From 5d69d2070323f91536b8f97166c78ec9d7f0845a Mon Sep 17 00:00:00 2001
From: Anish Ramasekar
Date: Thu, 28 May 2020 18:30:56 -0700
Subject: [PATCH] add docs for ingress tls with vault

---
 docs/README.ingress-tls.md | 9 ++
 sample/ingress-controller-tls/README.md | 119 ------------------
 .../deployment-app-one.yaml | 43 -------
 .../deployment-app-two.yaml | 43 -------
 sample/ingress-controller-tls/ingress.yaml | 24 ----
 .../secretproviderclass-azure-tls.yaml | 23 ----
 6 files changed, 9 insertions(+), 252 deletions(-)
 create mode 100644 docs/README.ingress-tls.md
 delete mode 100644 sample/ingress-controller-tls/README.md
 delete mode 100644 sample/ingress-controller-tls/deployment-app-one.yaml
 delete mode 100644 sample/ingress-controller-tls/deployment-app-two.yaml
 delete mode 100644 sample/ingress-controller-tls/ingress.yaml
 delete mode 100644 sample/ingress-controller-tls/secretproviderclass-azure-tls.yaml

diff --git a/docs/README.ingress-tls.md b/docs/README.ingress-tls.md
new file mode 100644
index 000000000..ed1c244ba
--- /dev/null
+++ b/docs/README.ingress-tls.md
@@ -0,0 +1,9 @@
+# Using Secrets Store CSI to Enable NGINX Ingress Controller with TLS
+
+The Secrets Store CSI Driver can be used to enable applications to work with NGINX Ingress Controller with TLS stored in an External Secrets Store.
+For more information on securing an Ingress with TLS, refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+
+Checkout provider samples on how to get started -
+
+- [Using Secrets Store CSI and Azure Key Vault Provider](https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/master/sample/ingress-controller/README.md)
+- [Using Secrets Store CSI and Hashicorp Vault Provider](https://github.com/hashicorp/secrets-store-csi-driver-provider-vault/blob/master/sample/ingress-controller/README.md)
\ No newline at end of file
diff --git a/sample/ingress-controller-tls/README.md b/sample/ingress-controller-tls/README.md
deleted file mode 100644
index 5f8e5c5fc..000000000
--- a/sample/ingress-controller-tls/README.md
+++ /dev/null
@@ -1,119 +0,0 @@
-# Using Secrets Store CSI to Enable NGINX Ingress Controller with TLS
-This guide demonstrates steps required to setup Secrets Store CSI driver to enable applications to work with NGINX Ingress Controller with TLS stored in an external Secrets store.
-For more information on securing an Ingress with TLS, refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
-
-# Generate a TLS Cert
-
-```bash
-openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
- -out ingress-tls.crt \
- -keyout ingress-tls.key \
- -subj "/CN=demo.test.com/O=ingress-tls"
-```
-
-# Store Cert in External Secrets Store Service
-- [Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios#import-a-certificate)
-- [HashiCorp Vault](https://www.vaultproject.io/docs/commands#reading-and-writing-data)
-
-# Deploy Secrets-store CSI and the Provider
-https://github.com/kubernetes-sigs/secrets-store-csi-driver#usage
-
-# Deploy Ingress Controller
-
-Create a namespace
-
-```bash
-kubectl create ns ingress-test
-```
-
-Helm install ingress-controller
-
-```bash
-helm install stable/nginx-ingress --generate-name \
- --namespace ingress-test \
- --set controller.replicaCount=2 \
- --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
- --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux
-```
-
-# Deploy a SecretsProviderClass Resource
-> NOTE: For this sample, we are using the `azure` provider.
For more information, head over to: https://github.com/Azure/secrets-store-csi-driver-provider-azure#usage
-
-```bash
-kubectl apply -f sample/ingress-controller-tls/secretproviderclass-azure-tls.yaml -n ingress-test
-```
-
-# [OPTIONAL] Create a Secret Required by Provider
-
-```bash
-kubectl create secret generic secrets-store-creds --from-literal clientid=xxxx --from-literal clientsecret=xxxx -n ingress-test
-```
-
-# Deploy Test Apps with Reference to Secrets Store CSI
-
-> NOTE: These apps reference a Secrets Store CSI volume and a `secretProviderClass` object created earlier. A Kubernetes secret `ingress-tls-csi` will be created by the CSI driver as a result of the app creation.
-
-```yaml
- volumes:
- - name: secrets-store-inline
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: "azure-tls"
- nodePublishSecretRef:
- name: secrets-store-creds
-```
-
-```bash
-kubectl apply -f sample/ingress-controller-tls/deployment-app-one.yaml -n ingress-test
-kubectl apply -f sample/ingress-controller-tls/deployment-app-two.yaml -n ingress-test
-
-```
-
-# Check for the Kubernetes Secret created by the CSI driver
-```bash
-kubectl get secret -n ingress-test
-
-NAME TYPE DATA AGE
-ingress-tls-csi kubernetes.io/tls 2 1m34s
-```
-
-# Deploy an Ingress Resource referencing the Secret created by the CSI driver
-
-> NOTE: The ingress resource references the Kubernetes secret `ingress-tls-csi` created by the CSI driver as a result of the app creation.
-
-```yaml
-tls:
- - hosts:
- - demo.test.com
- secretName: ingress-tls-csi
-```
-
-```bash
-kubectl apply -f sample/ingress-controller-tls/ingress.yaml -n ingress-test
-```
-
-# Get the External IP of the Ingress Controller
-
-```bash
- kubectl get service -l app=nginx-ingress --namespace ingress-test
-NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
-nginx-ingress-1588032400-controller LoadBalancer 10.0.255.157 52.xx.xx.xx 80:31293/TCP,443:31265/TCP 19m
-nginx-ingress-1588032400-default-backend ClusterIP 10.0.223.214 80/TCP 19m
-```
-
-# Test Ingress with TLS
-Using `curl` to verify ingress configuration using TLS.
-Replace the public IP with the external IP of the ingress controller service from the previous step.
-
-```bash
-curl -v -k --resolve demo.test.com:443:52.xx.xx.xx https://demo.test.com
-
-# You should see the following in your output
-* subject: CN=demo.test.com; O=ingress-tls
-* start date: Apr 15 04:23:46 2020 GMT
-* expire date: Apr 15 04:23:46 2021 GMT
-* issuer: CN=demo.test.com; O=ingress-tls
-* SSL certificate verify result: self signed certificate (18), continuing anyway.
-```
diff --git a/sample/ingress-controller-tls/deployment-app-one.yaml b/sample/ingress-controller-tls/deployment-app-one.yaml
deleted file mode 100644
index 161e1d9b7..000000000
--- a/sample/ingress-controller-tls/deployment-app-one.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx-one
- labels:
- app: nginx-one
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: nginx-one
- template:
- metadata:
- labels:
- app: nginx-one
- spec:
- containers:
- - image: nginx
- name: nginx
- volumeMounts:
- - name: secrets-store-inline
- mountPath: "/mnt/secrets-store"
- readOnly: true
- volumes:
- - name: secrets-store-inline
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: "azure-tls"
- nodePublishSecretRef:
- name: secrets-store-creds
----
-apiVersion: v1
-kind: Service
-metadata:
- name: nginx-one
-spec:
- type: ClusterIP
- ports:
- - port: 80
- selector:
- app: nginx-one
diff --git a/sample/ingress-controller-tls/deployment-app-two.yaml b/sample/ingress-controller-tls/deployment-app-two.yaml
deleted file mode 100644
index fc0ef8c5d..000000000
--- a/sample/ingress-controller-tls/deployment-app-two.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx-two
- labels:
- app: nginx-two
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: nginx-two
- template:
- metadata:
- labels:
- app: nginx-two
- spec:
- containers:
- - image: nginx
- name: nginx
- volumeMounts:
- - name: secrets-store-inline
- mountPath: "/mnt/secrets-store"
- readOnly: true
- volumes:
- - name: secrets-store-inline
- csi:
- driver: secrets-store.csi.k8s.io
- readOnly: true
- volumeAttributes:
- secretProviderClass: "azure-tls"
- nodePublishSecretRef:
- name: secrets-store-creds
----
-apiVersion: v1
-kind: Service
-metadata:
- name: nginx-two
-spec:
- type: ClusterIP
- ports:
- - port: 80
- selector:
- app: nginx-two
diff --git a/sample/ingress-controller-tls/ingress.yaml b/sample/ingress-controller-tls/ingress.yaml
deleted file mode 100644
index f771a9829..000000000
--- a/sample/ingress-controller-tls/ingress.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
- name: ingress-tls
- annotations:
- kubernetes.io/ingress.class: nginx
- nginx.ingress.kubernetes.io/rewrite-target: /$1
-spec:
- tls:
- - hosts:
- - demo.test.com
- secretName: ingress-tls-csi
- rules:
- - host: demo.test.com
- http:
- paths:
- - backend:
- serviceName: nginx-one
- servicePort: 80
- path: /(.*)
- - backend:
- serviceName: nginx-two
- servicePort: 80
- path: /two(/|$)(.*)
diff --git a/sample/ingress-controller-tls/secretproviderclass-azure-tls.yaml b/sample/ingress-controller-tls/secretproviderclass-azure-tls.yaml
deleted file mode 100644
index 3db7884ac..000000000
--- a/sample/ingress-controller-tls/secretproviderclass-azure-tls.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
-kind: SecretProviderClass
-metadata:
- name: azure-tls
-spec:
- provider: azure
- secretObjects:
- - secretName: ingress-tls-csi
- type: kubernetes.io/tls
- data:
- - objectName: ingresscert
- key: tls.key
- - objectName: ingresscert
- key: tls.crt
- parameters:
- usePodIdentity: "false"
- keyvaultName: "azkv" # the name of the KeyVault
- objects: |
- array:
- - |
- objectName: ingresscert
- objectType: secret
- tenantId: "xx-xxxxxxxx-xx"