HOSTEDCP-1257: control-plane-pki-operator: add a CSR flow for break-glass creds #3267
Conversation
|
@stevekuznetsov: This pull request references HOSTEDCP-1256 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
jira/valid-reference
openshift-ci
bot
added
do-not-merge/needs-area
area/ci-tooling
✅ Deploy Preview for hypershift-docs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
stevekuznetsov
force-pushed
the
skuznets/pki-csr
branch
2 times, most recently
from
3be2099
to
22eb99a
Compare
| @@ -0,0 +1,185 @@ | |||
| /* | |||
There was a problem hiding this comment.
Do we have a policy for wholesale copy-paste of modules? Upstream made it clear they would not be OK with exporting this.
There was a problem hiding this comment.
I would at least add a comment saying where this came from
| type ValidatorFunc func(csr *certificatesv1.CertificateSigningRequest, x509cr *x509.CertificateRequest) error | ||
|
|
||
| // Validator returns a function that validates CertificateSigningRequests | ||
| func Validator(hcp *hypershiftv1beta1.HostedControlPlane, signer SignerClass) ValidatorFunc { |
There was a problem hiding this comment.
Please review this - we're declaring what kinds of CSRs we accept here.
| der, err := ca.Sign(x509cr.Raw, authority.PermissiveSigningPolicy{ | ||
| TTL: duration(certTTL, expirationSeconds), | ||
| Usages: usages, | ||
| Backdate: backdate, // this must always be less than the minimum TTL requested by a user (see sanity check requestedDuration below) |
There was a problem hiding this comment.
Please review backdating & validity - as written, it's the same as upstream k8s signers.
| return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil | ||
| } | ||
|
|
||
| func duration(certTTL time.Duration, expirationSeconds *int32) time.Duration { |
There was a problem hiding this comment.
Please review duration policy - as written, it's the same as upstream k8s signers.
| kubeInformersForNamespaces, | ||
| kubeClient, | ||
| controllerContext.EventRecorder, | ||
| 36*certRotationScale/24, |
There was a problem hiding this comment.
Please review TTL.
| @@ -0,0 +1,80 @@ | |||
| package controlplanepkioperator | |||
There was a problem hiding this comment.
This file (and the test) don't follow the convention in this controller, but the convention is to put everything in disjoint places and many thousand-line-files so I hope that's ok
...nifests/controlplanepkioperator/testdata/zz_fixture_TestReconcileCSRApproverClusterRole.yaml
Show resolved
Hide resolved
stevekuznetsov
force-pushed
the
skuznets/pki-csr
branch
from
22eb99a
to
b98d5cf
Compare
|
|
||
| // signing the certificate necessarily uses cryptographic randomness, so we can't know | ||
| // what the output will be a priori | ||
| if testCase.expectedCfg != nil && testCase.expectedCfg.Status != nil && testCase.expectedCfg.Status.Certificate != nil && |
There was a problem hiding this comment.
This is unfortunate but I don't know of any way for us to avoid it. Essentially we end up asserting that if the test case expected something in the signed certificate field, there is some value - any value - there.
stevekuznetsov
force-pushed
the
skuznets/pki-csr
branch
2 times, most recently
from
e7ce332
to
3785020
Compare
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
stevekuznetsov
force-pushed
the
skuznets/pki-csr
branch
5 times, most recently
from
a15269b
to
a845102
Compare
openshift-ci
bot
added
the
area/control-plane-operator
stevekuznetsov
force-pushed
the
skuznets/pki-csr
branch
2 times, most recently
from
8a64c99
to
d70aba9
Compare
stevekuznetsov
force-pushed
the
skuznets/pki-csr
branch
2 times, most recently
from
ed82750
to
9d76262
Compare
In order to acquire break-glass credentials, end users will not have access to the management plane from which they can read certificates. Instead, we expect them to create (by proxy) a CertificateSigningRequest that we will sign, if it is approved. Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
stevekuznetsov
force-pushed
the
skuznets/pki-csr
branch
from
9d76262
to
95c604a
Compare
api/hypershift/v1alpha1/certificatesigningrequestapproval_types.go
Outdated
Show resolved
Hide resolved
api/hypershift/v1alpha1/certificatesigningrequestapproval_types.go
Outdated
Show resolved
Hide resolved
hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
Outdated
Show resolved
Hide resolved
hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
Outdated
Show resolved
Hide resolved
| @@ -0,0 +1,185 @@ | |||
| /* | |||
There was a problem hiding this comment.
I would at least add a comment saying where this came from
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
|
@csrwng thanks for the review - I'd like to hear from the client-go folks if there's a CA library I should use instead of pulling in that bit from k8s, but this is ready otherwise. Worst case, we can un-copy that in a follow-up. |
openshift-ci
bot
added
the
area/documentation
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
stevekuznetsov
force-pushed
the
skuznets/pki-csr
branch
from
67fd6e8
to
a1513fa
Compare
|
/rtest |
|
/retest |
1 similar comment
|
/retest |
|
/approve
Branching already happened 👎 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sjenning, stevekuznetsov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
stevekuznetsov
changed the title
|
@stevekuznetsov: This pull request references HOSTEDCP-1257 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@stevekuznetsov: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
openshift-merge-bot
bot
merged commit 0f7c8c4
into
openshift:main
|
[ART PR BUILD NOTIFIER] This PR has been included in build ose-hypershift-container-v4.16.0-202312121005.p0.g0f7c8c4.assembly.stream for distgit hypershift. |
|
/cherry-pick release-4.15 |
|
@stevekuznetsov: new pull request created: #3324 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
In order to acquire break-glass credentials, end users will not have access to the management plane from which they can read certificates. Instead, we expect them to create (by proxy) a CertificateSigningRequest that we will sign, if it is approved.
/cc @sjenning @csrwng @enxebre