diff --git a/autocert/README.md b/autocert/README.md index a5c019f5..488249a6 100644 --- a/autocert/README.md +++ b/autocert/README.md 
@@ -1,25 +1,23 @@ ![Autocert architecture diagram](https://raw.githubusercontent.com/smallstep/certificates/autocert/autocert/autocert-logo.png) # Autocert -[![GitHub stars](https://img.shields.io/github/stars/smallstep/certificates.svg)](https://github.com/smallstep/certificates/stargazers) [![GitHub release](https://img.shields.io/github/release/smallstep/certificates.svg)](https://github.com/smallstep/certificates/releases) [![CA Image](https://images.microbadger.com/badges/image/smallstep/step-ca.svg)](https://microbadger.com/images/smallstep/step-ca) [![Go Report Card](https://goreportcard.com/badge/github.com/smallstep/certificates)](https://goreportcard.com/report/github.com/smallstep/certificates) +[![GitHub stars](https://img.shields.io/github/stars/smallstep/certificates.svg?style=social)](https://github.com/smallstep/certificates/stargazers) +[![Twitter followers](https://img.shields.io/twitter/follow/smallsteplabs.svg?label=Follow&style=social)](https://twitter.com/intent/follow?screen_name=smallsteplabs) + - - **Autocert** is a kubernetes add-on that automatically injects TLS/HTTPS certificates into your containers. To get a certificate **simply annotate your pods** with a name. An X.509 (TLS/HTTPS) certificate is automatically created and mounted at `/var/run/autocert.step.sm/` along with a corresponding private key and root certificate (everything you need for [mTLS](#motivation)). -> *Note: this project is in **ALPHA**. DON'T use it for anything mission critical. EXPECT breaking changes in minor revisions with little or not warning. PLEASE provide feedback:* - -TODO: Twitter, Slack, Issues (tagged with #autocert / special template)... +We ❤️ feedback. [Submit an issue](#TODO). [Fork](https://github.com/smallstep/certificates/fork) and send a PR. [Give us a ⭐](https://github.com/smallstep/certificates/stargazers) if you like what we're doing. ![Autocert demo gif](https://raw.githubusercontent.com/smallstep/certificates/autocert/autocert/demo.gif) 
@@ -53,6 +51,8 @@ Features include: ## Getting Started +> ⚠️ Warning: *this project is in **ALPHA**. DON'T use it for anything mission critical. EXPECT breaking changes in minor revisions with little or not warning. PLEASE provide feedback:* + ### Prerequisites All you need to get started is [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) and a cluster running kubernetes `1.9` or later with [admission webhooks](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhooks) enabled: @@ -219,8 +219,7 @@ kubectl expose deployment hello-mtls --name=hello-mtls-lb --port=443 --type=Load To connect we need a certificate. There are a [couple](RUNBOOK.md#federation) [different](RUNBOOK.md#multiple-intermediates) [ways](RUNBOOK.md#exposing-the-ca) to get one, but for simplicity we'll just forward a port. ``` -$ export CA_POD=$(kubectl -n step get pods -l app=ca -o jsonpath={$.items[0].metadata.name}) -$ kubectl -n step port-forward $CA_POD 4443:4443 +kubectl -n step port-forward $(kubectl -n step get pods -l app=ca -o jsonpath={$.items[0].metadata.name}) 4443:4443 ``` In another window we'll use `step` to grab the root certificate, generate a key pair, and get a certificate. 
@@ -287,6 +286,13 @@ It integrates with [`step certificates`](https://github.com/smallstep/certificat Tokens are [generated by the admission webhook](controller/provisioner.go#L46-L72) and [transmitted to the injected init container via a kubernetes secret](controller/main.go#L91-L125). The init container [uses the one-time token](bootstrapper/bootstrapper.sh) to obtain a certificate. A sidecar is also installed to [renew certificates](renewer/Dockerfile#L8) before they expire. Renewal simply uses mTLS with the CA. +## Further Reading + + * We tweet [@smallsteplabs](https://twitter.com/smallsteplabs) + * Read [our blog](https://smallstep.com/blog) + * Check out the [runbook](RUNBOOK.md) + * Check out [`step` CLI](https://github.com/smallstep/cli) + ## Questions #### Wait, so any pod can get a certificate with any identity? How is that secure? diff --git a/autocert/connect-with-mtls.png b/autocert/connect-with-mtls.png index e761c20b..725ae87f 100644 Binary files a/autocert/connect-with-mtls.png and b/autocert/connect-with-mtls.png differ
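Review bot: The new feedback line in the first hunk (README lines 1-25) ships a dead link: `[Submit an issue](#TODO)` points at an in-page anchor named `#TODO`, so readers who click it go nowhere. The removed `TODO: Twitter, Slack, Issues ...` line was at least visibly unfinished; the replacement hides the gap inside a link target. Either point it at the repository's issue tracker (the same base URL the `[Fork](...)` and stargazers links already use) or keep a visible TODO until the issue template exists.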
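Review bot: The alpha warning added in the `## Getting Started` hunk (README line 53) carries a typo and a dangling colon: "with little or not warning" should read "with little or no warning", and "PLEASE provide feedback:" ends with a colon followed by nothing, which reads as if the feedback channels were cut off. Since the feedback links now live in the intro paragraph, suggest ending with a period or a short pointer such as "PLEASE provide feedback (see the links above)."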
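Review bot: The collapsed port-forward command in the hunk at README line 219 loses the failure check the two-step form gave you. With `$(kubectl -n step get pods -l app=ca -o jsonpath={$.items[0].metadata.name})` inlined and unquoted, an empty result (no pod matching `app=ca`, or a typo in the label) expands to nothing and `kubectl port-forward` fails with a confusing usage error instead of a clear "no CA pod found". Dropping the `$ ` prompts is a good change for copy-paste; consider keeping `CA_POD` as an intermediate so the reader can inspect it, or at least quote the substitution: `kubectl -n step port-forward "$(kubectl -n step get pods -l app=ca -o jsonpath='{.items[0].metadata.name}')" 4443:4443` (the leading `$` inside the jsonpath expression is optional). The fence is also untagged; `bash` would give it highlighting.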
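Review bot: Style point on the `## Further Reading` list in the hunk at README line 287: two of the four bullets open with "Check out", and the bullets are indented one space while the rest of the README's lists are not shown using that indentation. Suggest parallel phrasing, for example "Read the [runbook](RUNBOOK.md)" and "Try the [`step` CLI](https://github.com/smallstep/cli)", and aligning the bullet indentation with the existing lists.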