Skip to content
This repository has been archived by the owner on Sep 22, 2024. It is now read-only.
/ k8s-pki Public archive

The PKI for WirePact in Kubernetes.

License

Notifications You must be signed in to change notification settings

WirePact/k8s-pki

Repository files navigation

Kubernetes PKI for WirePact

This is the PKI for WirePact in Kubernetes.

The PKI is responsible to provide translators and other types of participants with key material used in WirePact to sign the transmitted identity and to create the mTLS connection.

Read about WirePact (aka Distributed Authentication Mesh) in Distributed Authentication Mesh and Common Identities in a Distributed Authentication Mesh.

The operator will install a PKI it its own namespace in Kubernetes. To communicate with the PKI, use the provided proto file to fetch the CA certificate as well as send a certificate signing request to the PKI. The PKI supports authorization through a pre-shared API key. The operator will create a random API key and configures the PKI with API key by default. Thus, it is possible to expose the PKI to the public without risking unauthorized access.

To see an example (in rust), head over to the example file.

Configuration

The PKI can be configured via environment variables or command line arguments.

  • PORT (-p --port <PORT>): Defines the port that the PKI listens to gRPC connections (Default: 8080)
  • SECRET_NAME (-s --secret-name <NAME>): The name of the Kubernetes secret, that stores the CA and the key (Default: wirepact-pki-ca)
  • API_KEY (--api-key <KEY>): The API key that is used to authorize all api calls. If omitted, the PKI will not check the incoming requests for authorization.
  • LOCAL (-l --local): If set, the CA and other elements of the key material gets stored locally instead of in a Kubernetes secret
  • DEBUG (-d --debug): If set, debug log messages are emitted by the PKI