Add mtls chart

.circleci/config.yml

@@ -0,0 +1,25 @@
+version: 2
+jobs:
+  build:
+    docker:
+      - image: alpine
+    steps:
+      - add_ssh_keys:
+          fingerprints:
+            - a2:42:ae:5e:a0:61:d0:ac:84:6c:71:ac:01:c9:7b:c9
+      - checkout
+      - run:
+          name: charts
+          command: cat publish.sh | sh
+          environment:
+            - GITHUB_PAGES_REPO: drGrove/charts
+      - run:
+          name: Verify
+          command: |
+            alias helm=/tmp/helm/bin/linux-amd64/helm
+            if [ "$CIRCLE_BRANCH" = "master" ]; then
+              helm repo add drgrove https://drgrove.github.io/charts
+              helm repo update
+              helm repo list
+              helm inspect drgrove/mtls
+            fi

charts/mtls/.gitignore

@@ -0,0 +1,2 @@
+output/
+charts/

charts/mtls/.helmignore

@@ -0,0 +1,25 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# Artifacts
+ouput/
+charts/

charts/mtls/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+description: A Helm chart for MTLS, a service for generating SSL Client Certificates based on Google Beyond Corp Zero Trust Framework
+name: mtls
+version: 0.1.0
+appVersion: 0.12.0
+home: https://www.github.com/drGrove/mtls-server/
+sources:
+  - https://www.github.com/drGrove/mtls-server/
+  - https://hub.docker.com/r/drgrove/mtls-server/
+maintainers:
+  - name: drGrove
+    email: danny@drgrovellc.com

charts/mtls/README.md

@@ -0,0 +1,86 @@
+# MTLS Helm Chart
+
+This directory contains a Kubernetes chart to deploy a [MTLS Server][mtls-server].
+
+## Prerequisites Details
+
+* Kubernetes 1.11+
+
+## Chart Details
+
+This chart will do the following:
+
+* Implement a MTLS Deployment
+
+This system itself will not use Client Certificate Authentication as it uses a
+detached signed PGP message to check for authentication when generating
+certificates from a CSR.
+
+## Installing the Chart
+
+To install the chart, use the following:
+
+```console
+$ helm repo add incuabor https://storage.googleapis.com/kubernetes-charts-incubator
+# If you do not already have a CA or Intermediate Certificate run the following
+# commands to generate the Root CA and Key which will be used as secrets when
+installing.
+$ ./scripts/setup.sh
+$ ./scripts/create-ca.sh
+$ helm install stable/mtls -f values.yaml
+```
+
+## Securing your Ingress
+
+To add client certificate authentication to your resource you will need to add
+a few annotations to your ingress. These annotations will add the appropriate
+secrets and hide enable client certificate authentication.
+
+NOTE: cert-manager will not work with services that integrate with client-cert
+authentication unless you create mutliple ingresses and specifically open the
+`.well-known`. It is advised that you either add the CA certificate to your
+trust store or specifically add a wildcard or other certificate.
+
+On a service that should integrate with mtls you will need to add the following
+annotations to your ingress:
+
+```
+ingress:
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    # Enable client certificate authentication
+    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+    # Create the secret containing the trusted ca certificates
+    nginx.ingress.kubernetes.io/auth-tls-secret: "<NAMESPACE>/<FULLNAME>-certs"
+    # Specify the verification depth in the client certificates chain
+    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
+    # Specify if certificates are passed to upstream server
+    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "false"
+```
+
+## Configuration
+
+The following table lists the configurable parameters of the MTLS Chart and
+their defaults.
+
+| Parameter                   | Description                                             | Default                        |
+| ---------                   | -----------                                             | -------                        |
+| `image.repository`          | `mtls` image repository                                 | `drgrove/mtls`                 |
+| `image.tag`                 | `mtls` image tag.                                       | `v0.12.0`                      |
+| `image.pullPolicy`          | Image pull policy                                       | `IfNotPresent`                 |
+| `secrets.ca_key`            | RSA key for CA                                          |                                |
+| `secrets.ca_crt`            | PEM format CA Certificate                               |                                |
+| `configMaps['config.ini']`  | Base configuration for `mtls`                           | [see values.yaml](values.yaml) |
+| `admin_seeds`               | ASCII Armored PGP Keys for Seeding Admin Trust Database | `{}`                           |
+| `user_seeds`                | ASCII Armored PGP Keys for Seeding User Trust Database  | `{}`                           |
+| `persistence.enabled`       | Create a volume to store data                           | `true`                         |
+| `persistence.size`          | Size of persistent volume claim                         | 10Gi RW                        |
+| `persistence.storageClass`  | Type of persistent volume claim                         | `nil`                          |
+| `persistence.accessMode`    | ReadWriteOnce or ReadOnly                               | `ReadWriteOnce`                |
+| `persistence.existingClaim` | Name of existing persistent volume                      | `nil`                          |
+| `persistence.subPath`       | Subdirectory of the volume to mount                     | `nil`                          |
+| `persistence.annotations`   | Persistent Volume annotations                           | `{}`                           |
+| `nodeSelector`              | Node labels for pod assignment                          | `{}`                           |
+| `tolerations`               | Pod taint tolerations for deployment                    | `{}`                           |
+
+[mtls-server]: https://github.com/drGrove/mtls-server

charts/mtls/scripts/create-ca.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null 2>&1 && pwd )"
+if [[ "$PWD" == "$DIR" ]]; then
+  echo "This script should not be run from scripts. It should be run in the base of the mtls chart"
+  exit 1
+fi
+
+echo "Generating 4096 RSA Key..."
+EXTRA=""
+if [[ -z $NOPASSWORD ]]; then
+  EXTRA="-aes256"
+fi
+openssl \
+  genrsa \
+  $EXTRA  \
+  -out output/ca/private/ca.key.pem 4096
+chmod 400 output/ca/private/ca.key.pem
+
+if [[ -z "$SUBJ" ]]; then
+  if [[ -z "$C" ]]; then
+    read -p 'COUNTRY: ' C
+  fi
+  if [[ -z "$ST" ]]; then
+    read -p 'State/Province: ' ST
+  fi
+  if [[ -z "$L" ]]; then
+    read -p 'Locality: ' L
+  fi
+  if [[ -z "$O" ]]; then
+    read -p 'Organization Name: ' O
+  fi
+  if [[ -z "$OU" ]]; then
+    read -p 'Organizational Unit: ' OU
+  fi
+  if [[ -z "$CN" ]]; then
+    read -p 'Common Name: ' CN
+  fi
+  SUBJ="/CN=$CN/O=$O/OU=$OU/C=$C/ST=$ST/L=$L"
+fi
+
+
+echo "Generating Root CA Certificate..."
+openssl req -config output/ca/openssl.cnf \
+  -subj "$SUBJ" \
+  -key output/ca/private/ca.key.pem \
+  -new -x509 -days 7300 -sha256 -extensions v3_ca \
+  -out output/ca/certs/ca.cert.pem

charts/mtls/scripts/openssl.cnf

@@ -0,0 +1,133 @@
+# OpenSSL root CA configuration file.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+# DIR should be changed to the current directory for this to work
+dir = /root/ca
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/ca.key.pem
+certificate = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 375
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 2048
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+# Optionally, specify some defaults.
+countryName_default = US
+stateOrProvinceName_default = California
+localityName_default =
+0.organizationName_default = MTLS CA
+organizationalUnitName_default = IT
+emailAddress_default = example@mtls.network
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+

charts/mtls/scripts/setup.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null 2>&1 && pwd )"
+if [[ "$PWD" == "$DIR" ]]; then
+  echo "This script should not be run from scripts. It should be run in the base of the mtls chart"
+  exit 1
+fi
+mkdir -p output/ca/certs output/ca/crl output/ca/newcerts output/ca/private
+chmod 700 output/ca/private
+touch output/ca/index.txt
+echo 1000 > output/ca/serial
+cp $DIR/openssl.cnf output/ca/
+sed -i "s|^dir = /root/ca|dir ="$PWD"/output/ca|g" output/ca/openssl.cnf