smallstep / step-sds


🔭 Secret discovery service (SDS): simplifying certificate management for relying parties (such as Envoy)

License: Apache License 2.0

Go 93.66% Makefile 6.13% Shell 0.21%

step-sds's Introduction

step-sds

The secret discovery service (SDS) simplifies certificate management and was originally created by the Envoy project to provide a flexible API to deliver secrets/certificates to the Envoy proxy.

step-sds implements the server side of the SDS API, which pushes certificates to the client. Both mTLS and Unix domain socket configurations are supported; use the one that better suits your environment and requirements.

mTLS initialization

Using step-sds

To use mTLS between Envoy and our SDS server we need to initialize a PKI by running step-sds init. We will need the URL and the root certificate of your CA (step certificates).

$ step-sds init --ca-url https://ca.smallstep.com:9000 --root ~/.step/certs/root.crt
✔ What would you like to name your new PKI? (e.g. SDS): SDS
✔ What do you want your PKI password to be? [leave empty and we'll generate one]:
✔ What address will your new SDS server listen at? (e.g. :443): :8443
✔ What DNS names or IP addresses would you like to add to your SDS server? (e.g. sds.smallstep.com[,1.1.1.1,etc.]): sds.smallstep.com
✔ What would you like to name your SDS client certificate? (e.g. envoy.smallstep.com): envoy.smallstep.com
✔ What do you want your certificates password to be? [leave empty and we'll generate one]:
✔ Key ID: jO37dtDbku-Qnabs5VR0Yw6YFFv9weA18dp3htvdEjs ([email protected])

✔ Root certificate: /home/user/.step/sds/root_ca.crt
✔ Root private key: /home/user/.step/sds/root_ca_key
✔ Intermediate certificate: /home/user/.step/sds/intermediate_ca.crt
✔ Intermediate private key: /home/user/.step/sds/intermediate_ca_key
✔ SDS certificate: /home/user/.step/sds/sds_server.crt
✔ SDS private key: /home/user/.step/sds/sds_server_key
✔ SDS client certificate: /home/user/.step/sds/sds_client.crt
✔ SDS client private key: /home/user/.step/sds/sds_client_key
✔ SDS configuration: /home/user/.step/config/sds.json

Your PKI is ready to go.
You can always generate new certificates or change passwords using step.

The init command generates a root and an intermediate certificate, with both keys encrypted using the same password, plus a server certificate for step-sds (sds_server.crt) and a client certificate (sds_client.crt) that Envoy uses to connect to the SDS server via mTLS. The SDS server and client keys are encrypted with their own password, separate from the one protecting the intermediate/root keys. init also generates an initial configuration file. All generated files are stored in your STEPPATH (run step path to find out where).

If you want to change the passwords or create your own PKI you can leverage the corresponding subcommands available in step CLI.

Using step CLI

As mentioned above, we can use the step CLI in lieu of the init flow. Assuming that the SDS server is running on sds.smallstep.com and we name the Envoy client certificate envoy.smallstep.com, we can just run:

# Root and intermediate
step certificate create --profile root-ca "Smallstep SDS Root CA" root.crt root.key
step certificate create --profile intermediate-ca --ca root.crt --ca-key root.key "Smallstep SDS Intermediate CA" int.crt int.key

# Step SDS
step certificate create --profile leaf --ca int.crt --ca-key int.key --no-password --insecure --not-after 87600h sds.smallstep.com sds.pem sds.key
step certificate bundle sds.pem int.crt sds.crt

# Envoy
step certificate create --profile leaf --ca int.crt --ca-key int.key --no-password --insecure --not-after 87600h envoy.smallstep.com envoy.pem envoy.key
step certificate bundle envoy.pem int.crt envoy.crt

Running the SDS server

With the PKI and configuration file ready, we can run the SDS server:

$ bin/step-sds run ~/.step/config/sds.json
Please enter the password to decrypt the provisioner key:
Please enter the password to decrypt /Users/mariano/.step/sds/sds_server_key:
INFO[0002] Serving at tcp://[::]:8443 ...                grpc.start_time="2019-04-11T19:19:37-07:00"

By default it will ask you for the password to decrypt the provisioner key, and for the certificate key password (if encrypted). You can avoid prompts using the --password-file and --provisioner-password-file flags.

$ bin/step-sds run ~/.step/config/sds.json --password-file /run/secrets/key.password --provisioner-password-file /run/secrets/provisioner.password
INFO[0000] Serving at tcp://[::]:8443 ...                grpc.start_time="2019-04-11T19:21:59-07:00"

Alternatively, to avoid interactive prompts, you can always specify passwords in the sds.json config file:

{
   "network": "tcp",
   "address": ":8443",
   "root": "/home/user/.step/sds/root_ca.crt",
   "crt": "/home/user/.step/sds/sds_server.crt",
   "key": "/home/user/.step/sds/sds_server_key",
   "password": "[my-certificate-key-password]",
   "authorizedIdentity": "envoy.smallstep.com",
   "authorizedFingerprint": "8597a5d0b86f4a630f64fbb903b613ceb04756319a156bb6a6faed95394040ff",
   "provisioner": {
      "issuer": "[email protected]",
      "kid": "jO37dtDbku-Qnabs5VR0Yw6YFFv9weA18dp3htvdEjs",
      "ca-url": "https://ca.smallstep.com:9000",
      "root": "/home/user/.step/certs/root_ca.crt",
      "password": "[my-provisioner-password]"
   },
   "logger": {
      "format": "text"
   }
}

And then just:

$ bin/step-sds run ~/.step/config/sds.json
INFO[0000] Serving at tcp://[::]:8443 ...                grpc.start_time="2019-04-11T19:24:09-07:00"
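The authorizedIdentity and authorizedFingerprint fields above are what the mTLS server uses to decide which client may receive secrets: the chain must validate against the configured root, and then the leaf must carry the expected name and, if set, match the expected fingerprint. The following Go program is an added illustration of that policy, not step-sds's own code; it assumes the fingerprint is the hex SHA-256 of the DER certificate (the format step certificate fingerprint prints), and the certificates it checks are constructed in-memory for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ClientAuthz mirrors the two authorization fields of sds.json.
type ClientAuthz struct {
	AuthorizedIdentity    string // expected CN or DNS SAN of the client certificate
	AuthorizedFingerprint string // hex SHA-256 of the client cert's DER bytes; empty disables pinning
}

// Fingerprint returns the lowercase hex SHA-256 of the certificate's DER encoding
// (assumed here to be the same shape as the 64-hex-char authorizedFingerprint value).
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// hasIdentity reports whether the certificate carries id as its CN or as a DNS SAN.
func hasIdentity(cert *x509.Certificate, id string) bool {
	if strings.EqualFold(cert.Subject.CommonName, id) {
		return true
	}
	for _, d := range cert.DNSNames {
		if strings.EqualFold(d, id) {
			return true
		}
	}
	return false
}

// Authorize checks a leaf certificate (already chain-validated by the TLS layer)
// against the policy. Both checks must pass when both fields are configured.
func (a ClientAuthz) Authorize(cert *x509.Certificate) error {
	if cert == nil {
		return errors.New("no client certificate presented")
	}
	if a.AuthorizedFingerprint != "" {
		want := []byte(strings.ToLower(a.AuthorizedFingerprint))
		got := []byte(Fingerprint(cert))
		if subtle.ConstantTimeCompare(want, got) != 1 {
			return fmt.Errorf("client certificate fingerprint %s is not authorized", got)
		}
	}
	if a.AuthorizedIdentity != "" && !hasIdentity(cert, a.AuthorizedIdentity) {
		return fmt.Errorf("client identity %q is not %q", cert.Subject.CommonName, a.AuthorizedIdentity)
	}
	return nil
}

// ServerTLSConfig wires the policy into a TLS server: the chain is verified against
// rootPool (RequireAndVerifyClientCert) and then the leaf is checked by Authorize.
func ServerTLSConfig(serverCert tls.Certificate, rootPool *x509.CertPool, a ClientAuthz) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    rootPool,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("no client certificate presented")
			}
			return a.Authorize(cs.PeerCertificates[0])
		},
	}
}

// newTestCert builds a self-signed client certificate with the given CN and DNS SANs.
// It exists only so the example runs offline; real clients get their cert from the CA.
func newTestCert(cn string, dns []string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	envoy := newTestCert("envoy.smallstep.com", []string{"envoy.smallstep.com"})
	other := newTestCert("other.smallstep.com", []string{"other.smallstep.com"})
	policy := ClientAuthz{AuthorizedIdentity: "envoy.smallstep.com", AuthorizedFingerprint: Fingerprint(envoy)}
	fmt.Println("envoy:", policy.Authorize(envoy)) // <nil>
	fmt.Println("other:", policy.Authorize(other)) // fingerprint error
}
```

With the fingerprint pinned, a second certificate issued to the same name by the same CA is still rejected, which is the property that makes the pin worth keeping in sds.json.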

SDS clients (such as Envoy) can also connect to the server via a UNIX domain socket. If you decide to use UNIX domain sockets, the sds.json configuration file will look different, as it won't be necessary to configure TLS certificates. Instead, you will only need to set the right network type (unix), the address (file path of the socket) and a provisioner configured in your step certificates CA:

{
   "network": "unix",
   "address": "/tmp/sds.unix",
   "provisioner": {
      "issuer": "[email protected]",
      "kid": "oA1x2nV3yClaf2kQdPOJ_LEzTGw5ow4r2A5SWl3MfMg",
      "ca-url": "https://ca:9000",
      "root": "/home/user/.step/certs/root_ca.crt"
   },
   "logger": {
      "format": "text"
   }
}

Docker-Compose example

In the examples/docker directory you'll find a docker-compose example that initializes a CA, an SDS server, and Envoy proxying requests to two different servers, a frontend and a backend. The SDS init flow generates certificates and sends them to Envoy; the CommonName and DNS names of those certificates are taken from the tls_certificate_sds_secret_configs name in the Envoy configuration. In our example we use hello.smallstep.com for the frontend server and internal.smallstep.com for the backend server. A client certificate is mandatory to access the backend server, and that certificate must be signed by the CA server.

Assuming a docker daemon is running, you can bring up the example by running the following commands inside the main step-sds directory:

make docker
cd examples/docker/
docker-compose up

Once everything is running we can configure our environment to explore it. First, add the following entries to your /etc/hosts file:

127.0.0.1       ca.smallstep.com
127.0.0.1       internal.smallstep.com
127.0.0.1       hello.smallstep.com

Now we bootstrap a step certificates environment in a temporary STEPPATH so we don't permanently pollute our local environment:

$ export STEPPATH=/tmp
$ step ca bootstrap --ca-url https://ca.smallstep.com:9000 --fingerprint 154fa6239ba9839f50b6a17f71addb77e4c478db116a2fbb08256faa786245f5
The root certificate has been saved in /tmp/certs/root_ca.crt.
Your configuration has been saved in /tmp/config/defaults.json.

Now we can use curl to connect. If we don't specify the root certificate we get the following well-known error:

$ curl https://hello.smallstep.com:10000
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

Passing the --cacert /tmp/certs/root_ca.crt flag will make it work as expected, and we'll get a response from the frontend server:

$ curl --cacert /tmp/certs/root_ca.crt https://hello.smallstep.com:10000
Hello TLS!

Trying the same against the backend server results in an error, because a mutual TLS connection is required:

$ curl --cacert /tmp/certs/root_ca.crt https://internal.smallstep.com:10001
curl: (35) error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure

We will need to get a client certificate from our internal CA:

$ step ca certificate client.smallstep.com client.crt client.key
✔ Key ID: oA1x2nV3yClaf2kQdPOJ_LEzTGw5ow4r2A5SWl3MfMg ([email protected])
✔ Please enter the password to decrypt the provisioner key: password
✔ CA: https://ca.smallstep.com:9000
✔ Certificate: client.crt
✔ Private Key: client.key

Now, trying curl again with both the root certificate and the client certificate we've just generated, we get a successful response from the backend server:

$ curl --cacert /tmp/certs/root_ca.crt --cert client.crt --key client.key https://internal.smallstep.com:10001
Hello mTLS!

This docker-compose example also includes an SDS server configuration using UNIX domain sockets. Without further modifications we can run the same test sequence against a different set of ports:

$ curl --cacert /tmp/certs/root_ca.crt https://hello.smallstep.com:10010
Hello TLS!
$ curl --cacert /tmp/certs/root_ca.crt https://internal.smallstep.com:10011
curl: (35) error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure
$ curl --cacert /tmp/certs/root_ca.crt --cert client.crt --key client.key https://internal.smallstep.com:10011
Hello mTLS!

Emojivoto example

The examples/emojivoto directory contains an example of using Envoy, step-sds and step certificates on a simple microservice application that allows users to vote for their favorite emoji, and tracks votes received on a leaderboard. This example uses Buoyant's emojivoto as its basis.

The application is composed of the following 3 services:

  • emojivoto-web: Web frontend and REST API
  • emojivoto-emoji-svc: gRPC API for finding and listing emoji
  • emojivoto-voting-svc: gRPC API for voting and leaderboard

Although it uses gRPC, the application does not come with mutual TLS support out of the box. We will use Envoy and step-sds as a highly simplified service mesh that handles the communication between services using mutual TLS.

In our example, all the services will be behind an ingress proxy and a TLS certificate will be available for each of them. Both gRPC services will require a client certificate from our internal Certificate Authority, so only mTLS connections will be allowed. The web service, which is the one connecting to the gRPC services, will use an egress proxy in Envoy with a client certificate, so it will be able to connect to them.

The emojivoto example uses Kubernetes, so you will need access to a Kubernetes cluster; if you don't have one, minikube or Docker provide options.

Run the following commands to set up this emojivoto example:

$ cd examples/emojivoto
$ make
kubectl apply -f ca.yaml
namespace/step created
secret/step-certificates-ca-password created
secret/step-certificates-provisioner-password created
configmap/step-certificates-config created
configmap/step-certificates-certs created
configmap/step-certificates-secrets created
service/ca created
deployment.apps/step-certificates created
sleep 2
kubectl -n step wait --for=condition=Ready -l app.kubernetes.io/name=step-certificates pod
pod/step-certificates-6fc86d5689-spzvv condition met
kubectl apply -f emojivoto.yaml
namespace/emojivoto created
serviceaccount/emoji created
serviceaccount/voting created
serviceaccount/web created
secret/step-sds-secrets created
configmap/step-sds-certs created
configmap/step-sds-config created
configmap/envoy-web-config created
configmap/envoy-emoji-config created
configmap/envoy-voting-config created
deployment.apps/emoji created
service/emoji-svc created
deployment.apps/voting created
service/voting-svc created
deployment.apps/web created
service/web-svc created

This will install step certificates as an online Certificate Authority in the step namespace and the emojivoto services in the namespace with the same name. To test it locally you will need to edit your /etc/hosts file and point web-svc.emojivoto to the ClusterIP of the web-svc service, and then just go to https://web-svc.emojivoto. Here's how you retrieve the ClusterIP:

$ kubectl get service -n emojivoto web-svc
NAME      TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
web-svc   ClusterIP   10.59.249.130   <none>        443/TCP   1h

In case web-svc's ClusterIP is not routable (for example when running inside AWS or GCP) you can use kubectl port forwarding instead. Make sure to point your /etc/hosts entry for web-svc.emojivoto at 127.0.0.1 and run the following command:

$ kubectl port-forward -n emojivoto service/web-svc --address 127.0.0.1 7443:443

The certificate of our web app is signed by our internal CA, so you will see the unsafe warning in your browser because that CA is not included in local trust stores. If you want to avoid the warning you can install the root certificate into your trust store:

$ cat <<EOF > /tmp/root_ca.crt
-----BEGIN CERTIFICATE-----
MIIBhTCCASugAwIBAgIQTiiy0M/WWuVz2cDakLykdzAKBggqhkjOPQQDAjAhMR8w
HQYDVQQDExZTbWFsbHN0ZXAgVGVzdCBSb290IENBMB4XDTE5MDcxMjIyMTQxNFoX
DTI5MDcwOTIyMTQxNFowITEfMB0GA1UEAxMWU21hbGxzdGVwIFRlc3QgUm9vdCBD
QTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNsTsgcRwTakVB+ouxeWzefBaLxu
hq/7d4qLbGw5pGixG0f6kN4HtIVxjZru+ABRL3PjKWUffXWiJD8XK2/QJSmjRTBD
MA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBSF
idiUKAm0h3qnuYHq4MqgpzZsODAKBggqhkjOPQQDAgNIADBFAiEAwwKqV1AxH4ss
U69xQ6ZYIjv6l7xLWkFwDaZQXFtLsyYCIBuUpyIHlZBA0Vp5TPZgdiXIpcIrr8+z
5bpQRw86QnPY
-----END CERTIFICATE-----
EOF
$ step certificate install /tmp/root_ca.crt
Certificate /tmp/root_ca.crt has been installed.
X.509v3 Root CA Certificate (ECDSA P-256) [Serial: 1038...4951]
  Subject:     Smallstep Test Root CA
  Issuer:      Smallstep Test Root CA
  Valid from:  2019-07-12T22:14:14Z
          to:  2029-07-09T22:14:14Z

Remember to remove the root certificate from your local trust store after local testing: this certificate is public (it is part of this repo), so anyone can use it.

$ step certificate uninstall /tmp/root_ca.crt
Certificate /tmp/root_ca.crt has been removed.
X.509v3 Root CA Certificate (ECDSA P-256) [Serial: 1038...4951]
  Subject:     Smallstep Test Root CA
  Issuer:      Smallstep Test Root CA
  Valid from:  2019-07-12T22:14:14Z
          to:  2029-07-09T22:14:14Z

step-sds's People

Contributors

azazeal, dependabot[bot], dopey, github-actions[bot], hslatman, maraino, petedmarsh, sourishkrout, tvh

step-sds's Issues

Docker-Compose example not working

Hi, I'm trying to run your Docker-Compose example, however it's failing with an ERROR: Service 'envoy' failed to build : Build failed error.

I've included the output from the make and docker-compose commands:

make docker output:

make docker
mkdir -p output/docker/
V= GOOS_OVERRIDE='GOOS=linux GOARCH=amd64' PREFIX=output/docker/ make output/docker/bin/step-sds
make[1]: Entering directory '/home/cb/development/step-sds'
make[1]: Leaving directory '/home/cbourne/development/step-sds'
Sending build context to Docker daemon  305.5MB
Step 1/5 : FROM smallstep/step-cli:0.14.4
0.14.4: Pulling from smallstep/step-cli
cbdbe7a5bc2a: Pull complete 
ecf68018f075: Pull complete 
ceeb07a4d9a2: Pull complete 
a0fb69659bf7: Pull complete 
Digest: sha256:db8f27f2560f6d9d29cc931e73465647f5966e5a1b9e9c0456823046b5c73fe8
Status: Downloaded newer image for smallstep/step-cli:0.14.4
 ---> bf931f148017
Step 2/5 : ARG BINPATH="bin/step-sds"
 ---> Running in eadc460c2214
Removing intermediate container eadc460c2214
 ---> f2bb0b247bd0
Step 3/5 : COPY $BINPATH "/usr/local/bin/step-sds"
 ---> bb80d6021bbc
Step 4/5 : STOPSIGNAL SIGTERM
 ---> Running in 375b86ccbcb8
Removing intermediate container 375b86ccbcb8
 ---> e3bacd7581a1
Step 5/5 : CMD /bin/bash
 ---> Running in 98defdc5f7e7
Removing intermediate container 98defdc5f7e7
 ---> 42d566cb0e0a
Successfully built 42d566cb0e0a
Successfully tagged smallstep/step-sds:latest

docker-compose up output

docker-compose up 
Creating network "docker_default" with the default driver
Building ca
Sending build context to Docker daemon   12.8kB
Step 1/5 : FROM smallstep/step-ca:latest
latest: Pulling from smallstep/step-ca
540db60ca938: Pull complete 
71eeae74b394: Pull complete 
2673436c3f82: Pull complete 
ab3e57fc4f9c: Pull complete 
b86549922319: Pull complete 
Digest: sha256:8a9dbc0b8beb2916c0426208266ff17f96045e8bc3148c482b6cef7d2d668fb7
Status: Downloaded newer image for smallstep/step-ca:latest
 ---> d5130802ec9b
Step 2/5 : USER step
 ---> Running in a8ad100e48a3
Removing intermediate container a8ad100e48a3
 ---> ffc027762ee1
Step 3/5 : COPY --chown=step:step steppath /home/step
 ---> 46ad3e86ed3e
Step 4/5 : STOPSIGNAL SIGTERM
 ---> Running in edd38830289e
Removing intermediate container edd38830289e
 ---> 571819c98020
Step 5/5 : CMD /usr/local/bin/step-ca --password-file /run/secrets/password /home/step/config/ca.json
 ---> Running in 122664b30a65
Removing intermediate container 122664b30a65
 ---> 3e7e930a449b
Successfully built 3e7e930a449b
Successfully tagged docker_ca:latest
WARNING: Image for service ca was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Building sds
Sending build context to Docker daemon  26.48MB
Step 1/9 : FROM smallstep/step-sds:latest
 ---> 42d566cb0e0a
Step 2/9 : USER step
 ---> Running in e1d483dbc8f2
Removing intermediate container e1d483dbc8f2
 ---> 18e701230d81
Step 3/9 : RUN mkdir /home/step/secrets
 ---> Running in 6b01d4583f1c
Removing intermediate container 6b01d4583f1c
 ---> 293d3063cdc0
Step 4/9 : COPY --chown=step:step steppath /home/step
 ---> bddc413ff3d0
Step 5/9 : COPY --chown=step:step entrypoint.sh /home/step
 ---> 43125727d27c
Step 6/9 : STOPSIGNAL SIGTERM
 ---> Running in 39d76b3a5b24
Removing intermediate container 39d76b3a5b24
 ---> 2af37d957e42
Step 7/9 : WORKDIR /home/step
 ---> Running in 63e1ba9af1b6
Removing intermediate container 63e1ba9af1b6
 ---> 4f8e2bce58b2
Step 8/9 : ENTRYPOINT [ "/home/step/entrypoint.sh" ]
 ---> Running in 819781d72d47
Removing intermediate container 819781d72d47
 ---> a87d735e5a52
Step 9/9 : CMD /usr/local/bin/step-sds run /home/step/config/sds.json --password-file /run/secrets/password --provisioner-password-file /run/secrets/password
 ---> Running in f796a2cc6a4b
Removing intermediate container f796a2cc6a4b
 ---> 93daa6fccdc7
Successfully built 93daa6fccdc7
Successfully tagged docker_sds:latest
WARNING: Image for service sds was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Building frontend
Sending build context to Docker daemon  4.096kB
Step 1/6 : FROM python:3-alpine
3-alpine: Pulling from library/python
540db60ca938: Already exists 
d037ddac5dde: Pull complete 
629719f9106a: Pull complete 
f9ef3a05a91e: Pull complete 
0faf4e7f2207: Pull complete 
Digest: sha256:02311d686cd35b0f838854d6035c679acde2767a4fd09904e65355fbd9780f8a
Status: Downloaded newer image for python:3-alpine
 ---> 2d64a2341b7c
Step 2/6 : RUN mkdir /src
 ---> Running in 1327ea119111
Removing intermediate container 1327ea119111
 ---> fcb0f806c667
Step 3/6 : ADD server.py /src
 ---> 07556a422294
Step 4/6 : ADD requirements.txt /src
 ---> 4964be97cfe4
Step 5/6 : RUN pip3 install -r /src/requirements.txt
 ---> Running in 18cebc84dd3a
Removing intermediate container 18cebc84dd3a
 ---> c85f1a36d6e5
Step 6/6 : CMD ["python3", "/src/server.py"]
 ---> Running in f6331c14b103
Removing intermediate container f6331c14b103
 ---> 62ab9739d324
Successfully built 62ab9739d324
Successfully tagged docker_frontend:latest
WARNING: Image for service frontend was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Building backend
Sending build context to Docker daemon  4.096kB
Step 1/6 : FROM python:3-alpine
 ---> 2d64a2341b7c
Step 2/6 : RUN mkdir /src
 ---> Using cache
 ---> fcb0f806c667
Step 3/6 : ADD server.py /src
 ---> 59cb046f7c07
Step 4/6 : ADD requirements.txt /src
 ---> 9fc9b216c9b8
Step 5/6 : RUN pip3 install -r /src/requirements.txt
 ---> Running in eb50ca94f291
Removing intermediate container eb50ca94f291
 ---> f94d8795d951
Step 6/6 : CMD ["python3", "/src/server.py"]
 ---> Running in 776a8afc9c51
Removing intermediate container 776a8afc9c51
 ---> e2fc160bf5c4
Successfully built e2fc160bf5c4
Successfully tagged docker_backend:latest
WARNING: Image for service backend was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Building envoy
Sending build context to Docker daemon  26.54MB
Step 1/11 : FROM envoyproxy/envoy-alpine
manifest for envoyproxy/envoy-alpine:latest not found: manifest unknown: manifest unknown
ERROR: Service 'envoy' failed to build : Build failed

Use GitHub action

Description

Use GH Actions instead of Travis for builds and releases.

docker-compose fails because of missing docker image

Hello.

I was trying to build your product according to your instructions but it fails as it can't find the appropriate docker file for the sds service:

Building sds
Step 1/9 : FROM smallstep/step-sds:latest
Trying to pull repository docker.io/smallstep/step-sds ...
ERROR: Service 'sds' failed to build: repository docker.io/smallstep/step-sds not found: does not exist or no pull access

Can you please advise how I should proceed?

Thank you,
Apostolos

Upgrade go-control-plane to support the new protocol

Hello,
while docker-compose is able to start and it spawns the envoy, envoy-sds, sds, ca, back/front end containers, I'm constantly getting the following error:
...

ca_1 | time="2020-05-25T22:38:05Z" level=info certificate="[...]" duration="644.95µs" duration-ns=644950 fields.time="2020-05-25T22:38:05Z" issuer="Smallstep Intermediate CA" method=POST name=ca path=/renew protocol=HTTP/2.0 provisioner="[email protected] (oA1x2nV3yClaf2kQdPOJ_LEzTGw5ow4r2A5SWl3MfMg)" public-key="ECDSA P-256" referer= remote-address=172.19.0.5 request-id=br64hjecu46ennni73fg serial=26461226650691603572053979974223632139 size=3150 status=201 subject=hello.smallstep.com user-agent=Go-http-client/2.0 user-id= valid-from="2020-05-25T22:37:05Z" valid-to="2020-05-25T22:39:05Z"
sds_1 | time="2020-05-25T22:38:05Z" level=info msg="Certificate renewed" cluster=hello-tls grpc.duration="390.443µs" grpc.duration-ns=390443 grpc.method=StreamSecrets grpc.package=envoy.service.discovery.v2 grpc.service=SecretDiscoveryService grpc.start_time="2020-05-25T22:38:05Z" node=envoy.smallstep.com nonce=1de73470625bf32e23532c9dfb9ad0b127bb1baff058fdf09f71d2f865c29708 resourceNames="[internal.smallstep.com]" responseNonce= span.kind=server system=grpc versionInfo=
sds_1 | time="2020-05-25T22:38:05Z" level=info msg="Certificate renewed" cluster=hello-tls grpc.duration="415.592µs" grpc.duration-ns=415592 grpc.method=StreamSecrets grpc.package=envoy.service.discovery.v2 grpc.service=SecretDiscoveryService grpc.start_time="2020-05-25T22:38:05Z" node=envoy.smallstep.com nonce=ff7e52f5dd8f5acd350f96f317cd4bf70de083995875d5892642a830ffdfef1e resourceNames="[hello.smallstep.com]" responseNonce= span.kind=server system=grpc versionInfo=
envoy-sds_1 | [2020-05-25 22:38:12.367][24][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:92] StreamSecrets gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
envoy-sds_1 | [2020-05-25 22:38:12.787][24][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:92] StreamSecrets gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure
envoy-sds_1 | [2020-05-25 22:38:21.643][24][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:92] StreamSecrets gRPC config stream closed: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure

Could you please advise what the issue is here? No changes from my side, except I'm using envoy-alpine:v1.14.1 as the envoy image.

Additionally, how does the ca communicate with sds?

Many thanks,
Apostolos
