Support issuing/renewing SSH Host Certificates #24

Open · wants to merge 7 commits into base: master
8 changes: 5 additions & 3 deletions Makefile
Expand Up @@ -156,11 +156,13 @@ DOCKER_OUTPUT=$(OUTPUT_ROOT)docker/
DOCKER_MAKE=V=$V GOOS_OVERRIDE='GOOS=linux GOARCH=amd64' PREFIX=$(1) make $(1)bin/$(2)
DOCKER_BUILD=$Q docker build -t smallstep/$(1):latest -f $(2) --build-arg BINPATH=$(DOCKER_OUTPUT)bin/$(1) .

docker: docker-make controller/Dockerfile init/Dockerfile bootstrapper/Dockerfile renewer/Dockerfile
docker: docker-make controller/Dockerfile init/Dockerfile bootstrapper/tls/Dockerfile renewer/tls/Dockerfile bootstrapper/ssh/Dockerfile renewer/ssh/Dockerfile
$(call DOCKER_BUILD,autocert-controller,controller/Dockerfile)
$(call DOCKER_BUILD,autocert-init,init/Dockerfile)
$(call DOCKER_BUILD,autocert-bootstrapper,bootstrapper/Dockerfile)
$(call DOCKER_BUILD,autocert-renewer,renewer/Dockerfile)
$(call DOCKER_BUILD,autocert-bootstrapper,bootstrapper/tls/Dockerfile)
$(call DOCKER_BUILD,autocert-renewer,renewer/tls/Dockerfile)
$(call DOCKER_BUILD,autocert-ssh-bootstrapper,bootstrapper/ssh/Dockerfile)
$(call DOCKER_BUILD,autocert-ssh-renewer,renewer/ssh/Dockerfile)

docker-make:
mkdir -p $(DOCKER_OUTPUT)
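Review bot: the two new images get new names (`autocert-ssh-bootstrapper`, `autocert-ssh-renewer`) while the renamed tls Dockerfiles keep the old `autocert-bootstrapper` / `autocert-renewer` names; that keeps existing deployments working, but nothing in the diff says which image a pod should use for SSH, so call the new image names and their intended use out in the PR description. Also, `DOCKER_BUILD` still tags every image `:latest` only, so a deployment cannot pin to the build that introduced SSH support; consider tagging with the release version as well.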
11 changes: 11 additions & 0 deletions bootstrapper/ssh/Dockerfile
@@ -0,0 +1,11 @@
FROM smallstep/step-cli:0.15.3

USER root
ENV USER_KEY="/var/run/autocert.step.sm/ssh_user_key"
ENV USER_CA="/var/run/autocert.step.sm/ssh_user_ca.pub"
ENV HOST_KEY="/var/run/autocert.step.sm/ssh_host_key"
ENV HOST_CA="/var/run/autocert.step.sm/ssh_host_ca.pub"

COPY bootstrapper/ssh/bootstrapper.sh /home/step/
RUN chmod +x /home/step/bootstrapper.sh
CMD ["/home/step/bootstrapper.sh"]
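Review bot: the script this image runs reads `$KEY_ID`, `$STEP_HOST` and `$STEP_TOKEN`, but the Dockerfile only declares the four path variables, so the contract with whatever injects the pod environment is implicit; add a comment (or `ENV` defaults where a default makes sense) listing every variable the controller has to set. `USER root` is needed so the script can `chmod` files on the shared volume, but it also means the private host key is created and owned by root; a one-line comment would make that a deliberate choice rather than something inherited from the tls image.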
23 changes: 23 additions & 0 deletions bootstrapper/ssh/bootstrapper.sh
@@ -0,0 +1,23 @@
#!/bin/sh

set -e

# Download the root certificate and set permissions
if [ "$STEP_HOST" == "" ];
then
KEY=$USER_KEY

Collaborator:

If user keys are not supported, why not just exit 0 here?

else
KEY=$HOST_KEY
fi

step ca bootstrap -f

step ssh certificate $KEY_ID $KEY --insecure --no-password -f
chmod 644 $KEY $KEY.pub $KEY-cert.pub

unset STEP_TOKEN
unset STEP_HOST

STEP_HOST=false step ssh config --roots > $USER_CA
STEP_HOST=true step ssh config --roots > $HOST_CA

Collaborator, on lines +21 to +22:

Easier to see if we do it like this:

step ssh config --roots > $USER_CA
step ssh config --host --roots > $HOST_CA

chmod 644 $USER_CA $HOST_CA
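Review bot: `chmod 644 $KEY $KEY.pub $KEY-cert.pub` makes the private host key readable by every uid that can reach the volume, and OpenSSH's own permission check rejects a private key owned by the calling uid whose mode grants group or other access, so an sshd running as root would normally refuse to load it with the "UNPROTECTED PRIVATE KEY FILE" error; use `chmod 600 $KEY` and keep `644` only for `$KEY.pub` and `$KEY-cert.pub`. Smaller points in the same hunk: `[ "$STEP_HOST" == "" ]` is not POSIX `test` under `#!/bin/sh` (use `=` or `[ -z "$STEP_HOST" ]`); `$KEY_ID` is used unquoted and unchecked, so an empty value silently shifts `$KEY` into the key-id position, where `"${KEY_ID:?KEY_ID is required}"` would fail fast instead; and the comment "Download the root certificate and set permissions" was copied from the tls script and does not describe the key-path selection that follows it.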
4 changes: 2 additions & 2 deletions bootstrapper/Dockerfile → bootstrapper/tls/Dockerfile
@@ -1,10 +1,10 @@
FROM smallstep/step-cli:0.15.0
FROM smallstep/step-cli:0.15.3

USER root
ENV CRT="/var/run/autocert.step.sm/site.crt"
ENV KEY="/var/run/autocert.step.sm/site.key"
ENV STEP_ROOT="/var/run/autocert.step.sm/root.crt"

COPY bootstrapper/bootstrapper.sh /home/step/
COPY bootstrapper/tls/bootstrapper.sh /home/step/
RUN chmod +x /home/step/bootstrapper.sh
CMD ["/home/step/bootstrapper.sh"]
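Review bot: the base image moves from `step-cli:0.15.0` to `0.15.3` in the same hunk as the path rename; that bump is independent of the SSH work and can change `step` behaviour for the tls bootstrapper, so state the reason in the commit message or PR description (a fix needed for `step ssh`, or simply keeping both bootstrappers on one version) and make sure the renewer Dockerfiles referenced from the Makefile are pinned to the same tag.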
@@ -1,5 +1,7 @@
#!/bin/sh

set -e

# Download the root certificate and set permissions
if [ "$DURATION" == "" ];
then
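Review bot: adding `set -e` changes the script's failure semantics: any non-zero exit now aborts the container instead of falling through to the next command, which is the right default for a bootstrapper, but every command in the rest of this script has to be audited for exit statuses that were previously ignored, and the behaviour change belongs in the commit message. While here, `[ "$DURATION" == "" ]` on the unchanged line is not POSIX `test` under `#!/bin/sh`; `[ -z "$DURATION" ]` is portable.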
2 changes: 1 addition & 1 deletion controller/Dockerfile
@@ -1,7 +1,7 @@
# build stage
FROM golang:alpine AS build-env
RUN apk update && apk upgrade && \
apk add --no-cache git
apk add --no-cache git build-base

WORKDIR $GOPATH/src/github.com/autocert/controller
COPY go.mod go.sum ./
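Review bot: `build-base` pulls gcc, make and libc-dev into the build stage, which only makes sense if the controller now needs cgo; if it does, name the dependency that requires it in the commit message, and if it does not, building with `CGO_ENABLED=0` avoids the toolchain entirely and keeps the binary static. Adjacent but pre-existing: `apk update && apk upgrade` on an unpinned `golang:alpine` base means the build stage changes from day to day; pinning the base image tag makes the controller build reproducible.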