Archives
/
smallstep-certificates
mirror of https://github.com/smallstep/certificates
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dependabot/go_modules/github.com/slackhq/nebula-1.9.0
wire-acme-extensions
mariano/init-provisioners
fix-1637
herman/wire-dpop-struct
herman/fix-nebula-curve-param
herman/wrapped-listener
herman/configure-server-http-timeout
josh/fips
herman/acme-macos-properties
josh/webhook-error-response-content
user-regex
max/nebula-sign-curve
carl/bootstrap-error-clarity
max/capabilities
herman/acme-cname-txt
max/test
herman/acme-da-roots
backports
but
collections
update-step-env-vars
panos/api/flow
errors-internal
docker-dns-names
docker-init
carl/sysd-update
carl/readmes
carl/ssh-host-matchbug
nosql-0.3.2
dcow/challenge-retry
ssh
printAud
getHosts
ssh-config
certificate-transparency
seb/ct-local
seb/markdown-issues
seb/anchors
v0.25.3-rc7
v0.25.3-rc6
v0.25.3-rc4
v0.25.3-rc.1
v0.22.2-rc14
v0.22.2-rc13
v0.0.1-rc.1
v0.0.1-rc.2
v0.0.1-rc.3
v0.10.0
v0.11.0
v0.11.0-rc.1
v0.11.0-rc.2
v0.11.0-rc.3
v0.11.0-rc.4
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.14.0
v0.14.0-rc.1
v0.14.0-rc.10.badger2
v0.14.0-rc.14
v0.14.0-rc.15
v0.14.0-rc.16
v0.14.0-rc.2
v0.14.0-rc.3
v0.14.0-rc.4.badger2
v0.14.0-rc.5
v0.14.0-rc.6
v0.14.0-rc.7
v0.14.0-rc.8
v0.14.0-rc.9
v0.14.0.rc.11.badger2
v0.14.0.rc.12.badger2
v0.14.0.rc.13.badger2
v0.14.1
v0.14.2
v0.14.3
v0.14.3-rc.1.badger2
v0.14.3-rc.2.32bitbadger2
v0.14.4
v0.14.5
v0.14.5-rc.1.100MB.badgerV2
v0.14.5-rc.2.100MB.badgerV2
v0.14.5-rc.3.cullACMEOrders
v0.14.5-rc.4
v0.14.6
v0.14.7-rc.1.docker-buildx
v0.14.7-rc.2.deb-name-test
v0.15.0
v0.15.0-rc.1
v0.15.1
v0.15.1-rc.1
v0.15.10
v0.15.11
v0.15.12
v0.15.12-rc1
v0.15.12-rc2
v0.15.12-rc3
v0.15.12-rc4
v0.15.12-rc5
v0.15.13
v0.15.14
v0.15.15
v0.15.16
v0.15.16-rc1.test-arm6
v0.15.16-rc2.test-arm6
v0.15.16-rc3.test-arm6
v0.15.16-rc4
v0.15.16-rc5
v0.15.16-rc6
v0.15.16-rc7
v0.15.2
v0.15.2-rc.1
v0.15.3
v0.15.4
v0.15.5
v0.15.5-rc.1
v0.15.6
v0.15.7
v0.15.7-rc.1
v0.15.8
v0.15.9
v0.15.9-rc1
v0.15.9-rc10
v0.15.9-rc11
v0.15.9-rc12
v0.15.9-rc13
v0.15.9-rc14
v0.15.9-rc15
v0.15.9-rc16
v0.15.9-rc17
v0.15.9-rc18
v0.15.9-rc19
v0.15.9-rc2
v0.15.9-rc3
v0.15.9-rc4
v0.15.9-rc5
v0.15.9-rc6
v0.15.9-rc7
v0.15.9-rc8
v0.15.9-rc9
v0.16.0
v0.16.0-rc.1
v0.16.0-rc.2
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.0-rc1
v0.17.1
v0.17.2
v0.17.2-rc1
v0.17.3
v0.17.3-rc1
v0.17.3-rc2
v0.17.3-rc3
v0.17.3-rc4
v0.17.3-rc5
v0.17.3-rc6
v0.17.3-rc7
v0.17.3-rc8
v0.17.3-rc9
v0.17.4
v0.17.4-rc1
v0.17.5
v0.17.5-rc1
v0.17.6
v0.17.6-rc1
v0.17.6-rc2
v0.17.7-rc1
v0.18.0
v0.18.1
v0.18.1-rc1
v0.18.1-rc2
v0.18.1-rc3
v0.18.2
v0.18.3-rc1
v0.18.3-rc2
v0.18.3-rc3
v0.18.3-rc4
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.22.1
v0.22.2-rc10
v0.22.2-rc11
v0.22.2-rc12
v0.22.2-rc15
v0.22.2-rc16
v0.22.2-rc17
v0.22.2-rc18
v0.22.2-rc2
v0.22.2-rc3
v0.22.2-rc4
v0.22.2-rc5
v0.22.2-rc6
v0.22.2-rc7
v0.22.2-rc8
v0.22.2-rc9
v0.23.0
v0.23.0-rc.1
v0.23.0-rc.2
v0.23.0-rc.3
v0.23.1
v0.23.1-rc.1
v0.23.2
v0.24.0
v0.24.0-rc.2
v0.24.0-rc1
v0.24.1
v0.24.2
v0.24.3-rc.1
v0.24.3-rc.2
v0.24.3-rc.3
v0.24.3-rc.4
v0.24.3-rc.5
v0.24.3-rc1
v0.25.0
v0.25.1
v0.25.2
v0.25.3-rc2
v0.25.3-rc3
v0.25.3-rc5
v0.26.0
v0.26.0-rc1
v0.26.0-rc2
v0.26.1
v0.8.1
v0.8.1-rc.1
v0.8.1-rc.2
v0.8.2
v0.8.2-rc.1
v0.8.3
v0.8.4
v0.8.4-rc.1
v0.8.4-rc.2
v0.8.5
v0.8.5-rc.1
v0.8.5-rc.2
v0.8.5-rc.3
v0.8.5-rc.4
v0.8.5-rc.5
v0.9.0
v0.9.0-rc.1
v0.9.1
v0.9.1-rc.1
v0.9.1-rc.2
v0.9.2
v0.9.2-rc.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5b84961f42'
${ noResults }
smallstep-certificates/autocert/RUNBOOK.md

122 lines
3.8 KiB
Markdown
Raw Blame History

# Runbook
## Common admin tasks
#### Recover `admin` and CA password
```
kubectl -n step get secret ca-password -o jsonpath='{$.data.password}' | base64 -D
```
#### Recover `autocert` password
```
kubectl -n step get secret autocert-password -o jsonpath='{$.data.password}' | base64 -D
```
#### Recompute root certificate fingerprint
```
export CA_POD=$(kubectl -n step get pods -l app=ca -o jsonpath={$.items[0].metadata.name})
kubectl -n step exec -it $CA_POD step certificate fingerprint /home/step/.step/certs/root_ca.crt
```
> Tip: Some slight fanciness is necessary to trim this string if you want to put it into an environment variable:
>
> ```
> export FINGERPRINT="$(kubectl -n step exec -it $CA_POD step certificate fingerprint /home/step/.step/certs/root_ca.crt | tr -d '[:space:]')"
> ```
#### Inspect a certificate
```
kubectl exec -it <pod> -c autocert-renewer -- step certificate inspect /var/run/autocert.step.sm/site.crt
```
#### Labelling a namespace (enabling `autocert` for a namespace)
To enable `autocert` for a namespace it must be labelled. To label an existing namespace run:
```
kubectl label namespace <namespace> autocert.step.sm=enabled
```
#### Checking which namespaces are labelled
```
kubectl get namespace -L autocert.step.sm
```
#### Removing a label from a namespace (disabling `autocert` for a namespace)
```
kubectl label namespace <namespace> autocert.step.sm-
```
#### Naming considerations
Use hostnames. Must be global. Everyone who connects to the service using mTLS must use the same hostname. For internal communication it's easy enough to use the FQDN of a service. For stuff you expose publicly you'll need to manage DNS yourself...
In any case, the critical invariant is: ...
Diagram here?
#### Cleaning up one-time token secrets
```
for ns in $(kubectl get namespace --selector autocert.step.sm=enabled -o jsonpath='{$.items[*].metadata.name}'); do
kubectl -n "$ns" delete secrets --selector="autocert.step.sm/token=true"
done
```
### TODO:
* Change admin password
* Change autocert password
* Federating with another CA
* DNS tips and tricks
* Multiple SANs
* Getting rid of the sidecar
* Getting logs from the CA (certificates weren't issued)
* Getting logs from the init container / renewer (didn't start properly)
* Adjusting certificate expiration (default 24h)
* Remove label
* Clean up secrets
* Naming considerations (maybe this should be in hello-mtls)
## Federation
TODO: Example of federating a CA running in kubernetes with another CA.
For now, see https://smallstep.com/blog/step-v0.8.3-federation-root-rotation.html
## Multiple intermediates
TODO: Example of creating an additional intermediate signing certificate off of our kubernetes root CA.
For now, see https://smallstep.com/docs/cli/ca/init/ (specifically, the `--root` flag)
## Exposing the CA
Beware that the CA exposes an unauthenticated endpoint that lists your configured provisioners and their encrypted private keys. For this reason, you may not want to expose it directly to the public internet.
## Uninstalling
To uninstall `autocert` completely simply delete the mutating webhook configuration, the `step` namespace and the `autocert` RBAC artifacts:
```
kubectl delete mutatingwebhookconfiguration autocert-webhook-config
kubectl delete namespace step
kubectl delete clusterrolebinding autocert-controller
kubectl delete clusterrole autocert-controller
```
Remove any namespace labels and clean up any stray secrets that `autocert` hasn't cleaned up yet:
```
for ns in $(kubectl get namespace --selector autocert.step.sm=enabled -o jsonpath='{$.items[*].metadata.name}'); do
kubectl label namespace "$ns" autocert.step.sm-
kubectl -n "$ns" delete secrets --selector="autocert.step.sm/token=true"
done
```
Any remaining sidecar containers will go away once you remove annotations and re-deploy your workloads.
Reference in New Issue View Git Blame Copy Permalink