New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HOSTEDCP-1257: control-plane-pki-operator: add a CSR flow for break-glass creds #3267
HOSTEDCP-1257: control-plane-pki-operator: add a CSR flow for break-glass creds #3267
Conversation
@stevekuznetsov: This pull request references HOSTEDCP-1256 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
✅ Deploy Preview for hypershift-docs ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
3be2099
to
22eb99a
Compare
@@ -0,0 +1,185 @@ | |||
/* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we have a policy for wholesale copy-paste of modules? Upstream made it clear they would not be OK with exporting this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would at least add a comment saying where this came from
type ValidatorFunc func(csr *certificatesv1.CertificateSigningRequest, x509cr *x509.CertificateRequest) error | ||
|
||
// Validator returns a function that validates CertificateSigningRequests | ||
func Validator(hcp *hypershiftv1beta1.HostedControlPlane, signer SignerClass) ValidatorFunc { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please review this - we're declaring what kinds of CSRs we accept here.
der, err := ca.Sign(x509cr.Raw, authority.PermissiveSigningPolicy{ | ||
TTL: duration(certTTL, expirationSeconds), | ||
Usages: usages, | ||
Backdate: backdate, // this must always be less than the minimum TTL requested by a user (see sanity check requestedDuration below) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please review backdating & validity - as written, it's the same as upstream k8s signers.
return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil | ||
} | ||
|
||
func duration(certTTL time.Duration, expirationSeconds *int32) time.Duration { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please review duration policy - as written, it's the same as upstream k8s signers.
kubeInformersForNamespaces, | ||
kubeClient, | ||
controllerContext.EventRecorder, | ||
36*certRotationScale/24, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please review TTL.
@@ -0,0 +1,80 @@ | |||
package controlplanepkioperator |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This file (and the test) don't follow the convention in this controller, but the convention is to put everything in disjoint places and many thousand-line-files so I hope that's ok
...nifests/controlplanepkioperator/testdata/zz_fixture_TestReconcileCSRApproverClusterRole.yaml
Show resolved
Hide resolved
22eb99a
to
b98d5cf
Compare
|
||
// signing the certificate necessarily uses cryptographic randomness, so we can't know | ||
// what the output will be a priori | ||
if testCase.expectedCfg != nil && testCase.expectedCfg.Status != nil && testCase.expectedCfg.Status.Certificate != nil && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is unfortunate but I don't know of any way for us to avoid it. Essentially we end up asserting that if the test case expected something in the signed certificate field, there is some value - any value - there.
e7ce332
to
3785020
Compare
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
a15269b
to
a845102
Compare
8a64c99
to
d70aba9
Compare
ed82750
to
9d76262
Compare
In order to acquire break-glass credentials, end users will not have access to the management plane from which they can read certificates. Instead, we expect them to create (by proxy) a CertificateSigningRequest that we will sign, if it is approved. Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
9d76262
to
95c604a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some initial comments
api/hypershift/v1alpha1/certificatesigningrequestapproval_types.go
Outdated
Show resolved
Hide resolved
api/hypershift/v1alpha1/certificatesigningrequestapproval_types.go
Outdated
Show resolved
Hide resolved
hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
Outdated
Show resolved
Hide resolved
hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go
Outdated
Show resolved
Hide resolved
@@ -0,0 +1,185 @@ | |||
/* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would at least add a comment saying where this came from
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
@csrwng thanks for the review - I'd like to hear from the client-go folks if there's a CA library I should use instead of pulling in that bit from k8s, but this is ready otherwise. Worst case, we can un-copy that in a follow-up. |
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
67fd6e8
to
a1513fa
Compare
/rtest |
/retest |
1 similar comment
/retest |
/approve
Branching already happened 👎 |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sjenning, stevekuznetsov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@stevekuznetsov: This pull request references HOSTEDCP-1257 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@stevekuznetsov: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
0f7c8c4
into
openshift:main
[ART PR BUILD NOTIFIER] This PR has been included in build ose-hypershift-container-v4.16.0-202312121005.p0.g0f7c8c4.assembly.stream for distgit hypershift. |
/cherry-pick release-4.15 |
@stevekuznetsov: new pull request created: #3324 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
In order to acquire break-glass credentials, end users will not have access to the management plane from which they can read certificates. Instead, we expect them to create (by proxy) a CertificateSigningRequest that we will sign, if it is approved.
/cc @sjenning @csrwng @enxebre