

add external account binding for ACME, add requestedAt annotation for…
… certificate secrets, domain ranges for issuer
MartinWeindel committed Feb 19, 2021
1 parent a759f45 commit 0f21477
Showing 19 changed files with 774 additions and 137 deletions.
56 changes: 55 additions & 1 deletion charts/cert-management/templates/crds.yaml
Expand Up @@ -6,9 +6,9 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: issuers.cert.gardener.cloud
annotations:
controller-gen.kubebuilder.io/version: v0.2.9
name: issuers.cert.gardener.cloud
labels:
helm.sh/chart: {{ include "cert-management.chart" . }}
app.kubernetes.io/name: {{ include "cert-management.name" . }}
Expand Down Expand Up @@ -36,6 +36,11 @@ spec:
description: object creation timestamp
name: AGE
type: date
- JSONPath: .spec.acme.domains.include
description: included domains
name: INCLUDED_DOMAINS
priority: 2000
type: string
conversion:
strategy: None
group: cert.gardener.cloud
Expand Down Expand Up @@ -76,9 +81,53 @@ spec:
description: AutoRegistration is the flag if automatic registration
should be applied if needed.
type: boolean
domains:
description: Domains optionally specifies domains allowed or forbidden
for certificate requests
properties:
exclude:
description: Exclude are domain names for which certificate
requests are forbidden (including any subdomains)
items:
type: string
type: array
include:
description: Include are domain names for which certificate
requests are allowed (including any subdomains)
items:
type: string
type: array
type: object
email:
description: Email is the email address to use for user registration.
type: string
externalAccountBinding:
description: ACMEExternalAccountBinding is a reference to a CA external
account of the ACME server.
properties:
keyID:
description: keyID is the ID of the CA key that the External
Account is bound to.
type: string
keySecretRef:
description: keySecretRef is the secret ref to the Secret which
holds the symmetric MAC key of the External Account Binding
with data key 'hmacKey'. The secret key stored in the Secret
**must** be un-padded, base64 URL encoded data.
properties:
name:
description: Name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: Namespace defines the space within which the
secret name must be unique.
type: string
type: object
required:
- keyID
- keySecretRef
type: object
privateKeySecretRef:
description: PrivateKeySecretRef is the secret ref to the ACME private
key.
Expand All @@ -95,6 +144,11 @@ spec:
server:
description: Server is the URL of the ACME server.
type: string
skipDNSChallengeValidation:
description: SkipDNSChallengeValidation marks that this issuer does
not validate DNS challenges. In this case no DNS entries/records
are created for a DNS Challenge and DNS propagation is not checked.
type: boolean
required:
- email
- server
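Review bot: The new `domains.include`/`exclude` descriptions in this hunk (and the identical text in examples/10-crds.yaml and pkg/apis/cert/crds/cert.gardener.cloud_issuers.yaml) say subdomains are covered but not how a name is matched, so a reader cannot tell whether `include: [mydomain.com]` also admits `notmydomain.com` or which entry wins when an `exclude` overlaps an `include`; since the schema is what CRD users read, the description should state the rule, e.g. `... (the name itself or any subdomain, matched on label boundaries; exclude takes precedence over include)` once confirmed against the controller. The `controller-gen.kubebuilder.io/version` annotation suggests these files are generated, so the wording belongs in the Go type comments and should be regenerated rather than edited here. The same applies to `externalAccountBinding.keySecretRef.namespace`: the description permits a Secret in another namespace, and it would help to say whether the controller restricts which namespaces an Issuer may reference.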
92 changes: 80 additions & 12 deletions examples/10-crds.yaml
Expand Up @@ -41,16 +41,25 @@ spec:
jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- description: included domains
jsonPath: .spec.acme.domains.include
name: INCLUDED_DOMAINS
priority: 2000
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: Issuer is the issuer CR.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
Expand All @@ -61,24 +70,77 @@ spec:
description: ACME is the ACME protocol specific spec.
properties:
autoRegistration:
description: AutoRegistration is the flag if automatic registration should be applied if needed.
description: AutoRegistration is the flag if automatic registration
should be applied if needed.
type: boolean
domains:
description: Domains optionally specifies domains allowed or forbidden
for certificate requests
properties:
exclude:
description: Exclude are domain names for which certificate
requests are forbidden (including any subdomains)
items:
type: string
type: array
include:
description: Include are domain names for which certificate
requests are allowed (including any subdomains)
items:
type: string
type: array
type: object
email:
description: Email is the email address to use for user registration.
type: string
externalAccountBinding:
description: ACMEExternalAccountBinding is a reference to a CA
external account of the ACME server.
properties:
keyID:
description: keyID is the ID of the CA key that the External
Account is bound to.
type: string
keySecretRef:
description: keySecretRef is the secret ref to the Secret
which holds the symmetric MAC key of the External Account
Binding with data key 'hmacKey'. The secret key stored in
the Secret **must** be un-padded, base64 URL encoded data.
properties:
name:
description: Name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: Namespace defines the space within which
the secret name must be unique.
type: string
type: object
required:
- keyID
- keySecretRef
type: object
privateKeySecretRef:
description: PrivateKeySecretRef is the secret ref to the ACME private key.
description: PrivateKeySecretRef is the secret ref to the ACME
private key.
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
description: Name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
description: Namespace defines the space within which the
secret name must be unique.
type: string
type: object
server:
description: Server is the URL of the ACME server.
type: string
skipDNSChallengeValidation:
description: SkipDNSChallengeValidation marks that this issuer
does not validate DNS challenges. In this case no DNS entries/records
are created for a DNS Challenge and DNS propagation is not checked.
type: boolean
required:
- email
- server
Expand All @@ -90,15 +152,18 @@ spec:
description: PrivateKeySecretRef is the secret ref to the CA secret.
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
description: Name is unique within a namespace to reference
a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
description: Namespace defines the space within which the
secret name must be unique.
type: string
type: object
type: object
requestsPerDayQuota:
description: RequestsPerDayQuota is the maximum number of certificate requests per days allowed for this issuer
description: RequestsPerDayQuota is the maximum number of certificate
requests per days allowed for this issuer
type: integer
type: object
status:
Expand All @@ -116,17 +181,20 @@ spec:
description: Message is the status or error message.
type: string
observedGeneration:
description: ObservedGeneration is the observed generation of the spec.
description: ObservedGeneration is the observed generation of the
spec.
format: int64
type: integer
requestsPerDayQuota:
description: RequestsPerDayQuota is the actual maximum number of certificate requests per days allowed for this issuer
description: RequestsPerDayQuota is the actual maximum number of certificate
requests per days allowed for this issuer
type: integer
state:
description: State is either empty, 'Pending', 'Error', or 'Ready'.
type: string
type:
description: Type is the issuer type. Currently only 'acme' and 'ca' are supported.
description: Type is the issuer type. Currently only 'acme' and 'ca'
are supported.
type: string
required:
- state
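--- /dev/null
+++ b/examples/21-issuer-acme-eab.yaml
@@ -0,0 +1,31 @@
+# SPDX-FileCopyrightText: 2019 SAP SE or an SAP affiliate company and Gardener contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: cert.gardener.cloud/v1alpha1
+kind: Issuer
+metadata:
+name: issuer-with-external-account
+namespace: default
+spec:
+acme:
+server: https://some.acme.provider.com/directory
+email: some.user@mydomain.com
+autoRegistration: true
+externalAccountBinding:
+keyID: mykey
+keySecretRef:
+# the secret must contain the data key 'hmacKey'
+name: issuer-external-account-secret
+namespace: default
+# For some special setups, the DNS challenges are only performed pro forma. In this case the
+# DNS Entry creation and DNS propagation check can be disabled with 'skipDNSChallengeValidation: true'
+# skipDNSChallengeValidation: true
+
+# optionally restrict domain ranges for which certificates can be requested
+# domains:
+# include:
+# - sub1.mydomain.com
+# - sub2.mydomain.com
+# exclude:
+# - private.sub1.mydomain.com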
6 changes: 5 additions & 1 deletion hack/check-cert-secret.sh
Expand Up @@ -25,7 +25,7 @@ Helper for extracting information about the X509 certificate from the secret of
./check-cert-secret.sh check-revoke <namespace> <certificate name>
check OCSP revocation using OpenSSL
Prerequisites: `kubectl` and `openssl` must be on PATH. kubectl will use the current context.
Prerequisites: 'kubectl' and 'openssl' must be on PATH. kubectl will use the current context.
EOM
}
Expand Down Expand Up @@ -77,6 +77,10 @@ getOCSP()
OSCP_URI=$(openssl x509 -noout -ocsp_uri -in $certfile)
HOST=$(echo $OSCP_URI | awk '-F[/:]' '{print $4}')

if [[ ! -f "$immediatefile" ]]; then
immediatefile="$certfile"
fi

# Checking OCSP revocation using OpenSSL
openssl ocsp -header HOST $HOST -no_nonce -issuer "$immediatefile" -cert "$certfile" -text -url $OSCP_URI > "$ocspresponsefile"
}
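Review bot: The new fallback in getOCSP() substitutes the leaf certificate for the issuer in `openssl ocsp -issuer`, so when no intermediate file exists the OCSP request is built from the wrong issuer name/key hashes and the responder's answer is not a meaningful revocation check for that certificate; it would be safer to fail loudly, e.g. `echo "issuer certificate not found: $immediatefile" >&2; return 1`, than to run a check that cannot succeed. Where `$immediatefile` is set is outside the hunk, so this assumes it is the extracted intermediate/issuer certificate rather than a chain file. getOCSP's body begins before the hunk.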
42 changes: 42 additions & 0 deletions pkg/apis/cert/crds/cert.gardener.cloud_issuers.yaml
Expand Up @@ -39,6 +39,11 @@ spec:
jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- description: included domains
jsonPath: .spec.acme.domains.include
name: INCLUDED_DOMAINS
priority: 2000
type: string
name: v1alpha1
schema:
openAPIV3Schema:
Expand All @@ -61,9 +66,43 @@ spec:
autoRegistration:
description: AutoRegistration is the flag if automatic registration should be applied if needed.
type: boolean
domains:
description: Domains optionally specifies domains allowed or forbidden for certificate requests
properties:
exclude:
description: Exclude are domain names for which certificate requests are forbidden (including any subdomains)
items:
type: string
type: array
include:
description: Include are domain names for which certificate requests are allowed (including any subdomains)
items:
type: string
type: array
type: object
email:
description: Email is the email address to use for user registration.
type: string
externalAccountBinding:
description: ACMEExternalAccountBinding is a reference to a CA external account of the ACME server.
properties:
keyID:
description: keyID is the ID of the CA key that the External Account is bound to.
type: string
keySecretRef:
description: keySecretRef is the secret ref to the Secret which holds the symmetric MAC key of the External Account Binding with data key 'hmacKey'. The secret key stored in the Secret **must** be un-padded, base64 URL encoded data.
properties:
name:
description: Name is unique within a namespace to reference a secret resource.
type: string
namespace:
description: Namespace defines the space within which the secret name must be unique.
type: string
type: object
required:
- keyID
- keySecretRef
type: object
privateKeySecretRef:
description: PrivateKeySecretRef is the secret ref to the ACME private key.
properties:
Expand All @@ -77,6 +116,9 @@ spec:
server:
description: Server is the URL of the ACME server.
type: string
skipDNSChallengeValidation:
description: SkipDNSChallengeValidation marks that this issuer does not validate DNS challenges. In this case no DNS entries/records are created for a DNS Challenge and DNS propagation is not checked.
type: boolean
required:
- email
- server