autocert
Support issuing/renewing SSH Host Certificates
This pull request adds support for generating, distributing, and maintaining SSH Host certificates within smallstep/autocert. For ease of review, it is split into several diffs with various goals:
- Update step dependencies to 0.15.3. I'm not sure exactly when SSH host support landed, but I figured having the latest version wasn't a bad idea.
- Refactor the autocert controller to avoid assumptions it was working with TLS certificates. This logic was moved to structs that implement IdentityRequest, but the general structure/certificate issuing flow was not significantly changed.
- Add support for SSH Host certs. This adds the SSHIdentityRequest to the controller, a new bootstrapper, and a new renewer.
These changes should be backwards compatible, and should not break existing deployments.
Future Work:
- SSH renewer improvements. Unlike TLS certificates, `step ssh` doesn't have a renewal daemon mode. Instead, the renewer is a bash script that implements a while-true-sleep-work loop based on env vars. Assuming an ssh renewal daemon is added, it shouldn't be too hard to swap it in.
- Documentation and config file updates. Especially need to fill in the SSHHost* fields in the autocert.yaml config.
- SSH Client cert support. I implemented the code with the assumption it would be added, but didn't actually do so, as I don't need it. I'll leave it as an exercise to others.
- Testing. I updated the unit tests to confirm no breakages, and with some tweaked config files, ran this on my homelab k8s install.
Notes:
- This was my holiday project, and it was a lot of fun. I had heard of smallstep, and read yet another article about how certificates > passwords, and finally got around to diving into it a couple days before Christmas. Took a bit of time to grok the certificate distribution flow, but once I did, it's a pretty awesome project you guys built.
- This is my first foray into Golang, the code was really easy to understand, modify, and build. Please point out if I broke any significant Go idioms.
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.
Codecov Report
Merging #24 (e31da80) into master (ef4f27c) will decrease coverage by 1.63%. The diff coverage is 11.73%.
```diff
@@            Coverage Diff             @@
##           master      #24      +/-   ##
=========================================
- Coverage    8.00%    6.36%   -1.64%
=========================================
  Files           2        2
  Lines         500      581      +81
=========================================
- Hits           40       37       -3
- Misses        459      544      +85
+ Partials        1        0       -1
```
| Impacted Files | Coverage Δ | |
|---|---|---|
| controller/main.go | 6.95% <11.73%> (-2.04%) | :arrow_down: |
| controller/client.go | 0.00% <0.00%> (ø) | |
Continue to review full report at Codecov.
Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Powered by Codecov. Last update 16d2f60...e31da80.
Ping?
@ckwalsh Pong, sorry it went out of my radar. I will take a look asap.