-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 2052467: Custom route HTTPS certificate SAN validation #545
Conversation
@pierreprinetti: This pull request references Bugzilla bug 2052467, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@pierreprinetti thank you for the PR 👍 did you test this on a cluster-bot cluster? i.e. by configuring a faulty cert and then resetting it to a valid one? |
63355fd
to
de2ed0e
Compare
@pierreprinetti: This pull request references Bugzilla bug 2052467, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 6 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
de2ed0e
to
0293f49
Compare
0293f49
to
1a91831
Compare
@pierreprinetti: This pull request references Bugzilla bug 2052467, which is valid. 6 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@@ -207,6 +207,13 @@ func (c *routerCertsDomainValidationController) validateRouterCertificates() ope | |||
return newRouterCertsDegradedf("InvalidServerCertRouterCerts", "secret/%v.spec.data[%v] -n %v: certificate could not validate route hostname %v: %v", c.defaultSecretName, ingressDomain, c.secretNamespace, verifyOptions.DNSName, err) | |||
} | |||
|
|||
// check the server certificates for reliance on the deprecated CN field |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a redundant change, verifyWithAnyCertificate
should already return errors.
You should be looking at https://github.com/openshift/cluster-authentication-operator/blob/55b274c54c4a404799dea0e9e41f1b62e9f84c55/pkg/controllers/customroute/custom_route_controller.go
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Until Go v1.17, the GODEBUG=x509ignoreCN=0
flag (which is embedded in all base images) will prevent verifyWithAnyCertificate
, or any other certificate parsing, from failing due to missing SAN fields. This patch is targeted against OCP v4.9 which is compiled with Go v1.16.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That being said, custom_route_controller
seems like a good tip. Do you think that the check should be implemented in both places? @stlaz
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh and thank you for the review!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have added the check in ValidateServerCert
, which is the validation function called in the custom route controller loop. Thank you!
@stlaz PTAL
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suppose we could have this check even here, although the description should say: "open a bug to the Routing component". cc @openshift/openshift-team-network-edge
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@stlaz i believe we had a discussion round with the router team. their assertion is that they don't provision the cert per se, so it is an exercise on the corresponding operators to do the validation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you. I understand that this means that we keep both checks in place.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we keep both checks in place.
agreed, hence SAN-less certs can happen both in the central route cert and in custom route certs and for both cases we should verify.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@stlaz i believe we had a discussion round with the router team. their assertion is that they don't provision the cert per se, so it is an exercise on the corresponding operators to do the validation.
I believe they eventually decided to introduce the checks. If they did not check their inputs, our operators would go degraded.
1a91831
to
9c9ee6e
Compare
Tested on AWS with cluster-bot, following the BZ steps. The certificate is rejected:
|
/retest |
@pierreprinetti: This pull request references Bugzilla bug 2052467, which is valid. 6 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test e2e-agnostic e2e-console-login |
@pierreprinetti: This pull request references Bugzilla bug 2052467, which is valid. 6 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Changed the scope of this PR to only validate custom route server certificates. @stlaz PTAL |
/retest-required |
@stlaz ? |
@@ -1,6 +1,8 @@ | |||
all: build | |||
.PHONY: all | |||
|
|||
export GODEBUG := x509ignoreCN=0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The art-team sets it in their builds.
This patch adds a new validation check for custom route HTTPS certificates: certificates without SAN fields will prevent upgrades. This change puts in force the long-standing deprecation of the CN field as a provider for names. After this patch, custom routes secured with legacy HTTPS certificates will prevent the upgrade to OCP v4.10. OCP v4.10 is compiled with Go v1.17 and is incompatible with such legacy certificates; this deprecation prevents unexpected failures to occur on upgrade. Addresses: Bug 2052467
3b539f3
to
10037e4
Compare
The flag is embedded in OCP base images since v4.6. As a consequence, our code in this repository expects to run under it. Local runs (triggered with make) should run with the same flag. If we don't add the flag, the unit tests will fail. And this is a good thing. So either we add the flag in the Makefile, or at runtime in the test files. I think that here in the Makefile is better because it sets it for every test, thus making the tests behave a little more closely to what they'd do in production. |
/retest |
1 similar comment
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: pierreprinetti, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@pierreprinetti: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/label cherry-pick-approved |
@stlaz Are you the one who can put the |
|
/label backport-risk-assessed |
@pierreprinetti: All pull requests linked via external trackers have merged: Bugzilla bug 2052467 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This patch adds a new validation check for custom route HTTPS
certificates: certificates without SAN fields will prevent upgrades.
This change puts in force the long-standing deprecation of the CN field
as a provider for names.
After this patch, custom routes secured with legacy HTTPS certificates
will prevent the upgrade to OCP v4.10. OCP v4.10 is compiled with Go
v1.17 and is incompatible with such legacy certificates; this
deprecation prevents unexpected failures to occur on upgrade.
Addresses: Bug 2052467