New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[release-4.9] Bug 2060111: Set Upgradeable=False if default cert has no SAN #711
[release-4.9] Bug 2060111: Set Upgradeable=False if default cert has no SAN #711
Conversation
Don't use infraConfig.Status.PlatformStatus directly; infraConfig.Status could be nil. Follow-up to commit 9d4a41b. * pkg/operator/controller/ingress/status.go: Use GetPlatformStatus.
@Miciah: This pull request references Bugzilla bug 2060111, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
f305946
to
082ddfb
Compare
Verified via pre-merge verification workflow, more references related to the test can be found in: |
/test e2e-gcp-serial |
/test e2e-aws-operator |
1 similar comment
/test e2e-aws-operator |
Must-gather failed. |
/assign @candita |
Installer failed:
/test e2e-aws-operator |
foundSAN = true | ||
} | ||
} | ||
if cert.Subject.CommonName == domain && !foundSAN { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there always going to be a common name, even if there is a SAN?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, but what we really care about is the situation where a serving certificate is accepted by older clients and rejected by newer clients. Checking that the CN matches the ingresscontroller domain and that no SAN does is the best approach I've come up with to warn when there is a problem without causing false positives. Consider these four cases:
- The certificate has no SAN and no CN; such a certificate wouldn't work at all as a serving certificate even for older clients, so we should ignore it.
- The certificate has no CN and does have a SAN; this is fine: if the SAN is valid, the certificate will be accepted by both old clients as well as new clients (and if the SAN is invalid, it won't be accepted by old or new clients), so we should ignore it.
- The certificate has a CN that doesn't match the ingresscontroller domain; in this case, the certificate is presumably not the serving certificate but rather an intermediate, and anyway, as with the previous case, either it has a valid SAN, in which case both old as well as new clients will accept it, or it does not, in which case both old as well as new clients will reject it, so we should ignore it.
- The certificate has a CN that does match the ingresscontroller domain; in this case, the certificate most likely is the serving certificate, and we need to make sure it has a SAN with the same domain in order to still be accepted by newer Go clients.
The last case is really the only one that matters for upgrades, so it is the only one where we set Upgradeable=True
if we find a mismatch.
// <https://bugzilla.redhat.com/show_bug.cgi?id=2057762>. This check can be | ||
// removed after OpenShift 4.9. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is in 4.9, right?
// <https://bugzilla.redhat.com/show_bug.cgi?id=2057762>. This check can be | |
// removed after OpenShift 4.9. | |
// <https://bugzilla.redhat.com/show_bug.cgi?id=2057762>. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, this is the 4.9 backport. Usually I keep the backport as close as possible to the original change (in this case, #708) to minimize risk of breaking something and to simplify future backports.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was thinking that if someone saw "This check can be removed after OpenShift 4.9." that they might remove it in a later 4.9 version. Or it would at least cause some questions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm, I guess someone could interpret "after OpenShift 4.9" as including newer z-stream releases of 4.9. Maybe I should have said "in OpenShift 4.10 or later" in the original commit. However, even if someone interpreted "after OpenShift 4.9" in that way, I think the risk that someone would remove this in a 4.9 z-stream is low since we have extra levels of review and scrutiny for backports.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've amended the comment.
/retest |
If an ingresscontroller's default certificate has a Common Name (CN) for the ingress domain but has no Subject Alternative Name (SAN) for the same, report that the cluster cannot be upgraded by setting the Upgradeable=False status condition on the ingresscontroller and clusteroperator. Clients built using Go 1.17 reject certificates without SANs. OpenShift 4.10 is built using Go 1.17, which means that various operators that connect to routes that use the default certificate would reject the certificate and fail to complete the TLS handshake after upgrading to OpenShift 4.10 if the ingress operator didn't block the upgrade on a cluster with a problematic certificate. The commit is related to bug 2057762. https://bugzilla.redhat.com/show_bug.cgi?id=2057762 * pkg/operator/controller/ingress/status.go (syncIngressControllerStatus): Get the default certificate secret and pass it to computeIngressUpgradeableCondition. (computeIngressUpgradeableCondition): Add a parameter for the default certificate secret. Use the argument value to call the new checkDefaultCertificate function to check for problematic certificates. (checkDefaultCertificate): New function. Return a non-nil error value if the default certificate in the provided secret has a CN for the ingress domain and no SAN for the same. * pkg/operator/controller/ingress/status_test.go (TestComputeIngressUpgradeableCondition): Verify that computeIngressUpgradeableCondition reports Upgradeable=False if the default certificate has a CN and no SAN for the ingress domain and reports Upgradeable=True otherwise.
082ddfb
to
ffef526
Compare
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: candita, Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/bugzilla refresh Recalculating validity in case the underlying Bugzilla bug has changed. |
/bugzilla refresh Recalculating validity in case the underlying Bugzilla bug has changed. |
@openshift-bot: This pull request references Bugzilla bug 2060111, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/bugzilla refresh Recalculating validity in case the underlying Bugzilla bug has changed. |
@openshift-bot: This pull request references Bugzilla bug 2060111, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/bugzilla refresh Recalculating validity in case the underlying Bugzilla bug has changed. |
@openshift-bot: This pull request references Bugzilla bug 2060111, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/bugzilla refresh Recalculating validity in case the underlying Bugzilla bug has changed. |
@openshift-bot: This pull request references Bugzilla bug 2060111, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/bugzilla refresh Recalculating validity in case the underlying Bugzilla bug has changed. |
@openshift-bot: This pull request references Bugzilla bug 2060111, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/bugzilla refresh Recalculating validity in case the underlying Bugzilla bug has changed. |
@openshift-bot: This pull request references Bugzilla bug 2060111, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/bugzilla refresh Recalculating validity in case the underlying Bugzilla bug has changed. |
@openshift-bot: This pull request references Bugzilla bug 2060111, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/label cherry-pick-approved |
/bugzilla refresh |
@lihongan: This pull request references Bugzilla bug 2060111, which is valid. 6 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/test e2e-aws-operator |
1 similar comment
/test e2e-aws-operator |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
@Miciah: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@Miciah: All pull requests linked via external trackers have merged: Bugzilla bug 2060111 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This is a manual cherry-pick of #708 with an additional fix for an issue introduced in #709 (see #709 (comment)).
status: Use
GetPlatformStatus
Don't use
infraConfig.Status.PlatformStatus
directly;infraConfig.Status
could be nil.Follow-up to #709.
pkg/operator/controller/ingress/status.go
: UseGetPlatformStatus
.Set
Upgradeable=False
if default cert has no SANIf an ingresscontroller's default certificate has a Common Name (CN) for the ingress domain but has no Subject Alternative Name (SAN) for the same, report that the cluster cannot be upgraded by setting the
Upgradeable=False
status condition on the ingresscontroller and clusteroperator.Clients built using Go 1.17 reject certificates without SANs. OpenShift 4.10 is built using Go 1.17, which means that various operators that connect to routes that use the default certificate would reject the certificate and fail to complete the TLS handshake after upgrading to OpenShift 4.10 if the ingress operator didn't block the upgrade on a cluster with a problematic certificate.
pkg/operator/controller/ingress/status.go
(syncIngressControllerStatus
): Get the default certificate secret and pass it tocomputeIngressUpgradeableCondition
.(
computeIngressUpgradeableCondition
): Add a parameter for the default certificate secret. Use the argument value to call the newcheckDefaultCertificate
function to check for problematic certificates.(
checkDefaultCertificate
): New function. Return a non-nil error value if the default certificate in the provided secret has a CN for the ingress domain and no SAN for the same.pkg/operator/controller/ingress/status_test.go
(TestComputeIngressUpgradeableCondition
): Verify thatcomputeIngressUpgradeableCondition
reportsUpgradeable=False
if the default certificate has a CN and no SAN for the ingress domain and reportsUpgradeable=True
otherwise.