diff --git a/docs/related.md b/docs/related.md
index 3f8c73d4a..4a38e68f1 100644
--- a/docs/related.md
+++ b/docs/related.md
@@ -19,6 +19,7 @@ or [pull request](https://github.com/helm/helm/pulls).
 - [Writing a Helm Chart](https://www.influxdata.com/packaged-kubernetes-deployments-writing-helm-chart/)
 - [A basic walk through Kubernetes Helm](https://github.com/muffin87/helm-tutorial)
 - [Tillerless Helm v2](https://rimusz.net/tillerless-helm/)
+- [Generating Certificate Authorities and Certificates using Terraform](https://github.com/jbussdieker/tiller-ssl-terraform)
 
 ## Video, Audio, and Podcast
 
diff --git a/docs/tiller_ssl_terraform.md b/docs/tiller_ssl_terraform.md
deleted file mode 100644
index 40591e36f..000000000
--- a/docs/tiller_ssl_terraform.md
+++ /dev/null
@@ -1,311 +0,0 @@
-# Generating Certificate Authorities and Certificates using Terraform
-
-It's possible to create all the necessary keys and certificates to secure Helm using
-Terraform. Simply create the following file and apply it using `terraform`.
-
-## tiller_certs.tf
-
-```terraform
-# Generate the Tiller CA key
-resource "tls_private_key" "ca" {
- algorithm = "RSA"
- rsa_bits = 4096
-}
-
-# Generate a self signed CA certificate
-resource "tls_self_signed_cert" "ca" {
- key_algorithm = "${tls_private_key.ca.algorithm}"
- private_key_pem = "${tls_private_key.ca.private_key_pem}"
- is_ca_certificate = true
- validity_period_hours = 87600
- early_renewal_hours = 8760
-
- allowed_uses = [
- "v3_ca",
- ]
-
- subject {
- organization = "Tiller CA"
- }
-}
-
-# Write the CA key to file
-resource "local_file" "ca_key" {
- content = "${tls_private_key.ca.private_key_pem}"
- filename = "${path.module}/ca.key.pem"
-}
-
-# Write the CA cert to file
-resource "local_file" "ca_cert" {
- content = "${tls_self_signed_cert.ca.cert_pem}"
- filename = "${path.module}/ca.cert.pem"
-}
-
-# Generate the Tiller Server key
-resource "tls_private_key" "tiller" {
- algorithm = "RSA"
- rsa_bits = 4096
-}
-
-# Generate a signing request for the Tiller Server certificate
-resource "tls_cert_request" "tiller" {
- key_algorithm = "${tls_private_key.tiller.algorithm}"
- private_key_pem = "${tls_private_key.tiller.private_key_pem}"
-
- ip_addresses = [
- "127.0.0.1",
- ]
-
- subject {
- organization = "Tiller Server"
- }
-}
-
-# Write the Tiller Server key to file
-resource "local_file" "tiller_key" {
- content = "${tls_private_key.tiller.private_key_pem}"
- filename = "${path.module}/tiller.key.pem"
-}
-
-# Write the Tiller Server cert to file
-resource "local_file" "tiller_cert" {
- content = "${tls_locally_signed_cert.tiller.cert_pem}"
- filename = "${path.module}/tiller.cert.pem"
-}
-
-# Sign the Tiller Server certificate signing request
-resource "tls_locally_signed_cert" "tiller" {
- cert_request_pem = "${tls_cert_request.tiller.cert_request_pem}"
- ca_key_algorithm = "${tls_private_key.ca.algorithm}"
- ca_private_key_pem = "${tls_private_key.ca.private_key_pem}"
- ca_cert_pem = "${tls_self_signed_cert.ca.cert_pem}"
- validity_period_hours = 87600
- allowed_uses = []
-}
-
-# Generate a key for the Helm Client
-resource "tls_private_key" "helm" {
- algorithm = "RSA"
- rsa_bits = 4096
-}
-
-# Generate a signing request for the Helm Client certificate
-resource "tls_cert_request" "helm" {
- key_algorithm = "${tls_private_key.helm.algorithm}"
- private_key_pem = "${tls_private_key.helm.private_key_pem}"
-
- subject {
- organization = "Helm Client"
- }
-}
-
-# Sign the Helm Client certificate signing request
-resource "tls_locally_signed_cert" "helm" {
- cert_request_pem = "${tls_cert_request.helm.cert_request_pem}"
- ca_key_algorithm = "${tls_private_key.ca.algorithm}"
- ca_private_key_pem = "${tls_private_key.ca.private_key_pem}"
- ca_cert_pem = "${tls_self_signed_cert.ca.cert_pem}"
- validity_period_hours = 87600
- allowed_uses = []
-}
-
-# Write the Helm Client key to file
-resource "local_file" "helm_key" {
- content = "${tls_private_key.helm.private_key_pem}"
- filename = "${path.module}/helm.key.pem"
-}
-
-# Write the Helm Client cert to file
-resource "local_file" "helm_cert" {
- content = "${tls_locally_signed_cert.helm.cert_pem}"
- filename = "${path.module}/helm.cert.pem"
-}
-```
-
-Now simply run Terraform init and apply:
-
-```console
-$ terraform init
-
-Initializing provider plugins...
-- Checking for available provider plugins on https://releases.hashicorp.com...
-- Downloading plugin for provider "tls" (2.0.0)...
-- Downloading plugin for provider "local" (1.2.1)...
-
-The following providers do not have any version constraints in configuration,
-so the latest version was installed.
-
-To prevent automatic upgrades to new major versions that may contain breaking
-changes, it is recommended to add version = "..." constraints to the
-corresponding provider blocks in configuration, with the constraint strings
-suggested below.
-
-* provider.local: version = "~> 1.2"
-* provider.tls: version = "~> 2.0"
-
-Terraform has been successfully initialized!
-
-You may now begin working with Terraform. Try running "terraform plan" to see
-any changes that are required for your infrastructure. All Terraform commands
-should now work.
-
-If you ever set or change modules or backend configuration for Terraform,
-rerun this command to reinitialize your working directory. If you forget, other
-commands will detect it and remind you to do so if necessary.
-```
-
-```console
-$ terraform apply
-
-An execution plan has been generated and is shown below.
-Resource actions are indicated with the following symbols:
- + create
-
-Terraform will perform the following actions:
-
- + local_file.ca_cert
- id:
- content: "${tls_self_signed_cert.ca.cert_pem}"
- filename: "/home/user/ca.cert.pem"
-
- + local_file.ca_key
- id:
- content: "${tls_private_key.ca.private_key_pem}"
- filename: "/home/user/ca.key.pem"
-
- + local_file.helm_cert
- id:
- content: "${tls_locally_signed_cert.helm.cert_pem}"
- filename: "/home/user/helm.cert.pem"
-
- + local_file.helm_key
- id:
- content: "${tls_private_key.helm.private_key_pem}"
- filename: "/home/user/helm.key.pem"
-
- + local_file.tiller_cert
- id:
- content: "${tls_locally_signed_cert.tiller.cert_pem}"
- filename: "/home/user/tiller.cert.pem"
-
- + local_file.tiller_key
- id:
- content: "${tls_private_key.tiller.private_key_pem}"
- filename: "/home/user/tiller.key.pem"
-
- + tls_cert_request.helm
- id:
- cert_request_pem:
- key_algorithm: "RSA"
- private_key_pem: "088d7282d5fd07c60edbb06a0391bbfef9ed0752"
- subject.#: "1"
- subject.0.organization: "Helm Client"
-
- + tls_cert_request.tiller
- id:
- cert_request_pem:
- ip_addresses.#: "1"
- ip_addresses.0: "127.0.0.1"
- key_algorithm: "RSA"
- private_key_pem: "ce4d1f657394357cb9df6394e1749953ede611c0"
- subject.#: "1"
- subject.0.organization: "Tiller Server"
-
- + tls_locally_signed_cert.helm
- id:
- ca_cert_pem: "67c5245fc6ca7f0c9c84221a0286253194dbb985"
- ca_key_algorithm: "RSA"
- ca_private_key_pem: "6c435a4a25d847452106d0271104a386d269ae6b"
- cert_pem:
- cert_request_pem: "e9cbcf1529e9b4532c56ae91defc2c387fbdef94"
- early_renewal_hours: "0"
- validity_end_time:
- validity_period_hours: "87600"
- validity_start_time:
-
- + tls_locally_signed_cert.tiller
- id:
- ca_cert_pem: "67c5245fc6ca7f0c9c84221a0286253194dbb985"
- ca_key_algorithm: "RSA"
- ca_private_key_pem: "6c435a4a25d847452106d0271104a386d269ae6b"
- cert_pem:
- cert_request_pem: "c7444562da59395a93599d2b6693dee3d39a6469"
- early_renewal_hours: "0"
- validity_end_time:
- validity_period_hours: "87600"
- validity_start_time:
-
- + tls_private_key.ca
- id:
- algorithm: "RSA"
- ecdsa_curve: "P224"
- private_key_pem:
- public_key_fingerprint_md5:
- public_key_openssh:
- public_key_pem:
- rsa_bits: "4096"
-
- + tls_private_key.helm
- id:
- algorithm: "RSA"
- ecdsa_curve: "P224"
- private_key_pem:
- public_key_fingerprint_md5:
- public_key_openssh:
- public_key_pem:
- rsa_bits: "4096"
-
- + tls_private_key.tiller
- id:
- algorithm: "RSA"
- ecdsa_curve: "P224"
- private_key_pem:
- public_key_fingerprint_md5:
- public_key_openssh:
- public_key_pem:
- rsa_bits: "4096"
-
- + tls_self_signed_cert.ca
- id:
- allowed_uses.#: "1"
- allowed_uses.0: "v3_ca"
- cert_pem:
- early_renewal_hours: "8760"
- is_ca_certificate: "true"
- key_algorithm: "RSA"
- private_key_pem: "6c435a4a25d847452106d0271104a386d269ae6b"
- subject.#: "1"
- subject.0.organization: "Tiller CA"
- validity_end_time:
- validity_period_hours: "87600"
- validity_start_time:
-
-
-Plan: 14 to add, 0 to change, 0 to destroy.
-
-Do you want to perform these actions?
- Terraform will perform the actions described above.
- Only 'yes' will be accepted to approve.
-
- Enter a value: yes
-
-...
-
-Apply complete! Resources: 14 added, 0 changed, 0 destroyed.
-```
-
-At this point, the important files for us are these:
-
-```
-# The CA. Make sure the key is kept secret.
-ca.cert.pem
-ca.key.pem
-# The Helm client files
-helm.cert.pem
-helm.key.pem
-# The Tiller server files.
-tiller.cert.pem
-tiller.key.pem
-```
-
-Now we're ready to move on to the next steps here: [TLS/SSL for Helm and Tiller - Creating a Custom Tiller Installation](tiller_ssl.md#creating-a-custom-tiller-installation)