OCPBUGS-6661, OCPBUGS-9464: Handle mTLS CRLs, and fix accidental CRL duplication #472
Conversation
openshift-ci-robot
added
jira/severity-important
|
@rfredette: This pull request references Jira Issue OCPBUGS-9464, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/jira refresh |
openshift-ci-robot
added
jira/valid-bug
|
@rfredette: This pull request references Jira Issue OCPBUGS-9464, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
rfredette
force-pushed
the
ocpbugs-9464-duplicate-crls
branch
from
36ebc38 to
bef0660
Compare
|
/assign |
rfredette
changed the title
rfredette
force-pushed
the
ocpbugs-9464-duplicate-crls
branch
from
bef0660 to
e701475
Compare
openshift-ci-robot
added
jira/severity-critical
|
@rfredette: This pull request references Jira Issue OCPBUGS-9464, which is valid. 3 validation(s) were run on this bug
Requesting review from QA contact: The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CA") }} ca-file {{. }} {{ else }} ca-file /etc/ssl/certs/ca-bundle.trust.crt {{ end }} | ||
| {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CRL") }} crl-file {{. }} {{ end }} | ||
| {{- if (ne (env "ROUTER_MUTUAL_TLS_AUTH_CRL") "") }} | ||
| {{- with (env "ROUTER_MUTUAL_TLS_AUTH_CA") }} ca-file {{ . }} {{- else }} ca-file /etc/ssl/certs/ca-bundle.trust.crt {{ end }} |
There was a problem hiding this comment.
There are some changes here:
- previously:
{{. }}, now:{{ . }}-- innocuous - previously:
{{ else }}, now{{- else }}-- but now we trim all the whitespace before the action
Is the last change intentional? If so, for what reason?
My comment holds true for the other template change below too.
There was a problem hiding this comment.
It's not an intentional change; I will update this to get rid of that drift.
| return nil, fmt.Errorf("http.Get failed: %w", err) | ||
| } | ||
| defer resp.Body.Close() | ||
| crlBytes, err := io.ReadAll(resp.Body) |
There was a problem hiding this comment.
Before we ReadAll() we should check the response code:
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("received non-OK status code: %d", resp.StatusCode)
}The error message may be more helpful when a GET fails (e.g., 404).
What happens if the status code is a redirect?
| if block == nil { | ||
| break | ||
| } | ||
| clientCAData = data |
There was a problem hiding this comment.
In clientCAData are we only concerned with certificates?
if block.Type != "CERTIFICATE" {
return nil, time.Time{}, false, fmt.Errorf("client CA bundle contains a non-certificate PEM block")
}Or log and skip.
There was a problem hiding this comment.
We should only care about certificates; any other PEM block type shouldn't matter. I think log & skip any non-certificate content is the way to go.
| caUpdateChannel <- struct{}{} | ||
| } | ||
| if err := r.watchVolumeMountDir(filepath.Dir(caPath), caReloadFn); err != nil { | ||
| log.V(0).Error(err, "failed to establish watch on mTLS certificate directory") | ||
| return nil |
There was a problem hiding this comment.
Although this is existing behaviour, why does this not return the error?
There was a problem hiding this comment.
@Miciah I noticed that writeDefaultCert doesn't return an error for its calls to watchVolumeMountDir() should the call fail. Do you know of any history for why this returns nil?
There was a problem hiding this comment.
If we were to return an error I'd propose we do that change in 4.14+ only for the moment as we want the backports to discretely fix OCPBUGS-6661 and OCPBUGS-9464 only.
The CRLs on disk don't include enough information to accurately determine which CA certificate they were downloaded for. Instead of re-parsing the CRLs on disk, keep them in a map indexed by the CA's subject key, so we can avoid unnecessary downloads and incorrect attribution.
Allows easier backporting to releases reliant on go 1.18 or older
rfredette
force-pushed
the
ocpbugs-9464-duplicate-crls
branch
from
e701475 to
6593d76
Compare
|
@rfredette: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Miciah The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@rfredette: Jira Issue OCPBUGS-9464: Some pull requests linked via external trackers have merged: The following pull requests linked via external trackers have not merged: These pull request must merge or be unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with Jira Issue OCPBUGS-9464 has not been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherry-pick release-4.13 |
|
@rfredette: new pull request created: #485 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This PR makes the router parse the certificates supplied in ROUTER_MUTUAL_TLS_AUTH_CA, download CRLs from any CRL distribution points that are found, and write them to a file that is supplied to HAProxy for mTLS certificate validation.
It also includes a fix for an issue where, when a CRL is distributed in a certificate that is not its issuer, the CRL would sometimes be missing or two copies of the CRL would be present.