Monitor and manage public keys for services running on a disconnected private network.
getpublickey is a utility that provides an API for applications to obtain the public key of a service. This is particularly valuable in secure environments where services utilize self-signed keys. Instead of disabling certificate verification within the secure network, this utility enables them to utilize TLS by retrieving the self-signed public key, allowing users to verify the acquired public key before using it for further communication.
Note
This utility is intended for applications that can't fetch the publick key directly, for example applications that run on a network that does not have access to the service. If your applicaion have access to the service you can get a public key without the need of a service running on a different network.
For example if the service is running on the same network you can use command line tools like openssl
to get the public key directly:
echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -text
To start using getpublickey, follow these simple steps:
To get started with getpublickey, the first step is to clone the repository to your local machine.
git clone https://github.com/kubev2v/getpublickey.git
cd getpublickey
Before you run the server, ensure your environment is properly set up:
Install Python: getpublickey requires Python to run. If you haven't already, download and install Python.
Install isort
for imports sorting:
pip install isort
Install black
for code formatting:
pip install black
Install podman
if you wish to build and use container images. Follow the installation guide specific to your operating system.
Set up a kind
Kubernetes cluster if you want to run the server in a cluster environment. Detailed instructions can be found on the kind GitHub repository.
python ./src/getpublickey.py --help
--port: Specify the port for the server to listen to. (Default is 8443)
python ./src/getpublickey.py --port 8080
--listen: Set the listen address. (Default is 0.0.0.0)
python ./src/getpublickey.py --listen 192.168.1.100
--tls-key and --tls-cert: Point to files containing the server PEM certs. (Default are tls.key and tls.crt)
python ./src/getpublickey.py --tls-key certs/tls.key --tls-cert certs/tls.crt
mkdir certs
openssl req -x509 -newkey rsa:4096 -keyout certs/tls.key -out certs/tls.crt -days 365 -nodes
Note
This will create a certs directory with two files: tls.key
(the private key) and tls.crt
(the certificate).
With the server up and running, you can access the API to retrieve public keys. Use the curl
CLI utility:
curl -k -G https://127.0.0.1:8443/ --data 'url=github.com'
Note
Replace the url
parameter value with the desired server's URL from which you want to retrieve the public key.
To build the container image using Podman:
podman build -t quay.io/kubev2v/getpublickey:latest .
This command builds the container and tags it as quay.io/kubev2v/getpublickey:latest
.
Once the image is built, you can run it locally using the following command:
podman run -it -p 8443:8443 -v $(pwd)/certs:/var/run/secrets/getpublickey-serving-cert:Z quay.io/kubev2v/getpublickey:latest
This command:
- Maps port 8443 on the host to port 8443 in the container.
- Mounts the
certs
directory (with the self-signed certificates) to/var/run/secrets/getpublickey-serving-cert
in the container. - Uses the
:Z
option to ensure the mounted directory has the correct SELinux label. - Runs the container image
quay.io/kubev2v/getpublickey:latest
.
After executing the command, your service should be accessible at https://localhost:8443
.
To deploy and run the getpublickey
server on a Kubernetes cluster, follow the steps below:
Ensure you have kubectl
installed and properly configured to communicate with your cluster.
You need permissions to create new namespaces
and deployments
on the cluster.
-
Log in to the cluster: Ensure you're logged into your Kubernetes cluster with the necessary permissions.
-
Deploy the Application: Apply the provided deployment configuration:
kubectl apply -f ci/deployment.yaml
This command will perform the following actions:
- Create the
konveyor-forklift
namespace. - Create a secret containing example PEM certification files.
- Deploy the
getpublickey
server. - Create a service to expose the
getpublickey
server inside the cluster.
After running the command, ensure that the deployment is successful and the pods are running:
kubectl get pods -n konveyor-forklift
The getpublickey
service is exposed within the cluster under the konveyor-forklift
namespace on port 8443.
To access the service from your local machine, you can use kubectl
port-forward:
Run the following command to forward port 8443 from the service to port 8443 on your local machine:
kubectl port-forward svc/getpublickey 8443:8443 -n konveyor-forklift