Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ca: change the PrivateKey type/bits validation #12267

Merged
merged 4 commits into from
Feb 4, 2022
Merged

ca: change the PrivateKey type/bits validation #12267

merged 4 commits into from
Feb 4, 2022

Conversation

dnephin
Copy link
Contributor

@dnephin dnephin commented Feb 3, 2022
edited

Fixes #12246

This commit makes two changes to the validation.

Previously we would call this validation in GenerateRoot, which happens
both on initialization (when a follower becomes leader), and when a
configuration is updated. We only want to do this validation during
config update so the logic was moved to the UpdateConfiguration
method.

Previously we would compare the config values against the actual cert.
This caused problems when the cert was created manually in Vault (not
created by Consul). Now we compare the new config against the previous
config. Using an already created CA cert should never error now.

Adding the key bit and types to the config should only error when
the previous values were not the defaults.

This does mean that changing these values away from the defaults without
changing the root_pki_path will continue to silently do nothing, but I think
that is a better trade-off than return an error incorrectly at times.

In the future we should look to better structure the CA config to indicate which
values are supposed to rotate the root cert, and which ones are not.

I believe the original change only went into 1.11.x, so I am only backporting to one
release branch.

@dnephin
ca: small cleanup of TestConnectCAConfig_Vault_TriggerRotation_Fails
d707173 
Before adding more test cases
@dnephin
ca: relax and move private key type/bit validation for vault
608597c 
This commit makes two changes to the validation.

Previously we would call this validation in GenerateRoot, which happens
both on initialization (when a follower becomes leader), and when a
configuration is updated. We only want to do this validation during
config update so the logic was moved to the UpdateConfiguration
function.

Previously we would compare the config values against the actual cert.
This caused problems when the cert was created manually in Vault (not
created by Consul).  Now we compare the new config against the previous
config. Using a already created CA cert should never error now.

Adding the key bit and types to the config should only error when
the previous values were not the defaults.
@dnephin dnephin added type/bug Feature does not function as expected theme/certificates Related to creating, distributing, and rotating certificates in Consul labels Feb 3, 2022
@github-actions github-actions bot added theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies and removed theme/certificates Related to creating, distributing, and rotating certificates in Consul labels Feb 3, 2022
@dnephin dnephin requested a review from a team February 3, 2022 22:31
@vercel vercel bot temporarily deployed to Preview – consul February 3, 2022 22:39 Inactive
@vercel vercel bot temporarily deployed to Preview – consul-ui-staging February 3, 2022 22:39 Inactive
kisunji
kisunji reviewed Feb 3, 2022
View reviewed changes
agent/consul/leader_connect_ca.go
// ValidateConfigurationUpdate will be called when a user attempts to change the
// CA configuration, and the provider type has not changed from the previous
// configuration.
type ValidateConfigUpdater interface {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

aside: I think ConfigUpdateValidator is less ambiguous but ConfigUpdateValidate() OTOH is less clear

Copy link
Contributor Author

@dnephin dnephin Feb 3, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ya, this interface could probably use a better name. It is hard to name things in Consul because we have way too many things in these packages. It forces us to include many terms in the name to remove ambiguity, which leads to unfortunate names like this

@kisunji kisunji requested a review from a team February 3, 2022 23:19
@vercel vercel bot temporarily deployed to Preview – consul February 3, 2022 23:44 Inactive
@vercel vercel bot temporarily deployed to Preview – consul-ui-staging February 3, 2022 23:44 Inactive
@dnephin dnephin merged commit 74ee46e into main Feb 4, 2022
@dnephin dnephin deleted the dnephin/ca-relax-key-bit-validation branch February 4, 2022 17:44
@hc-github-team-consul-core
Copy link
Collaborator

🍒 If backport labels were added before merging, cherry-picking will start automatically.

To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/576482.

@hc-github-team-consul-core
Copy link
Collaborator

🍒✅ Cherry pick of commit 74ee46e onto release/1.11.x succeeded!

hc-github-team-consul-core pushed a commit that referenced this pull request Feb 4, 2022
@dnephin @hc-github-team-consul-core
Merge pull request #12267 from hashicorp/dnephin/ca-relax-key-bit-val…
285704b 
…idation

ca: change the PrivateKey type/bits validation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kisunji kisunji kisunji approved these changes

Assignees
No one assigned
Labels
theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies type/bug Feature does not function as expected
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ca: relax (or remove) validation of PrivateKeyType/PrivateKeyBits
3 participants
@dnephin @hc-github-team-consul-core @kisunji