-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SECURESIGN-1014 | Add support for Trusted Timestamp Authorities in SecureSign #456
base: main
Are you sure you want to change the base?
Conversation
Skipping CI for Draft Pull Request. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JasonPowr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
75de16f
to
171b90d
Compare
a0bb1a0
to
1282868
Compare
4150c71
to
3259955
Compare
0959e74
to
0e16cd0
Compare
21c3783
to
080759a
Compare
/test tas-operator-e2e |
1 similar comment
/test tas-operator-e2e |
080759a
to
a481720
Compare
a481720
to
d53a47d
Compare
c63ec3b
to
be06817
Compare
be06817
to
4d8816c
Compare
4d8816c
to
7e2ead7
Compare
/test tas-operator-e2e |
|
||
if ref := instance.Spec.Signer.CertificateChain.CertificateChainRef; ref == nil { | ||
config.RootPrivateKeyPassword = common.GeneratePassword(8) | ||
key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there anything common we can share with Rekor
? Both components generate signer with all related keys.... See https://github.com/securesign/secure-sign-operator/blob/main/internal/controller/rekor/actions/server/generate_signer.go#L200
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ill take a look thanks for the review :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current implementation of the TSA API looks good overall.
However, I would like to request some additional changes to ensure thorough testing and integration. Firstly, please add multiple unit tests for the TSA component, focusing specifically on the generateSigner and ntpMonitoringAction actions. Our experience shows that most bugs in our operator stem from user modify values in spec, and having robust unit tests for these actions will help mitigate this issue.
Additionally, extend the current controller tests to verify that objects and resources are correctly generated. Alongside this, please create a new test case to cover the hot update scenario, ensuring that the controller handles this situation appropriately.
Lastly, modify our end-to-end (e2e) tests to integrate the new TSA component, with a particular focus on upgrade testing.
maps.Copy(secretLabels, labels) | ||
|
||
certificateChain := k8sutils.CreateImmutableSecret(fmt.Sprintf("tsa-signer-config-%s", instance.Name), instance.Namespace, tsaCertChainConfig.ToMap(), secretLabels) | ||
if err = controllerutil.SetControllerReference(instance, certificateChain, g.Client.Scheme()); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently I am slowly changing behavior when we should not deleting generated secrets by our operator. The reason is to keep them in cluster for key rotation and enable to users find them for validated old signed data.
So you need to modify this action:
- by removing
controllerutil.SetControllerReference
andg.Client.DeleteAllOf
- solving remove TSACertCaLabel from old secrets, is is required other wise Tuf controller will fail on error of multiple secrets. You can find inspiration in Rekor component
- create unit tests for this action
|
||
if ntpConfig != nil { | ||
labels := constants.LabelsFor(ComponentName, DeploymentName, instance.Name) | ||
configMap := kubernetes.CreateConfigMap(NtpCMName, instance.Namespace, labels, map[string]string{"ntp-config.yaml": string(ntpConfig)}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it is better to use immutable configmaps, the main reason is change of cfg will automatically force deployment to apply new config. You can use kubernetes.CreateImmutableConfigmap
function
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Tomas appreciate the review :)
Opening this as a draft pr, so far this is just the basic deployment of the Timestamp Authority. just looking for some feedback. jira: https://issues.redhat.com/browse/SECURESIGN-1014
Testing
--timestamp-server-url=$TSA_URL
egcertificate chain
usingcurl https://<tsa-url>/api/v1/timestamp/certchain > ts_chain.pem
, then run thecosign verify
cmd like so: