Dissalow custom CA paths for identity providers #9731
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
| @@ -41,7 +41,7 @@ | |||
| bind_addr: "{{ openshift_master_bind_addr | default(None) }}" | |||
| session_max_seconds: "{{ openshift_master_session_max_seconds | default(None) }}" | |||
| session_name: "{{ openshift_master_session_name | default(None) }}" | |||
| ldap_ca: "{{ openshift_master_ldap_ca | default(lookup('file', openshift_master_ldap_ca_file) if openshift_master_ldap_ca_file is defined else None) }}" | |||
| ldap_ca: "{{ openshift_master_ldap_ca | default(lookup('file', openshift_master_ldap_ca_file)) }}" | |||
There was a problem hiding this comment.
I don't think this change is desired.
There was a problem hiding this comment.
Right, no need to touch that
vrutkovs
force-pushed
the
ldap_ca_in_origin_master
branch
3 times, most recently
from
3b5dc60
to
1e2ef3f
Compare
openshift-ci-robot
added
size/S
vrutkovs
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
vrutkovs
changed the title
| @@ -99,7 +99,7 @@ | |||
|
|
|||
| - name: Create the request header ca file if needed | |||
| copy: | |||
| dest: "{{ item.clientCA if 'clientCA' in item and '/' in item.clientCA else '/etc/origin/master/' ~ item.clientCA | default('request_header_ca.crt') }}" | |||
| dest: "/etc/origin/master/request_header_ca.crt" | |||
There was a problem hiding this comment.
We need to evaluate the boolean cases in this PR as well.
It seems that this file is only created of the clientCA key is defined in an item in openshift_master_identity_providers. Since we've updated the docs, that field is no longer there, thus this field might not get defined.
Probably just need to force people to migrate these CA keys to not include a leading '/' char, and then just put the file path in /etc/origin/master/* wherever they specify.
There was a problem hiding this comment.
Probably just need to force people to migrate these CA keys to not include a leading '/' char, and then just put the file path in /etc/origin/master/* wherever they specify
Not sure what would be the usecase for this, although its potentially dangerous, as user may rewrite etcd/api certs if the name is ca-bundle.crt or ca.crt or admin.crt , which are pretty common.
There was a problem hiding this comment.
I don't care where we put the files or what we name them, as long as they are in /etc/origin/master they will be fine. We already have logic that will block existing users from upgrades if any paths outside of /etc/origin/master are found in master's config file.
We need to implement similar logic for the identity provider dictionary for new installs, backport to 3.10. The change as-is here would break some logic, and define variables when they might otherwise be undefined by the user.
For example, https://github.com/openshift/openshift-ansible/pull/9731/files#diff-54774cd1a74c81a803bc9a139d03f9d6R109 will never be true because we're now telling users not to define the 'clientCA' key in the example.
There was a problem hiding this comment.
Seems like we should just get rid of that conditional across these set of tasks?
There was a problem hiding this comment.
We already have logic that will block existing users from upgrades if any paths outside of /etc/origin/master are found in master's config file
Identity providers are skipped there, as this part of the code is expected to do that. Also, this check won't forbid rewriting existing certs.
.. will never be true because we're now telling users not to define the 'clientCA' key in the example.
Correct, removed this clause.
| @@ -99,7 +99,7 @@ | |||
|
|
|||
| - name: Create the request header ca file if needed | |||
| copy: | |||
| dest: "{{ item.clientCA if 'clientCA' in item and '/' in item.clientCA else '/etc/origin/master/' ~ item.clientCA | default('request_header_ca.crt') }}" | |||
| dest: "/etc/origin/master/request_header_ca.crt" | |||
There was a problem hiding this comment.
I don't care where we put the files or what we name them, as long as they are in /etc/origin/master they will be fine. We already have logic that will block existing users from upgrades if any paths outside of /etc/origin/master are found in master's config file.
We need to implement similar logic for the identity provider dictionary for new installs, backport to 3.10. The change as-is here would break some logic, and define variables when they might otherwise be undefined by the user.
For example, https://github.com/openshift/openshift-ansible/pull/9731/files#diff-54774cd1a74c81a803bc9a139d03f9d6R109 will never be true because we're now telling users not to define the 'clientCA' key in the example.
This commit would ensure ldap auth provider won't rewrite any files in the static pod and gets placed in /etc/origin/master/ Previously, before static pod deployment, openshift_master_identity_providers param for LDAP auth could specify the file, which was copied on the host and was used by API server, running on the host. In 3.10+ this file needs to be mounted in the API server container (along with the rest of configuration), so a custom path in `ca` section could be left on the node. This file was copied unconditionally and could rewrite any CA / config file. This commit would always place contents from `openshift_master_ldap_ca` (or file from `openshift_master_ldap_ca_file`) in /etc/origin/master/ldap_ca.crt, which would be mounted in a static pod. This also affects OpenID auth and request header auth
vrutkovs
force-pushed
the
ldap_ca_in_origin_master
branch
from
1e2ef3f
to
ceac075
Compare
If users could specify arbitrary paths, I don't think they would fail. |
| @@ -78,7 +78,7 @@ | |||
|
|
|||
| - name: Create the ldap ca file if needed | |||
| copy: | |||
| dest: "{{ item.ca if 'ca' in item and '/' in item.ca else '/etc/origin/master/' ~ item.ca | default('ldap_ca.crt') }}" | |||
| dest: "/etc/origin/master/ldap_ca.crt" | |||
There was a problem hiding this comment.
Perhaps we should prefix each filename with the 'name' key of the auth_provider? That would allow multiple auth providers of the same type?
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: michaelgugino, sdodson, vrutkovs The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/cherrypick release-3.10 |
|
@michaelgugino: new pull request created: #9803 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This commit would ensure ldap auth provider won't rewrite any files
in the static pod and gets placed in /etc/origin/master/ldap_ca.crt.
Previously, before static pod deployment,
openshift_master_identity_providers
param for LDAP auth could specify the file, which was copied on the
host and was used by API server, running on the host.
In 3.10+ this file needs to be mounted in the API server container
(along with the rest of configuration), so a custom path in
casectioncould be left on the node. This file was copied unconditionally and
could rewrite any CA / config file.
This commit would always place contents from
openshift_master_ldap_ca(or file from
openshift_master_ldap_ca_file) in/etc/origin/master/ldap_ca.crt, which would be mounted in a static pod.
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1614414, https://bugzilla.redhat.com/show_bug.cgi?id=1616262 and #9397
Fixes #6191
TODO:
LDAPPasswordIdentityProviderhascaautofilled withldap_caifopenshift_master_ldap_ca_fileis set