djkormo / adcs-issuer Goto Github PK

View Code? Open in Web Editor NEW

This project forked from dimatha/adcs-issuer

17.0 17.0 8.0 1.94 MB

License: BSD 3-Clause "New" or "Revised" License

Dockerfile 1.55% Makefile 11.30% Go 71.78% Shell 13.65% Smarty 1.72%

adcs-issuer's Introduction

Welcome here 👋

adcs-issuer's People

Contributors

Stargazers

Watchers

Forkers

arano-kai migrationsverket-devex jamallorock tosta-mista boxedlunch-us khaos66 mgaffigan pstefka

adcs-issuer's Issues

Microsoft CEP CES instead of HTTP Website

I would prefer if you would connect to the Microsoft Certificate Services CEP/CES instead of the HTTP website. Because the authentication with client certificate or Kerberos would be more secure. And because we do not know how long Microsoft supports the quite old HTTP website and CEP/CES is widely used. I found for example an implementation here: cepces . Do you plan to support CEP/CES in future?

Add helm chart value for nodeSelector

Hi. I'm running this in a mixed cluster with linux and windows nodes. So I need to limit the deployment to linux nodes only.

I'll prepare a quick PR ;)

Update Installation Documentation

After much struggle I cannot get a grasp on how to install this. Could you provide some more info in the documentation! I want to use this cool project.

Hardening deployment of adcs-issuer

TODO
Hardening deployment of adcs-issuer

Starting point

Grade: C
Score: 75%

polaris audit --color --format pretty --only-show-failed-tests

Deployment adcs-issuer-controller-manager in namespace adcs-issuer
    missingPodDisruptionBudget           😬 Warning
        Reliability - Should have a PodDisruptionBudget
    deploymentMissingReplicas            😬 Warning
        Reliability - Only one replica is scheduled
    metadataAndInstanceMismatched        😬 Warning
        Reliability - Label app.kubernetes.io/instance must match metadata.name
    automountServiceAccountToken         😬 Warning
        Security - The ServiceAccount will be automounted
    missingNetworkPolicy                 😬 Warning
        Security - A NetworkPolicy should match pod labels and contain applied egress and ingress rules
    priorityClassNotSet                  😬 Warning
        Reliability - Priority class should be set
    topologySpreadConstraint             😬 Warning
        Reliability - Pod should be configured with a valid topology spread constraint
  Container manager
    insecureCapabilities                 😬 Warning
        Security - Container should not have insecure capabilities
    notReadOnlyRootFilesystem            😬 Warning
        Security - Filesystem should be read only
    privilegeEscalationAllowed           ❌ Danger
        Security - Privilege escalation should not be allowed
    linuxHardening                       😬 Warning
        Security - Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
    readinessProbeMissing                😬 Warning
        Reliability - Readiness probe should be configured
    livenessProbeMissing                 😬 Warning
        Reliability - Liveness probe should be configured

Adding adcs simulator to helm chart

Adding adcs simulator as optional deployment in adcs issuer helm chart

Configure helm chart deployment to disable webook and add more args configuration

  spec:
      containers:
      - args:
        - --enable-leader-election=true
        - --cluster-resource-namespace=cert-manager
        - --zap-log-level=5
        - --disable-approved-check=false
        -
        env:
        - name: ENABLE_WEBHOOKS
          value: "false"
        - name: ENABLE_DEBUG
          value: "false"

"Couldn't get issuer", due to "error loading ADCS CA bundle"

I think I have it as described in the readme, but for some reason I cant get the issuer. Please find the logs attached below.
Aren't you missing sort of decodedCABundle, err := base64.StdEncoding.DecodeString(certs) after https://github.com/djkormo/adcs-issuer/blob/master/issuers/issuer_factory.go#L118 ?

apiVersion: adcs.certmanager.csf.nokia.com/v1
kind: ClusterAdcsIssuer
metadata:
  name: pki.some_company.xyz
spec:
  caBundle: [ 'base64 -i bundle.p7b']
  # (...) remainder omitted

ts=2024-03-12T12:13:17.357193955Z level=error msg="Couldn't get issuer" controller=adcsrequest controllerGroup=adcs.certmanager.csf.nokia.com controllerKind=AdcsRequest AdcsRequest="{tls.dev2.meta.some_company.xyz-v6g6h helm-chart-update}" namespace=helm-chart-update name=tls.dev2.meta.some_company.xyz-v6g6h reconcileID=a113859f-128f-469b-8065-e1aeaab998a3 adcsrequest="{tls.dev2.meta.some_company.xyz-v6g6h helm-chart-update}" issuer="{pki.some_company.xyz ClusterAdcsIssuer adcs.certmanager.csf.nokia.com}" error="error loading ADCS CA bundle" stacktrace="github.com/nokia/adcs-issuer/controllers.(*AdcsRequestReconciler).Reconcile\n\t/workspace/controllers/adcsrequest_controller.go:75\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"
ts=2024-03-12T12:13:17.35727353Z level=error msg="Reconciler error" controller=adcsrequest controllerGroup=adcs.certmanager.csf.nokia.com controllerKind=AdcsRequest AdcsRequest="{tls.dev2.meta.some_company.xyz-v6g6h helm-chart-update}" namespace=helm-chart-update name=tls.dev2.meta.some_company.xyz-v6g6h reconcileID=a113859f-128f-469b-8065-e1aeaab998a3 error="error loading ADCS CA bundle" stacktrace="sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"
ts=2024-03-12T12:14:39.277655181Z level=info msg="Processing request" controller=adcsrequest controllerGroup=adcs.certmanager.csf.nokia.com controllerKind=AdcsRequest AdcsRequest="{tls.dev2.meta.some_company.xyz-v6g6h helm-chart-update}" namespace=helm-chart-update name=tls.dev2.meta.some_company.xyz-v6g6h reconcileID=acbb4f24-6cda-4965-ab66-c29894f01275 adcsrequest="{tls.dev2.meta.some_company.xyz-v6g6h helm-chart-update}"```

Incorrect example for Ingress: AdcsClusterIssuer->ClusterAdcsIssuer

There is an example on https://github.com/djkormo/adcs-issuer

metadata:
name: test-ingress
annotations:
cert-manager.io/issuer: "adcs-issuer" #use specific name of issuer
cert-manager.io/issuer-kind: "AdcsIssuer" #or AdcsClusterIssuer
cert-manager.io/issuer-group: "adcs.certmanager.csf.nokia.com"

Need to correct

metadata:
name: test-ingress
annotations:
cert-manager.io/issuer: "adcs-issuer" #use specific name of issuer
cert-manager.io/issuer-kind: "AdcsIssuer" #or ClusterAdcsIssuer
cert-manager.io/issuer-group: "adcs.certmanager.csf.nokia.com"

open /tmp/k8s-webhook-server/serving-certs/tls.crt: no such file or directory

{"level":"error","ts":1651243965.581744,"logger":"setup","msg":"problem running manager","error":"open /tmp/k8s-webhook-server/serving-certs/tls.crt: no such file or directory","stacktrace":"main.main\n\t/workspace/main.go:162\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:255"}

kubernetes-sigs/kubebuilder#1501

Correct RBAC permission for cert-manager

For cert-manager deployed via helm chart it is important to correct RBAC permissions for accepting and denying ADCS issuers.

https://cert-manager.io/docs/concepts/certificaterequest/

chart does not deploy CRDs

Hello,
I'm trying to test this issuer in my environment, and am having a really hard time trying to understand how to apply the CRDs to my environment.

trying to install the helm chart tells me that I need the CRDs installed.

Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: resource mapping not found for name: "adcs-sim-adcsclusterissuer" namespace: "" from "": no matches for kind "ClusterAdcsIssuer" in version "adcs.certmanager.csf.nokia.com/v1"

I tried to make the repository like the docs said, and see if that generated the CRDs , but I get the following error:

/home/mark/source/adcs-issuer/bin/controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
bash: line 1: /home/mark/source/adcs-issuer/bin/controller-gen: No such file or directory

I feel like I'm missing something here in order to user this issuer.

Make helm charts more customizable

The current chart is very strict.

Switching to a chart library template would give the chart instantly a lot more flexibility.
I used Common library recently and it's a treat

Hardening deployment of adcs simulator

TODO
Hardening deployment of adcs simulator

Starting point

Grade: D
Score: 65%

polaris audit --color --format pretty --only-show-failed-tests

Deployment adcs-sim-deployment in namespace adcs-issuer
    metadataAndInstanceMismatched        😬 Warning
        Reliability - Label app.kubernetes.io/instance must match metadata.name
    missingPodDisruptionBudget           😬 Warning
        Reliability - Should have a PodDisruptionBudget
    deploymentMissingReplicas            😬 Warning
        Reliability - Only one replica is scheduled
    automountServiceAccountToken         😬 Warning
        Security - The ServiceAccount will be automounted
    missingNetworkPolicy                 😬 Warning
        Security - A NetworkPolicy should match pod labels and contain applied egress and ingress rules
    priorityClassNotSet                  😬 Warning
        Reliability - Priority class should be set
    topologySpreadConstraint             😬 Warning
        Reliability - Pod should be configured with a valid topology spread constraint
  Container manager
    runAsRootAllowed                     ❌ Danger
        Security - Should not be allowed to run as root
    linuxHardening                       😬 Warning
        Security - Use one of AppArmor, Seccomp, SELinux, or dropping Linux Capabilities to restrict containers using unwanted privileges
    notReadOnlyRootFilesystem            😬 Warning
        Security - Filesystem should be read only
    privilegeEscalationAllowed           ❌ Danger
        Security - Privilege escalation should not be allowed
    insecureCapabilities                 😬 Warning
        Security - Container should not have insecure capabilities
    livenessProbeMissing                 😬 Warning
        Reliability - Liveness probe should be configured
    readinessProbeMissing                😬 Warning
        Reliability - Readiness probe should be configured


ConfigMap adcs-sim-configmap in namespace adcs-issuer
    sensitiveConfigmapContent            ❌ Danger
        Security - Potentially sensitive content is detected in the ConfigMap keys or values

Customizing adcs simulator

Customize how long the generated certificate is valid.

https://github.com/search?q=repo%3Adjkormo/adcs-issuer%20NotAfter&type=code

Bypassing TLS check during cert issuing by ADCS Certserv

Hello,
Is there a way to bypass the TLS check when calling the ADCS Certserv.
In my company, the ADCS server certificate is expired, and I'm not able to renew it by myself. I've encountered the following error :
ts=2024-03-13T17:28:38.789851847Z level=error logger=RequestCertificate msg="ADCS Certserv error" template=WebServer error="Post \"https://<adcs_server>/certsrv/certfnsh.asp\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2024-03-13T17:28:38Z is after 2019-06-12T14:47:53Z" stacktrace="github.com/nokia/adcs-issuer/adcs.(*NtlmCertsrv).RequestCertificate\n\t/workspace/adcs/ntlm_certsrv.go:262\ngithub.com/nokia/adcs-issuer/issuers.(*Issuer).Issue\n\t/workspace/issuers/issuer.go:57\ngithub.com/nokia/adcs-issuer/controllers.(*AdcsRequestReconciler).Reconcile\n\t/workspace/controllers/adcsrequest_controller.go:83\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"

Can we ignore this kind of errors ?
Thanks

Create helm chart

Create helm chart for adcs-issuer operator

Align default image tag on chart default values

Hello,

I'm starting to use this plugin and I've noticed that the default version is still 2.0.8.

I imagine that the release 2.0.10 (for the docker image will arrive soon), so I made a PR to put in the meantime the version 2.0.9 by default.

adcs-issuer/charts/adcs-issuer/values.yaml

Line 8 in dee0d74

tag: 2.0.8

Thank you for maintaining this plugin and for the work you've done.

namespace=adcs-issuer error="Secret \"adcs-issuer-secret\" not found"

@djkormo Cześć Krzysztof
First of all, thank you for this repo.
I rolled out the controller using the helmet chart. It runs in the namespace adcs-isuer.
The missing and claimed secret adcs-issuer-secret is actually also in the same namespace.

namespace=adcs-issuer error="Secret \"adcs-issuer-secret\" not found"

So i don't understand why he can't find the secret.
Any idea what I am doing wrong here?

Pozdrowienia z Niemiec do Polski.

Thank your for maintaining adcs-issuer

I just want to thank you for maintaining adcs-issuer.
I appreciate it because this software is useful for me and og repo by nokia seems to be inactive.

Thank you very much.

Error during Installation with Helm Chart

Using the 2.0.5 Helm Chart for installation, I'm getting this error

ts=2023-11-29T08:42:03.489508343Z level=info logger=setup msg="Starting ADCS Issuer" version=adcs-operator-by-djkormo buildtime=2022-12-18:11:00
ts=2023-11-29T08:42:03.489879343Z level=error logger=controller-runtime.client.config msg="unable to get kubeconfig" error="invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable" errorCauses="["error=\"no configuration has been provided, try setting KUBERNETES_MASTER environment variable\""]" stacktrace="sigs.k8s.io/controller-runtime/pkg/client/config.GetConfigOrDie\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/client/config/config.go:153\nmain.main\n\t/workspace/main.go:112\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:255"

As far as I can tell, the missing "KUBERNETES_MASTER" variable is never set during installation.

Current Environment:
-Kubernetes v1.24.10 RKE2 Cluster
-Rancher 2.7.0
-Certmanager 1.12.0

Incorrect Tag in values.yaml?

I noticed in values.yaml, it's still pointing to 2.1.0 even though 2.1.1 is mentioned as the latest release. Is this accurate?

adcs-issuer/charts/adcs-issuer/values.yaml

Line 11 in ae5eb47

tag: 2.1.0

Secret credentials not found

I just can't figure out why the adcs-issuer pod outputs this error on the console:

Error

ts=2024-04-09T15:09:01.543158806Z level=error msg="Reconciler error" controller=adcsrequest 
controllerGroup=adcs.certmanager.csf.nokia.com controllerKind=AdcsRequest AdcsRequest="{tls-bagetter-1 bagetter}" 
namespace=bagetter name=tls-bagetter-1 reconcileID=5f20f147-1bf9-4317-a6b9-630b1c715416 error="Secret \"adcs-issuer-
credentials\" not found" stacktrace="sigs.k8s.io/controller-runtime/pkg/internal/controller.
(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-
[email protected]/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.
(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-
[email protected]/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.
(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:227"

Steps

These are the steps I took:

I have deployed the helm chart to my cluster
I have created a Secret and a AdcsClusterIssuer see below
I have deployed an Ingress and added the annotations

Resources

---
apiVersion: v1
kind: Secret
metadata:
  name: adcs-issuer-credentials
  namespace: cert-manager
type: Opaque
data: # Base64 encoded
  password: REDACTED # Password
  username: REDACTED # Username
---
apiVersion: adcs.certmanager.csf.nokia.com/v1
kind: AdcsClusterIssuer
metadata:
  name: my-adcs
  namespace: cert-manager
spec:
  caBundle: [  .... ]
  credentialsRef:
    name: adcs-issuer-credentials
  statusCheckInterval: 5m
  retryInterval: 5m
  url: "http://myca/certsrv"
  templateName: "My-Webserver-2Y"

Ingress

This is from another helm chart

  values:
     ingress:
        bagetter-ingress:
          enabled: true
          className: nginx
          annotations:
            kubernetes.io/ingress.class: nginx
            cert-manager.io/issuer: my-adcs
            cert-manager.io/issuer-kind: ClusterAdcsIssuer
            cert-manager.io/issuer-group: adcs.certmanager.csf.nokia.com
            cert-manager.io/renew-before: 48h

Result

Ingress shows event CreateCertificate
Certificate shows events Requested and Issuing
Certificate Request shows events Pending and approved by cert-manager
adcs-issuer pod shows error message from up there

The secret can be access via kubectl get secret adcs-issuer-credentials -n cert-manager
I just can't find the issue...

Revoke of a Certificate

Hi, I am currently implementing the adcs plugin with cert-manager, and I can't see any reference to revoking certificates when deleting the certificate item from the cluster.