From 57b1aef485436ebe0261f56a6286f89c3709744a Mon Sep 17 00:00:00 2001
From: Joakim Olsson
Date: Wed, 10 Dec 2025 07:46:52 +0100
Subject: [PATCH] feat(certificates): add self-signed CA and corresponding certificate

Adds a self-signed CA configuration and a certificate for the shiny organization. This change creates a Kubernetes Secret for the CA key pair and an Issuer that references this Secret. A Certificate resource is created to automate certificate provisioning for specified DNS names, improving the infrastructure's security and facilitating testing.
---
 certs/README.md | 38 ++++++++++++++++++++++++++++++++++++++
 certs/local-ca.key | 28 ++++++++++++++++++++++++++++
 certs/local-ca.pem | 23 +++++++++++++++++++++++
 kind/certificates.yaml | 30 +++++++++++++++++++++++++++++-
 4 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 certs/README.md
 create mode 100644 certs/local-ca.key
 create mode 100644 certs/local-ca.pem

diff --git a/certs/README.md b/certs/README.md
new file mode 100644
index 0000000..75469bb
--- /dev/null
+++ b/certs/README.md
@@ -0,0 +1,38 @@
+# Certificates
+
+This section contains the CA certificates used for testing.
+The only step necessary is to [install](#install-and-trust-the-CA) the CA.
+The rest of the documentation is for reference.
+
+## Setup
+
+First we generate a key for our CA certificate:
+
+```shell
+openssl genrsa -out local-ca.key 2048
+```
+
+Then generate the CA certificate:
+
+```shell
+openssl req -new -x509 -nodes -days 365000 \
+ -key local-ca.key \
+ -out local-ca.pem
+```
+
+Generate a k8s secret:
+
+```shell
+kubectl create secret generic ca-key-pair2 \
+ --from-literal=tls.crt="$(cat local-ca.pem)" \
+ --from-literal=tls.key="$(cat local-ca.key)"
+```
+
+The [certificates.yaml](../kind/certificates.yaml) contains the secrets already and wil be used by cert-manager
+to sign certificates.
+
+## Install and trust the CA
+
+```shell
+sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" local-ca.pem
+```
diff --git a/certs/local-ca.key b/certs/local-ca.key
new file mode 100644
index 0000000..0c41234
--- /dev/null
+++ b/certs/local-ca.key
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC1t0ZQvIylVS86 +KoHI2zraBpyUOj+rwOBoGNhk9hkqyE4tZHGbV5/iIp6t7V+pJydkqwlO2TsSFG0d +We3ubxGANE+rsxejGfd2Mo7s/IwAs1ifdu1mOKj+JOY0ypMkykIoS9KywYd6v40H +WL57IC5ITMB3TEc4pTOJm5PyOobHgVc6YofjQlh2kyrU//XPoV45neXZ/rlPsIKi +rD+8mHZ55pt3yvT0wSGw4DZRkTRgBQY99jcKX89waw1iNGR1viMqbhgONOqBd9UX +kyMPWUNqEbfYIw2mqLijdKjsvYIIKy4my+TDUEJCvom0wMd0cPF2uWEvjRQW/3kS +S73aVD6RAgMBAAECggEAA1d4rlw2GFKpHBOGcEbBarUCBO/O4yR+4l5imSi1bPkv +oHVFnMSCjWQMyvufulQ2ZnGGw35wyacg6PZ4aHdLORi9LLxazB/ahYy63omeZ+NK +1yCwXCR6mk6pAehS+gA5ZNUc7Z1r4mP9y4uXcfUB8a5uDUOUo7c8a8sCo34g1smQ +FMarqKWWDeEfQv5nMO9OG6o9WdGjCi6xkyB+n8ZgRGCtfYOEgO5SDcxBsgLUavF+ +Lwv+xCgLyJCttMgO1vHbnrdPH2uPYVrlibbXbKfJxaVKpAarluw0Ad17MXjpGvDj +W0FOutRjwwWPmYUwXuxCceaOer2vKUIVjmbn1E+USQKBgQD+1nk9WP5/YfGZXUhr +D0W+I8Fd1ob+3qVTEsiDHnbcKIk/weGw0OwvSQlXF9DUOyvpYG77IK+SvEvNo+UK +k8QR8hz58qq1vk7l6AqlELKjLIfblSMwlmWjXngmo31Zgzatgj+0wJ57/yQRA6WH +PkAP5mL5Ok2ryaMMCtmXtGbl3wKBgQC2i24rVTy7XxDM1Wt1exdDAy4jEACt/XZ2 +oYwwyvNJshv2j7e6UPF0t44/2+xhovSSbWvUemGoOYESO1gDWFrkfcp7ahKTOBkc +bWRlHzCaf4AdEK0wanRAE9CybcN6CFAIIbrr7J7fHSxPQQoyKy53aIfx67Ji1Yzw +HKyOT9sJjwKBgQCg8XcUhZYFgSgCgeVwp+6WDSLcTtZnNNoYwy4bkSvkEz3LJHmT +H/9qRag+du4Oe2haNeshcx0vgPgm4bGPoo8b/lrKiLXDnnNZw9ilMwx+/Wq4BVJ6 +JyH9sXYUgQBzfekUX8Q4NcZh7Vsr26+44Fm5MPmlCWtwaSIuQtP1eZva5QKBgQCL +UkGEWyreCwGEhELeyFKJt8ynwBf0s2WNx2B7APrMPV7wQOJGFm8i2NF91blFD51A +gLjy03DjdvgW1Sooa2/7wjIfHWcN65vmwWsFbtemozdBd6/nKuiM21LGS9YMtnl2 +q1/Bnrfmq5pc5tQEVEbDpglTz8M3gatuu0PL3hDb6wKBgE0J+j4DiqDajPiBZCCm +LChDx05Y1N11yl/aiclfuUJ6ay1CANM+/pFFtDwhC75Grog2hKn6ISu7R1Q7Of6u +zHL59It4RDWvTDBZZNOESk3zgnyRp8h1ooe6+cyBwuz0CL5zAcLSOVxXCczeJ+bA +I81gVl6G430Q8uVsQNriTTgk +-----END PRIVATE KEY----- diff --git a/certs/local-ca.pem b/certs/local-ca.pem new file mode 100644 index 0000000..895f720 --- /dev/null +++ b/certs/local-ca.pem 
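Review bot: This hunk commits the CA's unencrypted private key (`-----BEGIN PRIVATE KEY-----`, the RSA key produced by the README's `openssl genrsa` step) to the repository, while the README in the same change tells developers to install the matching certificate as a `trustRoot` in the macOS System keychain. Anyone who can read the repository can therefore sign a certificate for any hostname that every developer's machine will accept, which is far broader exposure than a test fixture needs, and the key has to be treated as compromised now that it is in history. Keep `certs/*.key` out of version control (add it to `.gitignore`, have each developer generate the CA locally with the README's `openssl` commands, and hand the key to the cluster through the `kubectl create secret` step). If a shared CA genuinely must be checked in, at least protect it with a passphrase (`openssl genrsa -aes256 ...` and drop `-nodes`), but a per-developer CA is the safer default.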
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID6zCCAtOgAwIBAgIUJ5L6dCicY2Pr7gYosf23mTIYWWAwDQYJKoZIhvcNAQEL +BQAwgYMxCzAJBgNVBAYTAlNFMR4wHAYDVQQIDBVWw4PCpHN0cmEgR8ODwrZ0YWxh +bmQxEjAQBgNVBAcMCVN2YW5lc3VuZDEwMC4GA1UECgwnVW5ib3VuZCBTb2Z0d2Fy +ZSBEZXZlbG9wbWVudCBTdmVuc2thIEFCMQ4wDAYDVQQDDAVsb2NhbDAgFw0yNTEy +MTAwNjM1NDBaGA8zMDI1MDQxMjA2MzU0MFowgYMxCzAJBgNVBAYTAlNFMR4wHAYD +VQQIDBVWw4PCpHN0cmEgR8ODwrZ0YWxhbmQxEjAQBgNVBAcMCVN2YW5lc3VuZDEw +MC4GA1UECgwnVW5ib3VuZCBTb2Z0d2FyZSBEZXZlbG9wbWVudCBTdmVuc2thIEFC +MQ4wDAYDVQQDDAVsb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ALW3RlC8jKVVLzoqgcjbOtoGnJQ6P6vA4GgY2GT2GSrITi1kcZtXn+Iinq3tX6kn +J2SrCU7ZOxIUbR1Z7e5vEYA0T6uzF6MZ93Yyjuz8jACzWJ927WY4qP4k5jTKkyTK +QihL0rLBh3q/jQdYvnsgLkhMwHdMRzilM4mbk/I6hseBVzpih+NCWHaTKtT/9c+h +Xjmd5dn+uU+wgqKsP7yYdnnmm3fK9PTBIbDgNlGRNGAFBj32Nwpfz3BrDWI0ZHW+ +IypuGA406oF31ReTIw9ZQ2oRt9gjDaaouKN0qOy9gggrLibL5MNQQkK+ibTAx3Rw +8Xa5YS+NFBb/eRJLvdpUPpECAwEAAaNTMFEwHQYDVR0OBBYEFArFf7jQ/EcwPsDq +PuBqaVgL5bqEMB8GA1UdIwQYMBaAFArFf7jQ/EcwPsDqPuBqaVgL5bqEMA8GA1Ud +EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACN8RLwk4vj8s8KGM1aDydlX +UbHjdZVa7Cgq6oCm/Le5DuEqRAcNv6/E6LT7g6nMwmJPRROh217MX26+LcrifLiD +1dpYHl79A+7RvHW2okvOucXg+qN03qShhv70jgJu0q4BfNJjRo27u0QoUMmJZ5ZG +vyeLTi72d3iuwKtPk6/Q7nUGMiGDN9cKY+GvMB65U4sWX807ZbgxtfOfB/Lrbydo +UEQSpMGe6DiDj5gZcvHcNEEP6ZG8riaF406At3y86LA19XbYj4AJI1xZVPO+eb/C +mW5CaMrDgyLhGx1XRoVY9KfWjzJzjR/A1MPevpVbA1Oom0DkV3OCeaBcncr5faA= +-----END CERTIFICATE----- diff --git a/kind/certificates.yaml b/kind/certificates.yaml index 08776d8..dc9b858 100644 --- a/kind/certificates.yaml +++ b/kind/certificates.yaml 
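Review bot: The committed certificate appears to be an unconstrained root: decoding the DER shows a critical `basicConstraints CA:TRUE`, only subjectKeyIdentifier/authorityKeyIdentifier extensions alongside it and no `nameConstraints`, and a notAfter that, consistent with the README's `-days 365000`, looks like the year 3025. Once installed as a `trustRoot` per the README, every leaf it signs is trusted for any name until someone manually removes it from the keychain. For a test CA, constrain it to the names it actually needs to issue for and give it a short life, e.g. regenerate with `openssl req ... -days 365 -addext 'nameConstraints=critical,permitted;DNS:.unbound.se,permitted;DNS:shiny,permitted;DNS:auth0'`, so a leaked key cannot be used to impersonate arbitrary sites indefinitely. Whether every client enforces name constraints varies, so the short validity is the part to insist on.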
@@ -1,7 +1,35 @@
+apiVersion: v1
+data:
+ tls.crt: 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
+ tls.key: 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
+kind: Secret
+metadata:
+ name: ca-key-pair
+ namespace: default
+type: Opaque
+---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
 name: self-signed
 namespace: default
 spec:
- selfSigned: {}
+ ca:
+ secretName: ca-key-pair
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: self-signed-cert
+ namespace: default
+spec:
+ subject:
+ organizations:
+ - shiny
+ dnsNames:
+ - shiny
+ - auth0
+ - staging-shiny.unbound.se
+ secretName: self-signed-cert-tls
+ issuerRef:
+ name: self-signed
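Review bot: The new `ca-key-pair` Secret embeds the CA private key in `data.tls.key`, so the key sits in git as plain base64 next to the manifest; a Kubernetes Secret is not an encryption boundary, and this duplicates the `certs/local-ca.key` already committed in this change. Drop the Secret from `certificates.yaml` and create it out of band, e.g. `kubectl create secret tls ca-key-pair --cert=certs/local-ca.pem --key=certs/local-ca.key`, leaving only the Issuer and Certificate in the manifest. Note also that the README's command creates `ca-key-pair2` while the Issuer's `secretName` is `ca-key-pair`, so following the README leaves the Issuer pointing at a Secret that does not exist. Finally, the Issuer keeps the name `self-signed` even though `selfSigned: {}` was replaced by `ca:`; renaming it and the Certificate's `issuerRef.name` to something like `local-ca` would stop the manifest misdescribing what it does.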