worried-city-86458
09/30/2020, 5:11 AMvpc-admission-webhook
?// windows vpc admission webhook; <https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html>
// Serving key pair for the vpc-admission-webhook endpoint.
var windowsKey = new PrivateKey($"{prefix}-vpc-aw-key",
new PrivateKeyArgs { Algorithm = "ECDSA" });
// PKCS#10 request (PEM) listing the service's in-cluster DNS forms as SANs.
var windowsCr = new CertRequest($"{prefix}-vpc-aw-cr",
new CertRequestArgs
{
KeyAlgorithm = "ECDSA",
PrivateKeyPem = windowsKey.PrivateKeyPem,
Subjects = { new CertRequestSubjectArgs { CommonName = "vpc-admission-webhook.kube-system.svc" } },
DnsNames =
{
"vpc-admission-webhook",
"vpc-admission-webhook.kube-system",
"vpc-admission-webhook.kube-system.svc"
}
});
// Submits the request to the cluster CA for signing.
var windowsCsr = new CertificateSigningRequest($"{prefix}-vpc-aw-csr",
new CertificateSigningRequestArgs
{
Metadata = new ObjectMetaArgs { Name = "vpc-admission-webhook" },
Spec = new CertificateSigningRequestSpecArgs
{
// NOTE(review): empty SignerName — whichever signer ends up handling the CSR decides which
// usages it will honour ("server auth" is requested below); confirm against the cluster's signers.
SignerName = "",
// NOTE(review): the API's `request` field is a byte array and travels as base64 in JSON;
// confirm the provider accepts raw PEM here, otherwise encode it first.
Request = windowsCr.CertRequestPem,
Groups = { "system:authenticated" },
Usages = { "digital signature", "key encipherment", "server auth" }
}
},
new CustomResourceOptions { Provider = kubeProvider });
//TODO approve cert and wait for it
// Publishes key + certificate for the webhook deployment to mount.
var windowsSecret = new Secret($"{prefix}-vpc-aw-sec",
new SecretArgs
{
Metadata = new ObjectMetaArgs
{
Namespace = "kube-system",
Name = "vpc-admission-webhook-certs"
},
Data =
{
// NOTE(review): Secret `Data` values must already be base64 (plain text belongs in `StringData`).
// The private key also passes through Pulumi state on its way here; make sure it is marked secret.
{ "key.pem", windowsKey.PrivateKeyPem },
// NOTE(review): Status.Certificate stays empty until the CSR is approved and signed, so on the
// first apply this entry is unset (see the TODO above).
{ "cert.pem", windowsCsr.Status.Apply(status => status.Certificate) }
}
},
new CustomResourceOptions { Provider = kubeProvider });
SignerName
in this case and not sure if I can somehow make the csr auto approveauto_approve
argument but this is not available to me via pulumi AFAIK and I'm not sure what it's doing exactly.gorgeous-egg-16927
09/30/2020, 8:04 PMbillowy-army-68599
09/30/2020, 8:13 PMSignerName
can be anything you want, you just need to update the status
to be Approved
https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#approval-rejection-api-clientsignerName
of <http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>
i believe it'll autoapproveworried-city-86458
09/30/2020, 8:30 PM<http://kubernetes.io/kube-apiserver-client-kubelet|kubernetes.io/kube-apiserver-client-kubelet>
would auto approve, but wasn't sure what could use it, plus it says permitted key usages client auth
and this is for server auth
... unless I'm misunderstanding something?
I'm not sure it's available but I'll try to find terraform source for their api above for some clues.gorgeous-egg-16927
10/01/2020, 4:18 PMworried-city-86458
10/02/2020, 12:23 AM// windows vpc admission webhook; <https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html>
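// Serving key for the webhook, a CSR to the cluster CA that is auto-approved from this program,
// and a kube-system Secret holding key + issued certificate for the webhook pods.
// Kubernetes byte fields (CSR request, Secret data) travel as base64 text; PEM is ASCII.
string ToBase64(string pem) => Convert.ToBase64String(Encoding.ASCII.GetBytes(pem));

var windowsKey = new PrivateKey($"{prefix}-vpc-aw-key",
    new PrivateKeyArgs { Algorithm = "RSA" });

// PKCS#10 request (PEM) listing the service's in-cluster DNS forms as SANs.
var windowsCr = new CertRequest($"{prefix}-vpc-aw-cr",
    new CertRequestArgs
    {
        KeyAlgorithm = "RSA",
        PrivateKeyPem = windowsKey.PrivateKeyPem,
        Subjects = { new CertRequestSubjectArgs { CommonName = "vpc-admission-webhook.kube-system.svc" } },
        DnsNames =
        {
            "vpc-admission-webhook",
            "vpc-admission-webhook.kube-system",
            "vpc-admission-webhook.kube-system.svc"
        }
    });

// CSRs are cluster-scoped, hence no namespace in the metadata.
var windowsCsr = new CertificateSigningRequest($"{prefix}-vpc-aw-csr",
    new CertificateSigningRequestArgs
    {
        Metadata = new ObjectMetaArgs { Name = "vpc-admission-webhook" },
        Spec = new CertificateSigningRequestSpecArgs
        {
            Request = windowsCr.CertRequestPem.Apply(pem => ToBase64(pem)),
            Groups = { "system:authenticated" },
            Usages = { "digital signature", "key encipherment", "server auth" }
        }
    },
    new CustomResourceOptions { Provider = kubeProvider });

var windowsSecret = new Secret($"{prefix}-vpc-aw-sec",
    new SecretArgs
    {
        Metadata = new ObjectMetaArgs
        {
            Namespace = "kube-system",
            Name = "vpc-admission-webhook-certs-2"
        },
        Data =
        {
            // The key is sensitive: mark it secret so it is encrypted in Pulumi state and
            // redacted from previews/logs rather than merely base64-wrapped.
            { "key.pem", Output.CreateSecret(windowsKey.PrivateKeyPem.Apply(pem => ToBase64(pem))) },
            // Resolves to the issued certificate (base64) once the CSR is approved; during
            // preview AutoApprove yields only a placeholder, so this value is not meaningful there.
            { "cert.pem", windowsCsr.AutoApprove(KubeConfig) }
        }
    },
    new CustomResourceOptions { Provider = kubeProvider });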
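/// <summary>
/// Pulumi helper that approves a <see cref="CertificateSigningRequest"/> created by this program
/// and resolves to the certificate the cluster CA issued for it (base64, as served by the API).
/// </summary>
/// <remarks>
/// Approval is keyed on the CSR name only; the spec is not re-validated here, so the kubeconfig
/// identity used should be scoped tightly (it needs update on certificatesigningrequests/approval).
/// The API server garbage-collects CSR objects roughly an hour after issuance, so re-running this
/// Apply on a later update can fail with NotFound once the object is gone.
/// </remarks>
public static class CertificateSigningRequestExtensions
{
    private const string ApprovedCondition = "Approved";
    private static readonly TimeSpan IssueTimeout = TimeSpan.FromMinutes(1);

    /// <summary>Approves <paramref name="csr"/> if needed and waits for its certificate.</summary>
    /// <param name="csr">The Pulumi CSR resource to approve.</param>
    /// <param name="kubeConfig">Kubeconfig text for a client allowed to approve CSRs.</param>
    /// <returns>The issued certificate, base64-encoded; during a preview the CSR name as a placeholder.</returns>
    /// <exception cref="TimeoutException">No certificate was issued within <see cref="IssueTimeout"/>.</exception>
    public static Output<string> AutoApprove(this CertificateSigningRequest csr, Output<string> kubeConfig) =>
        Output.Tuple(csr.Metadata, kubeConfig)
            .Apply(async ((ObjectMeta Metadata, string KubeConfig) tuple) =>
            {
                // Preview must not touch the cluster; hand back a placeholder so dependents still resolve.
                if (Deployment.Instance.IsDryRun)
                {
                    return tuple.Metadata.Name;
                }

                var name = tuple.Metadata.Name;
                var k8SConfig = Yaml.LoadFromString<K8SConfiguration>(tuple.KubeConfig);
                var clientConfig = KubernetesClientConfiguration.BuildConfigFromConfigObject(k8SConfig);
                using var client = new Kubernetes(clientConfig);

                var issuedCert = Array.Empty<byte>();
                var issuedEvent = new AsyncManualResetEvent();
                // Start watching before approving so the issuance event cannot be missed; the watcher
                // is disposed with the lambda so no stream lingers after the certificate arrives.
                using var watcher = await client.WatchCertificateSigningRequestAsync(name,
                    onEvent: (type, watchedCsr) =>
                    {
                        if (IsApproved(watchedCsr) && watchedCsr.Status.Certificate?.Length > 0)
                        {
                            issuedCert = watchedCsr.Status.Certificate;
                            issuedEvent.Set();
                        }
                    });

                var pendingCsr = await client.ReadCertificateSigningRequestAsync(name);
                pendingCsr.Status.Conditions ??= new List<V1beta1CertificateSigningRequestCondition>();
                if (!IsApproved(pendingCsr))
                {
                    Log.Debug("Approving certificate signing request...");
                    pendingCsr.Status.Conditions.Add(new V1beta1CertificateSigningRequestCondition
                    {
                        Type = ApprovedCondition,
                        Reason = "PulumiAutoApprove",
                        Message = "This CSR was approved by Pulumi auto approve."
                    });
                    // Approval goes through the dedicated approval subresource.
                    await client.ReplaceCertificateSigningRequestApprovalAsync(pendingCsr, name);
                    Log.Debug("Approved certificate signing request");
                }

                Log.Debug("Waiting for certificate to be issued...");
                // Bound the wait with a cancellable token instead of a detached Task.Delay timer.
                using var timeout = new CancellationTokenSource(IssueTimeout);
                try
                {
                    await issuedEvent.WaitAsync(timeout.Token);
                }
                catch (OperationCanceledException)
                {
                    throw new TimeoutException("Timed out waiting for certificate to be issued");
                }
                Log.Debug("Waited for certificate to be issued");

                return Convert.ToBase64String(issuedCert);
            });

    /// <summary>True when the CSR carries an "Approved" condition.</summary>
    private static bool IsApproved(V1beta1CertificateSigningRequest csr) =>
        csr.Status?.Conditions?.Any(condition => condition.Type == ApprovedCondition) == true;
}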
billowy-army-68599
10/02/2020, 1:21 AMworried-city-86458
10/02/2020, 1:39 AMType Name Status Info
pulumi:pulumi:Stack aws-alpha **failed** 1 error
~ └─ kubernetes:<http://admissionregistration.k8s.io:MutatingWebhookConfiguration|admissionregistration.k8s.io:MutatingWebhookConfiguration> alpha-eks-vpc-aw-cfg updated [diff: ~apiVersion]
Diagnostics:
pulumi:pulumi:Stack (aws-alpha):
error: Running program 'D:\Devel\Mps\devops-gemini-pulumi\Aws\bin\Debug\Aws.dll' failed with an unhandled exception:
Microsoft.Rest.HttpOperationException: Operation returned an invalid status code 'NotFound'
at k8s.Kubernetes.ReadCertificateSigningRequestWithHttpMessagesAsync(String name, Nullable`1 exact, Nullable`1 export, String pretty, Dictionary`2 customHeaders, CancellationToken cancellationToken)
at k8s.KubernetesExtensions.ReadCertificateSigningRequestAsync(IKubernetes operations, String name, Nullable`1 exact, Nullable`1 export, String pretty, CancellationToken cancellationToken)
at Pharos.Gemini.CertificateSigningRequestExtensions.<>c.<<AutoApprove>b__0_0>d.MoveNext() in D:\Devel\Mps\devops-gemini-pulumi\Aws\Extensions\CertificateSigningRequestExtensions.cs:line 44
...
Since the CSR is transient (deleted after ~1h), regardless of approval.