Also, what's a good way to do the <webhook-create-...
# kubernetesw
worried-city-86458
09/30/2020, 5:11 AMAlso, what's a good way to do the webhook-create-signed-cert.sh dance to automate creating a secret for the
vpc-admission-webhookworried-city-86458
09/30/2020, 6:49 PM@gorgeous-egg-16927 sorry to ping you but hoping you can quickly give me a direction and confirm there's no "easy" way to do this that I might have missed
worried-city-86458
09/30/2020, 6:55 PMFor example, trying to cobble this together with pulumi stuff in dotnet/c#:
Copy code
// windows vpc admission webhook; <https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html>
var windowsKey = new PrivateKey($"{prefix}-vpc-aw-key",
new PrivateKeyArgs { Algorithm = "ECDSA" });
var windowsCr = new CertRequest($"{prefix}-vpc-aw-cr",
new CertRequestArgs
{
KeyAlgorithm = "ECDSA",
PrivateKeyPem = windowsKey.PrivateKeyPem,
Subjects = { new CertRequestSubjectArgs { CommonName = "vpc-admission-webhook.kube-system.svc" } },
DnsNames =
{
"vpc-admission-webhook",
"vpc-admission-webhook.kube-system",
"vpc-admission-webhook.kube-system.svc"
}
});
var windowsCsr = new CertificateSigningRequest($"{prefix}-vpc-aw-csr",
new CertificateSigningRequestArgs
{
Metadata = new ObjectMetaArgs { Name = "vpc-admission-webhook" },
Spec = new CertificateSigningRequestSpecArgs
{
SignerName = "",
Request = windowsCr.CertRequestPem,
Groups = { "system:authenticated" },
Usages = { "digital signature", "key encipherment", "server auth" }
}
},
new CustomResourceOptions { Provider = kubeProvider });
//TODO approve cert and wait for it
var windowsSecret = new Secret($"{prefix}-vpc-aw-sec",
new SecretArgs
{
Metadata = new ObjectMetaArgs
{
Namespace = "kube-system",
Name = "vpc-admission-webhook-certs"
},
Data =
{
{ "key.pem", windowsKey.PrivateKeyPem },
{ "cert.pem", windowsCsr.Status.Apply(status => status.Certificate) }
}
},
new CustomResourceOptions { Provider = kubeProvider });worried-city-86458
09/30/2020, 6:56 PMI'm not sure what to specify for the
SignerNameworried-city-86458
09/30/2020, 7:04 PMAlso, terraform have a similar kubernetes_certificate_signing_request with an
auto_approveg
gorgeous-egg-16927
09/30/2020, 8:04 PMSorry, I’m not familiar with that particular API. In general, I’d suggest dynamic providers for this type of thing, but just found out yesterday that they aren’t currently supported for Go or .NET.
gorgeous-egg-16927
09/30/2020, 8:04 PMSo, I’m not quite sure what to suggest. @billowy-army-68599 any ideas?
b
billowy-army-68599
09/30/2020, 8:13 PM
@worried-city-86458 it's been a while since I worked with this, but I believe the
SignerNamestatusApprovedbillowy-army-68599
09/30/2020, 8:14 PM
if you set the
signerName<http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>billowy-army-68599
09/30/2020, 8:14 PM
fwiw, this is the weirdest of the k8s apis, and that's saying something...
w
worried-city-86458
09/30/2020, 8:30 PM@billowy-army-68599 yeah I noticed
<http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>client authserver authworried-city-86458
10/01/2020, 1:34 AMI found the kubernetes terraform provider source with auto approve: https://github.com/hashicorp/terraform-provider-kubernetes/blob/master/kubernetes/resource_kubernetes_certificate_signing_request.go#L114-L134
This is definitely not available via pulumi, right?
g
gorgeous-egg-16927
10/01/2020, 4:18 PMNo, we don’t currently have any special logic for that resource. It’s just the CRUD operations.
w
worried-city-86458
10/02/2020, 12:23 AMWith the following changes I've hacked together an auto approve in dotnet/c#:
Copy code
// windows vpc admission webhook; <https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html>
var windowsKey = new PrivateKey($"{prefix}-vpc-aw-key",
new PrivateKeyArgs { Algorithm = "RSA" });
var windowsCr = new CertRequest($"{prefix}-vpc-aw-cr",
new CertRequestArgs
{
KeyAlgorithm = "RSA",
PrivateKeyPem = windowsKey.PrivateKeyPem,
Subjects = { new CertRequestSubjectArgs { CommonName = "vpc-admission-webhook.kube-system.svc" } },
DnsNames =
{
"vpc-admission-webhook",
"vpc-admission-webhook.kube-system",
"vpc-admission-webhook.kube-system.svc"
}
});
var windowsCsr = new CertificateSigningRequest($"{prefix}-vpc-aw-csr",
new CertificateSigningRequestArgs
{
Metadata = new ObjectMetaArgs { Name = "vpc-admission-webhook" },
Spec = new CertificateSigningRequestSpecArgs
{
Request = windowsCr.CertRequestPem.Apply(pem => Convert.ToBase64String(Encoding.ASCII.GetBytes(pem))),
Groups = { "system:authenticated" },
Usages = { "digital signature", "key encipherment", "server auth" }
}
},
new CustomResourceOptions { Provider = kubeProvider });
var windowsSecret = new Secret($"{prefix}-vpc-aw-sec",
new SecretArgs
{
Metadata = new ObjectMetaArgs
{
Namespace = "kube-system",
Name = "vpc-admission-webhook-certs-2"
},
Data =
{
{ "key.pem", windowsKey.PrivateKeyPem.Apply(pem => Convert.ToBase64String(Encoding.ASCII.GetBytes(pem))) },
{ "cert.pem", windowsCsr.AutoApprove(KubeConfig) }
}
},
new CustomResourceOptions { Provider = kubeProvider });worried-city-86458
10/02/2020, 12:23 AM Copy code
public static class CertificateSigningRequestExtensions
{
public static Output<string> AutoApprove(this CertificateSigningRequest csr, Output<string> kubeConfig) =>
Output.Tuple(csr.Metadata, kubeConfig)
.Apply(async ((ObjectMeta Metadata, string KubeConfig) tuple) =>
{
if (Deployment.Instance.IsDryRun)
{
return tuple.Metadata.Name;
}
var k8SConfig = Yaml.LoadFromString<K8SConfiguration>(tuple.KubeConfig);
var clientConfig = KubernetesClientConfiguration.BuildConfigFromConfigObject(k8SConfig);
var client = new Kubernetes(clientConfig);
var issuedCert = Array.Empty<byte>();
var issuedEvent = new AsyncManualResetEvent();
await client.WatchCertificateSigningRequestAsync(tuple.Metadata.Name,
onEvent: (type, watchedCsr) =>
{
if (watchedCsr.Status.Conditions?.Any(condition => condition.Type == "Approved") == true &&
watchedCsr.Status.Certificate?.Length > 0)
{
issuedCert = watchedCsr.Status.Certificate;
issuedEvent.Set();
}
});
var pendingCsr = await client.ReadCertificateSigningRequestAsync(tuple.Metadata.Name);
pendingCsr.Status.Conditions ??= new List<V1beta1CertificateSigningRequestCondition>();
if (pendingCsr.Status.Conditions.All(condition => condition.Type != "Approved"))
{
Log.Debug("Approving certificate signing request...");
var approval = new V1beta1CertificateSigningRequestCondition
{
Type = "Approved",
Reason = "PulumiAutoApprove",
Message = "This CSR was approved by Pulumi auto approve."
};
pendingCsr.Status.Conditions.Add(approval);
await client.ReplaceCertificateSigningRequestApprovalAsync(pendingCsr, tuple.Metadata.Name);
Log.Debug("Approved certificate signing request");
}
Log.Debug("Waiting for certificate to be issued...");
await Task.WhenAny(issuedEvent.WaitAsync(), Task.Delay(TimeSpan.FromMinutes(1)));
if (!issuedEvent.IsSet)
{
throw new TimeoutException("Timed out waiting for certificate to be issued");
}
Log.Debug("Waited for certificate to be issued");
return Convert.ToBase64String(issuedCert);
});
}worried-city-86458
10/02/2020, 12:26 AMI resorted to using https://github.com/kubernetes-client/csharp to interact with the api
worried-city-86458
10/02/2020, 12:28 AM@gorgeous-egg-16927 @billowy-army-68599 now I've got the problem of how to actually do it properly; i.e. make it behave idempotently
... which I suspect is what dynamic resources would help me with?
worried-city-86458
10/02/2020, 12:34 AMCSRs are auto deleted by k8s after ~1h. The tls key and tls CR are only used to feed the k8s CSR.
It's like this should just be a k8s secret resource with everything else being an implementation detail of that resource.
Not sure how to proceed from here...
b
billowy-army-68599
10/02/2020, 1:21 AM
So you need something to accept the CSR right? You might have to write an operator that does it
w
worried-city-86458
10/02/2020, 1:39 AMThe code above auto approves the CSR
worried-city-86458
10/02/2020, 1:41 AMThe problem now is I'm not sure how to bundle this so that I avoid subsequent runs blowing up with:
Copy code
Type Name Status Info
pulumi:pulumi:Stack aws-alpha **failed** 1 error
~ └─ kubernetes:<http://admissionregistration.k8s.io:MutatingWebhookConfiguration|admissionregistration.k8s.io:MutatingWebhookConfiguration> alpha-eks-vpc-aw-cfg updated [diff: ~apiVersion]
Diagnostics:
pulumi:pulumi:Stack (aws-alpha):
error: Running program 'D:\Devel\Mps\devops-gemini-pulumi\Aws\bin\Debug\Aws.dll' failed with an unhandled exception:
Microsoft.Rest.HttpOperationException: Operation returned an invalid status code 'NotFound'
at k8s.Kubernetes.ReadCertificateSigningRequestWithHttpMessagesAsync(String name, Nullable`1 exact, Nullable`1 export, String pretty, Dictionary`2 customHeaders, CancellationToken cancellationToken)
at k8s.KubernetesExtensions.ReadCertificateSigningRequestAsync(IKubernetes operations, String name, Nullable`1 exact, Nullable`1 export, String pretty, CancellationToken cancellationToken)
at Pharos.Gemini.CertificateSigningRequestExtensions.<>c.<<AutoApprove>b__0_0>d.MoveNext() in D:\Devel\Mps\devops-gemini-pulumi\Aws\Extensions\CertificateSigningRequestExtensions.cs:line 44
...worried-city-86458
10/02/2020, 1:55 AMComparing to the terraform code that helped me get there, the lifetime of the k8s CSR is scoped to resourceKubernetesCertificateSigningRequestCreate
i.e. it creates it and deletes it (when the function exits). There are also resourceKubernetesCertificateSigningRequestRead and resourceKubernetesCertificateSigningRequestDelete no-ops.
Excuse my ignorance but is this what a pulumi dynamic provider would model? (in which case I'm screwed until there's dotnet/c# support)
worried-city-86458
10/02/2020, 2:34 AMMore info in the terraform PR: https://github.com/hashicorp/terraform-provider-kubernetes/pull/922
6 Views