From 2ed42013c41e0ed192fa8f0095550097bacda63a Mon Sep 17 00:00:00 2001
From: Joshua Bussdieker
Date: Fri, 26 Apr 2019 14:27:41 -0700
Subject: [PATCH 1/4] Add docs for configuring SSL using Terraform.
Signed-off-by: Joshua Bussdieker
---
 docs/tiller_ssl.md | 2 +
 docs/tiller_ssl_terraform.md | 311 +++++++++++++++++++++++++++++++++++
 2 files changed, 313 insertions(+)
 create mode 100644 docs/tiller_ssl_terraform.md
diff --git a/docs/tiller_ssl.md b/docs/tiller_ssl.md
index 3d64635ae..5bb7a55c6 100644
--- a/docs/tiller_ssl.md
+++ b/docs/tiller_ssl.md
@@ -42,6 +42,8 @@ on getting ready within a small amount of time. For production configurations,
 we urge readers to read [the official documentation](https://www.openssl.org)
 and consult other resources.
 
+Alternatively you can use Terraform to quickly create all the necessary certificates: [Generating Certificate Authorities and Certificates using Terraform](tiller_ssl_terraform.md).
+
 ### Generate a Certificate Authority
 
 The simplest way to generate a certificate authority is to run two commands:
diff --git a/docs/tiller_ssl_terraform.md b/docs/tiller_ssl_terraform.md
new file mode 100644
index 000000000..40591e36f
--- /dev/null
+++ b/docs/tiller_ssl_terraform.md
@@ -0,0 +1,311 @@
+# Generating Certificate Authorities and Certificates using Terraform
+
+It's possible to create all the necessary keys and certificates to secure Helm using
+Terraform. Simply create the following file and apply it using `terraform`.
+
+## tiller_certs.tf
+
+```terraform
+# Generate the Tiller CA key
+resource "tls_private_key" "ca" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+
+# Generate a self signed CA certificate
+resource "tls_self_signed_cert" "ca" {
+ key_algorithm = "${tls_private_key.ca.algorithm}"
+ private_key_pem = "${tls_private_key.ca.private_key_pem}"
+ is_ca_certificate = true
+ validity_period_hours = 87600
+ early_renewal_hours = 8760
+
+ allowed_uses = [
+ "v3_ca",
+ ]
+
+ subject {
+ organization = "Tiller CA"
+ }
+}
+
+# Write the CA key to file
+resource "local_file" "ca_key" {
+ content = "${tls_private_key.ca.private_key_pem}"
+ filename = "${path.module}/ca.key.pem"
+}
+
+# Write the CA cert to file
+resource "local_file" "ca_cert" {
+ content = "${tls_self_signed_cert.ca.cert_pem}"
+ filename = "${path.module}/ca.cert.pem"
+}
+
+# Generate the Tiller Server key
+resource "tls_private_key" "tiller" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+
+# Generate a signing request for the Tiller Server certificate
+resource "tls_cert_request" "tiller" {
+ key_algorithm = "${tls_private_key.tiller.algorithm}"
+ private_key_pem = "${tls_private_key.tiller.private_key_pem}"
+
+ ip_addresses = [
+ "127.0.0.1",
+ ]
+
+ subject {
+ organization = "Tiller Server"
+ }
+}
+
+# Write the Tiller Server key to file
+resource "local_file" "tiller_key" {
+ content = "${tls_private_key.tiller.private_key_pem}"
+ filename = "${path.module}/tiller.key.pem"
+}
+
+# Write the Tiller Server cert to file
+resource "local_file" "tiller_cert" {
+ content = "${tls_locally_signed_cert.tiller.cert_pem}"
+ filename = "${path.module}/tiller.cert.pem"
+}
+
+# Sign the Tiller Server certificate signing request
+resource "tls_locally_signed_cert" "tiller" {
+ cert_request_pem = "${tls_cert_request.tiller.cert_request_pem}"
+ ca_key_algorithm = "${tls_private_key.ca.algorithm}"
+ ca_private_key_pem = "${tls_private_key.ca.private_key_pem}"
+ ca_cert_pem = "${tls_self_signed_cert.ca.cert_pem}"
+ validity_period_hours = 87600
+ allowed_uses = []
+}
+
+# Generate a key for the Helm Client
+resource "tls_private_key" "helm" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+
+# Generate a signing request for the Helm Client certificate
+resource "tls_cert_request" "helm" {
+ key_algorithm = "${tls_private_key.helm.algorithm}"
+ private_key_pem = "${tls_private_key.helm.private_key_pem}"
+
+ subject {
+ organization = "Helm Client"
+ }
+}
+
+# Sign the Helm Client certificate signing request
+resource "tls_locally_signed_cert" "helm" {
+ cert_request_pem = "${tls_cert_request.helm.cert_request_pem}"
+ ca_key_algorithm = "${tls_private_key.ca.algorithm}"
+ ca_private_key_pem = "${tls_private_key.ca.private_key_pem}"
+ ca_cert_pem = "${tls_self_signed_cert.ca.cert_pem}"
+ validity_period_hours = 87600
+ allowed_uses = []
+}
+
+# Write the Helm Client key to file
+resource "local_file" "helm_key" {
+ content = "${tls_private_key.helm.private_key_pem}"
+ filename = "${path.module}/helm.key.pem"
+}
+
+# Write the Helm Client cert to file
+resource "local_file" "helm_cert" {
+ content = "${tls_locally_signed_cert.helm.cert_pem}"
+ filename = "${path.module}/helm.cert.pem"
+}
+```
+
+Now simply run Terraform init and apply:
+
+```console
+$ terraform init
+
+Initializing provider plugins...
+- Checking for available provider plugins on https://releases.hashicorp.com...
+- Downloading plugin for provider "tls" (2.0.0)...
+- Downloading plugin for provider "local" (1.2.1)...
+
+The following providers do not have any version constraints in configuration,
+so the latest version was installed.
+
+To prevent automatic upgrades to new major versions that may contain breaking
+changes, it is recommended to add version = "..."
constraints to the +corresponding provider blocks in configuration, with the constraint strings +suggested below. + +* provider.local: version = "~> 1.2" +* provider.tls: version = "~> 2.0" + +Terraform has been successfully initialized! + +You may now begin working with Terraform. Try running "terraform plan" to see +any changes that are required for your infrastructure. All Terraform commands +should now work. + +If you ever set or change modules or backend configuration for Terraform, +rerun this command to reinitialize your working directory. If you forget, other +commands will detect it and remind you to do so if necessary. +``` + +```console +$ terraform apply + +An execution plan has been generated and is shown below. +Resource actions are indicated with the following symbols: + + create + +Terraform will perform the following actions: + + + local_file.ca_cert + id: + content: "${tls_self_signed_cert.ca.cert_pem}" + filename: "/home/user/ca.cert.pem" + + + local_file.ca_key + id: + content: "${tls_private_key.ca.private_key_pem}" + filename: "/home/user/ca.key.pem" + + + local_file.helm_cert + id: + content: "${tls_locally_signed_cert.helm.cert_pem}" + filename: "/home/user/helm.cert.pem" + + + local_file.helm_key + id: + content: "${tls_private_key.helm.private_key_pem}" + filename: "/home/user/helm.key.pem" + + + local_file.tiller_cert + id: + content: "${tls_locally_signed_cert.tiller.cert_pem}" + filename: "/home/user/tiller.cert.pem" + + + local_file.tiller_key + id: + content: "${tls_private_key.tiller.private_key_pem}" + filename: "/home/user/tiller.key.pem" + + + tls_cert_request.helm + id: + cert_request_pem: + key_algorithm: "RSA" + private_key_pem: "088d7282d5fd07c60edbb06a0391bbfef9ed0752" + subject.#: "1" + subject.0.organization: "Helm Client" + + + tls_cert_request.tiller + id: + cert_request_pem: + ip_addresses.#: "1" + ip_addresses.0: "127.0.0.1" + key_algorithm: "RSA" + private_key_pem: "ce4d1f657394357cb9df6394e1749953ede611c0" + 
subject.#: "1" + subject.0.organization: "Tiller Server" + + + tls_locally_signed_cert.helm + id: + ca_cert_pem: "67c5245fc6ca7f0c9c84221a0286253194dbb985" + ca_key_algorithm: "RSA" + ca_private_key_pem: "6c435a4a25d847452106d0271104a386d269ae6b" + cert_pem: + cert_request_pem: "e9cbcf1529e9b4532c56ae91defc2c387fbdef94" + early_renewal_hours: "0" + validity_end_time: + validity_period_hours: "87600" + validity_start_time: + + + tls_locally_signed_cert.tiller + id: + ca_cert_pem: "67c5245fc6ca7f0c9c84221a0286253194dbb985" + ca_key_algorithm: "RSA" + ca_private_key_pem: "6c435a4a25d847452106d0271104a386d269ae6b" + cert_pem: + cert_request_pem: "c7444562da59395a93599d2b6693dee3d39a6469" + early_renewal_hours: "0" + validity_end_time: + validity_period_hours: "87600" + validity_start_time: + + + tls_private_key.ca + id: + algorithm: "RSA" + ecdsa_curve: "P224" + private_key_pem: + public_key_fingerprint_md5: + public_key_openssh: + public_key_pem: + rsa_bits: "4096" + + + tls_private_key.helm + id: + algorithm: "RSA" + ecdsa_curve: "P224" + private_key_pem: + public_key_fingerprint_md5: + public_key_openssh: + public_key_pem: + rsa_bits: "4096" + + + tls_private_key.tiller + id: + algorithm: "RSA" + ecdsa_curve: "P224" + private_key_pem: + public_key_fingerprint_md5: + public_key_openssh: + public_key_pem: + rsa_bits: "4096" + + + tls_self_signed_cert.ca + id: + allowed_uses.#: "1" + allowed_uses.0: "v3_ca" + cert_pem: + early_renewal_hours: "8760" + is_ca_certificate: "true" + key_algorithm: "RSA" + private_key_pem: "6c435a4a25d847452106d0271104a386d269ae6b" + subject.#: "1" + subject.0.organization: "Tiller CA" + validity_end_time: + validity_period_hours: "87600" + validity_start_time: + + +Plan: 14 to add, 0 to change, 0 to destroy. + +Do you want to perform these actions? + Terraform will perform the actions described above. + Only 'yes' will be accepted to approve. + + Enter a value: yes + +... + +Apply complete! Resources: 14 added, 0 changed, 0 destroyed. 
+```
+
+At this point, the important files for us are these:
+
+```
+# The CA. Make sure the key is kept secret.
+ca.cert.pem
+ca.key.pem
+# The Helm client files
+helm.cert.pem
+helm.key.pem
+# The Tiller server files.
+tiller.cert.pem
+tiller.key.pem
+```
+
+Now we're ready to move on to the next steps here: [TLS/SSL for Helm and Tiller - Creating a Custom Tiller Installation](tiller_ssl.md#creating-a-custom-tiller-installation)
From aff106f97f075854c66995f597799c374df50c29 Mon Sep 17 00:00:00 2001
From: Joshua Bussdieker
Date: Sun, 5 May 2019 17:53:55 -0700
Subject: [PATCH 2/4] Update to reflect location of docs
Signed-off-by: Joshua Bussdieker
---
 docs/tiller_ssl.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/tiller_ssl.md b/docs/tiller_ssl.md
index 5bb7a55c6..d6f207f1b 100644
--- a/docs/tiller_ssl.md
+++ b/docs/tiller_ssl.md
@@ -42,7 +42,7 @@ on getting ready within a small amount of time. For production configurations,
 we urge readers to read [the official documentation](https://www.openssl.org)
 and consult other resources.
 
-Alternatively you can use Terraform to quickly create all the necessary certificates: [Generating Certificate Authorities and Certificates using Terraform](tiller_ssl_terraform.md).
+There are other alternative ways to generating SSL CAs in addition to `openssl`, for example Terraform. They are not documented here but you can find links to these alternative means in Related Projects and Documentation.
 
 ### Generate a Certificate Authority
From 422f0929b404a4587f396895c589992b9860ff27 Mon Sep 17 00:00:00 2001
From: Joshua Bussdieker
Date: Sun, 5 May 2019 18:02:32 -0700
Subject: [PATCH 3/4] Move actual docs to another repo and update related docs list
Signed-off-by: Joshua Bussdieker
---
 docs/related.md | 1 +
 docs/tiller_ssl_terraform.md | 311 -----------------------------------
 2 files changed, 1 insertion(+), 311 deletions(-)
 delete mode 100644 docs/tiller_ssl_terraform.md
diff --git a/docs/related.md b/docs/related.md
index 3f8c73d4a..4a38e68f1 100644
--- a/docs/related.md
+++ b/docs/related.md
@@ -19,6 +19,7 @@ or [pull request](https://github.com/helm/helm/pulls).
 - [Writing a Helm Chart](https://www.influxdata.com/packaged-kubernetes-deployments-writing-helm-chart/)
 - [A basic walk through Kubernetes Helm](https://github.com/muffin87/helm-tutorial)
 - [Tillerless Helm v2](https://rimusz.net/tillerless-helm/)
+- [Generating Certificate Authorities and Certificates using Terraform](https://github.com/jbussdieker/tiller-ssl-terraform)
 
 ## Video, Audio, and Podcast
 
diff --git a/docs/tiller_ssl_terraform.md b/docs/tiller_ssl_terraform.md
deleted file mode 100644
index 40591e36f..000000000
--- a/docs/tiller_ssl_terraform.md
+++ /dev/null
@@ -1,311 +0,0 @@
-# Generating Certificate Authorities and Certificates using Terraform
-
-It's possible to create all the necessary keys and certificates to secure Helm using
-Terraform. Simply create the following file and apply it using `terraform`.
-
-## tiller_certs.tf
-
-```terraform
-# Generate the Tiller CA key
-resource "tls_private_key" "ca" {
- algorithm = "RSA"
- rsa_bits = 4096
-}
-
-# Generate a self signed CA certificate
-resource "tls_self_signed_cert" "ca" {
- key_algorithm = "${tls_private_key.ca.algorithm}"
- private_key_pem = "${tls_private_key.ca.private_key_pem}"
- is_ca_certificate = true
- validity_period_hours = 87600
- early_renewal_hours = 8760
-
- allowed_uses = [
- "v3_ca",
- ]
-
- subject {
- organization = "Tiller CA"
- }
-}
-
-# Write the CA key to file
-resource "local_file" "ca_key" {
- content = "${tls_private_key.ca.private_key_pem}"
- filename = "${path.module}/ca.key.pem"
-}
-
-# Write the CA cert to file
-resource "local_file" "ca_cert" {
- content = "${tls_self_signed_cert.ca.cert_pem}"
- filename = "${path.module}/ca.cert.pem"
-}
-
-# Generate the Tiller Server key
-resource "tls_private_key" "tiller" {
- algorithm = "RSA"
- rsa_bits = 4096
-}
-
-# Generate a signing request for the Tiller Server certificate
-resource "tls_cert_request" "tiller" {
- key_algorithm = "${tls_private_key.tiller.algorithm}"
- private_key_pem = "${tls_private_key.tiller.private_key_pem}"
-
- ip_addresses = [
- "127.0.0.1",
- ]
-
- subject {
- organization = "Tiller Server"
- }
-}
-
-# Write the Tiller Server key to file
-resource "local_file" "tiller_key" {
- content = "${tls_private_key.tiller.private_key_pem}"
- filename = "${path.module}/tiller.key.pem"
-}
-
-# Write the Tiller Server cert to file
-resource "local_file" "tiller_cert" {
- content = "${tls_locally_signed_cert.tiller.cert_pem}"
- filename = "${path.module}/tiller.cert.pem"
-}
-
-# Sign the Tiller Server certificate signing request
-resource "tls_locally_signed_cert" "tiller" {
- cert_request_pem = "${tls_cert_request.tiller.cert_request_pem}"
- ca_key_algorithm = "${tls_private_key.ca.algorithm}"
- ca_private_key_pem = "${tls_private_key.ca.private_key_pem}"
- ca_cert_pem = "${tls_self_signed_cert.ca.cert_pem}"
- validity_period_hours = 87600
- allowed_uses = []
-}
-
-# Generate a key for the Helm Client
-resource "tls_private_key" "helm" {
- algorithm = "RSA"
- rsa_bits = 4096
-}
-
-# Generate a signing request for the Helm Client certificate
-resource "tls_cert_request" "helm" {
- key_algorithm = "${tls_private_key.helm.algorithm}"
- private_key_pem = "${tls_private_key.helm.private_key_pem}"
-
- subject {
- organization = "Helm Client"
- }
-}
-
-# Sign the Helm Client certificate signing request
-resource "tls_locally_signed_cert" "helm" {
- cert_request_pem = "${tls_cert_request.helm.cert_request_pem}"
- ca_key_algorithm = "${tls_private_key.ca.algorithm}"
- ca_private_key_pem = "${tls_private_key.ca.private_key_pem}"
- ca_cert_pem = "${tls_self_signed_cert.ca.cert_pem}"
- validity_period_hours = 87600
- allowed_uses = []
-}
-
-# Write the Helm Client key to file
-resource "local_file" "helm_key" {
- content = "${tls_private_key.helm.private_key_pem}"
- filename = "${path.module}/helm.key.pem"
-}
-
-# Write the Helm Client cert to file
-resource "local_file" "helm_cert" {
- content = "${tls_locally_signed_cert.helm.cert_pem}"
- filename = "${path.module}/helm.cert.pem"
-}
-```
-
-Now simply run Terraform init and apply:
-
-```console
-$ terraform init
-
-Initializing provider plugins...
-- Checking for available provider plugins on https://releases.hashicorp.com...
-- Downloading plugin for provider "tls" (2.0.0)...
-- Downloading plugin for provider "local" (1.2.1)...
-
-The following providers do not have any version constraints in configuration,
-so the latest version was installed.
-
-To prevent automatic upgrades to new major versions that may contain breaking
-changes, it is recommended to add version = "..."
constraints to the -corresponding provider blocks in configuration, with the constraint strings -suggested below. - -* provider.local: version = "~> 1.2" -* provider.tls: version = "~> 2.0" - -Terraform has been successfully initialized! - -You may now begin working with Terraform. Try running "terraform plan" to see -any changes that are required for your infrastructure. All Terraform commands -should now work. - -If you ever set or change modules or backend configuration for Terraform, -rerun this command to reinitialize your working directory. If you forget, other -commands will detect it and remind you to do so if necessary. -``` - -```console -$ terraform apply - -An execution plan has been generated and is shown below. -Resource actions are indicated with the following symbols: - + create - -Terraform will perform the following actions: - - + local_file.ca_cert - id: - content: "${tls_self_signed_cert.ca.cert_pem}" - filename: "/home/user/ca.cert.pem" - - + local_file.ca_key - id: - content: "${tls_private_key.ca.private_key_pem}" - filename: "/home/user/ca.key.pem" - - + local_file.helm_cert - id: - content: "${tls_locally_signed_cert.helm.cert_pem}" - filename: "/home/user/helm.cert.pem" - - + local_file.helm_key - id: - content: "${tls_private_key.helm.private_key_pem}" - filename: "/home/user/helm.key.pem" - - + local_file.tiller_cert - id: - content: "${tls_locally_signed_cert.tiller.cert_pem}" - filename: "/home/user/tiller.cert.pem" - - + local_file.tiller_key - id: - content: "${tls_private_key.tiller.private_key_pem}" - filename: "/home/user/tiller.key.pem" - - + tls_cert_request.helm - id: - cert_request_pem: - key_algorithm: "RSA" - private_key_pem: "088d7282d5fd07c60edbb06a0391bbfef9ed0752" - subject.#: "1" - subject.0.organization: "Helm Client" - - + tls_cert_request.tiller - id: - cert_request_pem: - ip_addresses.#: "1" - ip_addresses.0: "127.0.0.1" - key_algorithm: "RSA" - private_key_pem: "ce4d1f657394357cb9df6394e1749953ede611c0" - 
subject.#: "1" - subject.0.organization: "Tiller Server" - - + tls_locally_signed_cert.helm - id: - ca_cert_pem: "67c5245fc6ca7f0c9c84221a0286253194dbb985" - ca_key_algorithm: "RSA" - ca_private_key_pem: "6c435a4a25d847452106d0271104a386d269ae6b" - cert_pem: - cert_request_pem: "e9cbcf1529e9b4532c56ae91defc2c387fbdef94" - early_renewal_hours: "0" - validity_end_time: - validity_period_hours: "87600" - validity_start_time: - - + tls_locally_signed_cert.tiller - id: - ca_cert_pem: "67c5245fc6ca7f0c9c84221a0286253194dbb985" - ca_key_algorithm: "RSA" - ca_private_key_pem: "6c435a4a25d847452106d0271104a386d269ae6b" - cert_pem: - cert_request_pem: "c7444562da59395a93599d2b6693dee3d39a6469" - early_renewal_hours: "0" - validity_end_time: - validity_period_hours: "87600" - validity_start_time: - - + tls_private_key.ca - id: - algorithm: "RSA" - ecdsa_curve: "P224" - private_key_pem: - public_key_fingerprint_md5: - public_key_openssh: - public_key_pem: - rsa_bits: "4096" - - + tls_private_key.helm - id: - algorithm: "RSA" - ecdsa_curve: "P224" - private_key_pem: - public_key_fingerprint_md5: - public_key_openssh: - public_key_pem: - rsa_bits: "4096" - - + tls_private_key.tiller - id: - algorithm: "RSA" - ecdsa_curve: "P224" - private_key_pem: - public_key_fingerprint_md5: - public_key_openssh: - public_key_pem: - rsa_bits: "4096" - - + tls_self_signed_cert.ca - id: - allowed_uses.#: "1" - allowed_uses.0: "v3_ca" - cert_pem: - early_renewal_hours: "8760" - is_ca_certificate: "true" - key_algorithm: "RSA" - private_key_pem: "6c435a4a25d847452106d0271104a386d269ae6b" - subject.#: "1" - subject.0.organization: "Tiller CA" - validity_end_time: - validity_period_hours: "87600" - validity_start_time: - - -Plan: 14 to add, 0 to change, 0 to destroy. - -Do you want to perform these actions? - Terraform will perform the actions described above. - Only 'yes' will be accepted to approve. - - Enter a value: yes - -... - -Apply complete! Resources: 14 added, 0 changed, 0 destroyed. 
-```
-
-At this point, the important files for us are these:
-
-```
-# The CA. Make sure the key is kept secret.
-ca.cert.pem
-ca.key.pem
-# The Helm client files
-helm.cert.pem
-helm.key.pem
-# The Tiller server files.
-tiller.cert.pem
-tiller.key.pem
-```
-
-Now we're ready to move on to the next steps here: [TLS/SSL for Helm and Tiller - Creating a Custom Tiller Installation](tiller_ssl.md#creating-a-custom-tiller-installation)
From 51c99b125224093802def010a48d763ffab5b6df Mon Sep 17 00:00:00 2001
From: Joshua Bussdieker
Date: Tue, 7 May 2019 03:36:56 -0700
Subject: [PATCH 4/4] Fix missing link
Signed-off-by: Joshua Bussdieker
---
 docs/tiller_ssl.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/tiller_ssl.md b/docs/tiller_ssl.md
index d6f207f1b..3705723fa 100644
--- a/docs/tiller_ssl.md
+++ b/docs/tiller_ssl.md
@@ -42,7 +42,7 @@ on getting ready within a small amount of time. For production configurations,
 we urge readers to read [the official documentation](https://www.openssl.org)
 and consult other resources.
 
-There are other alternative ways to generating SSL CAs in addition to `openssl`, for example Terraform. They are not documented here but you can find links to these alternative means in Related Projects and Documentation.
+There are other alternative ways to generating SSL CAs in addition to `openssl`, for example Terraform. They are not documented here but you can find links to these alternative means in [Related Projects and Documentation](https://helm.sh/docs/related/).
 
 ### Generate a Certificate Authority