(DOCSP-5850): Adding instructions for creating x.509 certs (#62)

* (DOCSP-5850): Adding instructions for creating x.509 certs

* quick fix

* Apply suggestions from code review

Co-Authored-By: Anthony Sansone <[email protected]>

* Updates per Tony's feedback

* Apply suggestions from code review

Co-Authored-By: Anthony Sansone <[email protected]>

* tweaks

* Apply suggestions from code review

Co-Authored-By: Anthony Sansone <[email protected]>

* updates per Tony's feedback

Author: jeff-allen-mongo

source/deploy.txt

@@ -1,5 +1,7 @@
 :noprevnext:
 
+.. _deploy-resources:
+
 ================
 Deploy Resources
 ================

source/includes/steps-connect-to-x509-deployment.yaml

@@ -0,0 +1,88 @@
+---
+title: "Copy and save the following example |k8s-configmap|."
+level: 4
+stepnum: 1
+ref: copy-k8s-x509-configmap
+content: |
+
+  Save the following ConfigMap as ``x509-mongodb-user.yaml``:
+
+  .. code-block:: none
+     :linenos:
+
+     ---
+     apiVersion: mongodb.com/v1
+     kind: MongoDBUser
+     metadata:
+       name: new-x509-user
+     spec:
+       username: "CN=my-x509-authenticated-user, OU=organizationalunit, O=organization"
+       db: "$external"
+       project: my-project
+       roles:
+         - db: "admin"
+           name: "clusterAdmin"
+
+  This ConfigMap ``.yaml`` file describes a ``MongoDBUser`` custom object. You
+  can use these custom objects to create MongoDB users.
+  
+  In this example, the ConfigMap describes the user as an X.509
+  user that the client can use to connect to MongoDB with the
+  corresponding X.509 certificate.
+---
+title: "Create the X.509 MongoDB user."
+level: 4
+stepnum: 2
+ref: create-x509-user
+content: |
+  Run the following command to apply the ConfigMap and create the
+  X.509 MongoDB user:
+
+  .. code-block:: sh
+
+     kubectl -n {namespace} apply -f x509-mongodb-user.yaml
+
+  You should see an output similar to the following:
+
+  .. code-block:: sh
+     :copyable: false
+
+     mongodbuser.mongodb.com/new-x509-user created
+---
+title: "Verify your newly created user"
+level: 4
+stepnum: 3
+ref: verify-x509-user
+content: |
+  Run the following command to check the state of the ``new-x509-user``:
+
+  .. code-block:: sh
+
+     kubectl -n {namespace} get mdbu/new-x509-user -o yaml
+
+  You should see an output similar to the following:
+
+  .. code-block:: sh
+     :copyable: false
+
+     NAME            CREATED AT
+     new-x509-user   8m
+---
+title: "Use your X.509 user to connect to the MongoDB deployment"
+level: 4
+stepnum: 4
+ref: connect-with-x509-user
+content: |
+  Once you have created your X.509 user, try to connect to the
+  deployment using the mongo Shell:
+
+  .. code-block:: sh
+
+     mongo --host {host} --ssl --sslCAFile /var/run/secrets/kubernetes.io/serviceaccount/ca.crt --sslPEMKeyFile x509-full.pem --authenticationMode MONGODB-X509
+
+  .. note::
+
+     On Kubernetes Pods, the |certauth| file is saved in
+     ``/var/run/secrets/kubernetes.io/serviceaccount/ca.crt``, which
+     is the file location used for the ``--sslCAFile`` connection
+     option.

source/includes/steps-create-cert-signing-req.yaml

@@ -0,0 +1,92 @@
+---
+title: "Create a new directory to complete this tutorial."
+level: 4
+stepnum: 1
+ref: create-new-dire
+content: |
+  Run the following command to create a new directory for
+  the configuration files used in this tutorial:
+
+  .. code-block:: sh
+
+     mkdir client-x509-certs-tutorial
+---
+title: "Enter your newly created directory."
+level: 4
+stepnum: 2
+ref: cd-new-directory
+content: |
+  
+  .. code-block:: sh
+
+     cd client-x509-certs-tutorial
+---
+title: "Copy and save the following example JSON."
+level: 4
+stepnum: 3
+ref: copy-k8s-user-configmap
+content: |
+
+  In the ``client-x509-certs-tutorial`` directory, save the following
+  JSON as  ``x509_user.json``:
+  
+  .. code-block:: json
+
+     {
+       "names": [
+         {"O": "organization"},
+         {"OU": "organizationalunit"}
+       ],
+       "CN": "my-x509-authenticated-user",
+       "key": {
+         "algo": "rsa",
+         "size": 4096
+       }
+     }
+
+---
+title: "Generate a key file."
+level: 4
+stepnum: 4
+ref: gen-key-file
+content: |
+
+  Run the following command to pass the JSON from the previous step
+  to ``CFSSL`` and generate a key file:
+
+  .. code-block:: sh
+
+     cfssl genkey x509_user.json > x509_user_key.json
+
+  You should see output similar to the following:
+
+  .. code-block:: sh
+     :copyable: false
+
+     2019/06/04 18:12:38 [INFO] generate received request
+     2019/06/04 18:12:38 [INFO] received CSR
+     2019/06/04 18:12:38 [INFO] generating key: rsa-4096
+     2019/06/04 18:12:40 [INFO] encoded CSR
+
+  You now have a file called ``x509_user_key.json`` containing
+  a new private key.
+---
+title: "Generate the Certificate Signing Request."
+level: 4
+stepnum: 5
+ref: gen-cert-req
+content: |
+   Run the following command to use your ``x509_user_key.json`` key
+   file to generate a certificate signing request (CSR):
+
+   .. code-block:: sh
+
+      cfssljson -f x509_user_key.json -bare x509_user
+
+   This command generates two files:
+
+   - ``x509_user-key.pem``, the private key for the user
+
+   - ``x509_user.csr``, the CSR that represents the user
+
+...

source/includes/steps-get-cert-from-k8s-ca.yaml

@@ -0,0 +1,31 @@
+---
+title: "Generate the X.509 certificate from the :abbr:`CSR (Certificate Signing Request)`."
+level: 4
+stepnum: 1
+ref: save-csr-file
+content: |
+
+  Run the following command to generate the certificate from the
+  CSR object to a file called ``client.crt``:
+
+  .. code-block:: sh
+
+     kubectl get csr x509-user.some-namespace -o jsonpath='{.status.certificate}' | base64 --decode > client.crt
+
+  A |mongod| client can use the ``client.crt``
+  certificate to connect to the X.509-enabled MongoDB deployment.
+---
+title: "Concatenate the user private key and Kubernetes certificate."
+level: 4
+stepnum: 2
+ref: cat-pem-crt
+content: |
+  You need both the ``x509_user-key.pem`` and ``client.crt`` files
+  to connect to the deployment. Run the following command to
+  concatenate the two files into the a new ``.pem`` file:
+
+  .. code-block:: sh
+
+     cat x509_user-key.pem client.crt > x509-full.pem
+
+...

source/includes/steps-submit-cert-request.yaml

@@ -0,0 +1,90 @@
+---
+title: "Create a |csr| in Kubernetes."
+level: 4
+stepnum: 1
+ref: create-cert-request-k8s
+content: |
+
+  Run the following command to create a CSR
+  in Kubernetes:
+
+  .. code-block:: sh
+     :linenos:
+     :emphasize-lines: 3
+
+     cat <<EOF | kubectl apply -f -
+     apiVersion: certificates.k8s.io/v1beta1
+     kind: CertificateSigningRequest
+     metadata:
+       name: x509-user.some-namespace
+     spec:
+       groups:
+       - system:authenticated
+       request: $(cat x509_user.csr | base64 | tr -d '\n')
+       usages:
+       - digital signature
+       - key encipherment
+       - client auth
+     EOF
+---
+title: "View your CSRs."
+level: 4
+stepnum: 2
+ref: view-cert-reqs
+content: |
+  Run the following command to view a list of CSRs:
+
+  .. code-block:: sh
+
+     kubectl get csr
+
+  You should see an output similar to the following:
+
+  .. code-block:: sh
+     :copyable: false
+
+     NAME                         AGE    REQUESTOR                                 CONDITION
+     x509-user.some-namespace     1m     system:serviceaccount:some-namespace      Pending
+---
+title: "Approve the CSR."
+level: 4
+stepnum: 3
+ref: approve-cert-req
+content: |
+
+  The CSR remains in ``Pending`` condition
+  until Kubernetes approves it. Run the following command to
+  approve the certificate:
+
+  .. code-block:: sh
+
+     kubectl certificate approve x509-user.some-namespace
+
+  You should see an output similar to the following:
+
+  .. code-block:: sh
+     :copyable: false
+
+     certificatesigningrequest.certificates.k8s.io/x509-user.some-namespace approved
+---
+title: "Verify that your certificate has been approved"
+level: 4
+stepnum: 4
+ref: verify-approval
+content: |
+  Run the following command to verify that the Kubernetes |certauth| has
+  approved your certificate:
+
+  .. code-block:: sh
+
+     kubectl get csr
+
+  You should see an output similar to the following:
+
+  .. code-block:: sh
+     :copyable: false
+
+     NAME                       AGE   REQUESTOR                              CONDITION
+     x509-user.some-namespace   45m   system:serviceaccount:some-namespace   Approved,Issued
+
+...

source/includes/toc-installation.yaml

@@ -12,7 +12,13 @@ description: |
   Create a |k8s-configmap| to link the |k8s-op-short| to your |com|
   Project.
 ---
+file: /tutorial/create-x509-client-certs
+description:
+  Create an X.509 certificate to connect to an X.509-enabled
+  MongoDB deployment.
+---
 file: /upgrade
 description:
   Upgrade from earlier versions of |k8s-op-short|.
+
 ...

source/installation.txt

@@ -24,4 +24,5 @@ Install and Configure the |k8s-op-short|
       /tutorial/install-k8s-operator
       /tutorial/create-operator-credentials
       /tutorial/create-project-using-configmap
+      /tutorial/create-x509-client-certs
       /upgrade

source/release-notes.txt

@@ -51,7 +51,7 @@ Release Notes for |k8s-op-full|
 
 - Manages MongoDB users.
 
-- Supports x.509 authentication to your MongoDB databases.
+- Supports X.509 authentication to your MongoDB databases.
 
 .. seealso::
    To learn how to install and configure the Operator, see :doc:`/installation`.

source/tutorial/create-operator-credentials.txt

@@ -22,6 +22,9 @@ only |k8s| can access them.
 Multiple secrets can exist in the same namespace. Each user should
 have their own secret.
 
+Procedure
+---------
+
 To create your |k8s| secret:
 
 1. Make sure you have the Public and Private Keys for your desired
@@ -67,3 +70,6 @@ To create your |k8s| secret:
       ====
       publicApiKey:  31 bytes
       user:          22 bytes
+
+Next Steps
+----------