Skyscanner / kms-issuer

Licence: Apache-2.0


KMS Issuer

KMS issuer is a cert-manager Certificate Request controller that uses AWS KMS to sign the certificate request.

Getting started

In this guide, we assume that you have a Kubernetes environment with a cert-manager version that supports CertificateRequest issuers (cert-manager v0.11.0 or higher).

For any details on Cert-Manager, check the official documentation.

Install

You can install the controller using the official helm chart:

helm repo add kms-issuer 'https://skyscanner.github.io/kms-issuer'
helm repo update

To install the chart with the release name kms-issuer:

helm upgrade --install kms-issuer kms-issuer/kms-issuer --namespace kms-issuer-system --create-namespace

Usage

  1. Install cert-manager. The operator has been tested with version v0.15.1
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.1/cert-manager.yaml
  2. Install and run the kms-issuer

Install the kms-issuer Kubernetes Custom Resources and start the controller.

# Install CRD
make install
# Run the controller (you must have a role able to create/access KMS keys)
make run
  3. Create a KMS Key

You need a valid asymmetric KMS key with the SIGN_VERIFY key usage. Currently, CloudFormation does not support KMS SIGN_VERIFY keys. To simplify the provisioning process, the kms-issuer operator provides a dedicated controller for provisioning a valid KMS key.

cat << EOF | kubectl apply -f -
---
apiVersion: cert-manager.skyscanner.net/v1alpha1
kind: KMSKey
metadata:
  name: kmskey-sample
spec:
  aliasName: alias/kms-issuer-example
  description: a kms-issuer example kms key
  customerMasterKeySpec: RSA_2048
  tags:
    project: kms-issuer
  deletionPolicy: Delete
  deletionPendingWindowInDays: 7
EOF
  4. Create a KMS issuer object
cat << EOF | kubectl apply -f -
---
apiVersion: cert-manager.skyscanner.net/v1alpha1
kind: KMSIssuer
metadata:
  name: kms-issuer
  namespace: default
spec:
  keyId: alias/kms-issuer-example # The KMS key id or alias
  commonName: My Root CA # The common name for the root certificate
  duration: 87600h # 10 years
EOF

At this point, the operator generates a public root certificate signed using the provided KMS key. You can inspect it with the following command:

kubectl get kmsissuer kms-issuer -o json | jq -r ".status.certificate" |  base64 --decode  | openssl x509 -noout -text
  5. Finally, create a Certificate request that will be signed by our KMS issuer.
cat << EOF | kubectl apply -f -
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com
  namespace: default
spec:
  # Secret names are always required.
  secretName: example-com-tls
  duration: 8760h # 1 year
  renewBefore: 360h # 15d
  subject:
    organizations:
      - skyscanner
  # The use of the common name field has been deprecated since 2000 and is
  # discouraged from being used.
  commonName: example.com
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  # At least one of a DNS Name, URI, or IP address is required.
  dnsNames:
    - example.com
    - www.example.com
  uris:
    - spiffe://cluster.local/ns/sandbox/sa/example
  ipAddresses:
    - 192.168.0.5
  # Issuer references are always required.
  issuerRef:
    name: kms-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: KMSIssuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.skyscanner.net
EOF

You now have a key pair with a certificate signed by KMS:

kubectl get secret example-com-tls
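The Secret alone does not tell you whether the certificate inside it actually chains to the KMSIssuer's root. The Go program below is an added example (not part of kms-issuer or its README) that performs the same check as openssl verify using crypto/x509: it loads the root certificate (what .status.certificate decodes to), parses the leaf (the tls.crt entry of example-com-tls), and verifies the chain, the DNS name, the validity period and the server-auth usage requested above. So that it runs offline, newTestPKI builds a constructed root CA and leaf in memory with a local RSA key; in a real deployment the root is signed inside KMS and you would pass in the two PEM files instead.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// verifyIssuedCert checks that the leaf certificate in leafPEM (the tls.crt of
// the example-com-tls Secret) chains to the root in rootPEM (the decoded
// .status.certificate of the KMSIssuer), is valid for dnsName at time now and
// is permitted for server authentication, one of the usages the Certificate asks for.
func verifyIssuedCert(rootPEM, leafPEM []byte, dnsName string, now time.Time) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return errors.New("no CA certificate found in root PEM")
	}
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("leaf PEM does not start with a CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse leaf: %w", err)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     dnsName,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// newTestPKI is a constructed fixture standing in for the two objects above:
// a self-signed "My Root CA" and a leaf for example.com signed by it. Real
// kms-issuer roots are signed inside KMS; here the CA key only lives in memory.
func newTestPKI(now time.Time) (rootPEM, leafPEM []byte, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "My Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(87600 * time.Hour), // 10 years, as in the KMSIssuer above
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.com", Organization: []string{"skyscanner"}},
		DNSNames:     []string{"example.com", "www.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(8760 * time.Hour), // 1 year, as in the Certificate above
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	rootPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return rootPEM, leafPEM, nil
}

func main() {
	now := time.Now()
	rootPEM, leafPEM, err := newTestPKI(now)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Correct name and time: the leaf chains to the root, so the error is nil.
	fmt.Println("example.com:", verifyIssuedCert(rootPEM, leafPEM, "example.com", now))
	// A name the certificate was not issued for is rejected.
	fmt.Println("other.example.org:", verifyIssuedCert(rootPEM, leafPEM, "other.example.org", now))
	// Checking after NotAfter is rejected as well.
	fmt.Println("expired:", verifyIssuedCert(rootPEM, leafPEM, "example.com", now.Add(9000*time.Hour)))
}
```

Against a live cluster, the two inputs are the root from the issuer status (kubectl get kmsissuer kms-issuer -o json | jq -r ".status.certificate" | base64 --decode) and the leaf from the Secret (kubectl get secret example-com-tls -o jsonpath='{.data.tls\.crt}' | base64 --decode); read those files in place of newTestPKI.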

API Reference

KMSKey

A KMSKey resource is used to create an AWS KMS asymmetric key compatible with the KMS issuer.

Field (type): Description

apiVersion (string): cert-manager.skyscanner.net/v1alpha1
kind (string): KMSKey
metadata (object): Refer to the Kubernetes API documentation for metadata fields.
spec (object): Desired state of the KMSKey resource.
spec.aliasName (string): The alias name for the KMS key. This value must begin with alias/ followed by a name, such as alias/ExampleAlias.
spec.description (string): Description for the key. (optional)
spec.customerMasterKeySpec (string): Determines the signing algorithms that the CMK supports. Only RSA_2048 is currently supported. (optional, default=RSA_2048)
spec.policy (string): The key policy to attach to the CMK. (optional)
spec.tags (object): A list of tags for the key. (optional)
spec.deletionPolicy (string): Whether to delete the alias and key when the object is deleted. Either Retain or Delete. (optional, default=Retain)
spec.deletionPendingWindowInDays (int): Number of days before the KMS key gets deleted. If you include a value, it must be between 7 and 30, inclusive. If you do not include a value, it defaults to 30. (optional)

KMSIssuer

A KMSIssuer resource configures a new Cert-Manager external issuer.

Field (type): Description

apiVersion (string): cert-manager.skyscanner.net/v1alpha1
kind (string): KMSIssuer
metadata (object): Refer to the Kubernetes API documentation for metadata fields.
spec (object): Desired state of the KMSIssuer resource.
spec.keyId (string): The unique identifier (or alias) of the customer master key.
spec.commonName (string): The common name to be used on the certificate.
spec.duration (duration): Default certificate duration. (optional, default=26280h, i.e. 3 years)
spec.renewBefore (duration): The amount of time before the certificate's notAfter time at which the issuer will begin to attempt to renew the certificate. If this value is greater than the total duration of the certificate (i.e. notAfter - notBefore), the certificate is renewed 2/3 of the way through its duration.

The NotBefore field on the certificate is set to the current time rounded down to the renewal interval. For example, if the certificate is renewed every hour, the NotBefore field is set to the beginning of the hour; if it is renewed every day, the NotBefore field is set to the beginning of the day. This yields the same certificate regardless of when within the renewal period it is generated, and lets you recreate an identical certificate after a backup/restore of your Kubernetes cluster. For more details on the computation, check the time.Truncate function.
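The rounding rule above is easy to reason about in code. The Go program below is an added example, not the project's own implementation: certWindow takes the renewal instant, the duration and renewBefore, truncates the instant with time.Truncate, and returns NotBefore, NotAfter and the next renewal time. How the renewal interval is derived from renewBefore is this example's reading of the paragraphs above (duration minus renewBefore, or two thirds of the duration when renewBefore is unset or exceeds the duration) and is marked as an assumption in the comments; the sample timestamps are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Window is the validity window a certificate receives under the rule
// described above: NotBefore is the renewal instant truncated to the renewal
// interval, NotAfter is NotBefore plus the requested duration.
type Window struct {
	NotBefore time.Time
	NotAfter  time.Time
	RenewAt   time.Time // first instant at which a renewal yields a new NotBefore
}

// renewalInterval derives the renewal period from duration and renewBefore.
// Assumption (this example's reading of the README, not the project's code):
// the certificate is normally renewed renewBefore ahead of NotAfter, i.e.
// every duration-renewBefore; when renewBefore is unset or exceeds the
// duration it is renewed 2/3 of the way through, i.e. every duration*2/3.
func renewalInterval(duration, renewBefore time.Duration) time.Duration {
	if renewBefore <= 0 || renewBefore >= duration {
		return duration * 2 / 3
	}
	return duration - renewBefore
}

// certWindow computes the window for a renewal happening at now. time.Truncate
// rounds down relative to the zero Time, so every renewal inside one interval
// produces the same NotBefore; re-issuing the certificate, or restoring the
// cluster from backup and re-issuing, therefore yields an identical window.
func certWindow(now time.Time, duration, renewBefore time.Duration) Window {
	interval := renewalInterval(duration, renewBefore)
	notBefore := now.Truncate(interval)
	return Window{
		NotBefore: notBefore,
		NotAfter:  notBefore.Add(duration),
		RenewAt:   notBefore.Add(interval),
	}
}

func main() {
	// Constructed sample: a 24h certificate renewed 12h before expiry, issued
	// at two different moments inside the same 12h interval.
	t1 := time.Date(2024, time.March, 5, 10, 17, 42, 0, time.UTC)
	t2 := time.Date(2024, time.March, 5, 11, 59, 59, 0, time.UTC)
	w1 := certWindow(t1, 24*time.Hour, 12*time.Hour)
	w2 := certWindow(t2, 24*time.Hour, 12*time.Hour)
	fmt.Println("same interval, same NotBefore:", w1.NotBefore.Equal(w2.NotBefore), w1.NotBefore.UTC())
	fmt.Println("NotAfter:", w1.NotAfter.UTC(), "RenewAt:", w1.RenewAt.UTC())

	// renewBefore larger than the duration falls back to the 2/3 rule.
	w3 := certWindow(t1, 3*time.Hour, 5*time.Hour)
	fmt.Println("2/3 rule:", w3.NotBefore.UTC(), w3.RenewAt.UTC(), w3.NotAfter.UTC())
}
```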

Disable Approval Check

The KMS Issuer will wait for CertificateRequests to have an approved condition set before signing. If using an older version of cert-manager (pre v1.3), you can disable this check by supplying the command line flag -enable-approved-check=false to the Issuer Deployment.

Contributing

Kms-Issuer is built using the Kubebuilder framework. See the official documentation to get started and check CONTRIBUTING.md for more details.

Security

Check SECURITY.md.
