Add README.md
1 file changed
tree: 31174e5f995e73e8386aac0a1b58274ee94847bd
README.md

Old Shitty Arista eAPI/Capi <-> gRPC proxy

Our Arista 7148S does not support gRPC/OpenConfig, so we have to make our own damn gRPC proxy.

The schema is supposed to be 1:1 mapped to the JSON-RPC EAPI. This is just a dumb proxy.

PKI Introduction

This project is a testing ground for the HSCloud PKI setup. Long story short, all gRPC is mutually authenticated via TLS (server & client certs).

All certs for mutual auth have the following CN/SAN format:

job.principal.realm

For example, if principal maps into a 'group' and job into a 'user':

arista-proxy-dcr01u23.prod.c.example.com

job = arista-proxy-dcr01u23
principal = cluster-management-prod
realm = c.example.com

The Realm is a DNS name that is global to all jobs that need mutual authentication.

The Principal is any name that carries significance for logical grouping of jobs. It can, but doesn't need to, group jobs by similar permissions.

The Job is any name that identifies uniquely (within the principal) a security endpoint that describes a single security policy for a gRPC endpoint.

If the job represents a service, the entire CN should be DNS resolvable to an IP address that responds to gRPC requests on port 42000, presenting a server TLS certificate for that CN.

This maps nicely to the Kubernetes Cluster DNS format if you set realm to svc.cluster.local. Then, principal maps to a Kubernetes namespace, and job maps into a Kubernetes service.

arista-proxy-dcr01u23.arista-prod.svc.cluster.local

job/service = arista-proxy-dcr01u23
principal/namespace = arista-prod
realm = svc.cluster.local
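As an added illustration (not code from this repository), a small Go helper that takes a peer certificate's CN, checks that it is repeated as a DNS SAN, and splits it into the job/principal/realm triple described above. The realm is matched as a suffix because it can contain dots (svc.cluster.local), and anything that is not exactly two labels in front of the realm is rejected; the type and function names are assumptions.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
)

// Identity is the job.principal.realm triple carried in a certificate CN.
// Hypothetical type, not part of the project's pki.go.
type Identity struct {
	Job, Principal, Realm string
}

// ParseIdentity splits a CN of the form job.principal.realm. The realm is
// matched as a suffix (it may itself contain dots); the remainder must be
// exactly two non-empty labels, so a name from a foreign realm or with
// extra or missing labels never yields an identity. DNS names are
// case-insensitive, so everything is lower-cased first.
func ParseIdentity(cn, realm string) (Identity, error) {
	cn, realm = strings.ToLower(cn), strings.ToLower(realm)
	suffix := "." + realm
	if !strings.HasSuffix(cn, suffix) {
		return Identity{}, fmt.Errorf("cn %q is not in realm %q", cn, realm)
	}
	labels := strings.Split(strings.TrimSuffix(cn, suffix), ".")
	if len(labels) != 2 || labels[0] == "" || labels[1] == "" {
		return Identity{}, errors.New("cn must be job.principal.realm")
	}
	return Identity{Job: labels[0], Principal: labels[1], Realm: realm}, nil
}

// IdentityFromCert extracts the identity from an already-verified peer
// certificate. The CN must also appear as a DNS SAN, because TLS stacks
// match hostnames on SANs and ignore the CN.
func IdentityFromCert(cert *x509.Certificate, realm string) (Identity, error) {
	cn := cert.Subject.CommonName
	for _, n := range cert.DNSNames {
		if strings.EqualFold(n, cn) {
			return ParseIdentity(cn, realm)
		}
	}
	return Identity{}, fmt.Errorf("cn %q is not present in the DNS SANs", cn)
}

func main() {
	// Constructed sample: the development client cert from pki/gen.sh.
	cert := &x509.Certificate{
		Subject:  pkix.Name{CommonName: "developer.humans.svc.cluster.local"},
		DNSNames: []string{"developer.humans.svc.cluster.local"},
	}
	fmt.Println(IdentityFromCert(cert, "svc.cluster.local"))
}
```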

ACLs based on job/principal are yet to be implemented :).

PKI Certs for Development

In production, those certs will be automatically provided for you by automation. In development, you'll have to do the following:

cd pki
./gen.sh

This will generate:

  • pki/ca.pem - CA certificate
  • pki/client{,-key}.pem - certificate and key for developer.humans.svc.cluster.local
  • pki/service{,-key}.pem - certificate and key for test.arista-proxy.svc.cluster.local

You will have to set up an /etc/hosts alias to make test.arista-proxy.svc.cluster.local resolve to your machine.

# cat /etc/hosts
...
127.0.0.1 test.arista-proxy.svc.cluster.local
...

You can then start arista-proxy with default flags and talk to it via gRPC:

./arista-proxy

alias grpc-dev="grpc -cacert $(pwd)/pki/ca.pem -key $(pwd)/pki/client-key.pem -cert $(pwd)/pki/client.pem"
grpc-dev test.arista-proxy.svc.cluster.local:42000 proto.AristaProxy.ShowVersion