Adding SAN to fleet autoscaler certs and updating documentation #1910

Merged
merged 3 commits into from
Nov 30, 2020
Expand Up @@ -307,14 +307,32 @@ Every webhook that you wish to install a trusted certificate will need to go thr
openssl genrsa -out webhook.key 2048
```

Once the key is created, you’ll generate the certificate signing request, use valid hostname which is `autoscaler-tls-service.default.svc` as `Common Name (eg, fully qualified host name)` when prompted:
Next create configuration file `cert.conf` for the certificate signing request:
```
openssl req -new -key webhook.key -out webhook.csr
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = autoscaler-tls-service.default.svc
[v3_req]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
Contributor

You can also use the existing configurations in openssl.cnf and only set SAN. Here is an example of doing it in the old version of Agones documentations: https://1-4-0.agones.dev/site/docs/advanced/allocator-service/#server-tls-certificate

Member

oooh!

I have no strong opinions either way. Whichever is easier to explain?

Do we feel like having a file better, because it's easier for automation tools to utilise?

Contributor Author

I am happy to change it to use the /etc/ssl/openssl.cnf, but my thinking is that if you use that we are appending extra config to a fairly chunky example file. Whereas if we use a custom cert.conf it is easier for people to follow what is actually happening.

Member

> I am happy to change it to use the /etc/ssl/openssl.cnf, but my thinking is that if you use that we are appending extra config to a fairly chunky example file. Whereas if we use a custom cert.conf it is easier for people to follow what is actually happening.

Yeah, I would agree. Also wouldn't want people editing/thinking they have to edit the /etc/ssl/openssl.cnf file either.

Contributor Author

Shall I keep it as is then?

[alt_names]
DNS.1 = autoscaler-tls-service.default.svc
```

Generate the certificate signing request, use valid hostname which in this case will be `autoscaler-tls-service.default.svc` as `Common Name (eg, fully qualified host name)` as well as `DNS.1` in the `alt_names` section of the config file.

Check the [Kubernetes documentation](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#a-aaaa-records) to see how Services get assigned DNS entries.
```
openssl req -new -out webhook.csr -key webhook.key -config cert.conf
```

Once that’s done, you’ll sign the CSR, which requires the CA root key:
```
openssl x509 -req -in webhook.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out webhook.crt -days 500 -sha256
openssl x509 -req -in webhook.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out webhook.crt -days 500 -sha256 -extfile cert.conf -extensions v3_req
```
This would generate webhook.crt certificate

120 changes: 60 additions & 60 deletions test/e2e/fleetautoscaler_test.go
Expand Up @@ -461,76 +461,76 @@ func TestAutoscalerWebhook(t *testing.T) {

var webhookKey = `
-----BEGIN RSA PRIVATE KEY-----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MIIEpQIBAAKCAQEAzTtFY02SAY4jHiryJbBRT4+2wn1OlqL4WTWUFtKaWEjm+gAn
Member

Oh that's awesome - so we now also know that using a SAN works with the current Agones install and Go toolchain.

Fantastic!
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-----END RSA PRIVATE KEY-----`

var caPem = `
-----BEGIN CERTIFICATE-----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AQUAA4IBDwAwggEKAoIBAQDEm12qM8qZ4BsFRCXAMTutdvRRLWAeICjOkoK037eX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-----END CERTIFICATE-----`

var webhookCrt = `
-----BEGIN CERTIFICATE-----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MIIDUzCCAjugAwIBAgIUB3HgoTF9rHLt++aLHjEAzU80KHYwDQYJKoZIhvcNAQEL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-----END CERTIFICATE-----`

func TestFleetAutoscalerTLSWebhook(t *testing.T) {
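Review bot: the regenerated `webhookKey`, `caPem` and `webhookCrt` fixtures carry no comment recording what they contain or how they were produced. Since the point of the change is that the leaf certificate now carries a SAN, add a comment above `var webhookCrt` stating the CN/SAN it was issued for (`autoscaler-tls-service.default.svc`), the generation commands from the docs hunk, and its validity window: the docs sign with `-days 500`, so this fixture expires roughly 500 days after generation and `TestFleetAutoscalerTLSWebhook` will then start failing with a certificate-expired handshake error that nothing in the test explains. A small check at the start of the test that parses `webhookCrt` with `x509.ParseCertificate` and asserts `len(cert.DNSNames) > 0` and `cert.NotAfter` is in the future would make both the SAN requirement and the expiry explicit instead of implicit in the TLS handshake.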