acme: external account binding support

[JoshVanL]

fixes #1676

Adds ACME external account binding support

/assign
/hold

[jetstack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoshVanL

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [JoshVanL]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[munnerz]

This feels like a sensitive value, given it is used to authenticate/bind a registration to some external system?

[munnerz]

Also, how come this is a base64 encoded string? Does this really mean it is a []byte?

[JoshVanL]

Indeed, makes sense to move to a secret

[JoshVanL]

In theory you can should be able to use raw []byte data for your symmetric MAC key. base64 encoding makes then becomes a requirement

[munnerz]

Does this mean we only test with EAB enabled now? I'd be happy to just see the suite run using e.g. HTTP01 with EAB enabled (I don't think we really need to run the full DNS01 && HTTP01 suite with EAB enabled), but I'd also like to see this run without EAB enabled too (as before).

[JoshVanL]

This should run the acme tests with and without EAB. the passed in eab struct can be nil

[munnerz]

Can you update the comments on every function/method you've changed the signature on to explain what the new parameter is, what it can be set to, and its behaviour if not set?

[munnerz]

Also, how come you've changed this to accept a nonce instead of just retrieving one as before?

[munnerz]

All in all, we should attempt to keep the diff in third_party as minimal as possible IMO 😄

[JoshVanL]

Yes, this signature shouldn't need to change I think. Some things moved around in dev but was moved back. Forgot about reverting this change

[munnerz]

Not sure why Pebble is returning this:

  Warning  Failed     4m31s  cert-manager  Accepting challenge authorization failed: acme: authorization error for efsxk.certmanager.kubernetes.network: 400 urn:ietf:params:acme:error:connection: Get https://efsxk.certmanager.kubernetes.network/.well-known/acme-challenge/TRrVcMxk3V2oH6r6WK3kbMzmNvWopGCiRRtsqJHNe3k: http: server gave HTTP response to HTTPS client

in some of the ACME test cases where nginx is configured to redirect to a HTTPS address. This implies to me that nginx is responding with HTTP content on the HTTPS port 🤔

Retesting to see if this is a flake, and will audit changes to Pebble since the old vs new commit as I've not seen this before!

/retest

[munnerz]

After some digging in pebble, I think I have identified the cause and I've opened this issue to track it: letsencrypt/pebble#293

[JoshVanL]

A couple comments.

We also need to add to the checks for secrets that are referenced by a possible EAB account and have been updated

/unassign
/assign @munnerz

[JoshVanL]

KeyID can be potentially sensitive information. We should er on the side of caution and make this a secret reference

[munnerz]

I think at this point we can keep it as keyID - it's effectively the 'username' parameter here, and the 'secret' value should be sufficient to protect user accounts. It's not really explored in the RFC, and if needed in future, we can add an additional field for a secret ref variant of this, for those who are more sensitive about key IDs.

[JoshVanL]

Looks good to me :)

[munnerz]

/lgtm