diff --git a/.github/ISSUE_TEMPLATE/autocert_bug.md b/.github/ISSUE_TEMPLATE/autocert_bug.md new file mode 100644 index 00000000..c4a75b6e --- /dev/null +++ b/.github/ISSUE_TEMPLATE/autocert_bug.md @@ -0,0 +1,28 @@ +--- +name: Autocert Bug +about: Report a bug you found in autocert +labels: area/autocert bug +--- + +### Subject of the issue +Describe your issue here + +### Environment +* Kubernetes version: +* Cloud provider or hardware configuration: +* OS (e.g., from /etc/os-release): +* Kernel (e.g., `uname -a`): +* Install tools: +* Other: + +### Steps to reproduce +Tell us how to reproduce this issue + +### Expected behaviour +Tell us what should happen + +### Actual behaviour +Tell us what happens instead + +### Additional context +Add any other context about the problem here diff --git a/.github/ISSUE_TEMPLATE/autocert_enhancement.md b/.github/ISSUE_TEMPLATE/autocert_enhancement.md new file mode 100644 index 00000000..5260f5ec --- /dev/null +++ b/.github/ISSUE_TEMPLATE/autocert_enhancement.md @@ -0,0 +1,11 @@ +--- +name: Autocert Enhancement +about: Suggest an enhancement to autocert +labels: area/autocert enhancement +--- + +### What would you like to be added + + +### Why this is needed + diff --git a/autocert/README.md b/autocert/README.md index 488249a6..813cc3bf 100644 --- a/autocert/README.md +++ b/autocert/README.md 
@@ -17,7 +17,7 @@ To get a certificate **simply annotate your pods** with a name. An X.509 (TLS/HTTPS) certificate is automatically created and mounted at `/var/run/autocert.step.sm/` along with a corresponding private key and root certificate (everything you need for [mTLS](#motivation)). -We ❤️ feedback. [Submit an issue](#TODO). [Fork](https://github.com/smallstep/certificates/fork) and send a PR. [Give us a ⭐](https://github.com/smallstep/certificates/stargazers) if you like what we're doing. +We ❤️ feedback. Please [report bugs](https://github.com/smallstep/certificates/issues/new?template=autocert_bug.md) & [suggest enhancements](https://github.com/smallstep/certificates/issues/new?template=autocert_enhancement.md). [Fork](https://github.com/smallstep/certificates/fork) and send a PR. [Give us a ⭐](https://github.com/smallstep/certificates/stargazers) if you like what we're doing. ![Autocert demo gif](https://raw.githubusercontent.com/smallstep/certificates/autocert/autocert/demo.gif) @@ -51,7 +51,7 @@ Features include: ## Getting Started -> ⚠️ Warning: *this project is in **ALPHA**. DON'T use it for anything mission critical. EXPECT breaking changes in minor revisions with little or not warning. PLEASE provide feedback:* +> ⚠️ Warning: *this project is in **ALPHA**. DON'T use it for anything mission critical. EXPECT breaking changes in minor revisions with little or no warning. PLEASE [provide feedback](https://github.com/smallstep/certificates/issues/new?template=autocert_enhancement.md).* ### Prerequisites 
@@ -301,13 +301,13 @@ Tokens are [generated by the admission webhook](controller/provisioner.go#L46-L7 2. Use a deploy pipeline based on `git` artifacts 3. Enforce code review on those `git` artifacts - If that doesn't work for you, or if you have a better idea, we'd love to hear! Please [open an issue](https://github.com/smallstep/certificates/issues/new?template=autocert_feature.md)! + If that doesn't work for you, or if you have a better idea, we'd love to hear! Please [open an issue](https://github.com/smallstep/certificates/issues/new?template=autocert_enhancement.md)! #### Why do I have to tell you the name to put in a certificate? Why can't you automatically bind service names? Mostly because monitoring the API server to figure out which services are associated with which workloads is complicated and somewhat magical. And it might not be what you want. -That said, we're not totally opposed to this idea. If anyone has strong feels and a good design please [open an issue](https://github.com/smallstep/certificates/issues/new?template=autocert_feature.md). +That said, we're not totally opposed to this idea. If anyone has strong feels and a good design please [open an issue](https://github.com/smallstep/certificates/issues/new?template=autocert_enhancement.md). #### Doesn't kubernetes already ship with a certificate authority? 
@@ -317,7 +317,7 @@ In any case, these CAs are meant for control plane communication. You could use #### What permissions does `autocert` require in my cluster and why? -`Autocert` needs permission to create and delete secrets cluster-wide. You can [check out our RBAC config here](install/03-rbac.yaml). These permissions are needed in order to transmit one-time tokens to workloads using secrets, and to clean up afterwards. We'd love to scope these permissions down further. If anyone has any ideas please [open an issue](https://github.com/smallstep/certificates/issues/new?template=autocert_feature.md). +`Autocert` needs permission to create and delete secrets cluster-wide. You can [check out our RBAC config here](install/03-rbac.yaml). These permissions are needed in order to transmit one-time tokens to workloads using secrets, and to clean up afterwards. We'd love to scope these permissions down further. If anyone has any ideas please [open an issue](https://github.com/smallstep/certificates/issues/new?template=autocert_enhancement.md). #### Why does `autocert` create secrets? 
@@ -369,11 +369,47 @@ https://golang.org/pkg/crypto/ ## Building -TODO +This project is based on four docker containers. They use [multi-stage builds](https://docs.docker.com/develop/develop-images/multistage-build/) so all you need in order to build them is `docker`. + +> Caveat: the `controller` container uses [`dep`](https://github.com/golang/dep) and `dep init` isn't run during the build. You'll need to run `dep init` in the `controller/` subdirectory prior to building, and you'll need to run `dep ensure -update` if you change any dependencies. + +Building `autocert-controller` (the admission webhook): + +``` +cd controller +docker build -t smallstep/autocert-controller:latest . +``` + +Building `autocert-bootstrapper` (the init container that generates a key pair and exchanges a bootstrap token for a certificate): + +``` +cd bootstrapper +docker build -t smallstep/autocert-bootstrapper:latest . +``` + +Building `autocert-renewer` (the sidecar that renews certificates): + +``` +cd renewer +docker build -t smallstep/autocert-renewer:latest . +``` + +Building `autocert-init` (the install script): + +``` +cd init +docker build -t smallstep/autocert-init:latest . +``` + +If you build your own containers you'll probably need to [install manually](INSTALL.md). You'll also need to adjust which images are deployed in the [deployment yaml](install/02-autocert.yaml). ## Contributing -TODO +If you have improvements to `autocert`, send us your pull requests! For those just getting started, Github has a [howto](https://help.github.com/articles/about-pull-requests/). A team member will review your pull requests, provide feedback, and merge your changes. In order to accept contributions we do need you to [sign our contributor license agreement](https://cla-assistant.io/smallstep/certificates). 
+ +If you want to contribute but you're not sure where to start, take a look at the [issues with the "good first issue" label](https://github.com/smallstep/certificates/issues?q=is%3Aopen+label%3A%22good+first+issue%22+label%3Aarea%2Fautocert). These are issues that we believe are particularly well suited for outside contributions, often because we probably won't get to them right now. If you decide to start on an issue, leave a comment so that other people know that you're working on it. If you want to help out, but not alone, use the issue comment thread to coordinate. + +If you've identified a bug or have ideas for improving `autocert` that you don't have time to implement, we'd love to hear about them. Please open an issue to [report a bug](https://github.com/smallstep/certificates/issues/new?template=autocert_bug.md) or [suggest an enhancement](https://github.com/smallstep/certificates/issues/new?template=autocert_enhancement.md)! ## License diff --git a/autocert/connect-with-mtls.png b/autocert/connect-with-mtls.png index 725ae87f..03a04692 100644 Binary files a/autocert/connect-with-mtls.png and b/autocert/connect-with-mtls.png differ
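Review bot: in the new `.github/ISSUE_TEMPLATE/autocert_bug.md`, the front-matter line `labels: area/autocert bug` will be applied by GitHub as a single label named "area/autocert bug", because this field takes a comma-separated string or a YAML list; if both `area/autocert` and `bug` are intended, write `labels: area/autocert, bug` (and the label must already exist in the repository, or GitHub silently skips it). The `### Environment` checklist is a good fit; since reporters will be running the images named later in this patch (`smallstep/autocert-controller`, `-bootstrapper`, `-renewer`, `-init`), consider adding an "autocert image tags" line so a report can be matched to a build.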
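Review bot: the same label problem applies to `.github/ISSUE_TEMPLATE/autocert_enhancement.md`, where `labels: area/autocert enhancement` yields one label; use `labels: area/autocert, enhancement`. Also, the two sections `### What would you like to be added` and `### Why this is needed` are left empty, whereas the bug template prompts under each heading ("Describe your issue here", "Tell us how to reproduce this issue"); a one-line prompt under each would keep the two templates consistent and make it clearer to a requester what to fill in.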
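Review bot: in the `@@ -17,7 +17,7 @@` hunk of `autocert/README.md`, the `?template=autocert_bug.md` and `?template=autocert_enhancement.md` query parameters match the new template filenames exactly, which is what GitHub requires, so the replacement of the `#TODO` link is correct. One thing worth fixing while here is the unchanged context line below it: `![Autocert demo gif](https://raw.githubusercontent.com/smallstep/certificates/autocert/autocert/demo.gif)` uses the `autocert` branch name as the path segment, so the image will break once that branch is merged and deleted; point it at the default branch or at a commit permalink instead.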
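Review bot: in the `@@ -51,7 +51,7 @@` hunk, the "little or not warning" typo fix is good, but the new "PLEASE [provide feedback]" link in the ALPHA warning sends every reader to the enhancement template, while the feedback an alpha most needs is bug reports; link both templates here as the Contributing section of this same patch does, or link the repository's issue chooser (`issues/new/choose`) so the reporter picks the right one.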
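Review bot: in the `@@ -301,13 +301,13 @@` hunk, switching the three links from `autocert_feature.md` (a template that does not exist in this patch) to `autocert_enhancement.md` is the right fix. Two small things carried over unchanged in the `+` lines: "If anyone has strong feels and a good design" should read "strong feelings", and the following heading "Doesn't kubernetes already ship with a certificate authority?" lowercases Kubernetes while the bug template in this same patch writes "Kubernetes version". The hunk's context line also links to `controller/provisioner.go#L46-…` by line number, which goes stale on the next edit to that file; a commit-pinned permalink would keep the reference accurate.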
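Review bot: in the `@@ -317,7 +317,7 @@` hunk, the `+` line opens with `` `Autocert` needs permission to create and delete secrets cluster-wide `` while the heading and the next FAQ entry write `` `autocert` `` in lowercase; since this paragraph is the one readers will quote when auditing `install/03-rbac.yaml`, keep the name consistent with the rest of the document and the image names. The link change itself is correct.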
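Review bot: in the `@@ -369,11 +369,47 @@` hunk, the four build snippets each start with a relative `cd controller`, `cd bootstrapper`, `cd renewer`, `cd init` and never return, so a reader who pastes them in order from `autocert/` fails on the second one; either give each an explicit path or drop the `cd` and pass the directory as the build context, e.g. `docker build -t smallstep/autocert-controller:latest controller`. Tag the bare ``` ``` ``` fences with `sh` so they render as shell, and "four docker containers" are images rather than containers. On the caveat paragraph: because `dep init` resolves dependencies fresh on every machine, two people following these steps can build the `controller` image against different dependency versions; committing `Gopkg.toml` and `Gopkg.lock` and running `dep ensure` inside the Dockerfile would make the image reproducible, and `dep ensure -update` bumps every dependency to the newest version the constraints allow, which is broader than "if you change any dependencies" suggests (`dep ensure` after editing `Gopkg.toml`, or `dep ensure -add`, is the narrower step). All examples tag the images `:latest`, a mutable tag, while the closing paragraph tells readers to adjust `install/02-autocert.yaml` to those images; for a project that warns of breaking changes in minor revisions, suggest a versioned tag in both places. In the Contributing text, "Github has a [howto]" should be "GitHub".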
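Review bot: the `autocert/connect-with-mtls.png` change is binary-only (`Binary files ... differ`), so nothing in the diff shows what was altered in the image; a sentence in the PR description saying what changed, and whether the README text around it still matches, would let reviewers check it.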