This repository has been archived by the owner on Dec 14, 2023. It is now read-only.
Commit 2f863cd (1 parent: 89887bb)
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 22 changed files with 549 additions and 70 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,3 @@ | ||
_dev-env | ||
irsa-operator | ||
|
||
# Binaries for programs and plugins | ||
|
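Review bot: Dropping `_dev-env` from the ignore list puts the whole dev-env tree under version control, so the only thing keeping the generated cluster PKI out of git is the nested `k8s-pki` ignore added elsewhere in this commit. That nested ignore has to be present in a checkout before `make start_kind` is ever run, because kind writes the cluster CA keys and `sa.key` into that directory; a short comment here pointing at the nested file would make the dependency visible.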
@@ -0,0 +1,2 @@ | ||
k8s-pki | ||
webhook |
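Review bot: Ignoring `webhook` wholesale contradicts the README added in this commit, which tells the reader to `cd ./webhook` and run `./deploy.sh`: a fresh clone will have no such script. If only build output or generated manifests inside that directory should stay out of git, narrow the pattern to those files. `k8s-pki` is correctly ignored, since kind populates it with the cluster CA and service-account private keys.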
@@ -0,0 +1,25 @@ | ||
start_kind: | ||
sudo rm -rf ./k8s-pki | ||
mkdir ./k8s-pki | ||
kind create cluster --config ./kind-config.yml | ||
sudo chmod 644 ./k8s-pki/sa.* | ||
|
||
start_docker_compose: | ||
USER_ID=$(shell id -u) GROUP_ID=$(shell id -g) docker-compose up -d | ||
|
||
register_oidc: | ||
AWS_ACCESS_KEY_ID=test AWS_SECRET_ACCESS_KEY=test AWS_REGION=us-east-1 aws --endpoint-url=http://localhost:4566 iam create-open-id-connect-provider --url https://hydra.local:4444 --client-id-list sts.amazonaws.com --thumbprint-list $(shell ./get-hydra-thumbprint.sh) | ||
|
||
check: | ||
AWS_ACCESS_KEY_ID=test AWS_SECRET_ACCESS_KEY=test AWS_REGION=us-east-1 PAGER= aws --no-cli-pager --endpoint-url=http://localhost:4566 iam list-open-id-connect-providers | ||
|
||
wait_for_localstack: | ||
./wait-for-localstack.sh | ||
echo "localstack ready" | ||
|
||
start: start_kind start_docker_compose wait_for_localstack register_oidc | ||
|
||
tear_down: | ||
kind delete clusters irsa-operator | ||
USER_ID=$(shell id -u) GROUP_ID=$(shell id -g) docker-compose down | ||
sudo rm -rf ./k8s-pki |
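Review bot: `sudo chmod 644 ./k8s-pki/sa.*` in `start_kind` makes `sa.key`, the private key the API server signs every service-account token with, readable by every local user. It is only needed so the `hydra-add-keys` container, which runs as `${USER_ID}:${GROUP_ID}`, can read the file, so `sudo chown $(shell id -u):$(shell id -g) ./k8s-pki/sa.*` (keeping mode 600/644 per file) is sufficient. Separately, `start` runs `register_oidc` straight after `wait_for_localstack`, but nothing waits for hydra, and `get-hydra-thumbprint.sh` suppresses its own errors, so an early run passes an empty `--thumbprint-list` to `create-open-id-connect-provider`; polling `https://localhost:4444/.well-known/openid-configuration` before `register_oidc` would close that race.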
@@ -0,0 +1,130 @@ | ||
# dev env | ||
|
||
## caveats | ||
- localstack (community edition) doesn't enforce IAM | ||
- k8s version compatibility issue with | ||
|
||
## clean up | ||
``` | ||
sudo rm -rf ./k8s-pki | ||
mkdir ./k8s-pki | ||
``` | ||
|
||
## start the k8s cluster | ||
|
||
``` | ||
kind create cluster --config ./kind-config.yml | ||
sudo chmod 644 ./k8s-pki/sa.* | ||
``` | ||
|
||
- it will create the kubernetes cluster, the `kind` docker network we'll join later, populate the `./k8s-pki/` folder with all the kubernetes pki keys. | ||
- `kubectl get nodes` should return a `Ready` node. | ||
|
||
|
||
## start the other services | ||
|
||
we'll start 3 other services : | ||
- aws localstack to fake aws | ||
- hydra to have an oidc provider | ||
- a local container registry (accessible from the outside at `localhost:5000`, from inside the `kind` network at `local-registry:5000`) | ||
|
||
``` | ||
docker-compose up -d | ||
``` | ||
|
||
2 short-lived containers will : | ||
- setup hydra's sqlite | ||
- load the serviceaccount `sa` keys in hydra | ||
|
||
### check | ||
|
||
a `docker ps` should only return only 3 containers : `hydra`, `aws-localstack` & `kind` | ||
|
||
if you see one of the 2 other ones restarting, they have a problem, check their logs : | ||
- `hydra-db-migrate` logs should print `Successfully applied migrations!` | ||
- `hydra-add-keys` logs should print `JSON Web Key Set successfully imported!` | ||
|
||
``` | ||
curl https://localhost:4444/.well-known/openid-configuration -k | ||
curl https://localhost:4444/.well-known/jwks.json -k | ||
``` | ||
|
||
should return no error | ||
|
||
## register the oidc provider on aws | ||
|
||
register hydra as an oidc provider | ||
|
||
``` | ||
export AWS_ACCESS_KEY_ID=test | ||
export AWS_SECRET_ACCESS_KEY=test | ||
export AWS_REGION=us-east-1 | ||
aws --endpoint-url=http://localhost:4566 iam create-open-id-connect-provider --url https://hydra.local:4444 --client-id-list sts.amazonaws.com --thumbprint-list $(./get-hydra-thumbprint.sh) | ||
``` | ||
|
||
NB : with set the client-id used by AWS to a value provided to the api-server (see ./kind-config.yml) | ||
|
||
### check | ||
``` | ||
aws --endpoint-url=http://localhost:4566 iam list-open-id-connect-providers | ||
``` | ||
should return | ||
|
||
``` | ||
{ | ||
"OpenIDConnectProviderList": [ | ||
{ | ||
"Arn": "arn:aws:iam::000000000000:oidc-provider/hydra.local:4444" | ||
} | ||
] | ||
} | ||
``` | ||
|
||
you can also get details using | ||
``` | ||
aws --endpoint-url=http://localhost:4566 iam get-open-id-connect-provider --open-id-connect-provider-arn arn:aws:iam::000000000000:oidc-provider/hydra.local:4444 | ||
``` | ||
|
||
## aws setup | ||
create : s3 bucket, upload this README, full-access to s3 bucket policy, role with the oidc provider, attach policy to role | ||
|
||
``` | ||
aws --endpoint-url=http://localhost:4566 s3api create-bucket --bucket irsa-test | ||
aws --endpoint-url=http://localhost:4566 s3 cp ./README.md s3://irsa-test | ||
aws --endpoint-url=http://localhost:4566 iam create-policy --policy-name my-test-policy --policy-document file://./test/policy.json | ||
aws --endpoint-url=http://localhost:4566 iam create-role --role-name my-app-role --assume-role-policy-document file://./test/trust-role.json | ||
aws --endpoint-url=http://localhost:4566 iam attach-role-policy --role-name my-app-role --policy-arn arn:aws:iam::000000000000:policy/my-test-policy | ||
``` | ||
|
||
## setup the webhook | ||
|
||
``` | ||
cd ./webhook | ||
./deploy.sh | ||
cd .. | ||
``` | ||
|
||
## deploy irsa-tester | ||
``` | ||
kubectl create -f ./test/irsa-tester.yml | ||
``` | ||
|
||
### check | ||
``` | ||
k exec irsa-tester -- env | grep AWS | ||
``` | ||
|
||
should return | ||
``` | ||
AWS_ROLE_ARN=arn:aws:iam::000000000000:role/my-app-role | ||
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token | ||
``` | ||
|
||
|
||
## resources | ||
|
||
https://blog.mikesir87.io/2020/09/eks-pod-identity-webhook-deep-dive/ | ||
|
||
https://www.eksworkshop.com/beginner/110_irsa/ | ||
|
||
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html |
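Review bot: The second caveat, `k8s version compatibility issue with`, is cut off and should name the component and versions affected (the kind node image is pinned to v1.20.7 in this commit). Several details also disagree with the compose file in the same commit: `docker ps` will show four long-running containers, not three, because `local-registry` is defined as well, and the one-shot services are named `hydra-migrate-db` and `hydra-add-keys`, not `hydra-db-migrate`. Minor: `NB : with set the client-id used by AWS` should read `NB: we set the client-id used by AWS`, and the last check uses a `k` alias while the rest of the file uses `kubectl`.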
@@ -0,0 +1,88 @@ | ||
version: '3.7' | ||
|
||
services: | ||
local-registry: | ||
image: registry:2 | ||
ports: | ||
- "5000:5000" | ||
restart: unless-stopped | ||
|
||
# AWS | ||
aws-local: | ||
image: localstack/localstack:0.12.12 | ||
ports: | ||
- "4566:4566" | ||
environment: | ||
- SERVICES=iam,s3,sts | ||
- DEBUG=1 | ||
|
||
# OIDC | ||
hydra.local: | ||
image: oryd/hydra:v1.9.0-alpha.3-sqlite | ||
ports: | ||
- "4444:4444" # Public port | ||
- "4445:4445" # Admin port | ||
- "5555:5555" # Port for hydra token user | ||
environment: | ||
- DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true | ||
- SERVE_TLS_KEY_PATH=/etc/config/certs/hydra.local.key | ||
- SERVE_TLS_CERT_PATH=/etc/config/certs/hydra.local.crt | ||
user: "${USER_ID}:${GROUP_ID}" | ||
command: | ||
serve -c /etc/config/hydra.yml all | ||
volumes: | ||
- type: volume | ||
source: hydra-sqlite | ||
target: /var/lib/sqlite | ||
read_only: false | ||
- type: bind | ||
source: ./oidc-provider/hydra.yml | ||
target: /etc/config/hydra.yml | ||
- type: bind | ||
source: ./oidc-provider/tls | ||
target: /etc/config/certs | ||
restart: unless-stopped | ||
depends_on: | ||
- hydra-migrate-db | ||
|
||
hydra-migrate-db: | ||
image: oryd/hydra:v1.9.0-alpha.3-sqlite | ||
environment: | ||
- DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true | ||
user: "${USER_ID}:${GROUP_ID}" | ||
command: | ||
migrate -c /etc/config/hydra.yml sql -e --yes | ||
volumes: | ||
- type: volume | ||
source: hydra-sqlite | ||
target: /var/lib/sqlite | ||
read_only: false | ||
- type: bind | ||
source: ./oidc-provider/hydra.yml | ||
target: /etc/config/hydra.yml | ||
restart: on-failure | ||
|
||
hydra-add-keys: | ||
image: oryd/hydra:v1.9.0-alpha.3-sqlite | ||
environment: | ||
- DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true | ||
- HYDRA_ADMIN_URL=https://hydra.local:4445 | ||
user: "${USER_ID}:${GROUP_ID}" | ||
command: | ||
keys import my-set /etc/pki/sa.key /etc/pki/sa.pub --skip-tls-verify | ||
volumes: | ||
- type: bind | ||
source: ./k8s-pki | ||
target: /etc/pki | ||
restart: on-failure | ||
depends_on: | ||
- hydra.local | ||
|
||
|
||
volumes: | ||
hydra-sqlite: | ||
|
||
networks: | ||
default: | ||
external: | ||
name: kind |
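Review bot: `hydra-add-keys` imports `/etc/pki/sa.key` together with `sa.pub`, so the cluster's token-signing private key gets copied into the `hydra-sqlite` volume; hydra only needs the public half to publish the JWKS that the webhook and STS verify tokens against, so importing `sa.pub` alone keeps the private key in one place. Because `depends_on` only orders container start and the migration and key import are one-shot containers on `restart: on-failure`, the "restarting" behaviour the README tells users to check for is expected rather than exceptional; a `healthcheck` on `hydra.local` would let the import wait for readiness instead of retrying. `DEBUG=1` on localstack and `--skip-tls-verify` are fine for a local stack but deserve a comment so they are not copied into anything else.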
@@ -0,0 +1 @@ | ||
openssl s_client -connect localhost:4444 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin | sed 's/.*=\|://g' |
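Review bot: The script has no shebang and hides every failure: if hydra is not up yet, `openssl s_client` fails silently under `2>/dev/null`, `openssl x509` gets no input, and the pipeline still exits 0 with an empty string, which the Makefile then passes straight to `--thumbprint-list`. Add `#!/bin/sh` and `set -eu`, and check that the output is a 40-hex-digit string before printing it. `sed 's/.*=\|://g'` also relies on GNU sed's `\|` alternation and silently does nothing on BSD/macOS sed; `cut -d= -f2 | tr -d ':'` is portable. Leaving the digest implicit is correct (the `-fingerprint` default is SHA-1, which is what AWS expects for OIDC provider thumbprints, and the cert being self-signed makes the leaf the root of its own chain), but a comment saying so would help the next reader.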
@@ -0,0 +1,24 @@ | ||
kind: Cluster | ||
apiVersion: kind.x-k8s.io/v1alpha4 | ||
name: irsa-operator | ||
kubeadmConfigPatches: | ||
- | | ||
kind: ClusterConfiguration | ||
apiServer: | ||
extraArgs: | ||
service-account-issuer: "https://hydra.local:4444" | ||
service-account-key-file: "/etc/kubernetes/pki/sa.pub" | ||
service-account-signing-key-file: "/etc/kubernetes/pki/sa.key" | ||
api-audiences: "sts.amazonaws.com" | ||
containerdConfigPatches: | ||
- |- | ||
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"] | ||
endpoint = ["http://local-registry:5000"] | ||
nodes: | ||
- role: control-plane | ||
image: kindest/node:v1.20.7 | ||
extraMounts: | ||
- hostPath: ./k8s-pki/ | ||
containerPath: /etc/kubernetes/pki |
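Review bot: Mounting `./k8s-pki/` over `/etc/kubernetes/pki` exports far more than the two `sa.*` files the dev env needs: kubeadm also writes the cluster CA, front-proxy CA and etcd CA private keys there, root-owned on the host (which is why the Makefile needs `sudo`). If only the service-account keypair is required by the other containers, pre-generate `sa.key` and `sa.pub` and mount just those two files, which kubeadm reuses when present. The `service-account-issuer` and `api-audiences` values match hydra's `urls.self.issuer` and the `--client-id-list` in the Makefile exactly, as they must, since `iss` and `aud` are compared as exact strings.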
@@ -0,0 +1,25 @@ | ||
serve: | ||
cookies: | ||
same_site_mode: Lax | ||
|
||
urls: | ||
self: | ||
issuer: https://hydra.local:4444 | ||
|
||
secrets: | ||
system: | ||
- youReallyNeedToChangeThis | ||
|
||
oidc: | ||
subject_identifiers: | ||
supported_types: | ||
- pairwise | ||
- public | ||
pairwise: | ||
salt: youReallyNeedToChangeThis | ||
|
||
webfinger: | ||
oidc_discovery: | ||
supported_claims: | ||
- sub | ||
- iss |
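Review bot: `secrets.system` and `oidc.subject_identifiers.pairwise.salt` are set to the Ory documentation placeholder `youReallyNeedToChangeThis`; acceptable for a throwaway local stack, but a comment stating that this file must never be reused outside `_dev-env` would prevent a copy-paste into a real deployment. More relevant to this setup: hydra's `/.well-known/jwks.json` only broadcasts the `hydra.openid.id-token` set by default, so the `my-set` keys imported by `hydra-add-keys` will not appear there unless `webfinger.jwks.broadcast_keys` lists `my-set` as well; the README's `curl .../jwks.json` check should confirm the imported key id is present.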
@@ -0,0 +1,14 @@ | ||
key & cert used for ory tls (mandatory to be added as an oidc provider on aws) | ||
|
||
|
||
``` | ||
openssl genrsa -out hydra.local.key 4096 | ||
openssl req -new -key hydra.local -out hydra.local.csr | ||
openssl req -new -x509 -sha256 -key key.pem -out cert.crt -days 365 -subj "/CN=hydra" | ||
``` | ||
|
||
(old school, should use SAN instead [https://geekflare.com/san-ssl-certificate/](https://geekflare.com/san-ssl-certificate/) ) | ||
|
||
## todo | ||
CN should include port ? (`4444`) |
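Review bot: The three openssl commands do not reproduce the committed files: the second passes `-key hydra.local` (the key file is `hydra.local.key`) and produces a CSR the third never consumes, and the third reads `key.pem`, writes `cert.crt` and sets `CN=hydra`, while docker-compose mounts `hydra.local.key`/`hydra.local.crt` and the committed certificate's subject is `CN=hydra.local`. A single `openssl req -x509 -newkey rsa:4096 -nodes -keyout hydra.local.key -out hydra.local.crt -days 365 -subj /CN=hydra.local -addext subjectAltName=DNS:hydra.local` (OpenSSL 1.1.1 or later) produces both files and also settles the SAN remark. On the todo: neither CN nor SAN ever carries a port; `:4444` belongs only in the issuer URL, and the provider ARN `.../oidc-provider/hydra.local:4444` in the main README already shows AWS keeping host and port together there, not in the certificate.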
@@ -0,0 +1,31 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIFPTCCAyUCFGapjFo1S6WfW2F+Ldv8EZlXj64SMA0GCSqGSIb3DQEBCwUAMFsx | ||
CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl | ||
cm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMMC2h5ZHJhLmxvY2FsMB4XDTIw | ||
MTIyMzIwMjEzMFoXDTIxMTIyMzIwMjEzMFowWzELMAkGA1UEBhMCQVUxEzARBgNV | ||
BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0 | ||
ZDEUMBIGA1UEAwwLaHlkcmEubG9jYWwwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw | ||
ggIKAoICAQDD1xNXxGDUhO03+hHm3XKcu5WldW5LWUw75z/0qzXrjPUfDSyieCi6 | ||
9YcU5jstWU9zApvIU0pw75MZgdoh+KRELfrprnAJIkNtnAN2AHUVqplTE9uyvkGc | ||
trMVHzZe6GZJdosSKFZvwzEhbBek1JLHFB+1FCydVhxzagK3SK1YzW9ZoMP3e58f | ||
Bbg6UvKFgJe+h17jbarbLCvxj5+HdPV6QI4+pJSZYU3jPlxhTGG4c9p39BMv24SD | ||
9Kkx0GM/4gW+pM+GZgYpDyr3nJi8wV8/Cv3kBy8hRwpKy0vqoa2kZ669PoUKO0Mc | ||
mLFMCvvMPkuL3/40/Qo3BUmRx0exqC/C/bKg3uhZ8Zm5q2gO5SAjeWrO5xJfdd6w | ||
E/pAjdTQ8Syqp3DKbY7Roz9VQOKtoLJdcVaozUOQ5ET0ESOZVVgSeP6MzCb52RQk | ||
h/JAtSFnd1xopjquVGJUm9K9FGiyufI2Uv7e18Yeq74Yh/HEI1pWVmtO/niEmwui | ||
HODElQV5aRCX0BRLcYegFlFlnFp5ti+wxH7KgGalVvykc68fXO1NKf2qWw5G/mJ2 | ||
mKWm5pOpPLLYjhowHc9nDOQaehhNVlA3ZRaYRJwmPPpAVkjwr8pCnkvI28Im5ZQX | ||
wGBAB4sbelIUyDn5/Jd72ZsGT5QGuaTLT07pBtVzmCSKkk3rqOla0wIDAQABMA0G | ||
CSqGSIb3DQEBCwUAA4ICAQC2v9hbOvrU4yj5lXrpcZIyWDHOg1jjMuolVIWLnWkp | ||
io2FwuAAAzu87WDLaS4xHHveWFI5KgAK3MPJvewPZqhxOdp8MlcGKQTpc2OlXbcQ | ||
dMUHw1rqJaip4nr6uBy3qp1rJz+luPCqAcC50AUb3F7EyIbIFD/OuR36ZkdVN2+R | ||
CxBnstQyRLigvq3juAE5wDw6io1062Y4/3lEqIBLybKZft/WR4BnCcamCY0Wo/w6 | ||
7y05JQ3knkCos8SZ+OLW4tK8jlALiB51fKtZdkPpK4wA5KgcuJ2aYIW7iCwK31sU | ||
DnwYyHrBUWS91d15MnmgYtpiKlHDrWaUqO+2FmbtN12nyc2fFFlESwGQSInZuzZ/ | ||
Z9eTYeq9cSIa1vOlmGDcunHOvDnRqYbNTHlGXdQ13B5RjtQQTliIQ1DZHuyrpJIi | ||
Yb/QZRvm0C6+ZI7N1I9sxwL6mZoTBEggU621XYfC7J4mjWGEsg2/WYe69pWMaOmV | ||
v0XUS0SnnmsJtllvLY3mbgNWz7kWW+JQeHi3x7HDSNhj9ZE3VuY9mjZAsa7kRrkW | ||
OoWT1TH9tNWkqjTQU2fto3rQFl/DbaEvRnXNhx5jngm7I5i0MP1dM2XCEBs3vMkm | ||
zdTtmADjuMmk6fgBz0C5dPklVzOTkhvanMzLY0vaa8jBfih3AUcxILl+V3XbsQxt | ||
2Q== | ||
-----END CERTIFICATE----- |
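Review bot: Decoding the PEM shows a self-signed X.509 v1 certificate with no extensions (so no subjectAltName, as the TLS README admits), subject `CN=hydra.local`, a 4096-bit RSA key, and a one-year validity from 2020-12-23 to 2021-12-23. Two consequences: Go's TLS client, which hydra and most of this toolchain are built on, stopped honouring CN-only certificates in Go 1.15, so any client that is not passing `-k` or `--skip-tls-verify` will reject it; and the environment will break silently on expiry, because `get-hydra-thumbprint.sh` still fingerprints an expired certificate and localstack does not validate it. Regenerate with a SAN, and consider producing the certificate at `make start` time rather than committing a dated artifact.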
@@ -0,0 +1,27 @@ | ||
-----BEGIN CERTIFICATE REQUEST----- | ||
MIIEoDCCAogCAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx | ||
ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwLaHlk | ||
cmEubG9jYWwwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDD1xNXxGDU | ||
hO03+hHm3XKcu5WldW5LWUw75z/0qzXrjPUfDSyieCi69YcU5jstWU9zApvIU0pw | ||
75MZgdoh+KRELfrprnAJIkNtnAN2AHUVqplTE9uyvkGctrMVHzZe6GZJdosSKFZv | ||
wzEhbBek1JLHFB+1FCydVhxzagK3SK1YzW9ZoMP3e58fBbg6UvKFgJe+h17jbarb | ||
LCvxj5+HdPV6QI4+pJSZYU3jPlxhTGG4c9p39BMv24SD9Kkx0GM/4gW+pM+GZgYp | ||
Dyr3nJi8wV8/Cv3kBy8hRwpKy0vqoa2kZ669PoUKO0McmLFMCvvMPkuL3/40/Qo3 | ||
BUmRx0exqC/C/bKg3uhZ8Zm5q2gO5SAjeWrO5xJfdd6wE/pAjdTQ8Syqp3DKbY7R | ||
oz9VQOKtoLJdcVaozUOQ5ET0ESOZVVgSeP6MzCb52RQkh/JAtSFnd1xopjquVGJU | ||
m9K9FGiyufI2Uv7e18Yeq74Yh/HEI1pWVmtO/niEmwuiHODElQV5aRCX0BRLcYeg | ||
FlFlnFp5ti+wxH7KgGalVvykc68fXO1NKf2qWw5G/mJ2mKWm5pOpPLLYjhowHc9n | ||
DOQaehhNVlA3ZRaYRJwmPPpAVkjwr8pCnkvI28Im5ZQXwGBAB4sbelIUyDn5/Jd7 | ||
2ZsGT5QGuaTLT07pBtVzmCSKkk3rqOla0wIDAQABoAAwDQYJKoZIhvcNAQELBQAD | ||
ggIBAI6wLFUBfAqIkGrvFIWhy7PeoDKSK4wSrBgAxa8rvnLdRluiYNKITW56ay0h | ||
WRyntGjmR/4JJ9PZXQSDpZAvajtoO8UOkTjxZgc1IvS3GTbM0BIrl2sADWba9kSm | ||
HjNd9qemzkJ4JwWBq8k0GpwK5uWckEXKtPaDpiNnerqsge9p5e7hLCjL41n+aGVQ | ||
0LjzwUm/nvzxMEx6elHrxREhVZPxnqUzU7LQO4DrizbCJZ5p2WlbX8P7Xbm4mUtz | ||
s0NPW/TYmJH8NIVIzd6+6A75KRQrMtNSuIWIgfokFy7/fEJc9L+COFMAQGTKGiGO | ||
BHcXhvcNVRm+h10q7WwR0KdeAC60/QtgAl763G2zS1/QkN3Oe2eCSfEW1L3Bi3cA | ||
czL1E4iXH2G2YiAEfRe2UbSMcq1ydppMipUs9aXg4XQ88pgSOwqw7Pphz8zKZGjl | ||
+fVcgdMPQRYUs+xpmHZ2BMP/hesUzdp43+EY3kFf5sez6r/uw7DvGL/ojk6A7tBT | ||
uhF4Ok0ocR5PmXMijaSQvi9k/wnSJbMaJRXOavicCShw7gDqrBTyDoSUIX39IqXl | ||
BigpRXuxCEFNqgiKbR8R1647tCLMoqRtiuDKfQXnyBb/3ik9n93Tv+lZtQLbY1oC | ||
B32HQAvftNpAS0DZij1FyBl2Mj9raaW8mI9RR3GIUOCzx5D+ | ||
-----END CERTIFICATE REQUEST----- |
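Review bot: The CSR is dead weight once the certificate has been issued: nothing in this commit references it, and its attributes block is empty, so it requests no SAN and cannot be reused to obtain a SAN-bearing certificate. Drop it and keep only the key and certificate that docker-compose mounts; it contains public material only, so nothing is leaked by it, but it invites the confusion already visible in the TLS README's commands.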