locksmith

command module

v0.0.0-...-7beff56 Latest Latest Go to latest Published: Mar 14, 2023 License: MIT Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/pepabo/locksmith

Links

Open Source Insights

README ¶

locksmith

Open source software that provides AWS temporary credentials with k8s clusters running outside AWS

Setup

(Optional) Create your own root CA certificate and private key

Your new root CA certificate is stored in locksmith/build/secrets/ca_crt.pem
Your new root CA private key is stored in locksmith/build/secrets/ca_key.pem

cd locksmith/build
chmod +x ./create_secret_ca.sh
./create_secret_ca.sh

(Optional) Create your own server certificate and private key

Your new server certificate is stored in locksmith/build/secrets/server_crt.pem
Your new server private key is stored in locksmith/build/secrets/server_key.pem

cd locksmith/build
chmod +x ./create_secret_server.sh
./create_secret_server.sh

Create a trustanchor on AWS

1. Click "Create a trust anchor"

trust-anchor

2. Paste your Root CA key to External certificate bundle

create-trust-anchor

3. Create a special IAM role for IAM Roles Anywhere

rolesanywhere-trust-policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetSourceIdentity",
                "sts:TagSession"
            ]
        }
    ]
}

4. Create an AWS role that you are planning to assume

5. Create an AWS profile on AWS

6. Create a docker image for locksmith

6.1 Execute commands reuired for building the docker image

cd locksmith
export AWS_TRUST_ANCHOR_ARN=(ARN for your trust anchor)
export AWS_PROFILE_ARN=(ARN for your AWS profile)
export AWS_ROLE_ARN=(ARN for the AWS role that you are going to assume)
export AWS_REGION=(your AWS region)

6.2 Build your docker image

docker compose up -d

7. Create k8s secret for server certificate and private key

kubectl create secret tls tls-secret \
  --cert=(path to your server certificate) \
  --key=(path to your private key)

6. Create k8s secret for AWS ARNS

kubectl create secret generic aws-config \
        --from-literal="aws-trust-anchor-arn=$AWS_TRUST_ANCHOR_ARN" \
        --from-literal="aws-profile-arn=$AWS_PROFILE_ARN" \
        --from-literal="aws-role-arn=$AWS_ROLE_ARN" \
        --from-literal="aws-region=$AWS_REGION"

8. Add locksmith to your manifest file

See an example

9. Run your deployment on your k8s cluster

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

update_secret.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL