forked from hswaw/hscloud
Remove pki scripts and info (now in hspki)
parent 5cb204b15e
commit 543bd6fa55
78
README.md
@ -5,46 +5,10 @@ Our Arista 7148S does not support gRPC/OpenConfig, so we have to make our own da
The schema is supposed to be 1:1 mapped to the JSON-RPC EAPI. This is just a dumb proxy.
The schema is supposed to be 1:1 mapped to the JSON-RPC EAPI. This is just a dumb proxy.
PKI Introduction
PKI
----------------
---
This project is a testing ground for the HSCloud PKI setup. Long story short,
This service uses [HSPKI](https://code.hackerspace.pl/q3k/hspki), you will need to generate development TLS certificates for local use.
all gRPC is mutually authenticated via TLS (server & client certs).
All certs for mutual auth have the following CN/SAN format:
<job>.<principal>.<realm>
For example, if principal maps into a 'group' and job into a 'user':
arista-proxy-dcr01u23.prod.c.example.com
job = arista-proxy-dcr01u23
principal = cluster-management-prod
realm = c.example.com
The Realm is a DNS name that is global to all jobs that need mutual authentication.
The Principal is any name that carries significance for logical grouping of jobs.
It can, but doesn't need to, group jobs by similar permissions.
The Job is any name that identifies uniquely (within the principal) a security
endpoint that describes a single security policy for a gRPC endpoint.
The entire CN should be DNS resolvable into an IP address that would respond to
gRPC requests on port 42000 (with a server TLS certificate that represents this CN) if the
job represents a service.
This maps nicely to the Kubernetes Cluster DNS format if you set `realm` to `svc.cluster.local`.
Then, `principal` maps to a Kubernetes namespace, and `job` maps into a Kubernetes service.
arista-proxy-dcr01u23.arista-prod.svc.cluster.local
job/service = arista-proxy-dcr01u23
principal/namespace = arista-prod
realm = svc.cluster.local
ACLs based on job/principal are yet to be implemented :).
Getting and Building
Getting and Building
--------------------
--------------------
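Review bot: the replacement paragraph at the top of this hunk drops the `<job>.<principal>.<realm>` naming scheme together with the closing line "ACLs based on job/principal are yet to be implemented", and nothing in the new text says where that authorization caveat now lives; a reader of the new README sees only the HSPKI link and may assume that mutual TLS also enforces authorization. Suggest keeping a one-line statement of whether job/principal ACLs are enforced (by HSPKI or not at all), and splitting the comma splice in "This service uses [HSPKI](...), you will need to generate development TLS certificates for local use." into two sentences.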
@ -53,34 +17,6 @@ Getting and Building
go generate code.hackerspace.pl/q3k/arista-proxy/proto
go generate code.hackerspace.pl/q3k/arista-proxy/proto
go build code.hackerspace.pl/q3k/arista-proxy
go build code.hackerspace.pl/q3k/arista-proxy
PKI Certs for Development
-------------------------
In production, those certs will be automatigacally provided for you by
automation. In development, you'll have to do the following:
cd pki
./gen.sh
This will generate:
- `pki/ca.pem` - CA certificate
- `pki/client{,-key}.pem` - certificate and key for `developer.humans.svc.cluster.local`
- `pki/service{,-key}.pem` - certificate and key for `test.arista-proxy.svc.cluster.local`
You will have to setup an /etc/hosts alias to make `test.arista-proxy.svc.cluster.local` resolve to your machine.
# cat /etc/hosts
...
127.0.0.1 test.arista-proxy.svc.cluster.local
...
You can then start `arista-proxy` with default flags and talk to it via gRPC:
./arista-proxy
alias grpc-dev="grpc -cacert $(pwd)/pki/ca.pem -key $(pwd)/pki/client-key.pem -cert $(pwd)/pki/client.pem"
grpc-dev test.arista-proxy.svc.cluster.local:42000 proto.AristaProxy.ShowVersion
Debug Status Page
Debug Status Page
-----------------
-----------------
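Review bot: the development quickstart is lost along with the PKI step: besides `cd pki` / `./gen.sh`, the hunk also removes the `/etc/hosts` alias for `test.arista-proxy.svc.cluster.local`, the `./arista-proxy` start command, the `grpc-dev` alias and the `proto.AristaProxy.ShowVersion` call on port 42000, so "Getting and Building" now ends at `go build`. Since the new intro tells the reader they "will need to generate development TLS certificates" but no longer says which hostname the service certificate must carry or how to exercise the service, consider keeping the hosts-alias and ShowVersion lines and replacing only the `gen.sh` step with its HSPKI equivalent.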
@ -105,16 +41,8 @@ Flags
If non-empty, write log files in this directory
If non-empty, write log files in this directory
-logtostderr
-logtostderr
log to standard error instead of files
log to standard error instead of files
-pki_realm string
PKI realm (default "svc.cluster.local")
-stderrthreshold value
-stderrthreshold value
logs at or above this threshold go to stderr
logs at or above this threshold go to stderr
-tls_ca_path string
Path to PKI CA certificate (default "pki/ca.pem")
-tls_certificate_path string
Path to PKI service certificate (default "pki/service.pem")
-tls_key_path string
Path to PKI service private key (default "pki/service-key.pem")
-v value
-v value
log level for V logs
log level for V logs
-vmodule value
-vmodule value
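Review bot: the flag listing loses `-pki_realm`, `-tls_ca_path`, `-tls_certificate_path` and `-tls_key_path`, but no Go source change appears in this diff, so it is not visible here whether the flags themselves were removed or whether HSPKI registers replacements. If the flags still exist in the binary, their documented defaults (`pki/ca.pem`, `pki/service.pem`, `pki/service-key.pem`) now point at files whose generator this same commit deletes; either document the HSPKI flags in this table or state that the defaults changed.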
@ -1,2 +0,0 @@
*csr
*pem
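Review bot: deleting the `*csr` and `*pem` ignore rules is consistent with removing the `pki/` directory, but anyone who already ran the old `gen.sh` still has `ca-key.pem`, `service-key.pem` and `client-key.pem` in their working tree, and without the ignore those private keys now appear as untracked files and are one `git add .` away from being committed. Suggest adding a repository-level ignore for `*.pem` (or wherever HSPKI writes development keys) in the same change.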
@ -1,13 +0,0 @@
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"test": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}
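Review bot: the removed cfssl signing config issues every certificate from a single `test` profile carrying both `server auth` and `client auth` usages with a one-year (`8760h`) expiry, which is what let one generator produce both halves of the mutual-TLS pair. If the HSPKI setup this migrates to keeps an equivalent profile, it is worth splitting it into separate server and client profiles so that a certificate issued to a client principal such as `developer.humans.svc.cluster.local` is not also valid for server authentication.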
@ -1,11 +0,0 @@
{
"names": [
{
"C": "US",
"L": "San Francisco",
"O": "Internet Widgets, Inc.",
"OU": "WWW",
"ST": "California"
}
]
}
@ -1,6 +0,0 @@
#!/bin/sh
set -e -x
rm *pem
rm *csr
@ -1,12 +0,0 @@
{
"CN": "developer.humans.svc.cluster.local",
"names": [
{
"C": "US",
"L": "San Francisco",
"O": "Internet Widgets, Inc.",
"OU": "WWW",
"ST": "California"
}
]
}
@ -1,7 +0,0 @@
#!/bin/sh
set -e -x
test -f ca.pem || ( cfssl gencert -initca ca_csr.json | cfssljson -bare ca )
test -f service.pem || ( cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca_config.json -profile=test service_csr.json | cfssljson -bare service )
test -f client.pem || ( cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca_config.json -profile=test client_csr.json | cfssljson -bare client )
@ -1,12 +0,0 @@
{
"CN": "test.arista-proxy.svc.cluster.local",
"names": [
{
"C": "US",
"L": "San Francisco",
"O": "Internet Widgets, Inc.",
"OU": "WWW",
"ST": "California"
}
]
}