Monitor public certificates (public keys) for services running on a disconnected private network.
Within your secure network, run the getpublickey service and expose its API endpoint externally. Use this API to retrieve self-signed public certificates from the internal services you wish to consume. After verifying these certificates, configure your internal services to utilize them, ensuring secure communication when interacting with self-signed services inside the secure network.
On Openshift cluster with Openshift MTV operator installed:
# deploy - deploy the service on openshift-mtv namespace
kubectl apply -f https://raw.githubusercontent.com/kubev2v/getpublickey/main/ci/deployment.ocp.yaml
# optional - patch console plugin proxy
curl https://raw.githubusercontent.com/kubev2v/getpublickey/main/ci/consoleplugin.patch.yaml \
-o /tmp/consoleplugin.patch.yaml &&\
kubectl patch consoleplugin forklift-console-plugin \
--type=merge --patch-file /tmp/consoleplugin.patch.yaml
# Service will be available at:
# https://[openshift console url]/api/proxy/plugin/forklift-console-plugin/getpublickey/?url=[service url]Refer to the 'ci' folder for detailed instructions on deploying the getpublickey service to an external cluster.
getpublickey is a utility that provides an API for applications to obtain the server public certificate. This is particularly valuable in secure environments where services utilize self-signed keys. Instead of disabling certificate verification within the secure network, this utility enables them to utilize TLS by retrieving the self-signed public certificate, allowing users to verify the acquired public certificate before using it for further communication.
Note
This utility is intended for applications that can't fetch the public certificate directly, for example applications that run on a network that does not have access to the service. If your applicaion have access to the service you can get a public certificate without the need of a service running on a different network.
For example if the service is running on the same network you can use command line tools like openssl to get the public certificate directly:
echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -text
To start using getpublickey, follow these simple steps:
To get started with getpublickey, the first step is to clone the repository to your local machine.
git clone https://github.com/kubev2v/getpublickey.git
cd getpublickeyBefore you run the server, ensure your environment is properly set up:
Install Python: getpublickey requires Python to run. If you haven't already, download and install Python.
Install isort for imports sorting:
pip install isortInstall black for code formatting:
pip install blackInstall podman if you wish to build and use container images. Follow the installation guide specific to your operating system.
Set up a kind Kubernetes cluster if you want to run the server in a cluster environment. Detailed instructions can be found on the kind GitHub repository.
python ./src/getpublickey.py --help--port: Specify the port for the server to listen to. (Default is 8443)
python ./src/getpublickey.py --port 8080--listen: Set the listen address. (Default is 0.0.0.0)
python ./src/getpublickey.py --listen 192.168.1.100--tls-key and --tls-cert: Point to files containing the server PEM certs. (Default are tls.key and tls.crt)
python ./src/getpublickey.py --tls-key certs/tls.key --tls-cert certs/tls.crtmkdir certs
openssl req -x509 -newkey rsa:4096 -keyout certs/tls.key -out certs/tls.crt -days 365 -nodesNote
This will create a certs directory with two files: tls.key (the private key) and tls.crt (the certificate).
With the server up and running, you can access the API to retrieve public certificates. Use the curl CLI utility:
curl -k -G https://127.0.0.1:8443/ --data 'url=github.com'Note
Replace the url parameter value with the desired server's URL from which you want to retrieve the public certificate.
To build the container image using Podman:
podman build -t quay.io/kubev2v/getpublickey:latest .This command builds the container and tags it as quay.io/kubev2v/getpublickey:latest.
Once the image is built, you can run it locally using the following command:
podman run -it -p 8443:8443 \
-v $(pwd)/certs:/var/run/secrets/getpublickey-serving-cert:Z \
quay.io/kubev2v/getpublickey:latestNote
This command:
- Maps port 8443 on the host to port 8443 in the container.
- Mounts the
certsdirectory (with the self-signed certificates) to/var/run/secrets/getpublickey-serving-certin the container. - Uses the
:Zoption to ensure the mounted directory has the correct SELinux label. - Runs the container image
quay.io/kubev2v/getpublickey:latest.
After executing the command, your service should be accessible at https://localhost:8443.
Follow these guidelines to deploy the getpublickey server on a Kubernetes cluster:
- Make sure you've installed
kubectland have set it up correctly to interact with your cluster. Ensure you possess the rights to initiate newnamespacesanddeploymentswithin the cluster.
- Cluster Authentication: Confirm that you're connected to your Kubernetes cluster and have the requisite privileges.
- Application Deployment: Refer to the 'ci' folder for detailed instructions on deploying the
getpublickeyservice to an external cluster.