Extend Venafi document

Signed-off-by: James Munnelly <james@munnelly.eu>
2019-07-17 18:57:13 +01:00 · 2019-07-17 18:57:13 +01:00 · e55dffe451
commit e55dffe451
parent c4d7ded535
2 changed files with 164 additions and 28 deletions
--- a/docs/tutorials/index.rst
+++ b/docs/tutorials/index.rst
@ -12,3 +12,4 @@ For more information on performing individual tasks, read the
   :maxdepth: 2

   acme/index
+   venafi/securing-ingress
--- a/docs/tutorials/venafi/securing-ingress.rst
+++ b/docs/tutorials/venafi/securing-ingress.rst
@ -145,7 +145,6 @@ the ingress-nginx service.
 .. _`documentation for nginx-ingress`: https://kubernetes.github.io/ingress-nginx/
 .. _Network Load Balancer (NLB): https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html

-==========================
 Configure your DNS records
 ==========================

@ -156,17 +155,15 @@ Go into your DNS provider's console and set a CNAME record pointing to your
 NLB.

 For the purposes of demonstration, we will assume in this guide you have
-created the following DNS entries:
+created the following DNS entry:

-.. code-block::
+.. code-block:: text

-   www.example.com CNAME a8c2870a5a8a311e9a9a10a2e7af57d7-6c2ec8ede48726ab.elb.eu-west-1.amazonaws.com
   example.com CNAME a8c2870a5a8a311e9a9a10a2e7af57d7-6c2ec8ede48726ab.elb.eu-west-1.amazonaws.com

-As you progress through the rest of this tutorial, please replace these
-domain names with your own registered domain.
+As you progress through the rest of this tutorial, please replace
+``example.com`` with your own registered domain.

-============================
 Deploying a demo application
 ============================

@ -238,7 +235,7 @@ You should be able to see two Pods and one Service in the ``demo`` namespace:

 .. code-block:: shell

-   kubectl get po,svc
+   kubectl get po,svc -n demo
   NAME                                READY   STATUS    RESTARTS   AGE
   hello-kubernetes-66d45d6dff-m2lnr   1/1     Running   0          7s
   hello-kubernetes-66d45d6dff-qt2kb   1/1     Running   0          7s
@ -249,7 +246,6 @@ You should be able to see two Pods and one Service in the ``demo`` namespace:
 Note that we have not yet exposed this application to be accessible over the
 internet. We will expose the demo application to the internet in later steps.

-=================================
 Creating a Venafi Issuer resource
 =================================

@ -262,7 +258,8 @@ In order for cert-manager to be able to authenticate with your Venafi Cloud
 account and set up a ClusterIssuer resource, you'll need to create a Kubernetes
 Secret containing your API key:

-.. code-block:: secret
+.. code-block:: shell
+
   kubectl create secret generic \
     venafi-cloud-secret \
     --namespace=demo \
@ -294,7 +291,7 @@ Then run:

 .. code-block:: shell

-   kubectl apply -f venafi-issuer.yaml
+   kubectl apply -n demo -f venafi-issuer.yaml

 When you run the following command, you should see that the Status stanza of
 the output shows that the Issuer is Ready (i.e. has successfully validated
@ -319,7 +316,6 @@ itself with the Venafi Cloud service).

 .. _enroll page: https://ui.venafi.cloud/enroll

-=====================
 Request a Certificate
 =====================

@ -331,8 +327,8 @@ Full information on how to specify and request Certificate resources can be
 found in the :doc:`Issuing certificates </tasks/issuing-certificates/index>`
 guide.

-For now, we will create a basic x509 Certificate that is valid for our two
-domains, ``example.com`` and ``www.example.com``:
+For now, we will create a basic x509 Certificate that is valid for our domain,
+``example.com``:

 .. code-block:: yaml
   :linenos:
@ -346,7 +342,6 @@ domains, ``example.com`` and ``www.example.com``:
     secretName: example-com-tls
     dnsNames:
     - example.com
-     - www.example.com
     issuerRef:
       name: cloud-venafi-issuer

@ -354,13 +349,148 @@ Save this YAML into a file named ``example-com-tls.yaml`` and run:

 .. code-block:: shell

-   kubectl apply -f example-com-tls.yaml
+   kubectl apply -n demo -f example-com-tls.yaml
+
+As long as you've ensured that the zone of your Venafi Cloud account (in our
+example, we use the "Default" zone) has been configured with a CA or contains a
+custom certificate, cert-manager can now take steps to populate the
+``example-com-tls`` Secret with a certificate. It does this by identifying
+itself with Venafi Cloud using the API key, then requesting a certificate to
+match the specifications of the Certificate resource that we've created.
+
+You can run ``kubectl describe`` to check the progress of your Certificate:
+
+.. code-block:: shell
+
+   kubectl describe certificate -n demo example-com-tls
+
+   ...
+   Status:
+     Conditions:
+       Last Transition Time:  2019-07-17T17:43:01Z
+       Message:               Certificate is up to date and has not expired
+       Reason:                Ready
+       Status:                True
+       Type:                  Ready
+     Not After:               2019-10-15T12:00:00Z
+   Events:
+     Type    Reason       Age   From          Message
+     ----    ------       ----  ----          -------
+     Normal  Issuing      33s   cert-manager  Requesting new certificate...
+     Normal  GenerateKey  33s   cert-manager  Generated new private key
+     Normal  Validate     33s   cert-manager  Validated certificate request against Venafi zone policy
+     Normal  Requesting   33s   cert-manager  Requesting certificate from Venafi server...
+     Normal  Retrieve     15s   cert-manager  Retrieved certificate from Venafi server
+     Normal  CertIssued   15s   cert-manager  Certificate issued successfully
+
+Once the Certificate has been issued, you should see events similar to above.
+
+You should then be able to see the certificate has been successfully stored in
+the Secret resource:
+
+.. code-block:: shell
+
+   kubectl get secret -n demo example-com-tls
+
+   NAME              TYPE                DATA   AGE
+   example-com-tls   kubernetes.io/tls   3      2m47s
+
+   kubectl get secret example-com-tls -o 'go-template={{index .data "tls.crt"}}' | \
+     base64 --decode | \
+     openssl x509 -noout -text
+
+   Certificate:
+       Data:
+           Version: 3 (0x2)
+           Serial Number:
+               0d:ce:bf:89:04:d4:41:83:f4:4c:32:66:64:fb:60:14
+       Signature Algorithm: sha256WithRSAEncryption
+           Issuer: C=US, O=DigiCert Inc, CN=DigiCert Test SHA2 Intermediate CA-1
+           Validity
+               Not Before: Jul 17 00:00:00 2019 GMT
+               Not After : Oct 15 12:00:00 2019 GMT
+           Subject: C=US, ST=California, L=Palo Alto, O=Venafi Cloud, OU=SerialNumber, CN=example.com
+           Subject Public Key Info:
+               Public Key Algorithm: rsaEncryption
+                   Public-Key: (2048 bit)
+                   Modulus:
+                       00:ad:2e:66:02:20:c9:b1:6a:00:63:70:4e:22:3c:
+                       45:63:6e:e7:fd:4c:94:7d:75:50:22:a2:01:72:99:
+                       9c:23:04:90:51:85:4d:47:32:e4:8b:ee:b1:ea:09:
+                       1a:de:97:5d:31:05:a2:73:73:4f:06:a3:b2:59:ee:
+                       bc:30:f7:26:85:3d:b3:56:e4:c2:97:34:b6:ac:6d:
+                       65:7e:a2:4e:b4:ce:f2:0a:0a:4c:d7:32:d7:5a:18:
+                       e8:69:c6:34:28:26:36:ef:c5:bc:ae:ba:ca:d2:46:
+                       3f:d4:61:39:66:8f:19:cc:d6:d6:10:77:af:51:93:
+                       1b:4d:f8:d1:10:19:ab:ac:b3:7b:0b:98:58:29:e6:
+                       a9:ac:9f:7a:dc:63:0d:51:f5:bd:9f:f3:03:2e:b3:
+                       2d:2f:00:87:f4:e1:cd:5a:32:c6:d8:fb:49:c4:e7:
+                       da:3f:0f:8f:bb:66:94:28:5d:99:fe:7c:f0:17:1b:
+                       fd:3e:ed:dd:36:bf:8e:62:60:0c:85:7f:76:74:4b:
+                       37:d9:c2:e8:74:49:04:bf:f1:83:81:cc:4f:9b:f3:
+                       40:97:d4:dc:b6:d3:2d:dc:73:18:93:48:a5:8f:6c:
+                       57:7f:ec:62:c0:bc:c2:b0:e9:0a:51:2d:c4:b6:87:
+                       68:96:87:f8:9a:86:3c:6a:f1:01:ca:57:c4:07:e7:
+                       b0:51
+                   Exponent: 65537 (0x10001)
+           X509v3 extensions:
+               X509v3 Authority Key Identifier:
+                   keyid:D6:4D:F9:39:60:6C:73:C3:22:F5:AD:30:0C:2F:A0:D5:CA:75:4A:2A
+
+               X509v3 Subject Key Identifier:
+                   A3:B3:47:2C:41:5E:9C:B2:27:97:57:14:A4:2E:BA:8C:93:E7:01:65
+               X509v3 Subject Alternative Name:
+                   DNS:example.com
+               X509v3 Key Usage: critical
+                   Digital Signature, Key Encipherment
+               X509v3 Extended Key Usage:
+                   TLS Web Server Authentication, TLS Web Client Authentication
+               X509v3 CRL Distribution Points:
+
+                   Full Name:
+                     URI:http://crl3.digicert.com/DigiCertTestSHA2IntermediateCA1.crl
+
+                   Full Name:
+                     URI:http://crl4.digicert.com/DigiCertTestSHA2IntermediateCA1.crl
+
+               X509v3 Certificate Policies:
+                   Policy: 2.16.840.1.114412.1.1
+                     CPS: https://www.digicert.com/CPS
+
+               Authority Information Access:
+                   OCSP - URI:http://ocsp.digicert.com
+                   CA Issuers - URI:http://cacerts.test.digicert.com/DigiCertTestSHA2IntermediateCA1.crt
+
+               X509v3 Basic Constraints: critical
+                   CA:FALSE
+       Signature Algorithm: sha256WithRSAEncryption
+            ae:d4:9c:8a:66:19:9e:7d:12:b7:05:c2:b6:33:b3:9c:a5:40:
+            47:ab:34:8d:1b:0f:51:96:de:e9:46:5a:e4:16:10:43:56:bf:
+            fa:f8:64:f4:cb:53:39:5b:45:ca:7f:15:d9:59:25:21:23:c4:
+            4d:dc:a7:f7:83:21:d2:3f:a8:0a:26:f4:ef:fa:1b:2b:7d:97:
+            7e:28:f3:ca:cd:b2:c4:92:f3:92:27:7f:e0:f1:ac:d6:db:4c:
+            10:8a:f8:6f:09:bb:b3:4f:19:06:aa:bb:74:1c:e0:51:42:f6:
+            8c:7d:77:f7:80:a4:03:ab:a9:ae:ae:2b:89:17:af:2f:eb:f7:
+            3d:61:7c:dd:e1:5d:d2:5a:c5:6a:f6:c8:92:4c:0a:b5:75:d1:
+            dd:39:f2:a7:a2:10:8c:6d:bf:ca:08:ad:b9:a9:df:e3:59:8f:
+            64:16:3c:7e:8a:6e:27:fc:49:d7:06:f0:bd:94:15:f2:fd:0f:
+            94:8a:b8:73:67:73:53:22:df:9d:36:e9:34:f9:2a:68:00:59:
+            78:6d:2d:8f:a0:0f:13:af:bd:b3:aa:8c:37:c4:22:cf:23:fb:
+            56:bc:4e:55:ae:3a:0a:e6:3e:b1:1a:22:71:7b:08:b8:00:41:
+            14:26:f6:9b:9b:72:3f:eb:dc:dd:1b:db:a8:20:fd:54:75:ae:
+            25:7f:80:e6
+
+In the next step, we'll configure your application to actually use this new
+Certificate resource.

-======================================
 Exposing and securing your application
 ======================================

-Now that we have configured an Issuer resource for Venafi Cloud,
+Now that we have issued a Certificate, we can expose our application using a
+Kubernetes Ingress resource.
+
+Create a file named ``application-ingress.yaml`` and save the following in it,
+replacing ``example.com`` with your own domain name:

 .. code-block:: yaml
   :linenos:
@ -369,16 +499,16 @@ Now that we have configured an Issuer resource for Venafi Cloud,
   kind: Ingress
   metadata:
     name: frontend-ingress
-     namespace: hello-kubernetes-ns
+     namespace: demo
     annotations:
       kubernetes.io/ingress.class: "nginx"
   spec:
     tls:
     - hosts:
-       - <host-name>
-       secretName: venafi-cert-tls
+       - example.com
+       secretName: example-com-tls
     rules:
-     - host: <host-name>
+     - host: example.com
       http:
         paths:
         - path: /
@ -386,9 +516,14 @@ Now that we have configured an Issuer resource for Venafi Cloud,
             serviceName: hello-kubernetes
             servicePort: 80

-As long as you've ensured that the zone of your Venafi Cloud account (in our
-example, we use the "Default" zone) has been configured with a CA or contains a
-custom certificate, cert-manager can now take steps to populate the
-``venafi-cert-tls`` Secret with a certificate. It does this by identifying
-itself with Venafi Cloud using the API key, then requesting a certificate to
-match the specifications of the Certificate resource that we've created.
+You can then apply this resource with:
+
+.. code-block:: shell
+
+   kubectl apply -n demo -f application-ingress.yaml
+
+Once this has been created, you should be able to visit your application at
+the configured hostname, here ``example.com``!
+
+Navigate to the address in your web browser and you should see the certificate
+obtained via Venafi being used to secure application traffic.