https://github.com/wirepact/k8s-pki
The PKI for WirePact in Kubernetes.
- Host: GitHub
- URL: https://github.com/wirepact/k8s-pki
- Owner: WirePact
- License: apache-2.0
- Created: 2021-11-03T21:59:43.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2024-05-22T23:04:35.000Z (about 2 years ago)
- Last Synced: 2024-05-22T23:56:05.718Z (about 2 years ago)
- Topics: pki, wirepact
- Language: Rust
- Size: 1 MB
- Stars: 2
- Watchers: 0
- Forks: 0
- Open Issues: 7
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Kubernetes PKI for WirePact
This is the PKI for WirePact in Kubernetes.
The PKI is responsible for providing translators and other types of
participants with the key material used in WirePact to sign
the transmitted identity and to create the mTLS connection.

Read about WirePact (aka Distributed Authentication Mesh) in
[Distributed Authentication Mesh](https://buehler.github.io/mse-project-thesis-1/report.pdf)
and [Common Identities in a Distributed Authentication Mesh](https://buehler.github.io/mse-project-thesis-2/report.pdf).

The operator will install a PKI in its own namespace in Kubernetes.
To communicate with the PKI, use the provided
[proto file](./proto/pki.proto)
to fetch the CA certificate and to send a certificate signing
request to the PKI.

The PKI supports authorization through a pre-shared API key.
By default, the operator creates a random API key and configures the PKI
with it. Thus, it is possible to expose the PKI
to the public without risking unauthorized access.

To see an example (in Rust), head over to the
[example file](./examples/send_csr.rs).

### Configuration
The PKI can be configured via environment variables or command line
arguments.
- `PORT` (`-p --port`): The port on which the PKI listens
  for gRPC connections (Default: `8080`)
- `SECRET_NAME` (`-s --secret-name`): The name of the Kubernetes
  secret that stores the CA and the key (Default: `wirepact-pki-ca`)
- `API_KEY` (`--api-key`): The API key that is used to authorize all API calls.
  If omitted, the PKI will not check the incoming requests for authorization.
- `LOCAL` (`-l --local`): If set, the CA and
  other elements of the key material are
  stored locally instead of in a Kubernetes secret
- `DEBUG` (`-d --debug`): If set, debug log messages are emitted
by the PKI
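
The `API_KEY` behaviour described above (checked when set, no check when omitted), modelled as an added example; this is not code from the k8s-pki repository. The names `load_api_key`, `authorize` and `Decision`, the rejection of an empty key, and the comparison without early exit are assumptions made for illustration, since the page does not say how the PKI handles these cases.

```rust
use std::env;

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allowed,
    AllowedUnauthenticated, // no key configured: any caller is accepted
    Denied,
}

/// Hypothetical loader: treat an empty or blank API_KEY as a configuration
/// error instead of as a key that an empty credential would match.
pub fn load_api_key(raw: Option<String>) -> Result<Option<String>, String> {
    match raw {
        None => Ok(None),
        Some(k) if k.trim().is_empty() => Err("API_KEY is set but empty".into()),
        Some(k) => Ok(Some(k)),
    }
}

/// Compare without an early exit at the first mismatching byte.
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    let mut diff = a.len() ^ b.len();
    for i in 0..a.len().max(b.len()) {
        diff |= (a.get(i).copied().unwrap_or(0) ^ b.get(i).copied().unwrap_or(0)) as usize;
    }
    diff == 0
}

/// `configured` is the API_KEY setting; `presented` is what the caller sent.
pub fn authorize(configured: Option<&str>, presented: Option<&str>) -> Decision {
    match (configured, presented) {
        (None, _) => Decision::AllowedUnauthenticated,
        (Some(k), Some(p)) if constant_time_eq(k.as_bytes(), p.as_bytes()) => Decision::Allowed,
        _ => Decision::Denied,
    }
}

fn main() {
    // Report the effective authorization mode for the current environment.
    match load_api_key(env::var("API_KEY").ok()) {
        Err(e) => eprintln!("refusing to start: {}", e),
        Ok(None) => eprintln!("warning: API_KEY not set, requests will not be authorized"),
        Ok(Some(_)) => println!("API key configured, every call must present it"),
    }
}
```

When reviewing a deployment, the `AllowedUnauthenticated` branch is the one to look for: it corresponds to a PKI started without `API_KEY`.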