Certificate Manager Enrollment Over Secure Transport

About

est-operator is a cert-manager External certificate issuer that implements a subset of RFC 7030 Enrollment over Secure Transport (EST). It provides custom resources for EST services and a custom controller that reconciles certificate requests.

est-operator is written in Python using the kopf framework.

This operator covers only a portion of RFC 7030; see this document for an overview of what’s implemented, planned, and not planned.

See this document for an overview of this operator’s design.

Getting Started

Prerequisites

• Kubernetes v1.19.1 or later. est-operator should run on v1.16 or later, but is only tested with v1.19.1.
• Python 3.9 and packages. requirements.txt has all Python package dependencies. Install prerequistest with pip.

  pip install -r requirements.txt
      

  dev-requirements.txt has additional Python packages for development purposes (e.g., building packages). The full set of reqiurements can be installed with pip. The order of requirements files is important; dev-requirements.txt depends on requirement.txt.

  pip install -r requirements.txt -r dev-requirements.txt
      

See FIPS section below for installing dependencies in that mode.

This repository uses pip-tools to build requirements files.

Building

Installing

See *Deployment, below. Also see the design document for a deployment description.

Testing

Style

Component

End-to-end

Deployment

In cluster

TBD.

Out of cluster

The operator can be run “out of cluster,” meaning in a process that runs outside of Kubernetes control. This is useful for development, testing, and debugging est-operator. This mode is not recommended for production.

The kopf command will use the current cluster context in KUBECONFIG by default.

kopf run est-operator.py

See kopf documentation for more details of running in this mode.

Federal Information Processing Standards (FIPS) 140-2 certified mode

The operator can be built to satisfy FIPS 140-2 certification requirements. FIPS 140-2 certification depends on the module and the platform. A platform with Python dynamically linked to OpenSSL and links OpenSSL to a validated version of the OpenSSL FIPS Object Module can demonstrate FIPS 140-2 certification. Consult the NIST Cryptographic Module Validation Program list of OpenSSL modules for combinations of OpenSSL and platform that are certified.

Note: OpenSSL 1.0.2 is no longer supported by the OpenSSL project, but OpenSSL FIPS Object Module 2.0 is not compatible with OpenSSL 1.1. A new version is not available nor certified yet.

Other FIPS certified modules are available (e.g., GnuTLS and Network Security Services) but the work to integrate these modules is extensive. We welcome merge requests on this topic.

Building a FIPS version

Requirements for FIPS mode vary slightly from above. The cryptography package embeds a statically linked version of OpenSSL and is not compatible with OpenSSL 1.0.2, which is the latest FIPS certified version.

Install requirements with the following pip command. You will need OpenSSL headers, Python3 headers, CFFI headers, and GCC. See cryptography build instructions for details.

pip install -r fips-requirements.txt

Building a FIPS container image

Note: This container image demonstrates FIPS 140-2 certification only on Amazon Linux 2 running on AWS EC2.

Dockerfile.fips builds a version of the operator image that maintains FIPS 140-2 certification. The image is built on Amazon Linux 2 and has FIPS validated libraries installed according to AWS documentation. The image runs with the environment variable OPENSSL_FIPS=1 set, and startup code in module initialization enables FIPS mode in the cryptographic library.

docker build -t est-operator:fips -f Dockerfile.fips .

Running a FIPS version out of cluster

If you have a FIPS certified version of OpenSSL installed and installed dependencies as above, the operator can be run “out of cluster” by OPENSSL_FIPS=1 in the shell environment before running kopf. Otherwise we recommend using the container image.

Built with

• Python 3.9
• kopf framework
• Docker

Contibuting

TBD

Versioning

TBD

Authors

• Timothy J. Miller - initial work - Cerebus

License

Apache License v2.0

Acknowledgements

• The MITRE Corporation for allowing this work to be open sourced.
• Jetstack and all the cert-manager contributors for the framework that makes this extension possible.
• Sergey Vasilyev for kopf, so I don’t have to learn Go yet.