Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove the experimental.cert-manager.io/ca annotation from CertificateSigningRequests #4143

Merged
merged 1 commit into from Jun 28, 2021
Merged

Remove the experimental.cert-manager.io/ca annotation from CertificateSigningRequests #4143

merged 1 commit into from Jun 28, 2021

Conversation

JoshVanL
Copy link
Collaborator

CertificateSigningRequests do not have a status.CA field. To account for this, we add an experimental.cert-manager.io/ca annotation on signed CertificateSigningRequests which include the base64 encoded CA certificate.

The status of a CertificateSigningRequest is a subresource, and as such, a separate API endpoint to the main object. In practice this means that when updating a CertificateSigningRequest with the signed certificate and CA, we have to make 2 API calls. An edge case can occur whereby the 2nd API call fails, causing the the second API call to never happen:

  1. Update status.Certificate
  2. Fail to set CA certificate
  3. CA certificate cannot be retrieved on the next sync, and is never set.

The status.Certificate field must be set first, otherwise when the annotation is updated, a re-sync would immediately occur and a second issuance would happen.

Other mitigations considered:

  • Clients using cert-manager signers could be made aware of this edge case. If a request was signed, but the CA field was never set, the client could have requested another certificate after a timeout.
  • Add the CA to status.Certificate. This is generally a bad idea as clients in practice do not expect the CA to be present in this chain. There would need to be some middleware to extract it out, causing lots of headaches.

Path forward:
A mechanism for sharing the signer's CA falls under the "trust distribution" feature. Until cert-manager has some mechanism for "trust distribution", clients are suggested to find other means. Kubernetes and istio have success with a controller populating a well-known configmap in all namespaces.

I have updated the website PR by removing reference to this annotation.

This is a breaking change however is fine, since this is an alpha API and under the "experimental" group. This group has fair warning that behaviour and API is subject to change.

Regression: CertificateSigningRequests will no longer have a `experimental.cert-manager.io/ca` annotation set.

@JoshVanL
Remove the experimental.cert-manager.io/ca annotation from the
7e8bf73 
CertificateSigningRequest

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
@JoshVanL JoshVanL added area/api Indicates a PR directly modifies the 'pkg/apis' directory kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. labels Jun 25, 2021
@JoshVanL JoshVanL added this to the v1.5 milestone Jun 25, 2021
@jetstack-bot jetstack-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/testing Issues relating to testing approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jun 25, 2021
@maelvls maelvls mentioned this pull request Jun 25, 2021
Merged
SgtCoDFish
SgtCoDFish approved these changes Jun 28, 2021
View reviewed changes
Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great. I've not run it locally because I feel like the existing e2e tests cover this well; I think it's good to go as-is.

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Jun 28, 2021
@jetstack-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JoshVanL, SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [JoshVanL,SgtCoDFish]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot merged commit 59c2a2d into cert-manager:master Jun 28, 2021
@JoshVanL JoshVanL mentioned this pull request Jul 29, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SgtCoDFish SgtCoDFish SgtCoDFish approved these changes

Assignees

@SgtCoDFish SgtCoDFish

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/api Indicates a PR directly modifies the 'pkg/apis' directory area/testing Issues relating to testing dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.5
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@JoshVanL @jetstack-bot @SgtCoDFish