $intermediate_ca_key | .inject.secrets.ca_password = ($intermediate_ca_pw | @base64) | .inject.secrets.provisioner_password = null | .inject.config.files["defaults.json"].fingerprint = $fingerprint' | yq -o yaml -P | tee test2.yaml -$ # you now have the step-ca config inside test2.yaml. +$ bash finaggle-step-configs.sh ca.kubecluster.example.org step-certificates.step-ca.svc.cluster.local step-ca-issuer ``` -TODOs: +Follow the helm repo part from https://github.com/smallstep/step-issuer and install the repo and the step-issuer via helm. + +The files: +- test2.yaml will contain your helm values to be fed to "helm upgrade --install --create-namespace --namespace step-ca --values test2.yaml step-certificates smallstep/step-certificates" +- test-cluster.issuer-filled.yaml will contain the manifest for the cluster issuer, it can simply be applied. + +If this works the cmd "kubectl get stepclusterissuers.certmanager.step.sm step-cluster-issuer -o yaml" should output "StepClusterIssuer verified and ready to sign certificates" or "Ready"/"true". + +With this you can annotate your resources properly and will get certificates. + -* How to get from test2.yaml to a working step-ca -* Add provisioner password to above invokation -* step-ca-cluster-issuer - generate config like above + + +TODOs: +* [!] put finaggle-step-configs.sh and its deps somewhere +* document stuff around cert-manager / ingress-shim docs - https://cert-manager.io/docs/usage/ingress/#supported-annotations * multiple provisioners - how to do? * ??? - +* PROFIT Caveat: - * it might be that x509-types in a modern easy-rsa install is under pki/ instead of in the same dir as the easy-rsa script