Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Include signing CA certificate in kube-apiserver's certificate chain #7961

Merged
merged 2 commits into from May 25, 2023
Merged

Include signing CA certificate in kube-apiserver's certificate chain #7961

merged 2 commits into from May 25, 2023

Conversation

rfranzke
Copy link
Member

How to categorize this PR?

/area security
/kind enhancement

What this PR does / why we need it:
With this PR, the certificate chain of kube-apiserver not only includes its server certificate but also the CA certificate used to sign it.

Which issue(s) this PR fixes:
Fixes #7905

Special notes for your reviewer:
/cc @dimityrmirchev

Release note:

The certificate chains served by `kube-apiserver`s does now include the CA certificates used to sign their server certificates.

@gardener-prow gardener-prow bot added area/security Security related kind/enhancement Enhancement, improvement, extension cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 19, 2023
@rfranzke rfranzke mentioned this pull request May 19, 2023
Closed
@rfranzke
Copy link
Member Author

/retest

dimityrmirchev
dimityrmirchev reviewed May 22, 2023
View reviewed changes
Copy link
Member

@dimityrmirchev dimityrmirchev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for opening the PR! I have just one question which is not strictly connected to the functionality introduced with this PR. Other looks good.

pkg/utils/secrets/certificate.go
case c.CA != nil:
// The certificate is not a CA certificate, so we add the signing CA certificate to it and use different
// keys in the secret data.
cert := c.CertificatePEM
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am wondering if it make sense to copy/clone the slices always instead of returning the same underlying data in some cases 🤔 Basically if I modify the elements of a slice returned by the SecretData function do I also expect to modify the elements of the Certificate slice? There is the Clone function that can help to prevent that. This will also be included in the std lib with go 1.21.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While you are probably right, I think this is quite theoretical and also already the case in many other places. We can certainly consider streamlining this, but probably in a different PR and not only in this particular file but perhaps the larger code base.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree. I just wanted to point that out as something that can be improved in the future.

dimityrmirchev
dimityrmirchev approved these changes May 23, 2023
View reviewed changes
Copy link
Member

@dimityrmirchev dimityrmirchev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label May 23, 2023
@gardener-prow
Copy link
Contributor

gardener-prow bot commented May 23, 2023

LGTM label has been added.

Git tree hash: 2d97178d14f5b1e580095cacf6d6740044ef7a88

acumino
acumino reviewed May 25, 2023
View reviewed changes
Copy link
Member

@acumino acumino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@gardener-prow
Copy link
Contributor

gardener-prow bot commented May 25, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: acumino, dimityrmirchev

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 25, 2023
@acumino
Copy link
Member

acumino commented May 25, 2023

/test pull-gardener-integration

@gardener-prow gardener-prow bot merged commit 6ff99b3 into gardener:master May 25, 2023
16 checks passed
@rfranzke rfranzke deleted the enh/ca-in-server-chain branch May 25, 2023 12:41
andrerun pushed a commit to andrerun/gardener that referenced this pull request Jul 6, 2023
@rfranzke @andrerun
Include signing CA certificate in kube-apiserver's certificate chain (
4c0577c 
gardener#7961)

* Support inclusion of CA in server cert chain

Disabled/false by default

* Include CA in `kube-apiserver`'s server cert chain
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@acumino acumino acumino left review comments

@dimityrmirchev dimityrmirchev dimityrmirchev approved these changes

Assignees

@dimityrmirchev dimityrmirchev

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/security Security related cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. kind/enhancement Enhancement, improvement, extension lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CA not returned by api server during tls handshake
3 participants
@rfranzke @acumino @dimityrmirchev