Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubeadm: check all available CA certs against pinned certs #76500

Merged
merged 1 commit into from
Apr 23, 2019
Merged

kubeadm: check all available CA certs against pinned certs #76500

merged 1 commit into from
Apr 23, 2019

Conversation

rojkov
Copy link

@rojkov rojkov commented Apr 12, 2019

What type of PR is this?
/kind bug

What this PR does / why we need it:
Currently kubeadm produces an error upon parsing multiple certificates stored in the cluster-info configmap resulting in kubernetes/kubeadm#1399. Yet it's expected to check all available certificates in a scenario like CA key rotation. So, check all available CA certs against pinned certificate hashes.

Which issue(s) this PR fixes:
Fixes kubernetes/kubeadm#1399

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Apr 12, 2019
@k8s-ci-robot
Copy link
Contributor

Hi @rojkov. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 12, 2019
@k8s-ci-robot k8s-ci-robot added area/kubeadm sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Apr 12, 2019
neolit123
neolit123 reviewed Apr 12, 2019
View reviewed changes
Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rojkov the PR seems good to me.
added a couple of suggested changes.

/approve
/ok-to-test
/priority backlog
/test pull-kubernetes-e2e-kind

cmd/kubeadm/app/util/pubkeypin/pubkeypin.go Outdated
}
return errors.Errorf("public key %s not pinned", Hash(certificate))
return errors.Errorf("non of the public keys '%s' are pinned", strings.Join(hashes, ":"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

%s -> %q

cmd/kubeadm/app/discovery/token/token.go
if len(trailingData) != 0 {
return nil, errors.New("trailing data after first PEM block")
// parsePEMCerts decodes a PEM-formatted certificates into a slice of x509.Certificates
func parsePEMCerts(certData []byte) ([]*x509.Certificate, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please modify this function to:

// parsePEMCerts decodes PEM-formatted certificates into a slice of x509.Certificates
func parsePEMCerts(certData []byte) ([]*x509.Certificate, error) {
	var certificates []*x509.Certificate
	var pemBlock *pem.Block

	for {
		pemBlock, certData = pem.Decode(certData)
		if pemBlock == nil {
			return nil, errors.New("invalid PEM data")
		}

		cert, err := x509.ParseCertificate(pemBlock.Bytes)
		if err != nil {
			return nil, errors.Wrap(err, "unable to parse certificate")
		}
		certificates = append(certificates, cert)

		if len(certData) == 0 {
			break
		}
	}
	return certificates, nil
}

note the a PEM- -> PEM change in the function comment.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Fixed

@k8s-ci-robot k8s-ci-robot added priority/backlog Higher priority than priority/awaiting-more-evidence. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Apr 12, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123, rojkov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 12, 2019
@neolit123
Copy link
Member

@kubernetes/sig-cluster-lifecycle-pr-reviews
for visibility before merge.

/lgtm
/hold

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Apr 12, 2019
bart0sh
bart0sh reviewed Apr 15, 2019
View reviewed changes
cmd/kubeadm/app/util/pubkeypin/pubkeypin.go Outdated
}
return errors.Errorf("public key %s not pinned", Hash(certificate))
return errors.Errorf("non of the public keys %q are pinned", strings.Join(hashes, ":"))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

non -> none ?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Corrected.

kubeadm: check all available CA certs against pinned certs
7f8fc5d 
Currently kubeadm produces an error upon parsing multiple
certificates stored in the cluster-info configmap. Yet it
should check all available certificates in a scenario like
CA key rotation.

Check all available CA certs against pinned certificate hashes.

Fixes kubernetes/kubeadm#1399
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 15, 2019
@bart0sh
Copy link
Contributor

bart0sh commented Apr 15, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 15, 2019
@rojkov
Copy link
Author

rojkov commented Apr 15, 2019

/test pull-kubernetes-e2e-gce

yagonobre
yagonobre reviewed Apr 16, 2019
View reviewed changes
Copy link
Member

@yagonobre yagonobre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @rojkov
/lgtm

@bart0sh
Copy link
Contributor

bart0sh commented Apr 23, 2019

@neolit123 please unhold if you don't mind. Thanks.

@neolit123
Copy link
Member

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 23, 2019
@k8s-ci-robot k8s-ci-robot merged commit 0f617a3 into kubernetes:master Apr 23, 2019
@rojkov rojkov deleted the issue-1399 branch April 24, 2019 08:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@neolit123 neolit123 neolit123 left review comments

@yagonobre yagonobre yagonobre left review comments

@bart0sh bart0sh bart0sh left review comments

@luxas luxas Awaiting requested review from luxas

Assignees

@neolit123 neolit123

@yagonobre yagonobre

@bart0sh bart0sh

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/backlog Higher priority than priority/awaiting-more-evidence. release-note-none Denotes a PR that doesn't merit a release note. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

kubeadm join aborts during CA key rotation
5 participants
@rojkov @k8s-ci-robot @neolit123 @bart0sh @yagonobre