
Bug 2052467: Custom route HTTPS certificate SAN validation #545
Merged: 1 commit merged into openshift:release-4.9 on Jun 24, 2022

Conversation

@pierreprinetti (Member) commented Feb 22, 2022

This patch adds a new validation check for custom route HTTPS
certificates: certificates without SAN fields will prevent upgrades.

This change puts in force the long-standing deprecation of the CN field
as a provider for names.

After this patch, custom routes secured with legacy HTTPS certificates
will prevent the upgrade to OCP v4.10. OCP v4.10 is compiled with Go
v1.17 and is incompatible with such legacy certificates; this
deprecation prevents unexpected failures from occurring on upgrade.

Addresses: Bug 2052467
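For readers who want to reproduce the check outside the operator, the following is an added, stand-alone Go example; it is not code from this PR or from cluster-authentication-operator. It mints a throwaway CN-only certificate and one carrying a SAN, then runs a SAN-presence check of the kind this patch describes, followed by hostname verification. The helper names (ValidateServerCertSAN, hasSAN, selfSigned) and the hostname are hypothetical. The point it illustrates is the one made in the review thread: on Go 1.16 with GODEBUG=x509ignoreCN=0, VerifyHostname alone still accepts a CN-only certificate by falling back to the Common Name, so the SAN fields of the parsed certificate have to be inspected explicitly for the check to fail the same way under every toolchain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hasSAN reports whether the certificate carries at least one Subject
// Alternative Name entry. A certificate with none can only be matched to a
// hostname through the deprecated CN field, which Go 1.15/1.16 honour only
// under GODEBUG=x509ignoreCN=0 and Go 1.17 no longer honours at all.
func hasSAN(cert *x509.Certificate) bool {
	return len(cert.DNSNames)+len(cert.IPAddresses)+
		len(cert.EmailAddresses)+len(cert.URIs) > 0
}

// ValidateServerCertSAN is a hypothetical validation helper (not the
// operator's): it rejects DER certificates that have no SAN fields, and for
// the ones that do, confirms the route hostname matches one of the SANs.
// Checking the SAN fields before VerifyHostname keeps the result independent
// of the GODEBUG setting the process happens to run with.
func ValidateServerCertSAN(der []byte, hostname string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("parsing certificate: %w", err)
	}
	if !hasSAN(cert) {
		return fmt.Errorf("certificate relies on legacy Common Name field, use SANs instead: sub=%s; iss=%s",
			cert.Subject, cert.Issuer)
	}
	if err := cert.VerifyHostname(hostname); err != nil {
		return fmt.Errorf("certificate could not validate route hostname %q: %w", hostname, err)
	}
	return nil
}

// selfSigned mints a short-lived self-signed server certificate for the demo
// (constructed test input). With sans == nil it reproduces a legacy CN-only
// certificate: CreateCertificate emits no SAN extension when every SAN field
// is empty.
func selfSigned(cn string, sans []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	host := "auth.apps.example.test" // hypothetical custom route hostname
	legacy := selfSigned(host, nil)
	modern := selfSigned(host, []string{host})
	fmt.Println("CN-only certificate:", ValidateServerCertSAN(legacy, host))
	fmt.Println("SAN certificate:    ", ValidateServerCertSAN(modern, host))
}
```

Run it with `go run .`: the CN-only certificate is rejected with the legacy Common Name message whatever Go version or GODEBUG value is in effect, while the certificate whose SAN matches the route hostname passes.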

@openshift-ci openshift-ci bot added bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Feb 22, 2022
@openshift-ci bot (Contributor) commented Feb 22, 2022

@pierreprinetti: This pull request references Bugzilla bug 2052467, which is invalid:

  • expected dependent Bugzilla bug 2037274 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but it is POST instead
  • expected dependent Bugzilla bug 2037274 to target a release in 4.10.0, but it targets "4.9.z" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 2052467: HTTPS certificate validation to check for SAN

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@s-urbaniak (Contributor):

@pierreprinetti thank you for the PR 👍 did you test this on a cluster-bot cluster? i.e. by configuring a faulty cert and then resetting it to a valid one?

@pierreprinetti pierreprinetti changed the title Bug 2052467: HTTPS certificate validation to check for SAN WIP: Bug 2052467: HTTPS certificate validation to check for SAN Feb 22, 2022
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 22, 2022
@pierreprinetti pierreprinetti changed the title WIP: Bug 2052467: HTTPS certificate validation to check for SAN Bug 2052467: HTTPS certificate validation to check for SAN Feb 22, 2022
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 22, 2022
@pierreprinetti pierreprinetti changed the title Bug 2052467: HTTPS certificate validation to check for SAN WIP: Bug 2052467: HTTPS certificate validation to check for SAN Feb 22, 2022
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 22, 2022
@pierreprinetti pierreprinetti force-pushed the bug2052467 branch 2 times, most recently from 63355fd to de2ed0e, on February 23, 2022 08:13
@openshift-ci openshift-ci bot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Feb 23, 2022
@openshift-ci bot (Contributor) commented Feb 23, 2022

@pierreprinetti: This pull request references Bugzilla bug 2052467, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.z) matches configured target release for branch (4.9.z)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 2031839 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
  • dependent Bugzilla bug 2031839 targets the "4.10.0" release, which is one of the valid target releases: 4.10.0
  • bug has dependents

Requesting review from QA contact:
/cc @xingxingxia

In response to this:

WIP: Bug 2052467: HTTPS certificate validation to check for SAN


@openshift-ci openshift-ci bot removed the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Feb 23, 2022
@pierreprinetti pierreprinetti changed the title WIP: Bug 2052467: HTTPS certificate validation to check for SAN Bug 2052467: HTTPS certificate validation to check for SAN Feb 23, 2022
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 23, 2022
@pierreprinetti pierreprinetti changed the title Bug 2052467: HTTPS certificate validation to check for SAN WIP: Bug 2052467: HTTPS certificate validation to check for SAN Feb 23, 2022
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 23, 2022
@openshift-ci bot (Contributor) commented Feb 23, 2022

@pierreprinetti: This pull request references Bugzilla bug 2052467, which is valid.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.z) matches configured target release for branch (4.9.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 2031839 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
  • dependent Bugzilla bug 2031839 targets the "4.10.0" release, which is one of the valid target releases: 4.10.0
  • bug has dependents

Requesting review from QA contact:
/cc @xingxingxia

In response to this:

WIP: Bug 2052467: HTTPS certificate validation to check for SAN


@@ -207,6 +207,13 @@ func (c *routerCertsDomainValidationController) validateRouterCertificates() ope
return newRouterCertsDegradedf("InvalidServerCertRouterCerts", "secret/%v.spec.data[%v] -n %v: certificate could not validate route hostname %v: %v", c.defaultSecretName, ingressDomain, c.secretNamespace, verifyOptions.DNSName, err)
}

// check the server certificates for reliance on the deprecated CN field
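Review bot: the comment added at the end of this hunk promises a check for reliance on the deprecated CN field, but the error path directly above it only covers a hostname-verification failure, and the thread below states that OCP 4.9 images run with GODEBUG=x509ignoreCN=0, under which hostname verification still succeeds for a CN-only certificate. The new check therefore has to inspect the SAN fields of the parsed certificate itself rather than wait for a verify error, and it should report through its own reason string rather than reuse "InvalidServerCertRouterCerts" so that a missing-SAN certificate and a hostname mismatch can be told apart in the operator's Degraded status.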
Review comment (Contributor):

This is a redundant change, verifyWithAnyCertificate should already return errors.

You should be looking at https://github.com/openshift/cluster-authentication-operator/blob/55b274c54c4a404799dea0e9e41f1b62e9f84c55/pkg/controllers/customroute/custom_route_controller.go

Member Author:

Until Go v1.17, the GODEBUG=x509ignoreCN=0 flag (which is embedded in all base images) will prevent verifyWithAnyCertificate, or any other certificate parsing, from failing due to missing SAN fields. This patch is targeted against OCP v4.9 which is compiled with Go v1.16.

Member Author:

That being said, custom_route_controller seems like a good tip. Do you think that the check should be implemented in both places? @stlaz

Member Author:

Oh and thank you for the review!

Member Author:

I have added the check in ValidateServerCert, which is the validation function called in the custom route controller loop. Thank you!

@stlaz PTAL

Contributor:

I suppose we could have this check even here, although the description should say: "open a bug to the Routing component". cc @openshift/openshift-team-network-edge

Contributor:

@stlaz i believe we had a discussion round with the router team. their assertion is that they don't provision the cert per se, so it is an exercise on the corresponding operators to do the validation.

Member Author:

Thank you. I understand that this means that we keep both checks in place.

Contributor:

we keep both checks in place.

agreed, hence SAN-less certs can happen both in the central route cert and in custom route certs and for both cases we should verify.

Contributor:

@stlaz i believe we had a discussion round with the router team. their assertion is that they don't provision the cert per se, so it is an exercise on the corresponding operators to do the validation.

I believe they eventually decided to introduce the checks. If they did not check their inputs, our operators would go degraded.

@pierreprinetti pierreprinetti changed the title WIP: Bug 2052467: HTTPS certificate validation to check for SAN Bug 2052467: HTTPS certificate validation to check for SAN Feb 23, 2022
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 23, 2022
@pierreprinetti (Member Author):

@pierreprinetti thank you for the PR +1 did you test this on a cluster-bot cluster? i.e. by configuring a faulty cert and then resetting it to a valid one?

Tested on AWS with cluster-bot, following the BZ steps. The certificate is rejected:

$ oc get ingress.config cluster -o yaml
[...]
status:
  componentRoutes:
  - conditions:
    - lastTransitionTime: "2022-02-23T18:22:02Z"
      message: "Error Configuring custom route: [error validating secret openshift-config/custom-auth-component:
        [certificate relies on legacy Common Name field, use SANs instead:\n\tsub=CN=auth-openshift-custom.jkfd.de;\n\tiss=CN=xxia_test_ca]]"
      reason: CustomRouteError
      status: "True"
      type: Degraded
    - lastTransitionTime: "2022-02-23T18:22:02Z"
      message: "Error Configuring custom route: [error validating secret openshift-config/custom-auth-component:
        [certificate relies on legacy Common Name field, use SANs instead:\n\tsub=CN=auth-openshift-custom.jkfd.de;\n\tiss=CN=xxia_test_ca]]"
      reason: CustomRouteError
      status: "False"
      type: Progressing
[...]

@pierreprinetti (Member Author):

/retest

@openshift-ci bot (Contributor) commented May 4, 2022

@pierreprinetti: This pull request references Bugzilla bug 2052467, which is valid.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.z) matches configured target release for branch (4.9.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 2031839 is in the state CLOSED (ERRATA), which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
  • dependent Bugzilla bug 2031839 targets the "4.10.0" release, which is one of the valid target releases: 4.10.0, 4.10.z
  • bug has dependents

Requesting review from QA contact:
/cc @xingxingxia

In response to this:

Bug 2052467: HTTPS certificate validation to check for SAN


@pierreprinetti (Member Author):

/test e2e-agnostic e2e-console-login

@pierreprinetti pierreprinetti changed the title Bug 2052467: HTTPS certificate validation to check for SAN Bug 2052467: Custom route HTTPS certificate SAN validation May 5, 2022
@openshift-ci bot (Contributor) commented May 5, 2022

@pierreprinetti: This pull request references Bugzilla bug 2052467, which is valid.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.z) matches configured target release for branch (4.9.z)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 2031839 is in the state CLOSED (ERRATA), which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
  • dependent Bugzilla bug 2031839 targets the "4.10.0" release, which is one of the valid target releases: 4.10.0, 4.10.z
  • bug has dependents

Requesting review from QA contact:
/cc @xingxingxia

In response to this:

Bug 2052467: Custom route HTTPS certificate SAN validation


@pierreprinetti (Member Author):

Changed the scope of this PR to only validate custom route server certificates.

@stlaz PTAL

@pierreprinetti (Member Author):

/retest-required

@pierreprinetti (Member Author):

@stlaz ?

@@ -1,6 +1,8 @@
all: build
.PHONY: all

export GODEBUG := x509ignoreCN=0
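Review bot: `export GODEBUG := x509ignoreCN=0` at the top of the Makefile carries no comment explaining why it is there or when it stops applying. The setting only affects Go 1.15 and 1.16; the thread notes that OCP 4.10 is built with Go 1.17, where the legacy CN fallback is gone, so once this branch's toolchain moves the line becomes inert and the unit tests silently change behaviour. Add a one-line comment above it stating that it mirrors the flag baked into the OCP base images since 4.6 and should be dropped together with the Go 1.16 toolchain.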
Review comment (Contributor):

The art-team sets it in their builds.

@pierreprinetti (Member Author):

The art-team sets it in their builds.

The flag is embedded in OCP base images since v4.6. As a consequence, our code in this repository expects to run under it. Local runs (triggered with make) should run with the same flag.

If we don't add the flag, the unit tests will fail. And this is a good thing.

So either we add the flag in the Makefile, or at runtime in the test files. I think that here in the Makefile is better because it sets it for every test, thus making the tests behave a little more closely to what they'd do in production.

@pierreprinetti (Member Author):

/retest

@pierreprinetti (Member Author):

/retest

@stlaz (Contributor) commented Jun 16, 2022

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 16, 2022
@openshift-ci bot (Contributor) commented Jun 16, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pierreprinetti, stlaz


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 16, 2022
@openshift-ci bot (Contributor) commented Jun 16, 2022

@pierreprinetti: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/e2e-agnostic-ipv6; commit: 10037e4; required: false; rerun command: /test e2e-agnostic-ipv6

@xingxingxia (Contributor):

/label cherry-pick-approved

@openshift-ci openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Jun 17, 2022
@pierreprinetti (Member Author):

@stlaz Are you the one who can put the backport-risk-assessed label?

@pierreprinetti (Member Author):

  1. If the Bugzilla associated with the PR has the "FastFix" keyword, the subjective assessment on the issue has already been done and a customer is impacted. These PRs should be prioritized for merge.

    • verified
    • does not apply
  2. The bug has significant impact either through severity, reduction in supportability, or number of users affected.

    • verified
    • does not apply
  3. For branches that are in the Maintenance lifecycle phase:

    • The bug is a critical fix, no reasonable workaround exists, and a recommendation for upgrade has been ruled out, or
    • The bug is a security related bug
  4. The severity field of the bug must be set to accurately reflect criticality.

    • verified
  5. The PR is merged in the next newer release branch and the bug for that newer release is VERIFIED by QE. The PR’s description is well formed with user-focused release notes that state the bug number, impact, cause, and resolution. Where appropriate, it should also contain information about how a user can identify whether a particular cluster is affected.

    • verified
    • does not apply

@stlaz (Contributor) commented Jun 24, 2022

/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jun 24, 2022
@openshift-ci openshift-ci bot merged commit 48a20f5 into openshift:release-4.9 Jun 24, 2022
@openshift-ci bot (Contributor) commented Jun 24, 2022

@pierreprinetti: All pull requests linked via external trackers have merged:

Bugzilla bug 2052467 has been moved to the MODIFIED state.

In response to this:

Bug 2052467: Custom route HTTPS certificate SAN validation

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. bugzilla/severity-urgent Referenced Bugzilla bug's severity is urgent for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. lgtm Indicates that a PR is ready to be merged.