grafeas / kritis

Deploy-time Policy Enforcer for Kubernetes applications
https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Apache License 2.0

Certificate Generated using helm certgen is incorrect. #62

Closed tejal29 closed 6 years ago

tejal29 commented 6 years ago

I looked at the certificate generated using the helm certgen plugin.

The output:

```
kubectl get csr tls-webhook-secret-cert -o jsonpath='{.status.certificate}' | base64 --decode > server.crt
openssl x509 -in server.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            38:33:1c:be:10:15:81:cc:85:aa:cd:a8:57:ad:63:04
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = 99461cd8-7b97-4511-9568-fa54f53bfb5f
        Validity
            Not Before: Jul 13 22:40:01 2018 GMT
            Not After : Jul 12 22:40:01 2023 GMT
        Subject: C = US, ST = Washington, L = Seattle, O = Suse, OU = CaaSP, CN = tls-webhook-secret-cert
        Subject Public Key Info:
         ....
```

The certificate org, state and OU are the defaults defined in the plugin and not what we have here: https://github.com/grafeas/kritis/blob/master/kritis-charts/certs.yaml#L8

Debug this by running the certgen command locally and submit a CL upstream if required.
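A check for the mismatch described above, added here as an example and not part of kritis or the issue: it parses the Subject out of `openssl x509 -text -noout` output and reports every field that differs from what the chart is supposed to request. The `EXPECTED_SUBJECT` values are placeholders (the real ones are in kritis-charts/certs.yaml), and the sample text is the issue's output trimmed.

```python
import re

# Constructed sample: the `openssl x509 -text -noout` output quoted in the issue, trimmed.
SAMPLE_X509_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = 99461cd8-7b97-4511-9568-fa54f53bfb5f
        Validity
            Not Before: Jul 13 22:40:01 2018 GMT
            Not After : Jul 12 22:40:01 2023 GMT
        Subject: C = US, ST = Washington, L = Seattle, O = Suse, OU = CaaSP, CN = tls-webhook-secret-cert
        Subject Public Key Info:
"""

# Hypothetical expected fields; take the real ones from kritis-charts/certs.yaml.
EXPECTED_SUBJECT = {"O": "kritis", "OU": "kritis", "CN": "tls-webhook-secret-cert"}


def parse_name(name):
    """Turn 'C = US, ST = Washington, ...' into {'C': 'US', 'ST': 'Washington', ...}.
    Accepts both the spaced (OpenSSL 1.1+) and unspaced ('C=US') forms. Values with
    an escaped comma do not occur in a webhook cert and are not handled."""
    fields = {}
    for rdn in name.split(","):
        key, _, value = rdn.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def extract_name(text, label):
    """Return the parsed Subject or Issuer name from the certificate text."""
    match = re.search(rf"^\s*{label}:\s*(.*)$", text, re.MULTILINE)
    if not match:
        raise ValueError(f"no {label} line in certificate text")
    return parse_name(match.group(1))


def subject_mismatches(text, expected):
    """Map each expected field to (expected, actual) where the certificate disagrees."""
    actual = extract_name(text, "Subject")
    return {k: (v, actual.get(k)) for k, v in expected.items() if actual.get(k) != v}


if __name__ == "__main__":
    for field, (want, got) in subject_mismatches(SAMPLE_X509_TEXT, EXPECTED_SUBJECT).items():
        print(f"{field}: expected {want!r}, certificate has {got!r}")
```

On the issue's certificate this flags O and OU and accepts CN, which is exactly the "defaults from the plugin" symptom; feed it the real `openssl` output and the chart's values to confirm a fix.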

dlorenc commented 6 years ago

We should probably move to generating certs on the cluster instead of in a helm plugin. We can use a helm lifecycle hook to do this before anything else is deployed. Something like a Job/Pod that runs something like:

https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/

Or maybe: https://github.com/SvenDowideit/generate_cert/blob/master/generate_cert.go

and creates secrets.

aaron-prindle commented 6 years ago

fixed, using install-kritis.sh now