Commit

Merge pull request #11 from doitintl/gke-autopilot
deploy on GKE autopilot
alexei-led authored Apr 3, 2022
2 parents c00b855 + 3284dec commit 496422c
Showing 5 changed files with 124 additions and 4 deletions.
15 changes: 13 additions & 2 deletions README.md
Expand Up @@ -2,8 +2,6 @@

# Securely access AWS Services from GKE cluster

> :attention: GKE Autopilot deployment is not supported due to the [limitations](https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview#webhooks_limitations)
Ever wanted to access AWS services from Google Kubernetes cluster (GKE) without using AWS IAM credentials?

This solution can help you to get and exchange Google OIDC token for temporary AWS IAM security credentials are generated by AWS STS service. This approach allows you to access AWS services form a GKE cluster without pre-generated long-living AWS credentials.
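Review bot: Dropping the Autopilot warning leaves the README intro with no mention of Autopilot at all, even though Autopilot now requires a different certificate path later in the document; suggest replacing the removed line with a one-line pointer such as `> **GKE Autopilot**: use the self-signed certificate script (see the installation section below)` so readers know which path to take before they start. While this paragraph is being edited, the adjacent sentence reads `security credentials are generated by AWS STS service` and `form a GKE cluster`; `security credentials generated by the AWS STS service` and `from a GKE cluster` would fix both.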
Expand Down Expand Up @@ -89,6 +87,19 @@ certificatesigningrequest.certificates.k8s.io/gtoken-webhook-svc.default approve
secret/gtoken-webhook-certs configured
```

**Note** Gor GKE Autopilot, run the [webhook-create-self-signed-cert.sh](https://github.com/doitintl/gtoken/blob/master/deployment/webhook-create-self-signed-cert.sh) script to generate a self-signed certificate.

Export CA Bundle as environment variable:

```sh
export CA_BUNDLE=[output value of the previous script "Encoded CA:"]
```

Then, we’ll create the webhook service and deployment:

```yaml
```

Create Kubernetes Service Account to be used with `gtoken-webhook`:

```sh
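Review bot: `Gor GKE Autopilot` in the new note should read `For GKE Autopilot`, and the note should say in one clause why the self-signed script is required there (the webhook limitations page linked from the removed warning is the reason) and that the CA bundle exported in the next step must then be the value printed by that script, not the cluster CA. The `yaml` fence that follows "Then, we'll create the webhook service and deployment" is empty in this rendering; if the manifest is meant to be inlined, add it, otherwise replace the block with the `kubectl apply -f deployment/...` command the reader is expected to run.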
4 changes: 4 additions & 0 deletions deployment/deployment.yaml
Expand Up @@ -18,6 +18,10 @@ spec:
- name: gtoken-webhook
image: doitintl/gtoken-webhook
imagePullPolicy: Always
resources:
requests:
cpu: 250m
memory: 512Mi
args:
- --log-level=debug
- server
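Review bot: Only `requests` are added and no `limits`; on Autopilot, limits are set equal to requests automatically, so the webhook is effectively capped at 250m CPU and 512Mi, which is worth stating in a comment or making explicit with a matching `limits:` block so Standard clusters behave the same way. Unrelated to this change but visible in the context: `image: doitintl/gtoken-webhook` with `imagePullPolicy: Always` pulls an unpinned tag on every restart; pinning a tag or digest would make the deployment reproducible.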
98 changes: 98 additions & 0 deletions deployment/webhook-create-self-signed-cert.sh
@@ -0,0 +1,98 @@
#!/bin/bash

set -e

usage() {
cat <<EOF
Generate certificate suitable for use with an gtoken webhook service.
This script generates self-signed certificate for the webhook. See
https://www.velotio.com/engineering-blog/managing-tls-certificate-for-kubernetes-admission-webhook
detailed explantion and additional instructions.
The server key/cert k8s CA cert are stored in a k8s secret.
usage: ${0} [OPTIONS]
The following flags are required.
--service Service name of webhook.
--namespace Namespace where webhook service and secret reside.
--secret Secret name for CA certificate and server certificate/key pair.
EOF
exit 1
}

while [[ $# -gt 0 ]]; do
case ${1} in
--service)
service="$2"
shift
;;
--secret)
secret="$2"
shift
;;
--namespace)
namespace="$2"
shift
;;
*)
usage
;;
esac
shift
done

[ -z ${service} ] && service=gtoken-webhook-svc
[ -z ${secret} ] && secret=gtoken-webhook-certs
[ -z ${namespace} ] && namespace=default

if [ ! -x "$(command -v openssl)" ]; then
echo "openssl not found"
exit 1
fi

csrName=${service}.${namespace}
tmpdir=$(mktemp -d)
echo "creating certs in tmpdir ${tmpdir} "

cat <<EOF >> ${tmpdir}/csr.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}
DNS.2 = ${service}.${namespace}
DNS.3 = ${service}.${namespace}.svc
EOF

# create CA and Server key/certificate
openssl genrsa -out ${tmpdir}/ca.key 2048
openssl req -x509 -newkey rsa:2048 -key ${tmpdir}/ca.key -out ${tmpdir}/ca.crt -days 1825 -nodes -subj "/CN=${service}.${namespace}.svc"

# create server key/certificate
openssl genrsa -out ${tmpdir}/server.key 2048
openssl req -new -key ${tmpdir}/server.key -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf

# Self sign
openssl x509 -extensions v3_req -req -days 1825 -in ${tmpdir}/server.csr -CA ${tmpdir}/ca.crt -CAkey ${tmpdir}/ca.key -CAcreateserial -out ${tmpdir}/server.crt -extfile ${tmpdir}/csr.conf

# create the secret with CA cert and server cert/key
kubectl create secret generic ${secret} \
--from-file=key.pem=${tmpdir}/server.key \
--from-file=cert.pem=${tmpdir}/server.crt \
--dry-run=client -o yaml |
kubectl -n ${namespace} apply -f -

# -a means base64 encode
caBundle=$(cat ${tmpdir}/ca.crt | openssl enc -a -A)

echo "Encoded CA:"
echo -e "${caBundle} \n"
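Review bot: The CA private key (`ca.key`, created with `-nodes`) and the server key are written to `${tmpdir}` and never deleted, so a 5-year signing key is left on disk after every run; add `trap 'rm -rf "${tmpdir}"' EXIT` right after `tmpdir=$(mktemp -d)`. The usage text says the CA cert is stored in the secret, but only `key.pem` and `cert.pem` are, so either add `--from-file=ca.pem=${tmpdir}/ca.crt` or correct the text. Smaller points: `[ -z ${service} ]` (and the two lines after it) should quote the expansion, `[ -z "${service}" ]`, since the unquoted form only works by accident when the variable is empty; `-newkey rsa:2048` is redundant once `-key ${tmpdir}/ca.key` is given; `kubectl create secret` runs without `-n ${namespace}` and relies on the `apply -n` to place it, which deserves a comment; and `an gtoken` / `explantion` in the usage text are typos.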
5 changes: 5 additions & 0 deletions deployment/webhook-create-signed-cert.sh
Expand Up @@ -129,3 +129,8 @@ kubectl create secret generic ${secret} \
--from-file=cert.pem=${tmpdir}/server-cert.pem \
--dry-run=client -o yaml |
kubectl -n ${namespace} apply -f -

# get CA bundle for use by webhook bootstrap
caBundle=$(kubectl config view --raw --flatten -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"')
echo "Encoded CA:"
echo -e "${caBundle} \n"
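Review bot: The `select(.name == "<current-context>")` filter compares the cluster name with the context name; those coincide for kubeconfigs written by `gcloud container clusters get-credentials` but not in general, so `caBundle` comes out empty on a kubeconfig where they differ. `kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}'` resolves the current context's cluster itself and also drops the `jq` dependency, which this script uses without checking it is installed (the self-signed script does check for `openssl`). If `jq` stays, an empty result should be an error rather than silently printing a blank line after `Encoded CA:`.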
6 changes: 4 additions & 2 deletions deployment/webhook-patch-ca-bundle.sh
Expand Up @@ -6,8 +6,10 @@ set -o errexit
set -o nounset
set -o pipefail


export CA_BUNDLE=$(kubectl config view --raw --flatten -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"')
if [[ -z "${CA_BUNDLE}" ]]; then
echo "CA_BUNDLE not set"
exit 1
fi

if command -v envsubst >/dev/null 2>&1; then
envsubst
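Review bot: With `set -o nounset` in force a few lines above, `[[ -z "${CA_BUNDLE}" ]]` aborts with an `unbound variable` error before the friendly `CA_BUNDLE not set` message is printed when the variable is missing, which is exactly the case the new check exists for; use `[[ -z "${CA_BUNDLE:-}" ]]`. If the kubeconfig-derived `export CA_BUNDLE=...` line is the one being removed, the script now depends entirely on the caller exporting the value, so the error message should name the two scripts whose `Encoded CA:` output it expects.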