Chainguard Container for aws-privateca-issuer-fips

AWS Private CA is an AWS service that can setup and manage private CAs, as well as issue private certificates. cert-manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources. It will ensure certificates are valid, updated periodically and attempt to renew certificates at an appropriate time before expiry. This project acts as an addon (see https://cert-manager.io/docs/configuration/external/) to cert-manager that signs off certificate requests using AWS Private CA.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/aws-privateca-issuer-fips:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

AWS Private CA is an AWS service that can setup and manage private CAs, as well as issue private certificates. cert-manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources. It will ensure certificates are valid, updated periodically and attempt to renew certificates at an appropriate time before expiry. This project acts as an addon (see https://cert-manager.io/docs/configuration/external/) to cert-manager that signs off certificate requests using AWS Private CA.

Prerequisites

• A Kubernetes cluster preferably eks.
• Helm installed.
• AWS CLI configured with access to your AWS account.
• An AWS Private CA created and activated.
• Installing cert-manager

Installation

For installation instructions, visit the Amazon VPC CNI Install Guide.

Installation using Helm chart

Install cert-manager first

helm repo add jetstack https://charts.jetstack.io
helm repo update

helm install cert-manager jetstack/cert-manager \
     --namespace cert-manager \
     --create-namespace \
     --set installCRDs=true

Install AWS PCA Issuer with Chainguard image

helm repo add awspca https://cert-manager.github.io/aws-privateca-issuer
helm install awspca/aws-privateca-issuer --generate-name \
--set image.repository=cgr.dev/chainguard/aws-privateca-issuer-fips \
--set image.tag=latest

Create IAM Policy and Role:

Ensure your EKS worker nodes or Kubernetes environment have the necessary IAM policies attached for accessing AWS PCA. Policies required typically include:

• acm-pca:IssueCertificate
• acm-pca:GetCertificate
• acm-pca:DescribeCertificateAuthority

A minimal policy to use the issuer with an authority would look like follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "awspcaissuer",
      "Action": [
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificate",
        "acm-pca:IssueCertificate"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:acm-pca:<region>:<account_id>:certificate-authority/<resource_id>"
    }
  ]
}

Create an AWSPCACIssuer to integrate with AWS PCA:

apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAIssuer
metadata:
  name: demo-awspcs-issuer
spec:
  arn: "arn:aws:acm-pca:<region>:<account_id>:certificate-authority/<CA_ID>"
  region: "<aws-region>"

Then, kubectl apply -f AWSPCAIssuer.yaml

Verify AWSPCAIssuer installed correctly:

Do kubectl describe AWSPCAIssuer

Check the Events section and you must see the message Issuer verified if everything goes correct:

Normal  Verified  46s (x2 over 46s)  awspcaissuer-controller  Issuer verified

Create Certificate

Create CRD Certificate with name rsa-cert-2048 for dns name rsa-2048.example.com >> Certificate.yaml For th formats other than 2048 check the examples

---
kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: rsa-cert-2048
spec:
  commonName: www.rsa-2048.example.com
  dnsNames:
    - www.rsa-2048.example.com
    - rsa-2048.example.com
  duration: 2160h0m0s
  issuerRef:
    group: awspca.cert-manager.io
    kind: AWSPCAIssuer
    name: demo-awspcs-issuer
  renewBefore: 360h0m0s
  secretName: rsa-example-cert-2048
  usages:
    - server auth
    - client auth
  privateKey:
    algorithm: "RSA"
    size: 2048
---

Then Apply the yaml file

kubectl apply -f Certificate.yaml

Verify Certificate is installed correctly

kubectl  get Certificates

It should output Ready as True as shown below

  NAME            READY   SECRET                  AGE
  rsa-cert-2048   True    rsa-example-cert-2048   31s

Please use kubectl get events for debugging.

kubectl get events  
Sample Output for Successfull Certificate Request
  5s          Normal   cert-manager.io   certificaterequest/rsa-cert-2048.io-zqftp   Certificate request has been approved by cert-manager.io
  2s          Normal   Issued            certificaterequest/rsa-cert-2048.io-zqftp   certificate issued
  5s          Normal   Issuing           certificate/rsa-cert-2048                Issuing certificate as Secret does not exist
  5s          Normal   Generated         certificate/rsa-cert-2048               Stored new private key in temporary Secret resource "rsa-cert-2048-k7zxv"
  5s          Normal   Requested         certificate/rsa-cert-2048                Created new CertificateRequest resource "rsa-cert-2048-zqftp"
  2s          Normal   Issuing           certificate/rsa-cert-2048                The certificate has been successfully issued
  8m22s       Normal   Verified          awspcaissuer/rsa-cert-2048               Issuer verified
  85s         Normal   Verified          awspcaissuer/rsa-cert-2048               Issuer verified

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.