mirror of https://github.com/helm/helm
Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com>pull/5650/head
parent
dcb81c9c09
commit
2ed42013c4
@ -0,0 +1,311 @@
|
|||||||
|
# Generating Certificate Authorities and Certificates using Terraform
|
||||||
|
|
||||||
|
It's possible to create all the necessary keys and certificates to secure Helm using
|
||||||
|
Terraform. Simply create the following file and apply it using `terraform`.
|
||||||
|
|
||||||
|
## tiller_certs.tf
|
||||||
|
|
||||||
|
```terraform
|
||||||
|
# Generate the Tiller CA key
|
||||||
|
resource "tls_private_key" "ca" {
|
||||||
|
algorithm = "RSA"
|
||||||
|
rsa_bits = 4096
|
||||||
|
}
|
||||||
|
|
||||||
|
# Generate a self signed CA certificate
|
||||||
|
resource "tls_self_signed_cert" "ca" {
|
||||||
|
key_algorithm = "${tls_private_key.ca.algorithm}"
|
||||||
|
private_key_pem = "${tls_private_key.ca.private_key_pem}"
|
||||||
|
is_ca_certificate = true
|
||||||
|
validity_period_hours = 87600
|
||||||
|
early_renewal_hours = 8760
|
||||||
|
|
||||||
|
allowed_uses = [
|
||||||
|
"v3_ca",
|
||||||
|
]
|
||||||
|
|
||||||
|
subject {
|
||||||
|
organization = "Tiller CA"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Write the CA key to file
|
||||||
|
resource "local_file" "ca_key" {
|
||||||
|
content = "${tls_private_key.ca.private_key_pem}"
|
||||||
|
filename = "${path.module}/ca.key.pem"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Write the CA cert to file
|
||||||
|
resource "local_file" "ca_cert" {
|
||||||
|
content = "${tls_self_signed_cert.ca.cert_pem}"
|
||||||
|
filename = "${path.module}/ca.cert.pem"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Generate the Tiller Server key
|
||||||
|
resource "tls_private_key" "tiller" {
|
||||||
|
algorithm = "RSA"
|
||||||
|
rsa_bits = 4096
|
||||||
|
}
|
||||||
|
|
||||||
|
# Generate a signing request for the Tiller Server certificate
|
||||||
|
resource "tls_cert_request" "tiller" {
|
||||||
|
key_algorithm = "${tls_private_key.tiller.algorithm}"
|
||||||
|
private_key_pem = "${tls_private_key.tiller.private_key_pem}"
|
||||||
|
|
||||||
|
ip_addresses = [
|
||||||
|
"127.0.0.1",
|
||||||
|
]
|
||||||
|
|
||||||
|
subject {
|
||||||
|
organization = "Tiller Server"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Write the Tiller Server key to file
|
||||||
|
resource "local_file" "tiller_key" {
|
||||||
|
content = "${tls_private_key.tiller.private_key_pem}"
|
||||||
|
filename = "${path.module}/tiller.key.pem"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Write the Tiller Server cert to file
|
||||||
|
resource "local_file" "tiller_cert" {
|
||||||
|
content = "${tls_locally_signed_cert.tiller.cert_pem}"
|
||||||
|
filename = "${path.module}/tiller.cert.pem"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Sign the Tiller Server certificate signing request
|
||||||
|
resource "tls_locally_signed_cert" "tiller" {
|
||||||
|
cert_request_pem = "${tls_cert_request.tiller.cert_request_pem}"
|
||||||
|
ca_key_algorithm = "${tls_private_key.ca.algorithm}"
|
||||||
|
ca_private_key_pem = "${tls_private_key.ca.private_key_pem}"
|
||||||
|
ca_cert_pem = "${tls_self_signed_cert.ca.cert_pem}"
|
||||||
|
validity_period_hours = 87600
|
||||||
|
allowed_uses = []
|
||||||
|
}
|
||||||
|
|
||||||
|
# Generate a key for the Helm Client
|
||||||
|
resource "tls_private_key" "helm" {
|
||||||
|
algorithm = "RSA"
|
||||||
|
rsa_bits = 4096
|
||||||
|
}
|
||||||
|
|
||||||
|
# Generate a signing request for the Helm Client certificate
|
||||||
|
resource "tls_cert_request" "helm" {
|
||||||
|
key_algorithm = "${tls_private_key.helm.algorithm}"
|
||||||
|
private_key_pem = "${tls_private_key.helm.private_key_pem}"
|
||||||
|
|
||||||
|
subject {
|
||||||
|
organization = "Helm Client"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# Sign the Helm Client certificate signing request
|
||||||
|
resource "tls_locally_signed_cert" "helm" {
|
||||||
|
cert_request_pem = "${tls_cert_request.helm.cert_request_pem}"
|
||||||
|
ca_key_algorithm = "${tls_private_key.ca.algorithm}"
|
||||||
|
ca_private_key_pem = "${tls_private_key.ca.private_key_pem}"
|
||||||
|
ca_cert_pem = "${tls_self_signed_cert.ca.cert_pem}"
|
||||||
|
validity_period_hours = 87600
|
||||||
|
allowed_uses = []
|
||||||
|
}
|
||||||
|
|
||||||
|
# Write the Helm Client key to file
|
||||||
|
resource "local_file" "helm_key" {
|
||||||
|
content = "${tls_private_key.helm.private_key_pem}"
|
||||||
|
filename = "${path.module}/helm.key.pem"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Write the Helm Client cert to file
|
||||||
|
resource "local_file" "helm_cert" {
|
||||||
|
content = "${tls_locally_signed_cert.helm.cert_pem}"
|
||||||
|
filename = "${path.module}/helm.cert.pem"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Now simply run Terraform init and apply:
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ terraform init
|
||||||
|
|
||||||
|
Initializing provider plugins...
|
||||||
|
- Checking for available provider plugins on https://releases.hashicorp.com...
|
||||||
|
- Downloading plugin for provider "tls" (2.0.0)...
|
||||||
|
- Downloading plugin for provider "local" (1.2.1)...
|
||||||
|
|
||||||
|
The following providers do not have any version constraints in configuration,
|
||||||
|
so the latest version was installed.
|
||||||
|
|
||||||
|
To prevent automatic upgrades to new major versions that may contain breaking
|
||||||
|
changes, it is recommended to add version = "..." constraints to the
|
||||||
|
corresponding provider blocks in configuration, with the constraint strings
|
||||||
|
suggested below.
|
||||||
|
|
||||||
|
* provider.local: version = "~> 1.2"
|
||||||
|
* provider.tls: version = "~> 2.0"
|
||||||
|
|
||||||
|
Terraform has been successfully initialized!
|
||||||
|
|
||||||
|
You may now begin working with Terraform. Try running "terraform plan" to see
|
||||||
|
any changes that are required for your infrastructure. All Terraform commands
|
||||||
|
should now work.
|
||||||
|
|
||||||
|
If you ever set or change modules or backend configuration for Terraform,
|
||||||
|
rerun this command to reinitialize your working directory. If you forget, other
|
||||||
|
commands will detect it and remind you to do so if necessary.
|
||||||
|
```
|
||||||
|
|
||||||
|
```console
|
||||||
|
$ terraform apply
|
||||||
|
|
||||||
|
An execution plan has been generated and is shown below.
|
||||||
|
Resource actions are indicated with the following symbols:
|
||||||
|
+ create
|
||||||
|
|
||||||
|
Terraform will perform the following actions:
|
||||||
|
|
||||||
|
+ local_file.ca_cert
|
||||||
|
id: <computed>
|
||||||
|
content: "${tls_self_signed_cert.ca.cert_pem}"
|
||||||
|
filename: "/home/user/ca.cert.pem"
|
||||||
|
|
||||||
|
+ local_file.ca_key
|
||||||
|
id: <computed>
|
||||||
|
content: "${tls_private_key.ca.private_key_pem}"
|
||||||
|
filename: "/home/user/ca.key.pem"
|
||||||
|
|
||||||
|
+ local_file.helm_cert
|
||||||
|
id: <computed>
|
||||||
|
content: "${tls_locally_signed_cert.helm.cert_pem}"
|
||||||
|
filename: "/home/user/helm.cert.pem"
|
||||||
|
|
||||||
|
+ local_file.helm_key
|
||||||
|
id: <computed>
|
||||||
|
content: "${tls_private_key.helm.private_key_pem}"
|
||||||
|
filename: "/home/user/helm.key.pem"
|
||||||
|
|
||||||
|
+ local_file.tiller_cert
|
||||||
|
id: <computed>
|
||||||
|
content: "${tls_locally_signed_cert.tiller.cert_pem}"
|
||||||
|
filename: "/home/user/tiller.cert.pem"
|
||||||
|
|
||||||
|
+ local_file.tiller_key
|
||||||
|
id: <computed>
|
||||||
|
content: "${tls_private_key.tiller.private_key_pem}"
|
||||||
|
filename: "/home/user/tiller.key.pem"
|
||||||
|
|
||||||
|
+ tls_cert_request.helm
|
||||||
|
id: <computed>
|
||||||
|
cert_request_pem: <computed>
|
||||||
|
key_algorithm: "RSA"
|
||||||
|
private_key_pem: "088d7282d5fd07c60edbb06a0391bbfef9ed0752"
|
||||||
|
subject.#: "1"
|
||||||
|
subject.0.organization: "Helm Client"
|
||||||
|
|
||||||
|
+ tls_cert_request.tiller
|
||||||
|
id: <computed>
|
||||||
|
cert_request_pem: <computed>
|
||||||
|
ip_addresses.#: "1"
|
||||||
|
ip_addresses.0: "127.0.0.1"
|
||||||
|
key_algorithm: "RSA"
|
||||||
|
private_key_pem: "ce4d1f657394357cb9df6394e1749953ede611c0"
|
||||||
|
subject.#: "1"
|
||||||
|
subject.0.organization: "Tiller Server"
|
||||||
|
|
||||||
|
+ tls_locally_signed_cert.helm
|
||||||
|
id: <computed>
|
||||||
|
ca_cert_pem: "67c5245fc6ca7f0c9c84221a0286253194dbb985"
|
||||||
|
ca_key_algorithm: "RSA"
|
||||||
|
ca_private_key_pem: "6c435a4a25d847452106d0271104a386d269ae6b"
|
||||||
|
cert_pem: <computed>
|
||||||
|
cert_request_pem: "e9cbcf1529e9b4532c56ae91defc2c387fbdef94"
|
||||||
|
early_renewal_hours: "0"
|
||||||
|
validity_end_time: <computed>
|
||||||
|
validity_period_hours: "87600"
|
||||||
|
validity_start_time: <computed>
|
||||||
|
|
||||||
|
+ tls_locally_signed_cert.tiller
|
||||||
|
id: <computed>
|
||||||
|
ca_cert_pem: "67c5245fc6ca7f0c9c84221a0286253194dbb985"
|
||||||
|
ca_key_algorithm: "RSA"
|
||||||
|
ca_private_key_pem: "6c435a4a25d847452106d0271104a386d269ae6b"
|
||||||
|
cert_pem: <computed>
|
||||||
|
cert_request_pem: "c7444562da59395a93599d2b6693dee3d39a6469"
|
||||||
|
early_renewal_hours: "0"
|
||||||
|
validity_end_time: <computed>
|
||||||
|
validity_period_hours: "87600"
|
||||||
|
validity_start_time: <computed>
|
||||||
|
|
||||||
|
+ tls_private_key.ca
|
||||||
|
id: <computed>
|
||||||
|
algorithm: "RSA"
|
||||||
|
ecdsa_curve: "P224"
|
||||||
|
private_key_pem: <computed>
|
||||||
|
public_key_fingerprint_md5: <computed>
|
||||||
|
public_key_openssh: <computed>
|
||||||
|
public_key_pem: <computed>
|
||||||
|
rsa_bits: "4096"
|
||||||
|
|
||||||
|
+ tls_private_key.helm
|
||||||
|
id: <computed>
|
||||||
|
algorithm: "RSA"
|
||||||
|
ecdsa_curve: "P224"
|
||||||
|
private_key_pem: <computed>
|
||||||
|
public_key_fingerprint_md5: <computed>
|
||||||
|
public_key_openssh: <computed>
|
||||||
|
public_key_pem: <computed>
|
||||||
|
rsa_bits: "4096"
|
||||||
|
|
||||||
|
+ tls_private_key.tiller
|
||||||
|
id: <computed>
|
||||||
|
algorithm: "RSA"
|
||||||
|
ecdsa_curve: "P224"
|
||||||
|
private_key_pem: <computed>
|
||||||
|
public_key_fingerprint_md5: <computed>
|
||||||
|
public_key_openssh: <computed>
|
||||||
|
public_key_pem: <computed>
|
||||||
|
rsa_bits: "4096"
|
||||||
|
|
||||||
|
+ tls_self_signed_cert.ca
|
||||||
|
id: <computed>
|
||||||
|
allowed_uses.#: "1"
|
||||||
|
allowed_uses.0: "v3_ca"
|
||||||
|
cert_pem: <computed>
|
||||||
|
early_renewal_hours: "8760"
|
||||||
|
is_ca_certificate: "true"
|
||||||
|
key_algorithm: "RSA"
|
||||||
|
private_key_pem: "6c435a4a25d847452106d0271104a386d269ae6b"
|
||||||
|
subject.#: "1"
|
||||||
|
subject.0.organization: "Tiller CA"
|
||||||
|
validity_end_time: <computed>
|
||||||
|
validity_period_hours: "87600"
|
||||||
|
validity_start_time: <computed>
|
||||||
|
|
||||||
|
|
||||||
|
Plan: 14 to add, 0 to change, 0 to destroy.
|
||||||
|
|
||||||
|
Do you want to perform these actions?
|
||||||
|
Terraform will perform the actions described above.
|
||||||
|
Only 'yes' will be accepted to approve.
|
||||||
|
|
||||||
|
Enter a value: yes
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
Apply complete! Resources: 14 added, 0 changed, 0 destroyed.
|
||||||
|
```
|
||||||
|
|
||||||
|
At this point, the important files for us are these:
|
||||||
|
|
||||||
|
```
|
||||||
|
# The CA. Make sure the key is kept secret.
|
||||||
|
ca.cert.pem
|
||||||
|
ca.key.pem
|
||||||
|
# The Helm client files
|
||||||
|
helm.cert.pem
|
||||||
|
helm.key.pem
|
||||||
|
# The Tiller server files.
|
||||||
|
tiller.cert.pem
|
||||||
|
tiller.key.pem
|
||||||
|
```
|
||||||
|
|
||||||
|
Now we're ready to move on to the next steps here: [TLS/SSL for Helm and Tiller - Creating a Custom Tiller Installation](tiller_ssl.md#creating-a-custom-tiller-installation)
|
Loading…
Reference in new issue