Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(tls): use fixed-length cert CommonNames #968

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

andrewazores
Copy link
Member

Welcome to Cryostat! 👋

Before contributing, make sure you have:

  • Read the contributing guidelines
  • Linked a relevant issue which this PR resolves
  • Linked any other relevant issues, PR's, or documentation, if any
  • Resolved all conflicts, if any
  • Rebased your branch PR on top of the latest upstream main branch
  • Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
  • Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

Fixes: #964

Description of the change:

This change adds allows the users to provide...

Motivation for the change:

This change is helpful because users may want to...

How to manually test:

  1. Insert steps here...
  2. ...

@andrewazores
Copy link
Member Author

/build_test

Copy link

github-actions bot commented Nov 5, 2024

/build_test completed successfully ✅.
View Actions Run.

@andrewazores andrewazores marked this pull request as ready for review November 5, 2024 19:27
@andrewazores andrewazores requested a review from a team November 5, 2024 19:27
Copy link
Member

@ebaron ebaron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems pretty straightforward, I just want to check first if this breaks anything when upgrading the operator. I'm worried something like #896 will happen.

Copy link
Member

@ebaron ebaron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I'm getting a 503 error after upgrading using the steps in #897. I think the easiest fix would be expand the check from #897 to compare the entire certificate spec and not just the secret name. This doesn't solve the certificate expiry issue (#119), but at least should get us back to the current state.

@andrewazores
Copy link
Member Author

The check from #897 looks like it's just checking the SecretName referenced by the CA Issuer, and the Issuer's Spec only really contains the SecretName.

SecretName: NewCryostatCACert(gvk, cr).Spec.SecretName,

SecretName: common.ClusterUniqueNameWithPrefix(gvk, "ca", cr.Name, cr.InstallNamespace),

currentSecret := current.SecretName

If I'm understanding the problem correctly, it's that the Certificates' Specs have changed (because the CommonName field has changed) - the Issuers and theirs Specs actually haven't changed. But I suppose on upgrade, a new CA gets created again and the old one needs to be invalidated and all its Certificates deleted?

@ebaron
Copy link
Member

ebaron commented Nov 6, 2024

The check from #897 looks like it's just checking the SecretName referenced by the CA Issuer, and the Issuer's Spec only really contains the SecretName.

SecretName: NewCryostatCACert(gvk, cr).Spec.SecretName,

SecretName: common.ClusterUniqueNameWithPrefix(gvk, "ca", cr.Name, cr.InstallNamespace),

currentSecret := current.SecretName

If I'm understanding the problem correctly, it's that the Certificates' Specs have changed (because the CommonName field has changed) - the Issuers and theirs Specs actually haven't changed. But I suppose on upgrade, a new CA gets created again and the old one needs to be invalidated and all its Certificates deleted?

Right that's what needs to happen on upgrade. You're right, detecting this will be a little more complicated than just modifying the check done in #897.

One possibility is treating the certificate spec like an immutable field, and calling the deleteCertChain method when attempting to modify it. Something like:

// Immutable, only updated when the deployment is created
if deploy.CreationTimestamp.IsZero() {
deploy.Spec.Selector = deployCopy.Spec.Selector
} else if !cmp.Equal(deploy.Spec.Selector, deployCopy.Spec.Selector) {
// Return error so deployment can be recreated
return errSelectorModified
}

@andrewazores
Copy link
Member Author

I found that the cmp.Equal() check on the whole cert Spec didn't behave quite how I expected, so in that latest commit I'm checking specific properties for equality. This looks like it works as expected, including in the upgrade case as outlined in #897's test steps, so once I figure out what exactly was breaking the deep equality check on the Specs then I can clean it up and I think this will be ready.

@andrewazores
Copy link
Member Author

/build_test

Copy link

github-actions bot commented Nov 7, 2024

/build_test : At least one test failed ❌.
View Actions Run.

@andrewazores
Copy link
Member Author

/build_test

Copy link

github-actions bot commented Nov 7, 2024

/build_test completed successfully ✅.
View Actions Run.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Bug] CommonName field in certificates may be too long
2 participants