diff --git a/README.md b/README.md index cd0f184..aa4a34e 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,6 @@ # Securely access AWS Services from GKE cluster -> :attention: GKE Autopilot deployment is not supported due to the [limitations](https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview#webhooks_limitations) - Ever wanted to access AWS services from Google Kubernetes cluster (GKE) without using AWS IAM credentials? This solution can help you to get and exchange Google OIDC token for temporary AWS IAM security credentials are generated by AWS STS service. This approach allows you to access AWS services form a GKE cluster without pre-generated long-living AWS credentials. @@ -89,6 +87,19 @@ certificatesigningrequest.certificates.k8s.io/gtoken-webhook-svc.default approve secret/gtoken-webhook-certs configured ``` +**Note** Gor GKE Autopilot, run the [webhook-create-self-signed-cert.sh](https://github.com/doitintl/gtoken/blob/master/deployment/webhook-create-self-signed-cert.sh) script to generate a self-signed certificate. + +Export CA Bundle as environment variable: + +```sh +export CA_BUNDLE=[output value of the previous script "Encoded CA:"] +``` + +Then, we’ll create the webhook service and deployment: + +```yaml +``` + Create Kubernetes Service Account to be used with `gtoken-webhook`: ```sh diff --git a/deployment/deployment.yaml b/deployment/deployment.yaml index 10b95e8..a51f36d 100644 --- a/deployment/deployment.yaml +++ b/deployment/deployment.yaml @@ -18,6 +18,10 @@ spec: - name: gtoken-webhook image: doitintl/gtoken-webhook imagePullPolicy: Always + resources: + requests: + cpu: 250m + memory: 512Mi args: - --log-level=debug - server diff --git a/deployment/webhook-create-self-signed-cert.sh b/deployment/webhook-create-self-signed-cert.sh new file mode 100755 index 0000000..f2750e8 --- /dev/null +++ b/deployment/webhook-create-self-signed-cert.sh @@ -0,0 +1,98 @@ +#!/bin/bash + +set -e + +usage() { + cat <> ${tmpdir}/csr.conf +[req] +req_extensions = v3_req +distinguished_name = req_distinguished_name +[req_distinguished_name] +[ v3_req ] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names +[alt_names] +DNS.1 = ${service} +DNS.2 = ${service}.${namespace} +DNS.3 = ${service}.${namespace}.svc +EOF + +# create CA and Server key/certificate +openssl genrsa -out ${tmpdir}/ca.key 2048 +openssl req -x509 -newkey rsa:2048 -key ${tmpdir}/ca.key -out ${tmpdir}/ca.crt -days 1825 -nodes -subj "/CN=${service}.${namespace}.svc" + +# create server key/certificate +openssl genrsa -out ${tmpdir}/server.key 2048 +openssl req -new -key ${tmpdir}/server.key -subj "/CN=${service}.${namespace}.svc" -out ${tmpdir}/server.csr -config ${tmpdir}/csr.conf + +# Self sign +openssl x509 -extensions v3_req -req -days 1825 -in ${tmpdir}/server.csr -CA ${tmpdir}/ca.crt -CAkey ${tmpdir}/ca.key -CAcreateserial -out ${tmpdir}/server.crt -extfile ${tmpdir}/csr.conf + +# create the secret with CA cert and server cert/key +kubectl create secret generic ${secret} \ + --from-file=key.pem=${tmpdir}/server.key \ + --from-file=cert.pem=${tmpdir}/server.crt \ + --dry-run=client -o yaml | + kubectl -n ${namespace} apply -f - + +# -a means base64 encode +caBundle=$(cat ${tmpdir}/ca.crt | openssl enc -a -A) + +echo "Encoded CA:" +echo -e "${caBundle} \n" \ No newline at end of file diff --git a/deployment/webhook-create-signed-cert.sh b/deployment/webhook-create-signed-cert.sh index c23ddbe..f3e2bad 100755 --- a/deployment/webhook-create-signed-cert.sh +++ b/deployment/webhook-create-signed-cert.sh @@ -129,3 +129,8 @@ kubectl create secret generic ${secret} \ --from-file=cert.pem=${tmpdir}/server-cert.pem \ --dry-run=client -o yaml | kubectl -n ${namespace} apply -f - + +# get CA bundle for use by webhook bootstrap +caBundle=$(kubectl config view --raw --flatten -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"') +echo "Encoded CA:" +echo -e "${caBundle} \n" \ No newline at end of file diff --git a/deployment/webhook-patch-ca-bundle.sh b/deployment/webhook-patch-ca-bundle.sh index 1749274..4c96499 100755 --- a/deployment/webhook-patch-ca-bundle.sh +++ b/deployment/webhook-patch-ca-bundle.sh @@ -6,8 +6,10 @@ set -o errexit set -o nounset set -o pipefail - -export CA_BUNDLE=$(kubectl config view --raw --flatten -o json | jq -r '.clusters[] | select(.name == "'$(kubectl config current-context)'") | .cluster."certificate-authority-data"') +if [[ -z "${CA_BUNDLE}" ]]; then + echo "CA_BUNDLE not set" + exit 1 +fi if command -v envsubst >/dev/null 2>&1; then envsubst