Merge pull request #3 from EverTrust/v0.0.1
v0.0.1
antoninguyot authored Jul 6, 2022
2 parents c0bbf9d + be70594 commit 5455c7e
Showing 15 changed files with 383 additions and 90 deletions.
28 changes: 28 additions & 0 deletions .github/workflows/docker_build.yml
@@ -0,0 +1,28 @@
name: Docker build
on:
workflow_dispatch:
inputs:
tag:
description: Docker image tag
type: string
required: true
jobs:
docker:
runs-on: ubuntu-latest
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to DockerHub
uses: docker/login-action@v2
with:
registry: registry.evertrust.io
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Build and push
uses: docker/build-push-action@v3
with:
push: true
platforms: linux/amd64,linux/arm64
tags: registry.evertrust.io/horizon-issuer:${{ inputs.tag }}
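Review bot: every action in this workflow is referenced by a mutable tag (`docker/setup-qemu-action@v2`, `docker/setup-buildx-action@v2`, `docker/login-action@v2`, `docker/build-push-action@v3`); for a workflow that holds registry credentials and publishes the image, pin each `uses:` to a full commit SHA (keeping the tag in a trailing comment) so a moved tag cannot swap the code that sees `secrets.REGISTRY_PASSWORD`. Two smaller points: the step is named `Login to DockerHub` but logs in to `registry.evertrust.io`, and there is no `actions/checkout` step, so `build-push-action` builds from its default Git context of the triggering ref; if that is intended, a one-line comment saying so would save the next reader a trip to the action docs.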
55 changes: 51 additions & 4 deletions Readme.md
Expand Up @@ -4,7 +4,7 @@
## Prerequisites
This software has been testing against the following environment :
- Horizon version 2.1.0 and above
- Horizon version 2.2.0 and above
- Kubernetes version 1.22 and above

## Installation
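Review bot: the unchanged line just above the bumped version still reads "has been testing against"; since this block is being edited anyway it should say "tested against". It would also help to state what drives the new 2.2.0 floor (for example which Horizon API the `owner`/`team`/`labels` metadata or the revocation support depends on) so users still on 2.1.x know what will fail rather than discovering it at enrollment time.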
Expand Down Expand Up @@ -76,10 +76,57 @@ metadata:
> **Warning** : be sure to set the `cert-manager.io/common-name` annotation as by default, ingress-shim will generate certificates without any DN. This will cause errors on Horizon's side.


### Using labels, owners and teams
Horizon offers useful features to categorize and better understand your certificates through metadata. You may specify metadata at three levels :

#### On an ingress object
You may use the following annotations on ingresses that will be reflected onto the enrolled certificate :
```yaml
horizon.evertrust.io/owner: owner-name
horizon.evertrust.io/team: team-name
```

#### On a certificate object
You may use the following annotations on the cert-manager `Certificate` object, that will be reflected onto the enrolled certificate :
```yaml
horizon.evertrust.io/owner: owner-name
horizon.evertrust.io/team: team-name
```
These values, if set, will take precedence over annotations on an `Ingress` object.

#### On a `ClusterIssuer` or `Issuer` object
You may configure your issuer to apply certain metadata to every certificate enrolled through it, by modifying its spec. The following keys are available :
```yaml
apiVersion: horizon.evertrust.io/v1alpha1
kind: ClusterIssuer
spec:
owner: owner-name
team: team-name
labels:
label-key: label-value
```
These values, if set, will take precedence over annotations on an `Ingress` or `Certificate` object.

## Configuration

### Revoking deleted certificates
### Trusting custom CAs

By default, Horizon issuer does not revoke certificates deleted from Kubernetes as cert-manager can reuse the private key kept in the according secret.
Your Horizon instance may be presenting a certificate issued by your custom CA. To trust that certificate, you may specify a CA bundle when creating the issuer through the `caBundle` field. You may also completely disable TLS verification by setting `skipTLSVerify` to `true`, this is however highly discouraged.

Example :
```yaml
apiVersion: horizon.evertrust.io/v1alpha1
kind: ClusterIssuer
spec:
caBundle: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
skipTLSVerify: false
```
You can also mount your custom `/etc/ssl/certs` directory if you wish to have more control over the underlying OS trust store.

### Revoking deleted certificates

If you want to enable that behavior, set the `revokeCertificates` to `true` in your `values.yaml` file.
By default, Horizon issuer does not revoke certificates deleted from Kubernetes as cert-manager can reuse the private key kept in the deleted certificate's secret.
If you want to revoke certificates are they are deleted, set the `revokeCertificates` property to `true` on your `Issuer` or `ClusterIssuer` object. When doing so, you may want to [clean up secrets as soon as certificates are revoked](https://cert-manager.io/docs/usage/certificate/#cleaning-up-secrets-when-certificates-are-deleted).
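Review bot: in the last added line, "revoke certificates are they are deleted" should read "as they are deleted". On content: the `skipTLSVerify` paragraph says the option is "highly discouraged" but not why; one clause noting that with verification off, the Horizon credentials referenced by the issuer's `authSecretName` are presented to whatever answers at `url` would make the risk concrete, and keeping `skipTLSVerify: false` spelled out in the example is a good default to show. The precedence rule is also stated twice with different scope ("over annotations on an `Ingress` object", then "over annotations on an `Ingress` or `Certificate` object"); a single sentence giving the full order, issuer spec over `Certificate` annotations over `Ingress` annotations, would be clearer than two partial ones.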
31 changes: 28 additions & 3 deletions api/v1alpha1/issuer_types.go
Expand Up @@ -22,8 +22,8 @@ import (

// IssuerSpec defines the desired state of Issuer
type IssuerSpec struct {
// URL is the base URL for the endpoint of the signing service,
// for example: "https://sample-signer.example.com/api".
// URL is the base URL of your Horizon instance,
// for instance: "https://horizon.yourcompany.com".
URL string `json:"url"`

// The Horizon Profile that will be used to enroll certificates. Your
Expand All @@ -37,9 +37,34 @@ type IssuerSpec struct {
// namespace that the controller runs in).
AuthSecretName string `json:"authSecretName"`

// An optional string containing the CA bundle required to
// CaBundle contains the CA bundle required to
// trust the Horizon endpoint certificate
// +optional
CaBundle *string `json:"caBundle,omitempty"`

// SkipTLSVerify indicates if untrusted certificates should be allowed
// when connecting to the Horizon instance.
// +optional
// +kubebuilder:default:=false
SkipTLSVerify bool `json:"skipTLSVerify"`

// RevokeCertificates controls whether this issuer should revoke certificates
// that have been issued through it when their Kubernetes object is deleted.
// +kubebuilder:default:=false
// +optional
RevokeCertificates bool `json:"revokeCertificates"`

// Labels is a map of labels that will override labels
// set at the Certificate or Ingress levels.
Labels map[string]string `json:"labels,omitempty"`

// Owner will override the owner value set
// at the Certificate or Ingress levels.
Owner *string `json:"owner,omitempty"`

// Team will override the team value set
// at the Certificate or Ingress levels.
Team *string `json:"team,omitempty"`
}

// IssuerStatus defines the observed state of Issuer
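Review bot: `SkipTLSVerify` disables verification of the Horizon endpoint on a connection that carries the credentials named by `AuthSecretName`; beyond the `+optional` marker, the doc comment should say it is intended for testing only, and the reconciler should log or emit a Warning event whenever it is set so an operator can spot it with `kubectl get events`. Two consistency points: the marker order differs between `SkipTLSVerify` (`+optional` then `+kubebuilder:default`) and `RevokeCertificates` (the reverse), and `Labels`, `Owner` and `Team` carry `omitempty` but no `// +optional` marker, unlike `CaBundle` which has both. `CaBundle` should also state the expected encoding (PEM, possibly several concatenated certificates), since the README example in this same change pastes a PEM block.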
17 changes: 17 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go
26 changes: 5 additions & 21 deletions charts/horizon-issuer/Chart.yaml
@@ -1,24 +1,8 @@
apiVersion: v2
name: horizon-issuer
description: A Helm chart for Kubernetes

# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
description: Issue certificates seamlessly using Horizon and cert-manager.
type: application

# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "1.16.0"
version: 0.0.1
appVersion: "0.0.1"
sources:
- https://github.com/evertrust/horizon-issuer
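Review bot: `version` goes from `0.1.0` to `0.0.1`, a downgrade in semver terms; Helm will install it, but chart repository indexes and `helm search` sort by version, so `0.0.1` will rank below the scaffold's `0.1.0` wherever that one was ever published. Either start at `0.1.1` or confirm `0.1.0` never left a developer machine. `appVersion: "0.0.1"` also disagrees with the `image.tag: 0.0.3` set in `values.yaml` in this same change; pick one source of truth (defaulting the tag to `.Chart.AppVersion` is the usual pattern).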
Original file line number Diff line number Diff line change
Expand Up @@ -57,16 +57,41 @@ spec:
(and defaults to the namespace that the controller runs in).
type: string
caBundle:
description: An optional string containing the CA bundle required
to trust the Horizon endpoint certificate
description: CaBundle contains the CA bundle required to trust the
Horizon endpoint certificate
type: string
labels:
additionalProperties:
type: string
description: Labels is a map of labels that will override labels set
at the Certificate or Ingress levels.
type: object
owner:
description: Owner will override the owner value set at the Certificate
or Ingress levels.
type: string
profile:
description: The Horizon Profile that will be used to enroll certificates.
Your authenticated principal should have rights over this Profile.
type: string
revokeCertificates:
default: false
description: RevokeCertificates controls whether this issuer should
revoke certificates that have been issued through it when their
Kubernetes object is deleted.
type: boolean
skipTLSVerify:
default: false
description: SkipTLSVerify indicates if untrusted certificates should
be allowed when connecting to the Horizon instance.
type: boolean
team:
description: Team will override the team value set at the Certificate
or Ingress levels.
type: string
url:
description: 'URL is the base URL for the endpoint of the signing
service, for example: "https://sample-signer.example.com/api".'
description: 'URL is the base URL of your Horizon instance, for instance:
"https://horizon.yourcompany.com".'
type: string
required:
- authSecretName
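Review bot: the descriptions in this hunk are copied verbatim from the Go doc comments, and the same schema appears again in `charts/horizon-issuer/crds/horizon.evertrust.io_issuers.yaml` below; keeping two hand-shipped copies in sync with `api/v1alpha1/issuer_types.go` is easy to get wrong. A CI step that runs the CRD generation and fails on a non-empty `git diff` would catch drift, and the `caBundle` description should say the value is PEM, since the README in this change pastes a PEM block into it.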
48 changes: 40 additions & 8 deletions charts/horizon-issuer/crds/horizon.evertrust.io_issuers.yaml
Expand Up @@ -17,13 +17,21 @@ spec:
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .profile
- jsonPath: .spec.profile
name: Profile
type: string
- jsonPath: .spec.url
name: Horizon URL
type: string
- jsonPath: .spec.authSecretName
name: Secret
type: string
- jsonPath: .status.conditions[?(@.type=='Ready')].status
name: Ready
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: Issuer is the Schema for the issuers API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
Expand All @@ -48,16 +56,41 @@ spec:
(and defaults to the namespace that the controller runs in).
type: string
caBundle:
description: An optional string containing the CA bundle required
to trust the Horizon endpoint certificate
description: CaBundle contains the CA bundle required to trust the
Horizon endpoint certificate
type: string
labels:
additionalProperties:
type: string
description: Labels is a map of labels that will override labels set
at the Certificate or Ingress levels.
type: object
owner:
description: Owner will override the owner value set at the Certificate
or Ingress levels.
type: string
profile:
description: The Horizon Profile that will be used to enroll certificates.
Your authenticated principal should have rights over this Profile.
type: string
revokeCertificates:
default: false
description: RevokeCertificates controls whether this issuer should
revoke certificates that have been issued through it when their
Kubernetes object is deleted.
type: boolean
skipTLSVerify:
default: false
description: SkipTLSVerify indicates if untrusted certificates should
be allowed when connecting to the Horizon instance.
type: boolean
team:
description: Team will override the team value set at the Certificate
or Ingress levels.
type: string
url:
description: 'URL is the base URL for the endpoint of the signing
service, for example: "https://sample-signer.example.com/api".'
description: 'URL is the base URL of your Horizon instance, for instance:
"https://horizon.yourcompany.com".'
type: string
required:
- authSecretName
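Review bot: `url` is a bare `type: string` with no constraint; since it is the endpoint that receives the issuer's credentials, adding a `pattern` that requires an `https://` prefix (or at least `format: uri`) would reject a mistyped or plaintext URL at admission instead of at the first reconcile, where it is only visible as a failed condition.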
Expand Down Expand Up @@ -107,8 +140,7 @@ spec:
type: object
served: true
storage: true
subresources:
status: {}
subresources: {}
status:
acceptedNames:
kind: ""
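Review bot: replacing `subresources: {status: {}}` with `subresources: {}` removes the status subresource from this CRD, which changes behaviour in ways worth confirming are intended: status writes now go through the main resource endpoint, so a controller-runtime `r.Status().Update()` call fails because `/status` no longer exists; any RBAC rule scoped to `issuers/status` grants nothing; and any full-object write from a client (for example `kubectl replace`) now carries, and can clobber, the status the controller wrote, which would also blank the `Ready` printer column added earlier in this file. If the intent was only to drop unused subresources, keep `status: {}`.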
11 changes: 8 additions & 3 deletions charts/horizon-issuer/templates/deployment.yaml
Expand Up @@ -38,9 +38,6 @@ spec:
- /manager
args:
- --leader-elect
{{- if .Values.revokeCertificates }}
- --revoke-certificates
{{- end }}
ports:
- containerPort: 8080
name: http
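Review bot: with the `--revoke-certificates` arg dropped, a values file that still sets `revokeCertificates: true` (the previous chart default) renders without error and silently stops revoking, since the setting has moved to `spec.revokeCertificates` on the `Issuer`/`ClusterIssuer`. Consider failing the render when the old key is present (`{{- if hasKey .Values "revokeCertificates" }}{{ fail "revokeCertificates moved to the Issuer spec" }}{{- end }}`) or at least calling the move out in `NOTES.txt` and the chart changelog.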
Expand All @@ -56,13 +53,21 @@ spec:
port: 8081
initialDelaySeconds: 5
periodSeconds: 10
{{- if .Values.volumeMounts }}
volumeMounts:
{{- toYaml .Values.volumeMounts | nindent 12 }}
{{- end }}
env:
{{- range $key, $value := .Values.env }}
- name: {{ $key }}
value: "{{ $value }}"
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.volumes }}
volumes:
{{- toYaml .Values.volumes | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
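Review bot: the `env:` key is always emitted while `volumeMounts` and `volumes` are guarded with `{{- if }}`, so with no `.Values.env` set this renders `env:` with a null value; guard it the same way. Inside the range, `value: "{{ $value }}"` breaks the YAML if a value contains a double quote and stringifies non-string values oddly; `value: {{ $value | quote }}` is the safer form. Also, anything placed in `.Values.env` ends up in plain text in the rendered manifest and in the Helm release secret, so for credentials the chart should accept `valueFrom.secretKeyRef` entries (for example by taking a list of raw `env` items through `toYaml`) rather than only key/value pairs.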
8 changes: 5 additions & 3 deletions charts/horizon-issuer/values.yaml
@@ -1,12 +1,10 @@
# Default values for horizon-issuer.

revokeCertificates: true

replicaCount: 1

image:
repository: registry.evertrust.io/horizon-issuer
tag: 0.0.1
tag: 0.0.3
pullPolicy: IfNotPresent

imagePullSecrets: []
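Review bot: `image.tag` moves to `0.0.3` while `Chart.yaml` in this same change sets `appVersion: "0.0.1"` and the merged branch is `v0.0.1`; one of these is stale. The usual pattern is `tag: ""` here and `{{ .Values.image.tag | default .Chart.AppVersion }}` in the deployment so the chart release and the image stay aligned. Since a tag on `registry.evertrust.io` can be moved after the fact, offering an `image.digest` value so the deployment can reference the image by immutable digest is worth adding for production installs.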
Expand Down Expand Up @@ -38,6 +36,10 @@ podSecurityContext:
securityContext:
allowPrivilegeEscalation: false

volumeMounts: []

volumes: []

resources: {}

autoscaling:
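Review bot: `volumeMounts: []` and `volumes: []` get defaults here, but `env`, which `deployment.yaml` now reads through `range $key, $value := .Values.env`, does not; add `env: {}` with a short comment so the option is discoverable from `helm show values`, and note in that comment that these values are rendered in plain text.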
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -3,7 +3,7 @@ module github.com/evertrust/horizon-issuer
go 1.16

require (
github.com/evertrust/horizon-go v0.0.0-20220405090940-041e01ad81b4
github.com/evertrust/horizon-go v0.0.3
github.com/jetstack/cert-manager v1.6.1
k8s.io/api v0.22.2
k8s.io/apimachinery v0.22.2
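Review bot: moving `horizon-go` from a pseudo-version to the tagged `v0.0.3` is the right direction, but the matching `go.sum` change is not among the files rendered here; confirm it is part of the PR and that `go mod verify` passes so the build pins the checksum of the release and not just the tag name. Now that the dependency is a proper release, a Dependabot or Renovate config would turn future bumps into reviewed PRs instead of manual edits.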