diff --git a/docs/tutorials/index.rst b/docs/tutorials/index.rst index 1b5a0cac6..519871f65 100644 --- a/docs/tutorials/index.rst +++ b/docs/tutorials/index.rst @@ -12,3 +12,4 @@ For more information on performing individual tasks, read the :maxdepth: 2 acme/index + venafi/securing-ingress diff --git a/docs/tutorials/venafi/securing-ingress.rst b/docs/tutorials/venafi/securing-ingress.rst index 300062469..03075dd20 100644 --- a/docs/tutorials/venafi/securing-ingress.rst +++ b/docs/tutorials/venafi/securing-ingress.rst @@ -145,7 +145,6 @@ the ingress-nginx service. .. _`documentation for nginx-ingress`: https://kubernetes.github.io/ingress-nginx/ .. _Network Load Balancer (NLB): https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html -========================== Configure your DNS records ========================== @@ -156,17 +155,15 @@ Go into your DNS provider's console and set a CNAME record pointing to your NLB. For the purposes of demonstration, we will assume in this guide you have -created the following DNS entries: +created the following DNS entry: -.. code-block:: +.. code-block:: text - www.example.com CNAME a8c2870a5a8a311e9a9a10a2e7af57d7-6c2ec8ede48726ab.elb.eu-west-1.amazonaws.com example.com CNAME a8c2870a5a8a311e9a9a10a2e7af57d7-6c2ec8ede48726ab.elb.eu-west-1.amazonaws.com -As you progress through the rest of this tutorial, please replace these -domain names with your own registered domain. +As you progress through the rest of this tutorial, please replace +``example.com`` with your own registered domain. -============================ Deploying a demo application ============================ @@ -238,7 +235,7 @@ You should be able to see two Pods and one Service in the ``demo`` namespace: .. code-block:: shell - kubectl get po,svc + kubectl get po,svc -n demo NAME READY STATUS RESTARTS AGE hello-kubernetes-66d45d6dff-m2lnr 1/1 Running 0 7s hello-kubernetes-66d45d6dff-qt2kb 1/1 Running 0 7s 
@@ -249,7 +246,6 @@ You should be able to see two Pods and one Service in the ``demo`` namespace: Note that we have not yet exposed this application to be accessible over the internet. We will expose the demo application to the internet in later steps. -================================= Creating a Venafi Issuer resource ================================= @@ -262,7 +258,8 @@ In order for cert-manager to be able to authenticate with your Venafi Cloud account and set up a ClusterIssuer resource, you'll need to create a Kubernetes Secret containing your API key: -.. code-block:: secret +.. code-block:: shell + kubectl create secret generic \ venafi-cloud-secret \ --namespace=demo \ @@ -294,7 +291,7 @@ Then run: .. code-block:: shell - kubectl apply -f venafi-issuer.yaml + kubectl apply -n demo -f venafi-issuer.yaml When you run the following command, you should see that the Status stanza of the output shows that the Issuer is Ready (i.e. has successfully validated @@ -319,7 +316,6 @@ itself with the Venafi Cloud service). .. _enroll page: https://ui.venafi.cloud/enroll -===================== Request a Certificate ===================== @@ -331,8 +327,8 @@ Full information on how to specify and request Certificate resources can be found in the :doc:`Issuing certificates ` guide. -For now, we will create a basic x509 Certificate that is valid for our two -domains, ``example.com`` and ``www.example.com``: +For now, we will create a basic x509 Certificate that is valid for our domain, +``example.com``: .. code-block:: yaml :linenos: @@ -346,7 +342,6 @@ domains, ``example.com`` and ``www.example.com``: secretName: example-com-tls dnsNames: - example.com - - www.example.com issuerRef: name: cloud-venafi-issuer 
@@ -354,13 +349,148 @@ Save this YAML into a file named ``example-com-tls.yaml`` and run: .. code-block:: shell - kubectl apply -f example-com-tls.yaml + kubectl apply -n demo -f example-com-tls.yaml + +As long as you've ensured that the zone of your Venafi Cloud account (in our +example, we use the "Default" zone) has been configured with a CA or contains a +custom certificate, cert-manager can now take steps to populate the +``example-com-tls`` Secret with a certificate. It does this by identifying +itself with Venafi Cloud using the API key, then requesting a certificate to +match the specifications of the Certificate resource that we've created. + +You can run ``kubectl describe`` to check the progress of your Certificate: + +.. code-block:: shell + + kubectl describe certificate -n demo example-com-tls + + ... + Status: + Conditions: + Last Transition Time: 2019-07-17T17:43:01Z + Message: Certificate is up to date and has not expired + Reason: Ready + Status: True + Type: Ready + Not After: 2019-10-15T12:00:00Z + Events: + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal Issuing 33s cert-manager Requesting new certificate... + Normal GenerateKey 33s cert-manager Generated new private key + Normal Validate 33s cert-manager Validated certificate request against Venafi zone policy + Normal Requesting 33s cert-manager Requesting certificate from Venafi server... + Normal Retrieve 15s cert-manager Retrieved certificate from Venafi server + Normal CertIssued 15s cert-manager Certificate issued successfully + +Once the Certificate has been issued, you should see events similar to above. + +You should then be able to see the certificate has been successfully stored in +the Secret resource: + +.. 
code-block:: shell + + kubectl get secret -n demo example-com-tls + + NAME TYPE DATA AGE + example-com-tls kubernetes.io/tls 3 2m47s + + kubectl get secret example-com-tls -o 'go-template={{index .data "tls.crt"}}' | \ + base64 --decode | \ + openssl x509 -noout -text + + Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0d:ce:bf:89:04:d4:41:83:f4:4c:32:66:64:fb:60:14 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, O=DigiCert Inc, CN=DigiCert Test SHA2 Intermediate CA-1 + Validity + Not Before: Jul 17 00:00:00 2019 GMT + Not After : Oct 15 12:00:00 2019 GMT + Subject: C=US, ST=California, L=Palo Alto, O=Venafi Cloud, OU=SerialNumber, CN=example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ad:2e:66:02:20:c9:b1:6a:00:63:70:4e:22:3c: + 45:63:6e:e7:fd:4c:94:7d:75:50:22:a2:01:72:99: + 9c:23:04:90:51:85:4d:47:32:e4:8b:ee:b1:ea:09: + 1a:de:97:5d:31:05:a2:73:73:4f:06:a3:b2:59:ee: + bc:30:f7:26:85:3d:b3:56:e4:c2:97:34:b6:ac:6d: + 65:7e:a2:4e:b4:ce:f2:0a:0a:4c:d7:32:d7:5a:18: + e8:69:c6:34:28:26:36:ef:c5:bc:ae:ba:ca:d2:46: + 3f:d4:61:39:66:8f:19:cc:d6:d6:10:77:af:51:93: + 1b:4d:f8:d1:10:19:ab:ac:b3:7b:0b:98:58:29:e6: + a9:ac:9f:7a:dc:63:0d:51:f5:bd:9f:f3:03:2e:b3: + 2d:2f:00:87:f4:e1:cd:5a:32:c6:d8:fb:49:c4:e7: + da:3f:0f:8f:bb:66:94:28:5d:99:fe:7c:f0:17:1b: + fd:3e:ed:dd:36:bf:8e:62:60:0c:85:7f:76:74:4b: + 37:d9:c2:e8:74:49:04:bf:f1:83:81:cc:4f:9b:f3: + 40:97:d4:dc:b6:d3:2d:dc:73:18:93:48:a5:8f:6c: + 57:7f:ec:62:c0:bc:c2:b0:e9:0a:51:2d:c4:b6:87: + 68:96:87:f8:9a:86:3c:6a:f1:01:ca:57:c4:07:e7: + b0:51 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:D6:4D:F9:39:60:6C:73:C3:22:F5:AD:30:0C:2F:A0:D5:CA:75:4A:2A + + X509v3 Subject Key Identifier: + A3:B3:47:2C:41:5E:9C:B2:27:97:57:14:A4:2E:BA:8C:93:E7:01:65 + X509v3 Subject Alternative Name: + DNS:example.com + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key 
Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl3.digicert.com/DigiCertTestSHA2IntermediateCA1.crl + + Full Name: + URI:http://crl4.digicert.com/DigiCertTestSHA2IntermediateCA1.crl + + X509v3 Certificate Policies: + Policy: 2.16.840.1.114412.1.1 + CPS: https://www.digicert.com/CPS + + Authority Information Access: + OCSP - URI:http://ocsp.digicert.com + CA Issuers - URI:http://cacerts.test.digicert.com/DigiCertTestSHA2IntermediateCA1.crt + + X509v3 Basic Constraints: critical + CA:FALSE + Signature Algorithm: sha256WithRSAEncryption + ae:d4:9c:8a:66:19:9e:7d:12:b7:05:c2:b6:33:b3:9c:a5:40: + 47:ab:34:8d:1b:0f:51:96:de:e9:46:5a:e4:16:10:43:56:bf: + fa:f8:64:f4:cb:53:39:5b:45:ca:7f:15:d9:59:25:21:23:c4: + 4d:dc:a7:f7:83:21:d2:3f:a8:0a:26:f4:ef:fa:1b:2b:7d:97: + 7e:28:f3:ca:cd:b2:c4:92:f3:92:27:7f:e0:f1:ac:d6:db:4c: + 10:8a:f8:6f:09:bb:b3:4f:19:06:aa:bb:74:1c:e0:51:42:f6: + 8c:7d:77:f7:80:a4:03:ab:a9:ae:ae:2b:89:17:af:2f:eb:f7: + 3d:61:7c:dd:e1:5d:d2:5a:c5:6a:f6:c8:92:4c:0a:b5:75:d1: + dd:39:f2:a7:a2:10:8c:6d:bf:ca:08:ad:b9:a9:df:e3:59:8f: + 64:16:3c:7e:8a:6e:27:fc:49:d7:06:f0:bd:94:15:f2:fd:0f: + 94:8a:b8:73:67:73:53:22:df:9d:36:e9:34:f9:2a:68:00:59: + 78:6d:2d:8f:a0:0f:13:af:bd:b3:aa:8c:37:c4:22:cf:23:fb: + 56:bc:4e:55:ae:3a:0a:e6:3e:b1:1a:22:71:7b:08:b8:00:41: + 14:26:f6:9b:9b:72:3f:eb:dc:dd:1b:db:a8:20:fd:54:75:ae: + 25:7f:80:e6 + +In the next step, we'll configure your application to actually use this new +Certificate resource. -====================================== Exposing and securing your application ====================================== -Now that we have configured an Issuer resource for Venafi Cloud, +Now that we have issued a Certificate, we can expose our application using a +Kubernetes Ingress resource. + +Create a file named ``application-ingress.yaml`` and save the following in it, +replacing ``example.com`` with your own domain name: .. code-block:: yaml :linenos: 
@@ -369,16 +499,16 @@ Now that we have configured an Issuer resource for Venafi Cloud, kind: Ingress metadata: name: frontend-ingress - namespace: hello-kubernetes-ns + namespace: demo annotations: kubernetes.io/ingress.class: "nginx" spec: tls: - hosts: - - - secretName: venafi-cert-tls + - example.com + secretName: example-com-tls rules: - - host: + - host: example.com http: paths: - path: / @@ -386,9 +516,14 @@ Now that we have configured an Issuer resource for Venafi Cloud, serviceName: hello-kubernetes servicePort: 80 -As long as you've ensured that the zone of your Venafi Cloud account (in our -example, we use the "Default" zone) has been configured with a CA or contains a -custom certificate, cert-manager can now take steps to populate the -``venafi-cert-tls`` Secret with a certificate. It does this by identifying -itself with Venafi Cloud using the API key, then requesting a certificate to -match the specifications of the Certificate resource that we've created. \ No newline at end of file +You can then apply this resource with: + +.. code-block:: shell + + kubectl apply -n demo -f application-ingress.yaml + +Once this has been created, you should be able to visit your application at +the configured hostname, here ``example.com``! + +Navigate to the address in your web browser and you should see the certificate +obtained via Venafi being used to secure application traffic.
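Review bot: in the hunk `@@ -156,17 +155,15 @@` of securing-ingress.rst, the remaining example record `example.com CNAME a8c2870a5a8a311e9a9a10a2e7af57d7-6c2ec8ede48726ab.elb.eu-west-1.amazonaws.com` is a CNAME at the zone apex, which standard DNS does not allow (a CNAME cannot coexist with the apex SOA and NS records, RFC 1034 section 3.6.2), so most DNS providers will reject it. Dropping `www.example.com` removes the one entry that was a valid CNAME. Either keep `www.example.com` as the host used throughout the tutorial, or say that the apex needs a provider-specific ALIAS/ANAME record (a Route 53 alias record for an NLB) instead of a CNAME.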
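Review bot: in the hunk `@@ -262,7 +258,8 @@`, the context line "account and set up a ClusterIssuer resource, you'll need to create a" conflicts with the Secret being created with `--namespace=demo` and with the later hunks, which apply `venafi-issuer.yaml` with `-n demo` and call the result "the Issuer". A namespaced Issuer reads its API-key Secret from its own namespace, whereas a ClusterIssuer reads Secrets from cert-manager's cluster resource namespace (`cert-manager` by default), so a real ClusterIssuer would never find `venafi-cloud-secret` in `demo`. Change "ClusterIssuer" to "Issuer" in that sentence, or, if a ClusterIssuer is intended, create the Secret in the cluster resource namespace and drop `-n demo` from the apply command. The switch from `.. code-block:: secret` to `shell` is correct, since `secret` is not a lexer name.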
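Review bot: in the hunk `@@ -354,13 +349,148 @@`, the certificate-inspection command `kubectl get secret example-com-tls -o 'go-template={{index .data "tls.crt"}}' | \` is the only command in the hunk without `-n demo`; `kubectl get secret -n demo example-com-tls` two lines above passes it, so this one returns NotFound unless the reader's kubeconfig context already defaults to `demo`. Suggest `kubectl get secret -n demo example-com-tls -o 'go-template={{index .data "tls.crt"}}' | \`. It would also help to add one sentence after the `openssl x509` dump telling readers what to compare: `X509v3 Subject Alternative Name: DNS:example.com` against the Certificate's `dnsNames`, and `Not After` against the `Not After` shown by `kubectl describe certificate`. Since the `DATA 3` column shows the Secret also holds the private key (`tls.key`) next to `tls.crt` and `ca.crt`, the text could note that read access to Secrets in `demo` is effectively access to that key.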
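Review bot: in the hunk `@@ -369,16 +499,16 @@`, moving the Ingress to `namespace: demo` and pointing it at `secretName: example-com-tls` is required, not just tidier, because an Ingress can only reference TLS Secrets in its own namespace; the new lead-in paragraph ("Create a file named ``application-ingress.yaml`` ...") should say so. A reader who applies this manifest in a different namespace gets no error from `kubectl apply`, and ingress-nginx silently serves its default fake certificate for `example.com` instead of the Venafi-issued one, so the failure only shows up as a browser trust warning.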
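Review bot: in the hunk `@@ -386,9 +516,14 @@`, the closing sentence "you should see the certificate obtained via Venafi being used to secure application traffic" overstates what the example will show. The sample certificate earlier in this patch is issued by `DigiCert Test SHA2 Intermediate CA-1` with its CA issuer at `cacerts.test.digicert.com`, a test CA that browsers do not trust by default, so readers using a comparable zone will see a trust warning rather than a padlock. Suggest softening the sentence and giving a concrete check that does not depend on browser trust, for example `openssl s_client -connect example.com:443 -servername example.com </dev/null | openssl x509 -noout -subject -issuer -dates`, whose output can be compared with the `openssl x509 -noout -text` dump of the Secret above. Also worth stating that `kubectl apply -n demo -f application-ingress.yaml` only works once the CNAME from the DNS section resolves to the NLB in front of ingress-nginx.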