-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support issuing/renewing SSH Host Certificates #24
base: master
Are you sure you want to change the base?
Conversation
|
Codecov Report
@@ Coverage Diff @@
## master #24 +/- ##
=========================================
- Coverage 8.00% 6.36% -1.64%
=========================================
Files 2 2
Lines 500 581 +81
=========================================
- Hits 40 37 -3
- Misses 459 544 +85
+ Partials 1 0 -1
Continue to review full report at Codecov.
|
Ping? |
@ckwalsh Pong, sorry it went out of my radar. I will take a look asap. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pretty much ok, I've added some comments, and some questions.
if req.duration != "" { | ||
b.Env = append(b.Env, corev1.EnvVar{ | ||
Name: "STEP_NOT_AFTER", | ||
Value: req.duration, | ||
}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will work but I still see references to the DURATION environment variable in bootstrapper/tls/bootstrapper.sh
With the environment variable named STEP_NOT_AFTER
we don't need the if condition in the bootstrapper.sh
STEP_HOST=false step ssh config --roots > $USER_CA | ||
STEP_HOST=true step ssh config --roots > $HOST_CA |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Easier to see if we do it like this:
step ssh config --roots > $USER_CA
step ssh config --host --roots > $HOST_CA
# Download the root certificate and set permissions | ||
if [ "$STEP_HOST" == "" ]; | ||
then | ||
KEY=$USER_KEY |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If user keys are not supported, why not just exit 0
here?
|
||
if [ "$STEP_HOST" == "" ]; | ||
then | ||
KEY=$USER_KEY |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If user keys are not supported, why not just exit 0
here?
This pull request adds support for generating, distributing, and maintaining SSH Host certificates within smallstep/autocert. For ease of review, it is split into several diffs with various goals:
These changes should be backwards compatible, and should not break existing deployments.
Future Work:
step ssh
doesn't have a renewal daemon mode. Instead, the renewer is a bash script that implements a while-true-sleep-work loop based on env vars. Assuming an ssh renewal daemon is added, it shouldn't be too hard to swap it in.Notes: