Bug 1882176: Validate certs for the current IP address of the node #461

retroflexer · 2020-10-02T18:36:50Z

Currently cluster-etcd-operator only checks the existence of the certificates, but doesn't verify the SAN configured in the certs against the current node IP address (hostname).

This PR fixes the problem by parsing the certificate to validate the SAN. If there is a SAN mismatch, it generates a new set of certificates.

openshift-ci-robot · 2020-10-02T18:36:54Z

@retroflexer: This pull request references Bugzilla bug 1882176, which is invalid:

expected the bug to target the "4.6.0" release, but it targets "4.7.0" instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 1882176: Verify the certs are valid for the current configured IP address

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

pkg/operator/etcdcertsigner/etcdcertsignercontroller.go

retroflexer · 2020-10-03T12:33:09Z

/retest

retroflexer · 2020-10-04T12:56:38Z

/retest

pkg/operator/etcdcertsigner/etcdcertsignercontroller.go

retroflexer · 2020-10-08T15:30:10Z

/bugzilla refresh

openshift-ci-robot · 2020-10-08T15:30:18Z

@retroflexer: This pull request references Bugzilla bug 1882176, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target release (4.7.0) matches configured target release for branch (4.7.0)
bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

retroflexer · 2020-10-09T19:42:14Z

/retest

openshift-ci-robot · 2020-10-14T14:00:28Z

@retroflexer: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-upgrade	`cd2a644`	link	`/test e2e-upgrade`
ci/prow/e2e-disruptive	`cd2a644`	link	`/test e2e-disruptive`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

retroflexer · 2020-10-15T20:31:32Z

/test e2e-upgrade

retroflexer · 2021-01-13T15:53:44Z

/hold cancel

retroflexer · 2021-01-13T15:54:32Z

/test verify

retroflexer · 2021-01-13T17:16:36Z

/retest

retroflexer · 2021-01-14T15:29:22Z

/test e2e-agnostic

hexfusion

@retroflexer looks good a few optional things to look at here. I can tag when you are ready.

/approve

pkg/operator/etcdcertsigner/etcdcertsignercontroller.go

pkg/operator/etcdendpointscontroller/etcdendpointscontroller_test.go

pkg/operator/etcdcertsigner/etcdcertsignercontroller.go

hexfusion · 2021-01-14T18:58:56Z

/lgtm

…he node

hexfusion · 2021-01-14T19:09:39Z

/lgtm

openshift-ci-robot · 2021-01-14T19:10:00Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hexfusion, retroflexer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [hexfusion]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-bot · 2021-01-15T14:07:31Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-01-15T23:26:24Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-01-16T00:45:16Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2021-01-16T03:33:23Z

/retest

Please review the full test history for this PR and help us cut down flakes.

openshift-ci-robot · 2021-01-16T05:08:08Z

@retroflexer: All pull requests linked via external trackers have merged:

openshift/cluster-etcd-operator#461

Bugzilla bug 1882176 has been moved to the MODIFIED state.

In response to this:

Bug 1882176: Validate certs for the current IP address of the node

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci-robot added the bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. label Oct 2, 2020

openshift-ci-robot added the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Oct 2, 2020

openshift-ci-robot requested review from hexfusion and ironcladlou October 2, 2020 18:37

hexfusion reviewed Oct 2, 2020

View reviewed changes

pkg/operator/etcdcertsigner/etcdcertsignercontroller.go Outdated Show resolved Hide resolved

retroflexer force-pushed the regen-certs-if-san-mismatch branch from dbbf87c to 4a4dfe6 Compare October 3, 2020 01:51

retroflexer changed the title ~~Bug 1882176: Verify the certs are valid for the current configured IP address~~ Bug 1882176: Validate certs for the current IP address of the node Oct 3, 2020