infra
/
kubernetes
1
0
Fork 0
Code Pull Requests 4 Activity

sshca: Configure user CA 

SSHCA now supports issuing user certificates.  It uses OpenID Connect to
authenticate requests, and issues certificates based on the user's ID
token.
etcd
Dustin 2024-02-01 09:02:11 -06:00
parent 834d0f804f
commit 2cd4a8b097
4 changed files with 59 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
authelia/configuration.yml
View File

@ -110,6 +110,17 @@ identity_providers:
- email - email
- groups - groups
- offline_access - offline_access
- id: sshca
description: SSHCA
public: true
pre_configured_consent_duration: 4h
redirect_uris:
- http://127.0.0.1
scopes:
- openid
- profile
- email
- groups
log: log:
level: trace level: trace

8
sshca/config.toml
View File

@ -1,9 +1,17 @@
machine_ids = "/var/lib/sshca/machine-ids.json" machine_ids = "/var/lib/sshca/machine-ids.json"
[oidc]
discovery_url = "https://auth.pyrocufflink.blue"
client_id = "sshca"
[ca.host] [ca.host]
private_key_file = "/run/sshca/secrets/host/key/host-ca-key" private_key_file = "/run/sshca/secrets/host/key/host-ca-key"
private_key_passphrase_file = "/run/sshca/secrets/host/passphrase/host-ca-key.passphrase" private_key_passphrase_file = "/run/sshca/secrets/host/passphrase/host-ca-key.passphrase"
[ca.user]
private_key_file = "/run/sshca/secrets/user/key/user-ca-key"
private_key_passphrase_file = "/run/sshca/secrets/user/passphrase/user-ca-key.passphrase"
[[libvirt]] [[libvirt]]
uri = "qemu+ssh://sshca@vmhost0.pyrocufflink.blue/system?keyfile=/run/sshca/libvirt/sshkey" uri = "qemu+ssh://sshca@vmhost0.pyrocufflink.blue/system?keyfile=/run/sshca/libvirt/sshkey"

28
sshca/secrets.yaml
View File

@ -68,3 +68,31 @@ spec:
metadata: metadata:
name: sshca-data name: sshca-data
namespace: sshca namespace: sshca
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: sshca-user-passphrase
namespace: sshca
spec:
encryptedData:
user-ca-key.passphrase: AgBqGswkCI3U7E1eqlo2yQX7qmIoPYrXO1XbDhW1Y70RXXUFY0rWT5ce+MW5ADSdQ2dbMDur0lnyKae0sERobT+8bjq8SnFPpW6tBUKEqqhEo3CzwD89CNatPnbd19RlFxodWbPgGZUP0/lgq2j+ZJX7RYga0Wjx4C2kQ90uLVz4sFL+PElDl+MIGhJ2FfC7uf1OQZ/ZVOq203OcklWhQOF5+QstUGy3JQGniWvPJ0/19k+XIuZ1UL8etxvRodPyjwKk/vAn4qaHYaitxPXbFYFeELYr8lePo4JIa0HjwVkR3azAwZ+T0RPDBzzWLe4Ej6X+ZXS7Q0X+1qqPTYPq6vyeqATlIroE4XBxUCFDqnrnnXYSi9uRFA38K4g7ClEJc9AgC3lPFrGd9tuLw+ZdR8GNyOZvP+m72elg80qQQr3FvSrHfi0k0Ky8Ebz5401mm2UrhHfsd/a5KwDNopgyflWA/hnaQYA4XctK6aKImmkGmTiZmMC6P5FD4uktl6ZrvNgbPH9rvpJccSXhJApzpckzg39PUuFq3uHxVHU7XbKzeTFsE8dnAp3HqpjReX/2PJC+EM3RGG8XD5oSV6RXqdh6fbCGJmahcP7OY38YyWWGCizAF1LpelLo3DZyiczbQBnT8nK5G+OgXZako4pMwtgg6+i3t/bF0lvgl/2H+Fe37oHoE9BPML0KI4VIdLF6d93HXIZjPDQgAZan0k/J+wY9wFZP7JK5WqDkvRo8pvKEVJguBsvoGXqJE4e8NHz4gz+wZ5ZVYd8Udr7WYS8aeGiJ
template:
metadata:
name: sshca-user-passphrase
namespace: sshca
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: sshca-user-key
namespace: sshca
spec:
encryptedData:
user-ca-key: AgB3b4J1W2NMzMT3de4i+z99YnToEyJ0uf4oJJAUeIEo1h2R5Lhz4SWyPkqFCzERHNw8dz60MhHc+tOLjMoo5XUTAznEMLARgnCPngs99OEKmpcoi7AXTiTeGATwso0fNbtth3AOjseSepjmvfx7/HBxPHZtCjFDPadeUpnGm+uZwE8LqlobxxbdEtV/lyJCYA8F75lajDyx4TzMsfGgqFeyj2jwByk07AFx+QFg4dfWSlkGpumnMkj2cUlH7y5fWphiATP7kMDfkbBWW+nffYqpubt9uZyQA+vPtKD4K8tYijI5zn9edsGb7bHT6Nih/wawP5wdB0DwlMHj5qMCtpGiHhz7H7zaICd2Cz2zkZ09fLOWkJO7nv4CVzEchb6v7rKIYrc2SDffshif96B8VzAznj6gk77bGWnM44+yh+hNDV6fpOajrQSHiaeyvQVw7wi/Q4c/R6BCWGdpk8dunlfEtAPqyE1Zbws+2MnRaBBW9t+wPbEpIEiCa2tjOMzWnECA7k1mKP24rbsY0STB9xkMdIStS3Gvsukrn4zkjaGUN8s3feyCdQZAnq71lePEWkAS0dsEos94TNF7oIhdqyySSnvZp3Mktwozk4/CD5TEkVh38tNQRIb1s2rh9fmb3YbV9Ruy5WzZhsU4I9KqpBeFOs2nHMDIDTEy0/L7aNCgnNpVDvr75e3i82BZFpr+7ywcmu/vpkq7geFH4co4EZP8/707Yu38C2O9GAHu1WMo3rzfSCy4naU+0tGK1ttwuFAbPfY1MIrBDI08QIjHyyE37mWr/VdaJwQIREdcXcggDIcfJKeIQmERveXT7dPTTv+3S6k2nfd5NZgBMtcWkYJ4cSENWTi+T/g2EaLduniUBTM3olIKpIgm66waGGRsGdYpPBMQ9kjerRTeHWObOMtM9oqsDQmPUA9EvciAjiT09F3Q78OCvGIZjC8jsjR05vouHOJ4rEQGlJLWDh+g1f4icXcV1rdpMakhnxLcCt3ExES0Q+qrmnegsgEfMuUAoPwZZFvHZdtV4mfHLei/NiPi4vUMANtWrF70RFOp7tbxWDhvyXyXnZFTdR9wpGLOmuiGpGJn+DYDPPazTQnNRZNSvFEDJYnQ+gGE9DcvVwbFYJmusHiTqHH6RX2RGscCUPeuEnqSDYRUwIb+ZWnU0iTiertq3QJtHKEAC2hf1+8Eh1OFUOzOkcS6lB2mIEKIbJ2kMhfMQWXjo9j/nVvY1t+QURHHEYqLlph59RqNMNlooDL8xW01lRiTD+Bk6iCmu7ViOhfowKiA3CObKS8tm1pOXEPoasl6FcHjj90VPNXsdA==
template:
metadata:
name: sshca-user-key
namespace: sshca

12
sshca/sshca.yaml
View File

@ -84,6 +84,12 @@ spec:
- mountPath: /run/sshca/secrets/host/passphrase - mountPath: /run/sshca/secrets/host/passphrase
name: sshca-host-passphrase name: sshca-host-passphrase
readOnly: true readOnly: true
- mountPath: /run/sshca/secrets/user/key
name: sshca-user-key
readOnly: true
- mountPath: /run/sshca/secrets/user/passphrase
name: sshca-user-passphrase
readOnly: true
- mountPath: /var/lib/sshca - mountPath: /var/lib/sshca
name: sshca-data name: sshca-data
readOnly: true readOnly: true
@ -108,6 +114,12 @@ spec:
- name: sshca-libvirt-key - name: sshca-libvirt-key
secret: secret:
secretName: sshca-libvirt-sshkey secretName: sshca-libvirt-sshkey
- name: sshca-user-key
secret:
secretName: sshca-user-key
- name: sshca-user-passphrase
secret:
secretName: sshca-user-passphrase
- name: ssh-known-hosts - name: ssh-known-hosts
configMap: configMap:
name: ssh-known-hosts name: ssh-known-hosts