diff --git a/charts/certsigner/README.md b/charts/certsigner/README.md
new file mode 100644
index 0000000..35a6f6e
--- /dev/null
+++ b/charts/certsigner/README.md
@@ -0,0 +1,211 @@ +# Project Userspace + +## One provisioner to rule them all + +### Quickstart + +1. Start Docker +2. Run createprojectspace.sh + +```bash +./createprojectspace.sh +``` + +### Update a user + +```bash +export USER=user +helm template $USER ./namespace | kubectl --context admin apply -f - +``` + +### Objectives + +1. Provision a namespace with clusterroles, rolebindings, and a dedicated nfs-provisioner with one helm chart +2. Create an easy way for users to sign their certificates +3. Create a cleanup script without deleting user data +4. profit + +### Userspace + +#### Namespace + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Name }} +``` + +#### Roles + +```yaml +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: namespace-manager + namespace: {{ .Release.Name }} +rules: +- apiGroups: + - "" + - extensions + - apps + - batch + - autoscaling + - networking.k8s.io + - traefik.containo.us + - rbac.authorization.k8s.io + - metrics.k8s.io + resources: + - deployments + - replicasets + - pods + - pods/exec + - pods/log + - pods/attach + - daemonsets + - statefulsets + - replicationcontrollers + - horizontalpodautoscalers + - services + - ingresses + - persistentvolumeclaims + - jobs + - cronjobs + - secrets + - configmaps + - serviceaccounts + - rolebindings + - ingressroutes + - middlewares + - endpoints + verbs: + - "*" +- apiGroups: + - "" + - metrics.k8s.io + - rbac.authorization.k8s.io + resources: + - resourcequotas + - roles + verbs: + - list +``` + +#### Rolebinding + +```yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + namespace: {{ .Release.Name }} + name: namespace-manager +subjects: +- kind: User + name: {{ .Release.Name }} + apiGroup: "" +roleRef: + kind: ClusterRole + name: namespace-manager + apiGroup: "" +``` + +### Create a kubernetes certsigner pod + +This keeps the client-ca crt and key secret and allows the cert to be signed and stored on the pod 
+ +#### Create the certsigner secret + +```bash +kubectl -n kube-system create secret generic certsigner --from-file /var/lib/rancher/k3s/server/tls/client-ca.crt --from-file /var/lib/rancher/k3s/server/tls/client-ca.key +``` + +#### Set up the certsigner pod + +```bash +kubectl --context admin apply -f certsigner +``` + +#### Generate a cert + +```bash +export USER= +docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048 +docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user" +``` + +#### Create a new Userspace + +```bash +helm template $USER ./namespace | kubectl --context admin apply -f - +``` + +#### Sign the cert + +```bash +export USER= +kubectl --context admin cp $(pwd)/users/$USER/$USER.csr certsigner:/certs/$USER.csr +kubectl --context admin exec -it --context admin certsigner -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -CAcreateserial -out /certs/$USER.crt -days 5000 +kubectl --context admin cp certsigner:/certs/$USER.crt $(pwd)/users/$USER/$USER.crt +``` + +#### Add to the config + +```bash +kubectl config set-credentials $USER --client-certificate=$USER.crt --client-key=$USER.key +kubectl config set-context $USER --cluster=mainframe --namespace=$USER --user=$USER +``` + +#### Delete + +```bash +kubectl config delete-context $USER +helm template $USER ./namespace | kubectl --context admin delete -f - +``` + +### Signing a user cert - detailed notes + +NOTE: ca.crt and ca.key are in /var/lib/rancher/k3s/server/tls/client-ca.* + +```bash +# First we create the credentials +# /CN= - the user +# /O= - the group + +# Navigate to the user directory +export USER= +cd $USER + +# Generate a private key +openssl genrsa -out $USER.key 2048 +# Check the key +# openssl pkey -in ca.key -noout -text +# Generate and send me the CSR +# The "user" group is my default group +openssl req -new 
-key $USER.key -out $USER.csr -subj "/CN=$USER/O=user" + +# Check the CSR +# openssl req -in $USER.csr -noout -text +# If satisfactory, sign the CSR +# Copy from /var/lib/rancher/k3s/server/tls/client-ca.crt and client-ca.key +openssl x509 -req -in $USER.csr -CA ../client-ca.crt -CAkey ../client-ca.key -CAcreateserial -out $USER.crt -days 5000 +# Review the certificate +# openssl x509 -in $USER.crt -text -noout + +# Send back the crt +# cp $USER.crt $USER.key ../server-ca.crt ~/.kube/ +kubectl config set-credentials $USER --client-certificate=$USER.crt --client-key=$USER.key +kubectl config set-context $USER --cluster=mainframe --namespace=$USER --user=$USER + +# Now we create the namespace, rolebindings, and resource quotas +# kubectl apply -f k8s/ + +# Add the cluster +# CA file can be found at https://3.14.3.100:6443/cacerts +- cluster: + certificate-authority: server-ca.crt + server: https://3.14.3.100:6443 + name: mainframe + +# Test if everything worked +kubectl --context=$USER-context get pods +``` diff --git a/charts/certsigner/app-readme.md b/charts/certsigner/app-readme.md new file mode 100644 index 0000000..6dc02bb --- /dev/null +++ b/charts/certsigner/app-readme.md @@ -0,0 +1,3 @@ +# Certsigner + +Signs your certs. What more could you want? diff --git a/charts/certsigner/item.yaml b/charts/certsigner/item.yaml new file mode 100644 index 0000000..8e9feaf --- /dev/null +++ b/charts/certsigner/item.yaml @@ -0,0 +1,3 @@ +categories: + - generic +icon_url: "http://ix_url" diff --git a/charts/certsigner/questions.yaml b/charts/certsigner/questions.yaml new file mode 100644 index 0000000..006c0f9 --- /dev/null +++ b/charts/certsigner/questions.yaml 
@@ -0,0 +1,36 @@ +groups: + - name: "Container Images" + description: "Image to be used for container" +questions: + - variable: image + description: "Docker Image Details" + group: "Container Images" + schema: + type: dict + required: true + attrs: + - variable: repository + description: "Docker image repository" + label: "Image repository" + schema: + type: string + required: true + - variable: tag + description: "Tag to use for specified image" + label: "Image Tag" + schema: + type: string + default: "latest" + - variable: pullPolicy + description: "Docker Image Pull Policy" + label: "Image Pull Policy" + schema: + type: string + default: "IfNotPresent" + enum: + - value: "IfNotPresent" + description: "Only pull image if not present on host" + - value: "Always" + description: "Always pull image even if present on host" + - value: "Never" + description: "Never pull image even if it's not present on host" diff --git a/charts/namespace/README.md b/charts/namespace/README.md new file mode 100644 index 0000000..35a6f6e --- /dev/null +++ b/charts/namespace/README.md 
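Review bot: The `tag` question (`- variable: tag`) defaults to `"latest"` with no `required` flag, so a fresh install pulls a mutable tag, and combined with the `"IfNotPresent"` default of the `pullPolicy` question a node that already cached a `latest` layer keeps running whatever it pulled earlier, leaving two clusters on different images with no record of which. Since the sibling README in this commit describes the certsigner pod as the place where the client-CA certificate and key live, an unpinned image for that workload is a supply-chain exposure worth closing in the chart defaults. Consider `default: "<PINNED_TAG>"` (a released version, ideally alongside a digest-qualified `repository`) or at least `required: true` on the tag's schema so the installer must choose explicitly. The same block appears verbatim in charts/namespace/questions.yaml in this commit and should get the same change.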
@@ -0,0 +1,211 @@ +# Project Userspace + +## One provisioner to rule them all + +### Quickstart + +1. Start Docker +2. Run createprojectspace.sh + +```bash +./createprojectspace.sh +``` + +### Update a user + +```bash +export USER=user +helm template $USER ./namespace | kubectl --context admin apply -f - +``` + +### Objectives + +1. Provision a namespace with clusterroles, rolebindings, and a dedicated nfs-provisioner with one helm chart +2. Create an easy way for users to sign their certificates +3. Create a cleanup script without deleting user data +4. profit + +### Userspace + +#### Namespace + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Release.Name }} +``` + +#### Roles + +```yaml +kind: Role +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: namespace-manager + namespace: {{ .Release.Name }} +rules: +- apiGroups: + - "" + - extensions + - apps + - batch + - autoscaling + - networking.k8s.io + - traefik.containo.us + - rbac.authorization.k8s.io + - metrics.k8s.io + resources: + - deployments + - replicasets + - pods + - pods/exec + - pods/log + - pods/attach + - daemonsets + - statefulsets + - replicationcontrollers + - horizontalpodautoscalers + - services + - ingresses + - persistentvolumeclaims + - jobs + - cronjobs + - secrets + - configmaps + - serviceaccounts + - rolebindings + - ingressroutes + - middlewares + - endpoints + verbs: + - "*" +- apiGroups: + - "" + - metrics.k8s.io + - rbac.authorization.k8s.io + resources: + - resourcequotas + - roles + verbs: + - list +``` + +#### Rolebinding + +```yaml +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + namespace: {{ .Release.Name }} + name: namespace-manager +subjects: +- kind: User + name: {{ .Release.Name }} + apiGroup: "" +roleRef: + kind: ClusterRole + name: namespace-manager + apiGroup: "" +``` + +### Create a kubernetes certsigner pod + +This keeps the client-ca crt and key secret and allows the cert to be signed and stored on the pod 
+ +#### Create the certsigner secret + +```bash +kubectl -n kube-system create secret generic certsigner --from-file /var/lib/rancher/k3s/server/tls/client-ca.crt --from-file /var/lib/rancher/k3s/server/tls/client-ca.key +``` + +#### Set up the certsigner pod + +```bash +kubectl --context admin apply -f certsigner +``` + +#### Generate a cert + +```bash +export USER= +docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl genrsa -out /$USER/$USER.key 2048 +docker run -it -v $(pwd)/users/$USER:/$USER python:latest openssl req -new -key /$USER/$USER.key -out /$USER/$USER.csr -subj "/CN=$USER/O=user" +``` + +#### Create a new Userspace + +```bash +helm template $USER ./namespace | kubectl --context admin apply -f - +``` + +#### Sign the cert + +```bash +export USER= +kubectl --context admin cp $(pwd)/users/$USER/$USER.csr certsigner:/certs/$USER.csr +kubectl --context admin exec -it --context admin certsigner -- openssl x509 -in /certs/$USER.csr -req -CA /keys/client-ca.crt -CAkey /keys/client-ca.key -CAcreateserial -out /certs/$USER.crt -days 5000 +kubectl --context admin cp certsigner:/certs/$USER.crt $(pwd)/users/$USER/$USER.crt +``` + +#### Add to the config + +```bash +kubectl config set-credentials $USER --client-certificate=$USER.crt --client-key=$USER.key +kubectl config set-context $USER --cluster=mainframe --namespace=$USER --user=$USER +``` + +#### Delete + +```bash +kubectl config delete-context $USER +helm template $USER ./namespace | kubectl --context admin delete -f - +``` + +### Signing a user cert - detailed notes + +NOTE: ca.crt and ca.key are in /var/lib/rancher/k3s/server/tls/client-ca.* + +```bash +# First we create the credentials +# /CN= - the user +# /O= - the group + +# Navigate to the user directory +export USER= +cd $USER + +# Generate a private key +openssl genrsa -out $USER.key 2048 +# Check the key +# openssl pkey -in ca.key -noout -text +# Generate and send me the CSR +# The "user" group is my default group +openssl req -new 
-key $USER.key -out $USER.csr -subj "/CN=$USER/O=user" + +# Check the CSR +# openssl req -in $USER.csr -noout -text +# If satisfactory, sign the CSR +# Copy from /var/lib/rancher/k3s/server/tls/client-ca.crt and client-ca.key +openssl x509 -req -in $USER.csr -CA ../client-ca.crt -CAkey ../client-ca.key -CAcreateserial -out $USER.crt -days 5000 +# Review the certificate +# openssl x509 -in $USER.crt -text -noout + +# Send back the crt +# cp $USER.crt $USER.key ../server-ca.crt ~/.kube/ +kubectl config set-credentials $USER --client-certificate=$USER.crt --client-key=$USER.key +kubectl config set-context $USER --cluster=mainframe --namespace=$USER --user=$USER + +# Now we create the namespace, rolebindings, and resource quotas +# kubectl apply -f k8s/ + +# Add the cluster +# CA file can be found at https://3.14.3.100:6443/cacerts +- cluster: + certificate-authority: server-ca.crt + server: https://3.14.3.100:6443 + name: mainframe + +# Test if everything worked +kubectl --context=$USER-context get pods +``` diff --git a/charts/namespace/app-readme.md b/charts/namespace/app-readme.md new file mode 100644 index 0000000..c259925 --- /dev/null +++ b/charts/namespace/app-readme.md @@ -0,0 +1,3 @@ +# Namespace + +Makes a namespace. Good Stuff. diff --git a/charts/namespace/item.yaml b/charts/namespace/item.yaml new file mode 100644 index 0000000..8e9feaf --- /dev/null +++ b/charts/namespace/item.yaml @@ -0,0 +1,3 @@ +categories: + - generic +icon_url: "http://ix_url" diff --git a/charts/namespace/questions.yaml b/charts/namespace/questions.yaml new file mode 100644 index 0000000..006c0f9 --- /dev/null +++ b/charts/namespace/questions.yaml 
@@ -0,0 +1,36 @@ +groups: + - name: "Container Images" + description: "Image to be used for container" +questions: + - variable: image + description: "Docker Image Details" + group: "Container Images" + schema: + type: dict + required: true + attrs: + - variable: repository + description: "Docker image repository" + label: "Image repository" + schema: + type: string + required: true + - variable: tag + description: "Tag to use for specified image" + label: "Image Tag" + schema: + type: string + default: "latest" + - variable: pullPolicy + description: "Docker Image Pull Policy" + label: "Image Pull Policy" + schema: + type: string + default: "IfNotPresent" + enum: + - value: "IfNotPresent" + description: "Only pull image if not present on host" + - value: "Always" + description: "Always pull image even if present on host" + - value: "Never" + description: "Never pull image even if it's not present on host"