diff --git a/docs/README.ingress-tls.md b/docs/README.ingress-tls.md
new file mode 100644
index 000000000..ed1c244ba
--- /dev/null
+++ b/docs/README.ingress-tls.md
@@ -0,0 +1,9 @@
+# Using Secrets Store CSI to Enable NGINX Ingress Controller with TLS
+
+The Secrets Store CSI Driver can be used to enable applications to work with NGINX Ingress Controller with TLS stored in an External Secrets Store.
+For more information on securing an Ingress with TLS, refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+
+Checkout provider samples on how to get started -
+
+- [Using Secrets Store CSI and Azure Key Vault Provider](https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/master/sample/ingress-controller/README.md)
+- [Using Secrets Store CSI and Hashicorp Vault Provider](https://github.com/hashicorp/secrets-store-csi-driver-provider-vault/blob/master/sample/ingress-controller/README.md)
\ No newline at end of file
diff --git a/ingress-tls.crt b/ingress-tls.crt
new file mode 100644
index 000000000..ee71ce0f4
--- /dev/null
+++ b/ingress-tls.crt
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC2DCCAcACCQDvaF+AC+HGNjANBgkqhkiG9w0BAQsFADAuMRYwFAYDVQQDDA1k
+ZW1vLnRlc3QuY29tMRQwEgYDVQQKDAtpbmdyZXNzLXRsczAeFw0yMDA1MjkwMTQy
+MTlaFw0yMTA1MjkwMTQyMTlaMC4xFjAUBgNVBAMMDWRlbW8udGVzdC5jb20xFDAS
+BgNVBAoMC2luZ3Jlc3MtdGxzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAtaDYyBsuoZVCgONLO5BydkkDccYCeVNgdNOigD9rC8EumSIOZ+KN4eYIc9L1
+KFR5iNwc1HvrldOIqxzLVovDnVCpD3ngzDxPGjc6QqQtxLFuU6RUOlV4+Nb+lQfR
+PD0+0VGNFtC6wbtNfXpEHY3ek1wIF4ryOsdmvslxtNk7Uu9SoVjyAjNOYTctwbYO
+RjlQy0xUyo3GYZoHzjbz49rDVVdmxMO6NQTOKgDUTvtvKQL0gkUYr9gdGr5h6y1/
+zeCkkMBfPxvUeEvZTo1NQU10Q4zEqLzkBGw6RXSMQitaekwBtrK/2bKhXuQFkE7N
+YIKLGXflyzQM6YP2Fu+dhG+S+wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBRdoVQ
+86IdM8rQbYTFwANLi2oJhQ7qHbCDVSRYOHdOUcFQUiPcblFFyhf5grSG8vKXKMwG
+sEV3f9cS3mxEanLj37WzOzoPiCg+kIOv1pTJdOQrm1cj7cEjLXk49QG1W0oa13zR
+ibM//Yw0vx/fzbyQXb8wiBaykYwiABJbJgrE9hc7A1K2aX4vx2SLkSZRbh74LZiP
+uqhysCqXjlh+LqzwxpxGtTatGqhnIJ1RQkaBZS8ejzMLXBJvVvNFGe3hd0w54I9d
+dmDF22WRtVuFB2/B6QeJTPmTVjRL7393zegQXvDHYON5qX5A0sEk5+uhJ+Wy154w
+LRuTbtMoOHVEppuB
+-----END CERTIFICATE-----
diff --git a/ingress-tls.key b/ingress-tls.key
new file mode 100644
index 000000000..c279d47fa
--- /dev/null
+++ b/ingress-tls.key
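Review bot: `ingress-tls.crt` is committed at the repository root, is not referenced by the new `docs/README.ingress-tls.md`, and looks like the output of the `openssl req ... -subj "/CN=demo.test.com/O=ingress-tls"` command from the sample README this commit deletes (the DER subject in the base64 carries `demo.test.com` and `ingress-tls`). Its validity fields appear to decode to 2020-05-29 through 2021-05-29 (confirm with `openssl x509 -in ingress-tls.crt -noout -dates`), so anyone who picks this file up from the repo gets a certificate that is either already expired or about to be. Generated artifacts should not be checked in; drop the file and keep the one-line `openssl req` generation command in the docs instead, so each reader produces a fresh pair with a current validity window.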
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC1oNjIGy6hlUKA +40s7kHJ2SQNxxgJ5U2B006KAP2sLwS6ZIg5n4o3h5ghz0vUoVHmI3BzUe+uV04ir +HMtWi8OdUKkPeeDMPE8aNzpCpC3EsW5TpFQ6VXj41v6VB9E8PT7RUY0W0LrBu019 +ekQdjd6TXAgXivI6x2a+yXG02TtS71KhWPICM05hNy3Btg5GOVDLTFTKjcZhmgfO +NvPj2sNVV2bEw7o1BM4qANRO+28pAvSCRRiv2B0avmHrLX/N4KSQwF8/G9R4S9lO +jU1BTXRDjMSovOQEbDpFdIxCK1p6TAG2sr/ZsqFe5AWQTs1ggosZd+XLNAzpg/YW +752Eb5L7AgMBAAECggEAaVfYQ/+YBTnn749lJC/8Y2SnrcZ1yt6z9C6HcrDVqmSq +XUDmcBRzzFC6GEuDy5drQhjAU/Fny2d8PhqeSR0ZINYWqBY9bteP3ZmondxRe2KZ +pcOK4qaOWm2ADPoSvkibdZZCKbh4iULUh/FxLl8JeBiJzPXW1oaurftyirzv7oJL +SIi3NH9X69ibpSKmuR5ngLHk20GOmS9/XXfX0yz/ene9dEmtbflSmoqRubXTJ2K/ +O3nfxlk39uC63WG2sauXtOiK0pGZlSjlxKOxSi02V8sDsJAn2A+Vyra9Aw3AC+Td +FvJ4aHqtcDex+56JXaMuQGHM+OFCWgXtc3sNoyx0CQKBgQDp9G6UKkr2xoI/Y0jD +mTNMJdodsiHeBIxofBColpF+UAiXQyofr+kz31nZbiVfxL/pVsjKbjVFQ9ypQh33 +qInYMpW3RB11AbqEkExBL9oBjFVEMvGsRPZvG4ynBnjBmWMvm7jxiLpnScj3oZks +yPFSkbMbufDwYvdGcASJFK1W1QKBgQDGviuYhC60nl+rupQV7EpMjdZyaJj99RDZ +9IGY3F0Lq4RMs3Nnuk06bZXBz8ebozvadHNfn8o6BtfLu5yFATs61/jjGvYZ96is +tfJlxWWtsW+UeqTcHIpJ8+icds3+eg+/no7w5MC37LPA178p/UtMx0PSCy+LhX2E +FoaIqLjKjwKBgCjDgTzpvZQP9IPM7dG+8NQ0yDNiZUpE6p4N9+0YBxPGKCkK99z7 +jpuOMB6VdYehRXsHtwamezutXlZTgds0D4iPD80V3jgT7AbLCa5WAxs/819lrPxC +K9oiJ7i2hPXenwydinTzSN9UWOLk0kaeYIXtgxKyrEuGQuWQAQpNgwJdAoGAdiHV +sgtn4657uYzmtv1D0KtCe7DWt6VyhctDOURK/kPOGPVVtKNVglRe/tvtjwKA8kHj +zkQhpUop/QygZaKsvTZg10VQYXEHTtm7omiqHotogn4//iHsxTZ43n/zw750G/c4 +idG/B9RnqEnVdDT+DD4pfvFtKmaHi/sDrrlzVdsCgYEAvMbxiM9K9bYLlCiWQcYl +w3KSk7TWu92O+p2hkOi4mkyS87q/1BOjD62lUmI4XnSv0CtTe446P9XV1AAXw+qy +z4c5NtaSBqdM3jEpPWxcrxgWE+8RG3G7VA1X+b/Wkdsk1NRWPP3HHSD2VhW1A2ac +1q3amWXPK4kENxxEJpcI82c= +-----END PRIVATE KEY----- diff --git a/sample/ingress-controller-tls/README.md b/sample/ingress-controller-tls/README.md deleted file mode 100644 index 5f8e5c5fc..000000000 --- a/sample/ingress-controller-tls/README.md +++ /dev/null 
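Review bot: `ingress-tls.key` adds a PEM-encoded private key to the repository, and it appears to be the private key for the certificate added in the previous hunk (the leading RSA modulus bytes line up; confirm with `openssl x509 -noout -modulus` against `openssl rsa -noout -modulus`). Even though this is self-signed demo material with no deployment behind it, a private key in a public history has to be treated as disclosed the moment it is pushed, and committing one sets the example that sample keys are fine to check in. Remove the file from this commit (and from history if it has already been pushed), regenerate the pair locally wherever the sample is still exercised, and add an ignore rule such as `*.key` so the next `openssl req` run at the repo root is not picked up by `git add`. Nothing in the new docs references this file, so its removal has no documentation fallout.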
@@ -1,119 +0,0 @@ -# Using Secrets Store CSI to Enable NGINX Ingress Controller with TLS -This guide demonstrates steps required to setup Secrets Store CSI driver to enable applications to work with NGINX Ingress Controller with TLS stored in an external Secrets store. -For more information on securing an Ingress with TLS, refer to: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - -# Generate a TLS Cert - -```bash -openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ - -out ingress-tls.crt \ - -keyout ingress-tls.key \ - -subj "/CN=demo.test.com/O=ingress-tls" -``` - -# Store Cert in External Secrets Store Service -- [Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios#import-a-certificate) -- [HashiCorp Vault](https://www.vaultproject.io/docs/commands#reading-and-writing-data) - -# Deploy Secrets-store CSI and the Provider -https://github.com/kubernetes-sigs/secrets-store-csi-driver#usage - -# Deploy Ingress Controller - -Create a namespace - -```bash -kubectl create ns ingress-test -``` - -Helm install ingress-controller - -```bash -helm install stable/nginx-ingress --generate-name \ - --namespace ingress-test \ - --set controller.replicaCount=2 \ - --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \ - --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux -``` - -# Deploy a SecretsProviderClass Resource -> NOTE: For this sample, we are using the `azure` provider. 
For more information, head over to: https://github.com/Azure/secrets-store-csi-driver-provider-azure#usage - -```bash -kubectl apply -f sample/ingress-controller-tls/secretproviderclass-azure-tls.yaml -n ingress-test -``` - -# [OPTIONAL] Create a Secret Required by Provider - -```bash -kubectl create secret generic secrets-store-creds --from-literal clientid=xxxx --from-literal clientsecret=xxxx -n ingress-test -``` - -# Deploy Test Apps with Reference to Secrets Store CSI - -> NOTE: These apps reference a Secrets Store CSI volume and a `secretProviderClass` object created earlier. A Kubernetes secret `ingress-tls-csi` will be created by the CSI driver as a result of the app creation. - -```yaml - volumes: - - name: secrets-store-inline - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: "azure-tls" - nodePublishSecretRef: - name: secrets-store-creds -``` - -```bash -kubectl apply -f sample/ingress-controller-tls/deployment-app-one.yaml -n ingress-test -kubectl apply -f sample/ingress-controller-tls/deployment-app-two.yaml -n ingress-test - -``` - -# Check for the Kubernetes Secret created by the CSI driver -```bash -kubectl get secret -n ingress-test - -NAME TYPE DATA AGE -ingress-tls-csi kubernetes.io/tls 2 1m34s -``` - -# Deploy an Ingress Resource referencing the Secret created by the CSI driver - -> NOTE: The ingress resource references the Kubernetes secret `ingress-tls-csi` created by the CSI driver as a result of the app creation. 
- -```yaml -tls: - - hosts: - - demo.test.com - secretName: ingress-tls-csi -``` - -```bash -kubectl apply -f sample/ingress-controller-tls/ingress.yaml -n ingress-test -``` - -# Get the External IP of the Ingress Controller - -```bash - kubectl get service -l app=nginx-ingress --namespace ingress-test -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -nginx-ingress-1588032400-controller LoadBalancer 10.0.255.157 52.xx.xx.xx 80:31293/TCP,443:31265/TCP 19m -nginx-ingress-1588032400-default-backend ClusterIP 10.0.223.214 80/TCP 19m -``` - -# Test Ingress with TLS -Using `curl` to verify ingress configuration using TLS. -Replace the public IP with the external IP of the ingress controller service from the previous step. - -```bash -curl -v -k --resolve demo.test.com:443:52.xx.xx.xx https://demo.test.com - -# You should see the following in your output -* subject: CN=demo.test.com; O=ingress-tls -* start date: Apr 15 04:23:46 2020 GMT -* expire date: Apr 15 04:23:46 2021 GMT -* issuer: CN=demo.test.com; O=ingress-tls -* SSL certificate verify result: self signed certificate (18), continuing anyway. -``` diff --git a/sample/ingress-controller-tls/deployment-app-one.yaml b/sample/ingress-controller-tls/deployment-app-one.yaml deleted file mode 100644 index 161e1d9b7..000000000 --- a/sample/ingress-controller-tls/deployment-app-one.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-one - labels: - app: nginx-one -spec: - replicas: 1 - selector: - matchLabels: - app: nginx-one - template: - metadata: - labels: - app: nginx-one - spec: - containers: - - image: nginx - name: nginx - volumeMounts: - - name: secrets-store-inline - mountPath: "/mnt/secrets-store" - readOnly: true - volumes: - - name: secrets-store-inline - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: "azure-tls" - nodePublishSecretRef: - name: secrets-store-creds ---- -apiVersion: v1 -kind: Service -metadata: - name: nginx-one -spec: - type: ClusterIP - ports: - - port: 80 - selector: - app: nginx-one diff --git a/sample/ingress-controller-tls/deployment-app-two.yaml b/sample/ingress-controller-tls/deployment-app-two.yaml deleted file mode 100644 index fc0ef8c5d..000000000 --- a/sample/ingress-controller-tls/deployment-app-two.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-two - labels: - app: nginx-two -spec: - replicas: 1 - selector: - matchLabels: - app: nginx-two - template: - metadata: - labels: - app: nginx-two - spec: - containers: - - image: nginx - name: nginx - volumeMounts: - - name: secrets-store-inline - mountPath: "/mnt/secrets-store" - readOnly: true - volumes: - - name: secrets-store-inline - csi: - driver: secrets-store.csi.k8s.io - readOnly: true - volumeAttributes: - secretProviderClass: "azure-tls" - nodePublishSecretRef: - name: secrets-store-creds ---- -apiVersion: v1 -kind: Service -metadata: - name: nginx-two -spec: - type: ClusterIP - ports: - - port: 80 - selector: - app: nginx-two diff --git a/sample/ingress-controller-tls/ingress.yaml b/sample/ingress-controller-tls/ingress.yaml deleted file mode 100644 index f771a9829..000000000 --- a/sample/ingress-controller-tls/ingress.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: ingress-tls - annotations: - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/rewrite-target: /$1 -spec: - tls: - - hosts: - - demo.test.com - secretName: ingress-tls-csi - rules: - - host: demo.test.com - http: - paths: - - backend: - serviceName: nginx-one - servicePort: 80 - path: /(.*) - - backend: - serviceName: nginx-two - servicePort: 80 - path: /two(/|$)(.*) diff --git a/sample/ingress-controller-tls/secretproviderclass-azure-tls.yaml b/sample/ingress-controller-tls/secretproviderclass-azure-tls.yaml deleted file mode 100644 index 3db7884ac..000000000 --- a/sample/ingress-controller-tls/secretproviderclass-azure-tls.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: secrets-store.csi.x-k8s.io/v1alpha1 -kind: SecretProviderClass -metadata: - name: azure-tls -spec: - provider: azure - secretObjects: - - secretName: ingress-tls-csi - type: kubernetes.io/tls - data: - - objectName: ingresscert - key: tls.key - - objectName: ingresscert - key: tls.crt - parameters: - usePodIdentity: "false" - keyvaultName: "azkv" # the name of the KeyVault - objects: | - array: - - | - objectName: ingresscert - objectType: secret - tenantId: "xx-xxxxxxxx-xx"