Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Write go-spiffe compatible keys #12

Closed
wants to merge 2 commits into from
Closed

Write go-spiffe compatible keys #12

wants to merge 2 commits into from

Conversation

charlieegan3
Copy link

@charlieegan3 charlieegan3 commented May 3, 2022
edited
Loading

We have been using csi-driver-spiffe with a workload based on go-spiffe and found that the EC private key created by the driver is not compatible. go-spiffe uses https://cs.opensource.google/go/go/+/go1.18.1:src/crypto/x509/pkcs8.go;l=33

We are calling Load:
https://github.com/spiffe/go-spiffe/blob/31de176038793c17cf7e77f23e61401160c7d6c9/v2/svid/x509svid/svid.go#L33

This eventually calls:
https://github.com/spiffe/go-spiffe/blob/31de176038793c17cf7e77f23e61401160c7d6c9/v2/internal/pemutil/pem.go#L110-L114

This PR when complete will have the csi driver write a compatible key format instead so that keys can be used by go-spiffe based workloads.

Signed-off-by: Charlie Egan charlieegan3@users.noreply.github.com

@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 3, 2022
jakexks
jakexks approved these changes May 3, 2022
View reviewed changes
internal/csi/driver/driver.go Outdated Show resolved Hide resolved
@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: charlieegan3, jakexks
To complete the pull request process, please assign joshvanl after the PR has been reviewed.
You can assign the PR to them by writing /assign @joshvanl in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

JoshVanL
JoshVanL requested changes May 3, 2022
View reviewed changes
Copy link
Contributor

@JoshVanL JoshVanL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a test to ensure that the x509.Load function call will work on written key pairs from this function.

internal/csi/driver/driver.go Show resolved Hide resolved
@jetstack-bot jetstack-bot added dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. and removed dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels May 3, 2022
@charlieegan3
Write go-spiffe compatible keys
45425f9 
Signed-off-by: Charlie Egan <charlieegan3@users.noreply.github.com>
@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels May 3, 2022
@charlieegan3
Test certificate can be loaded
f71daf7 
This test has been added to show that the generated PEM encoded key file can be loaded by go-spiffe

Signed-off-by: Charlie Egan <charlieegan3@users.noreply.github.com>
@jetstack-bot jetstack-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 3, 2022
@charlieegan3
Copy link
Author

Please add a test to ensure that the x509.Load function call will work on written key pairs from this function.

I tried to create a driver and test the writeKeyPair function on that but wasn't able to create a mount when running the tests on macOS so have extracted it to a separate function and tested that in f71daf7.

Let me know what you think.

@JoshVanL
Copy link
Contributor

JoshVanL commented May 3, 2022

@charlieegan3 can we not write a unit test that unit tests the writeKeyPair?

Driver will be mostly empty, expect for the store. We can use an inmemory store.

@jetstack-bot
Copy link
Contributor

@charlieegan3: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cert-manager-csi-driver-spiffe-verify f71daf7 link true /test pull-cert-manager-csi-driver-spiffe-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@charlieegan3
Copy link
Author

@charlieegan3 can we not write a unit test that unit tests the writeKeyPair?

Driver will be mostly empty, expect for the store. We can use an inmemory store.

Perhaps I can fashion one without using New. Let me have a play.

@jetstack-bot
Copy link
Contributor

@charlieegan3: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot jetstack-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 4, 2022
@charlieegan3
Copy link
Author

Closing in favour of #13

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JoshVanL JoshVanL JoshVanL requested changes

@jakexks jakexks jakexks approved these changes

Assignees
No one assigned
Labels
dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@charlieegan3 @jetstack-bot @JoshVanL @jakexks