Create tls-artifacts-registry enhancement #1502
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
vrutkovs
force-pushed
the
tls-artifacts-registry
branch
from
2d49949
to
68323c2
Compare
| and consults it to ensure that a particular certificate is platform-managed. The administrator can use JIRA component metadata to file a | ||
| new issue related to this certificate. | ||
|
|
||
| Similarly, TRT members use this registry to file issues found in |
There was a problem hiding this comment.
probably not TRT.
Can you describe the workflow for adding a new cert? I think it looks like
- open PR adding new cert to operator repo
- CI fails due to new cert appearing
- CI includes the new raw-tls info required, but it's still missing an owner
- dev takes the file and adds it to origin PR
- origin PR fails CI because he forgot to update
- dev runs the hack/update
- origin PR fails CI because dev doesn't have an owner (or other annotation like "works with recert tool) for his new cert
- dev fakes in his origin PR, thus taking ownership. OR
- dev goes to his operator PR and adds the necessary annotations, redoes his origin, PR
- origin PR now passes CI and merges
- operator PR can now land.
There was a problem hiding this comment.
- dev runs the hack/update
would fail if owner is unset, so step 7 won't happen.
I expect the happy path to look like this:
- Developer is aware of this enhancement, so they create a PR with necessary annotation
- PR merges and TLS test in origin shows a flaking test - certificate is not registered in TLS registry
- Dev creates a PR to origin, updates ownership,
hack/updategenerates new expected raw TLS info file - After PR is merged TLS info test no longer flakes
Most unhappy path:
- open PR adding new cert to operator repo
- CI fails due to new cert appearing
- CI includes the new raw-tls info required, but it's still missing an owner
- dev takes the file and adds it to origin PR
- origin PR fails CI because he forgot to update
- dev runs the hack/update.
hack/validate-tls-inforequires owner to be set - dev updates the owner thus taking ownership, origin PR is approved, operator PR can now land
There was a problem hiding this comment.
However, TRT may be interested in this too, as if they encounter a problem with certificate its easy to find the team owning it - and quickly find a bug before reverting the offending PR (if available)
There was a problem hiding this comment.
I wonder if adding a new cert is considered a failure based on the scenario that David described? Adding a new cert that meets all requirements (such as valid annotations, ownership info and proper expiration time) should be fine.
There was a problem hiding this comment.
Added expected flow in "Workflow Description" section
|
|
||
| ### Workflow Description | ||
|
|
||
| The cluster administrator opens the TLS artifacts registry in the `origin` repo |
There was a problem hiding this comment.
I know we have a test designed to detect issues with certificates and I expect folks will look at the test to see what certificates needs to be fixed or issues need to be addressed. However, I wonder if we can generate a text-based output that will summarize all of failures that admin/dev can see quickly instead of having to go through the whole markdown that contains both good and bad certs.
There was a problem hiding this comment.
The test will exclude known violations. Currently all certs are added there, so the test would fail only on the certificates added in the PR
| and consults it to ensure that a particular certificate is platform-managed. The administrator can use JIRA component metadata to file a | ||
| new issue related to this certificate. | ||
|
|
||
| Similarly, TRT members use this registry to file issues found in |
There was a problem hiding this comment.
I wonder if adding a new cert is considered a failure based on the scenario that David described? Adding a new cert that meets all requirements (such as valid annotations, ownership info and proper expiration time) should be fine.
| being generated, so that most operators would use the recommended | ||
| method. | ||
|
|
||
| ### Workflow Description |
There was a problem hiding this comment.
I think we should make it clear in this enhancement that the registry is a snapshot and auto-generated of the current stage of certificates on cluster and serves as a source of truth for validation purposes. It is meant to be immutable from viewer perspective as you shouldn't open a PR in origin to change the registry. Instead, you should open PR to address the issues directly to where the problematic certs are.
There was a problem hiding this comment.
I wonder if adding a new cert is considered a failure based on the scenario that David described?
Yes. The cert name first needs to be registered in origin repo and then have the PR adding it merged.
Before we start adding more metadata requirements in the test we'll ensure PRs to add necessary metadata are merged
There was a problem hiding this comment.
serves as a source of truth for validation purposes
Good point, will add this to the enhancement
It is meant to be immutable from viewer perspective as you shouldn't open a PR in origin to change the registry.
The violations list is meant to be remove-only, but users are expected to update expected metadata (i.e. description) and move certs from violations list after certificate metadata (==annotations) are updated
vrutkovs
force-pushed
the
tls-artifacts-registry
branch
from
68323c2
to
8f6f40e
Compare
|
|
||
| Similarly, TRT members use this registry to file issues found in | ||
| periodic or release-blocking jobs. | ||
|
|
There was a problem hiding this comment.
Add a section about, "how to add capability/X to all certificates".
Intro about potential capabilities: on demand rotation, on demand revocation, auto regeneration on expiry, recert for single node.
- create new directory under
origin/tls/<capability>peer to ownership - directory must contain a readme.MD that is manually created
- directory must contain a generated
<capability>.mdthat organized by owning component (jira components) . Generator lives in blah and has matching verify script in blah, point to examples. The markdown file is for humans to follow progress achieving capability/X - directory must contain json file for machine reability of progress.
- generator must read from rawTLS to generate the json and markdown. raw TLS gathers data from annotations specified on kube resources.
- to have PKI indicate they support capability/X, the owning team will merge a PR adding the annotation AFTER that team is satisfied that it is supported and has some regression protection.
- more and more.
|
cc @omertuc @jakobmoellerdev PTAL |
| ## Summary | ||
|
|
||
| This enhancement describes a single registry to store all produced | ||
| TLS artifacts. Both engineering and customers have expressed concern |
There was a problem hiding this comment.
TLS artifacts
The registry should possibly also cover non-TLS cryptography, such as JWT tokens, the private keys used to sign them and their corresponding public keys
There was a problem hiding this comment.
JWT tokens
Could you give me an example where these can be stored and detected?
the private keys used to sign them and their corresponding public keys
Yes, that is something we cover. Should we specify the way we find those?
Currently its "list secrets and look for values which can be decoded as either certificate or the key" and "find files which can be decoded as certificate or a key", but I don't mind having it expanded.
There was a problem hiding this comment.
Could you give me an example where these can be stored and detected?
There are many of them, but one particular example:
e.g. a JWT could be found in Secret openshift-kube-apiserver:default-token-bzg9f .data.token
Signed by the private key at Secret openshift-kube-controller-manager:service-account-private-key-4 .data."service-account.key"
And the matching public key at ConfigMap openshift-kube-apiserver:sa-token-signing-certs-3 .data."service-account-001.pub"
There was a problem hiding this comment.
Service account secret and public keys are certainly being included, but things like JWT are not, as they are derivatives and thus harder to be tracked
There was a problem hiding this comment.
I see. recert has to re-sign all JWTs after regenerating the service account private key, so it needs to know where they all are. So without them being tracked in the registry recert would still have to do scanning to find JWTs.
Also, pedantic nit: you might want to change the wording of the enhancement from "TLS" to something else since those service account private/public keys which the registry tracks are used to the best of my knowledge exclusively for signing/verifying JWTs, and that technically doesn't have anything to do with TLS, so the term TLS is overly specific
There was a problem hiding this comment.
I think TLS is correct here - certificates and CA bundles unlike JWT have a set of properties like key algorithm, key size, validity period etc. Hopefully it would be useful for recert tool, but its not meant to cover all secrets recert is working with.
There was a problem hiding this comment.
I think TLS is correct here
The registry will cover service account keys (which don't even have certs associated with them, and even if they did, that still doesn't make them TLS-related, TLS uses certs, but certs are not exclusive to TLS), they have nothing to do with TLS, they're used just for signing and verifying JWTs, so mentioning TLS is technically too specific and excludes them, despite the registry including them. Of course I'm just being pedantic here, it's just a suggestion to fix the terminology in the enhancement to avoid confusion
There was a problem hiding this comment.
Added few examples to Non goals to cover this discussion
| TLS artifacts registry is useful for several teams in Red Hat (i.e. | ||
| which component manages a particular certificate) and customers - | ||
| for instance, helping them to separate platform-managed certificates | ||
| from user-managed. |
There was a problem hiding this comment.
from user-managed.
Beyond user-managed vs platform-managed, within the umbrella of platform-managed it would also be nice if the registry could make a distinction between cluster internal certificates (which are platform managed) and well-known Internet CA certificates (which are also technically platform managed). The latter are static and provided from outside the cluster, they don't relate cryptographically to the certificates and keys within the cluster. The former are internal to the cluster and can be rotated as long as all their related keys and certs are rotated as well
There was a problem hiding this comment.
the registry could make a distinction between cluster
This would be a property of the cert, similar to the "owning-component" we have now - but we don't need to list all properties in the enhancement describing TLS registry as a structure. This enhancement however should include a way of adding new metadata requirements - which way would fit you?
There was a problem hiding this comment.
It's not critical to me whether it's covered within the scope of the enhancement or some generic metadata field in the future - I guess it depends on the definition of "Ownership" - who owns a trusted e.g. Verisign certificate - it's platform-managed (i.e. not user provided), but it's not our certificate - it's a globally well known Internet CA certificate. Who owns such certificate? (not looking for an answer, just something to consider. I'm not opinionated on whether this is something the enhancement should cover)
There was a problem hiding this comment.
Its a matter of correctly phrasing requirements. So far we used "ownership" as a substitute for "owning component", meaning "JIRA component which is responsible for its lifecycle". One of valid values there however is "End User" (if no component created it).
Its certainly a problem to define terms correctly, but I don't think there is a way to prevent this problem in principle
vrutkovs
force-pushed
the
tls-artifacts-registry
branch
from
8f6f40e
to
6a54532
Compare
|
Another obstacle we have with recert is that some keys and certs can be found in really obscure locations:
We take care of them for now, but it's inconvenient and I think we should restrict keys/certs to be only in configmaps/secrets But even within secrets/configmaps, some are not directly inside the secret/configmap, they're nested within a kubeconfig that's inside the secret/configmap, which is so convoluted that we have implemented specialized workarounds to handle them in particular, these currently include:
Our current solution for some of them is to delete them and let them reconcile, but for others that reconcile takes too long so we have to give them special handling for performance reasons, and we wish we could stop doing that |
|
Inactive enhancement proposals go stale after 28d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Mark the proposal as fresh by commenting If this proposal is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
| Add a test to the conformance suite that verifies the actual cluster TLS | ||
| artifacts have necessary metadata. | ||
|
|
||
| ### Non-Goals |
There was a problem hiding this comment.
I'd call out here the bits from earlier comments, ie. JWT tokens and cluster external certificates.
There was a problem hiding this comment.
Good idea, added few items here
| registry | ||
| * Create a test that verifies that TLS artifacts in a cluster have | ||
| necessary annotations to provide required metadata. | ||
| * Some TLS artifacts can be added to known violation list so that the test |
There was a problem hiding this comment.
I'd probably add it as non-goal, since this will be only a temporary approach while we get to the point where the full registry is working as expected.
There was a problem hiding this comment.
Maintaining a list of violations is part of the registry, its not a non-goal really
|
|
||
| #### Adding a new TLS artifact | ||
|
|
||
| The cluster administrator opens the TLS artifacts registry in the `origin` repo |
There was a problem hiding this comment.
Have you consider publishing the registry in our docs? Would it be feasible?
There was a problem hiding this comment.
Or at least a link from the docs describing this problem to a particular file in origin repo.
There was a problem hiding this comment.
We already have docs generated in openshift/api about which certificates we expect and how they interact. This enhancement is more focused on ensuring that certs in cluster actually match this model. These features definitely overlap, but there is no need to publish actual certs from CI cluster to docs.
Its worth adding a link to the api docs though, its useful to keep expected and actual state in sync
vrutkovs
force-pushed
the
tls-artifacts-registry
branch
from
6a54532
to
da6966c
Compare
| ### Non-Goals | ||
|
|
||
| * Include certificates provided by user (additional CA bundle, custom ingress / API certificates) | ||
| * Include other encrypted artifacts - e.g. JWT tokens |
There was a problem hiding this comment.
Maybe getting back to this in light of the recent discussions above. Is there any plan or idea on how this registry would be usable for the IBI/IBU flows or replacing recert if they are not including JWT or other derivatives? AFAIK @omertuc comments are basic requirements for replacement of recert.
There was a problem hiding this comment.
I'm not familiar with IBI/IBU flows - do you have a link to describe those?
This registry won't replace recert, but hopefully it would be useful for recert tool - it would be a source of truth on cert locations and its properties, e.g. which signer has issued this cert and where on disk or in cluster this cert needs to be present etc.
There was a problem hiding this comment.
Regarding IBI/IBU - Theres this high level write up which I recommend, but I think its irrelevant to the point im making.
I think this registry will not be that useful to recert because recert will still have to iterate over all objects for crypto analysis due to JWT explicitly being excluded from this EP.
This is because before looking into the objects subject to modification, recert does not know where the JWTs / Certs are it has to modify. With this enhancement we could make recert use the certificate directory to skip one part of this, however JWTs would need either
- A) A new registry that is similar to the one discussed here (leading to a new EP or to the existing recert logic staying as is)
- B) An extension to this registry so that they can be mapped in this EP (removing it from non-goals)
There was a problem hiding this comment.
I think its worth extending this registry for JWT, although for this first phase its listed as a non-goal
There was a problem hiding this comment.
@omertuc @jerpeter1 Do we concur then that we need to build out this extension before being able to use it for recert or should we introudce an intermediary step?
vrutkovs
force-pushed
the
tls-artifacts-registry
branch
from
da6966c
to
8220d8a
Compare
|
Stale enhancement proposals rot after 7d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Mark the proposal as fresh by commenting If this proposal is safe to close now please do so with /lifecycle rotten |
openshift-ci
bot
added
lifecycle/rotten
vrutkovs
force-pushed
the
tls-artifacts-registry
branch
from
8220d8a
to
b530840
Compare
|
Rotten enhancement proposals close after 7d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Reopen the proposal by commenting /close |
|
@openshift-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/reopen |
|
@vrutkovs: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
removed
the
lifecycle/rotten
|
#1555 is changing the enhancement template in a way that will cause the header check in the linter job to fail for existing PRs. If this PR is merged within the development period for 4.16 you may override the linter if the only failures are caused by issues with the headers (please make sure the markdown formatting is correct). If this PR is not merged before 4.16 development closes, please update the enhancement to conform to the new template. |
vrutkovs
force-pushed
the
tls-artifacts-registry
branch
from
b530840
to
58d715f
Compare
|
@vrutkovs: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Inactive enhancement proposals go stale after 28d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Mark the proposal as fresh by commenting If this proposal is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
openshift-ci
bot
removed
the
lifecycle/stale
|
Inactive enhancement proposals go stale after 28d of inactivity. See https://github.com/openshift/enhancements#life-cycle for details. Mark the proposal as fresh by commenting If this proposal is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
openshift-ci
bot
removed
the
lifecycle/stale
cc @dgrisonnet @dinhxuanvu @deads2k
TODO: