{"id":25190172,"url":"https://github.com/keyfactor/k8s-csr-signer","last_synced_at":"2025-05-07T18:24:42.067Z","repository":{"id":104073447,"uuid":"378514365","full_name":"Keyfactor/k8s-csr-signer","owner":"Keyfactor","description":"Proxy to sign CSRs through Keyfactor via kubernetes csr signer API","archived":false,"fork":false,"pushed_at":"2023-12-14T17:59:34.000Z","size":321,"stargazers_count":3,"open_issues_count":2,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-31T12:58:07.375Z","etag":null,"topics":["csr","istio","k8s","keyfactor","kubernetes","pki","signer"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Keyfactor.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2021-06-19T22:19:37.000Z","updated_at":"2023-06-28T15:37:15.000Z","dependencies_parsed_at":null,"dependency_job_id":"edc755e7-0bfe-49bf-88ab-d1de1078561e","html_url":"https://github.com/Keyfactor/k8s-csr-signer","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fk8s-csr-signer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fk8s-csr-signer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fk8s-csr-signer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Keyfactor%2Fk8s-csr-signer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Keyfactor","download_url":"https://codel
oad.github.com/Keyfactor/k8s-csr-signer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252932590,"owners_count":21827337,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csr","istio","k8s","keyfactor","kubernetes","pki","signer"],"created_at":"2025-02-09T21:19:10.467Z","updated_at":"2025-05-07T18:24:42.044Z","avatar_url":"https://github.com/Keyfactor.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# k8s-csr-signer\n## api-client\n\nSigner for Kubernetes CSR signing API that passes certificate requests to the Keyfactor Web API for signing with a trusted enterprise CA\n\n\u003c!-- add integration specific information below --\u003e\n*** \n\n## Use Cases\n\nThis signer operates within the [kubernetes certificate signing request API](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/) and listens for approved CSRs designated for the signer (by default, it matches CSRs with \u0026quot;keyfactor.com/*\u0026quot;). This allows workloads within the cluster or Istio service mesh to obtain trusted identity certificates from an enterprise PKI while providing InfoSec and OpSec teams with insight into the certificates being issued and control over the certificate issuance requirements and content.\n\n## Configuration\n\n1. Configure your Keyfactor environment with an account, API application, and certificate template for enrollment. Information can be found in the Keyfactor reference guide.\n\n2. 
Create the following string metadata fields in your Keyfactor instance:\n- Cluster\n- Service\n- PodName\n- PodIP\n- PodNamespace\n- TrustDomain\n\n3. Clone this repository or download and unzip the binary release to a suitable location in your cluster control plane.\n\n4. Install kubectl, helm, and their dependencies if not already present.\n\n5. Open credentials/credentials.yaml and enter the following information:\n\\# Endpoint of Keyfactor Platform  \nendPoint: \"http://192.168.0.24\"  \n\\# Name of certificate authority for enrollment  \ncaName: \"Keyfactor.thedemodrive.com\\\\Keyfactor Test Drive CA 2 \"  \n\\# Basic auth credentials for authentication header: \"Basic ....\"  \nauthToken: \"Basic RE9NQUlOXFVzZXI6UGFzc3dvcmQ=\"  \n\\# API path to enroll new certificate from Keyfactor  \nenrollPath: \"/KeyfactorAPI/Enrollment/CSR\"  \n\\# Certificate Template for Istio certificate enrollment  \ncaTemplate: \"KubernetesNode\"  \n\\# ApiKey from Api Setting, to enroll certificates for Istio  \nappKey: \"uYl+FKUbuFpRWg==\"  \n\\# ApiKey for auto provisioning TLS server / client certificates  \nprovisioningAppKey: \"uYl+FKUbuFpRWg==\"  \n\\# CA Template for auto provisioning TLS server / client certificates  \nprovisioningTemplate: \"KubernetesNode\"\n\n6. Create the keyfactor namespace with these credentials as a secret:  \nkubectl create namespace keyfactor  \nkubectl create secret generic keyfactor-credentials -n keyfactor --from-file credentials/credentials.yaml\n\n7. Install Keyfactor signer with helm  \nhelm package charts  \nhelm install keyfactor-k8s -n keyfactor ./keyfactor-kubernetes-0.0.1.tgz -f charts/values.yaml\n\n8. When the pod in the keyfactor namespace is up, you can test the configuration with the provided sample CSR. Note that depending on your selected template and Keyfactor configuration, this may not represent a valid request.  
\nkubectl apply -f sample/test-csr.yaml  \nkubectl certificate approve TestABCDEFNAME\n\nAfter a few seconds, you should be able to see two certificates issued in your Keyfactor instance: one for the pod created in the keyfactor namespace to communicate via mTLS within the cluster, and one from the sample CSR (if the CSR issuance failed, your Keyfactor instance will reflect that instead).\n\n\n***\n\n### License\n[Apache](https://apache.org/licenses/LICENSE-2.0)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeyfactor%2Fk8s-csr-signer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkeyfactor%2Fk8s-csr-signer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkeyfactor%2Fk8s-csr-signer/lists"}