# Certificate management utility with a Vault backend

## What is Knox v0.1.11
The name comes from the historically most secure place to store valuables, "Fort Knox". At least that is the myth. This tool, or set of utilities, is explicitly for managing TLS certificates, including metadata about those certificates, and storing them in a backend.

The main components used are Python, Hashicorp Vault, Let's Encrypt and certbot.

[Let's Encrypt](https://letsencrypt.org) is a certificate authority run by the [Internet Security Research Group (ISRG)](https://www.abetterinternet.org/about/). It uses the [Automated Certificate Management Environment (ACME)](https://github.com/ietf-wg-acme/acme/) to automate the deployment of free SSL certificates that are trusted by almost all mainstream browsers. [The certificate compatibility list can be found here](https://letsencrypt.org/docs/certificate-compatibility/). Let's Encrypt has revolutionised certificate distribution for public-facing servers.

[Hashicorp Vault](https://www.vaultproject.io/) is a tool for storing secrets. It has a [PKI Secret Engine](https://www.vaultproject.io/docs/secrets/pki/index.html) backend that allows it to be used as a certificate authority in internal public key infrastructure deployments. So far, Vault is best suited for issuing private certificates.

Let's Encrypt and Hashicorp Vault are complementary in certificate management.
## Data flow diagram

![](deployment-3D.png)

There may not necessarily be a container between Certbot or the DevOps agent, but the key point is that all access for managing certificates goes through the knox command. Once in place, the cert can be accessed directly from Vault by the deployment mechanism, with or without knox. In practice it is just a key-value path holding JSON. Knox simply unifies how and what is stored and provides convenient methods for managing certificates.
## Installation

To get started:

```shell
pip install knox
```

You can also install the in-development version:

Or run it as a container:

```shell
docker run 8x8cloud/knox
```

See [Dynaconf](https://dynaconf.readthedocs.io/) for how the configuration is read in. The simplest approach is to add environment variables to a .env file.
## Metadata

Knox stores the complete certificate body together with metadata about the certificate details. The data is organised and retrieved using a tree structure that mirrors the DNS naming hierarchy.

Tree structure:

```text
certificates:
├── com
│   └── example
│       └── cloud
│           ├── acceptance
│           ├── production
│           └── staging
├── internal
│   └── example
└── net
    └── example
```

So the hostname www.example.com is stored at the path /com/example/www

Additional data is stored alongside the certificate body. Jinja templates will be provided. The certificate body and the certificate data will have separate RBAC rules for access. Here is an example:

```json
{
  "cert_info": {
    "subject": {
      "commonName": "www.example.com",
      "countryName": "US",
      "emailAddress": "cert@example.com",
      "localityName": "San Jose",
      "organizationName": "Example, Inc.",
      "organizationalUnitName": "Engineering",
      "stateOrProvinceName": "CA"
    },
    "issuer": {
      "commonName": "www.example.com",
      "countryName": "US",
      "emailAddress": "cert@example.com",
      "localityName": "San Jose",
      "organizationName": "Example, Inc.",
      "organizationalUnitName": "Engineering",
      "stateOrProvinceName": "CA"
    },
    "key_details": {
      "fingerprint_sha256": "f6874a226e4d2ea54eed11d8d71e27f5fbd965630aa84f71414209b0227c448c",
      "key": {
        "size": 4096,
        "type": "RSA"
      },
      "serial_number": "11672594923309745709",
      "version": "v1"
    },
    "validity": {
      "not_valid_after": "2021-05-17 18:49:00",
      "not_valid_before": "2020-05-17 18:49:00"
    }
  },
  "cert_body": {
    "private": "REDACTED",
    "chain": "REDACTED",
    "public": "REDACTED"
  }
}
```
## Development

This project was initialised with a very cool Python project template tool called [cookiecutter-pylibrary](https://github.com/ionelmc/cookiecutter-pylibrary) from [Ionel Cristian Mărieș](https://github.com/ionelmc). Be sure to look at all the available tooling and the good usage documentation.

To run everything:

```shell
tox
```

To see all the tox environments:

```shell
tox -l
```

To build only the docs:

```shell
tox -e docs
```

To build and verify that the generated package is correct, plus other code QA checks:

```shell
tox -e check
```

To update the [Travis CI](https://travis-ci.org) configuration:

```shell
tox -e bootstrap
```
You will need a [Vault](https://hub.docker.com/_/vault) server running locally:

```shell
>docker run \
    --cap-add=IPC_LOCK \
    -p 8201:8201 \
    -p 8200:8200 \
    -e 'VAULT_DEV_ROOT_TOKEN_ID=knox' \
    -d --name=dev-vault \
    vault
>docker ps
CONTAINER ID   IMAGE   COMMAND                  CREATED       STATUS       PORTS                              NAMES
d89fbfd340c3   vault   "docker-entrypoint.s…"   5 hours ago   Up 5 hours   0.0.0.0:8200-8201->8200-8201/tcp   dev-vault
```

Set the token ID and container name to your preference. Verify that you can talk to Vault with the vault CLI:

```shell
>export VAULT_ADDR=http://0.0.0.0:8200
>export VAULT_TOKEN=knox
>vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.4.1
Cluster Name    vault-cluster-31da8ea9
Cluster ID      043bfc14-09b1-6033-1c3b-8aeace3adc60
HA Enabled      false
```

Set up your local AppRole:

```shell
# Add the cert admin policy
>vault policy write cert_admin config/cert_admin-policy.hcl
Success! Uploaded policy: cert_admin

# Enable approle auth
>vault auth enable approle
Success! Enabled approle auth method at: approle/

# Create an app role
>vault write auth/approle/role/knox-admin \
    bind_secret_id=true \
    period=0 \
    policies="cert_admin" \
    token_num_uses=1 \
    token_ttl=5m \
    token_max_ttl=30m \
    secret_id_num_uses=0 \
    secret_id_ttl=0 \
    token_no_default_policy=true
Success! Data written to: auth/approle/role/knox-admin

# Read role-id
vault read auth/approle/role/knox-admin/role-id
export KNOX_VAULT_APPROLE=$(vault read -format=json auth/approle/role/knox-admin/role-id | jq -r '.data.role_id')

# Generate secret-id
vault write -f auth/approle/role/knox-admin/secret-id
export KNOX_VAULT_SECRET_ID=$(vault write -f -format=json auth/approle/role/knox-admin/secret-id | jq -r '.data.secret_id')
```
Update the knox configuration with a .env file or directly with environment variables:

```shell
ENVVAR_PREFIX_FOR_DYNACONF=KNOX
INCLUDES_FOR_DYNACONF='./config/*'
KNOX_TEMP=/tmp
KNOX_LOG_LEVEL=DEBUG
KNOX_STORE_ENGINE=vault
KNOX_VAULT_URL=http://127.0.0.1:8200
KNOX_VAULT_TOKEN="knox"
KNOX_VAULT_MOUNT="certificates"
KNOX_VAULT_CLIENT_MAX_VERSIONS=10
KNOX_VAULT_CLIENT_CAS=False
KNOX_FILE_HOME=./test
```

And/or use a settings file:

```json
{
  "default": {
    "ENVVAR_PREFIX_FOR_DYNACONF": "KNOX",
    "INCLUDES_FOR_DYNACONF": "./config/*",
    "KNOX_TEMP": "./tmp",
    "KNOX_LOG_LEVEL": "DEBUG",
    "KNOX_STORE_ENGINE": "vault",
    "KNOX_VAULT_URL": "http://127.0.0.1:8200",
    "KNOX_VAULT_TOKEN": "knox",
    "KNOX_VAULT_MOUNT": "certificates",
    "KNOX_VAULT_CLIENT_MAX_VERSIONS": "10",
    "KNOX_VAULT_CLIENT_CAS": "True",
    "KNOX_FILE_HOME": "./test"
  },
  "development": {
    "ENVVAR_PREFIX_FOR_DYNACONF": "KNOX",
    "INCLUDES_FOR_DYNACONF": "./config/*"
  },
  "production": {
    "ENVVAR_PREFIX_FOR_DYNACONF": "KNOX",
    "INCLUDES_FOR_DYNACONF": "./config/*"
  }
}
```
Generate some self-signed test certificates. First create a config file for openssl (the command below reads it as san.cnf):

```ini
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.company.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.company.net
DNS.2 = company.com
DNS.3 = company.net
```

```shell
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
    -keyout cert-key.pem \
    -out cert-pub.pem \
    -config san.cnf -extensions 'v3_req'
Generating a 2048 bit RSA private key
..................................+++
...........+++
writing new private key to 'cert-key.pem'
-----
```

Save the certificate to Vault:

```shell
export VAULT_ADDR=http://localhost:8200
export KNOX_VAULT_URL=http://localhost:8200
export KNOX_VAULT_TOKEN=knox
export KNOX_VAULT_APPROLE=$(vault read -format=json auth/approle/role/knox-admin/role-id | jq -r '.data.role_id')
export KNOX_VAULT_SECRET_ID=$(vault write -f -format=json auth/approle/role/knox-admin/secret-id | jq -r '.data.secret_id')
knox cert --pub cert-pub.pem --key cert-key.pem save www.company.com
```

Search the stored certificates:

```shell
knox store find \*                 # list all the certificates info
knox store find www.company.com
knox store find *.example.com      # list all the *.example.com certificates
knox store find com/example/www    # list about www.example.com
```
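As an added example (not knox's own code), here is the storage layout described in the Metadata section and the two lookup forms used in the find commands above, written in Python: reversed DNS labels become the path (www.example.com becomes /com/example/www), hostnames are nested into the README's tree layout, and a find pattern may be either a hostname glob or a storage path. The sample inventory and the shell-style glob semantics are assumptions, not knox's documented behaviour.

```python
import fnmatch
from typing import Dict, Iterable, List

Tree = Dict[str, "Tree"]  # nested labels, e.g. {"com": {"example": {"www": {}}}}

def hostname_to_path(hostname: str) -> str:
    """Reverse the DNS labels: www.example.com -> /com/example/www."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    if not all(labels):  # rejects empty labels such as "www..example.com"
        raise ValueError(f"invalid hostname: {hostname!r}")
    return "/" + "/".join(reversed(labels))

def path_to_hostname(path: str) -> str:
    """Inverse mapping: /com/example/www -> www.example.com."""
    return ".".join(reversed([p for p in path.split("/") if p]))

def build_tree(hostnames: Iterable[str]) -> Tree:
    """Nest the reversed labels so the store mirrors the DNS hierarchy."""
    root: Tree = {}
    for host in hostnames:
        node = root
        for label in hostname_to_path(host).split("/")[1:]:
            node = node.setdefault(label, {})
    return root

def render(tree: Tree, prefix: str = "") -> List[str]:
    """Draw the tree with the box characters used in the README."""
    lines: List[str] = []
    items = sorted(tree.items())
    for i, (name, child) in enumerate(items):
        last = i == len(items) - 1
        lines.append(f"{prefix}{'└── ' if last else '├── '}{name}")
        lines.extend(render(child, prefix + ("    " if last else "│   ")))
    return lines

def find(hostnames: Iterable[str], pattern: str) -> List[str]:
    """Accept a hostname glob (*.example.com) or a storage path (com/example/www).
    Assumed shell-glob semantics: '*' also crosses label boundaries, so
    '*.example.com' is broader than a wildcard certificate's single label."""
    if "/" in pattern:
        pattern = path_to_hostname(pattern)
    return sorted(h for h in hostnames if fnmatch.fnmatchcase(h.lower(), pattern.lower()))

# Constructed sample inventory matching the README's tree; not real hosts.
SAMPLE_HOSTS = ["acceptance.cloud.example.com", "production.cloud.example.com",
                "staging.cloud.example.com", "example.internal", "example.net"]

if __name__ == "__main__":
    print("certificates:\n" + "\n".join(render(build_tree(SAMPLE_HOSTS))))
    print(find(SAMPLE_HOSTS, "*.example.com"), find(SAMPLE_HOSTS, "com/example/cloud/staging"))
```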
Don't want to install Python? Understood:

```shell
docker run --net=host 8x8cloud/knox --help
Usage: knox [OPTIONS] COMMAND [ARGS]...

  Utilities for managing and storing TLS certificates using backing store
  (Vault).

Options:
  -l, --log [TRACE|DEBUG|INFO|SUCCESS|WARNING|ERROR|CRITICAL]
                                  Sets the level of logging displayed
                                  [default: INFO]
  -v, --verbose                   Display log output to console
  --version                       Show the version and exit.
  --help                          Show this message and exit.

Commands:
  cert   Certificate utilities.
  store  Store commands.
```

If you are using docker, mount a volume to get at the certificates:

```shell
docker run --net=host \
    -v ~/dev/knox/examples/:/examples \
    8x8cloud/knox cert \
    --pub /examples/sample_cert1.pem \
    --key /examples/sample_key1.pem \
    save www.example.com
```
## Changelog

- First release on PyPI.