
[certificates]: validate that certs are valid for a Gitpod install #13471

Merged
merged 1 commit into from
Oct 3, 2022

Conversation

mrsimonemms

@mrsimonemms mrsimonemms commented Sep 29, 2022

Description

Add some rudimentary checks for the certificate - importantly, these are the skateboard not the finished article. These download and decode the certificate secret and perform the following checks:

  1. that the secret exists and is able to be decoded as an OpenSSL x509 certificate
  2. that $DOMAIN, *.$DOMAIN and *.ws.$DOMAIN exist in the secret (the subject alternate names seem to be non-standard, so this is a simple grep)
  3. that the current timestamp is between the notBefore and notAfter timestamps

NB it does NOT validate that the certificate's CA is known and installed in the cluster. That's important but it's beyond the 🛹

As with the other KOTS checks, these are perhaps a little rudimentary but they give an indication of whether the provided state is Gitpod-compatible. As there's a time-based test, it is plausible (however unlikely) that this could fail 5 minutes later if the cert expiry then occurs - again, this can be tweaked as a 🚲

IMPORTANT this is not provided as a pre-flight check. As the majority of our users will be using LetsEncrypt and cert-manager to generate their certs, these are not triggered until AFTER the first deployment. This would mean that the pre-flight checks are likely to fail. Instead, this is part of the troubleshooting to provide answers if the installation is not working.

Related Issue(s)

Fixes #11865

How to test

Example support bundle - file and analyzer

Install via KOTS and go to "troubleshoot" to build a support bundle. This has been checked with both a LetsEncrypt and a self-signed cert built in-cluster. I do not have a valid, publicly-signed cert that's not provided by LetsEncrypt.

To check the edge-cases that KOTS smooths away for us, you can run the script in the image directly

docker run -it --rm \
  -v "${HOME}/.kube:/root/.kube" \
  eu.gcr.io/gitpod-core-dev/build/kots-config-check/certificate:mrsimonemms-add-kots-support-bundle-11865.1 \
  <domain> \
  gitpod \
  https-certificates

Release Notes

[certificates]: validate that certs are valid for a Gitpod install

Documentation

Werft options:

  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-integration-tests=all
    Valid options are all, workspace, webapp, ide
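
The three checks from the description, reimplemented as an added Go example (this is not the PR's own shell/OpenSSL script from the kots-config-check image): decode the PEM, require the three SAN names by whole-name match as the PR's grep does, and compare the current time with notBefore/notAfter. The certificate is constructed in-code as a stand-in for the decoded https-certificates secret, and gitpod.example.com is an assumed domain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CheckCert runs the PR's three checks on a PEM certificate: it must decode as X.509, carry
// $DOMAIN, *.$DOMAIN and *.ws.$DOMAIN as SAN DNS names (whole-name match, like the PR's grep,
// so *.$DOMAIN never satisfies $DOMAIN) and be valid at now. One message per failed check.
func CheckCert(certPEM []byte, domain string, now time.Time) []string {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return []string{"secret does not contain a PEM block"}
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return []string{"cannot parse X.509 certificate: " + err.Error()}
	}
	sans := "\n" + strings.Join(cert.DNSNames, "\n") + "\n" // one name per line so a whole-name match is possible
	var problems []string
	for _, want := range []string{domain, "*." + domain, "*.ws." + domain} {
		if !strings.Contains(sans, "\n"+want+"\n") {
			problems = append(problems, "missing SAN "+want)
		}
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		problems = append(problems, fmt.Sprintf("%v is outside validity window %v .. %v", now.UTC(), cert.NotBefore.UTC(), cert.NotAfter.UTC()))
	}
	return problems
}

// SelfSignedPEM builds a constructed self-signed certificate: test input standing in for the
// decoded https-certificates secret, not what cert-manager or LetsEncrypt would issue.
func SelfSignedPEM(dnsNames []string, notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed input, error ignored
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dnsNames, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
func main() {
	c := SelfSignedPEM([]string{"gitpod.example.com"}, time.Now().Add(-2*time.Hour), time.Now().Add(-time.Hour))
	fmt.Println(CheckCert(c, "gitpod.example.com", time.Now())) // two missing SANs plus an expired window
}
```

As the description notes, the time check is evaluated at the moment the bundle is collected, so a certificate that expires shortly after collection still passes here.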

@mrsimonemms mrsimonemms force-pushed the mrsimonemms/add-kots-support-bundle-11865 branch 2 times, most recently from c47e4c2 to b5d0e49 Compare September 30, 2022 09:57
@mrsimonemms mrsimonemms force-pushed the mrsimonemms/add-kots-support-bundle-11865 branch 4 times, most recently from 7081183 to e58e87c Compare September 30, 2022 11:06
@mrsimonemms mrsimonemms marked this pull request as ready for review September 30, 2022 11:20
@mrsimonemms mrsimonemms requested a review from a team September 30, 2022 11:20
@github-actions github-actions bot added the team: delivery Issue belongs to the self-hosted team label Sep 30, 2022
@mrsimonemms mrsimonemms force-pushed the mrsimonemms/add-kots-support-bundle-11865 branch from e58e87c to 6f22443 Compare September 30, 2022 13:36
@mrsimonemms mrsimonemms self-assigned this Sep 30, 2022
@Pothulapati Pothulapati self-requested a review October 3, 2022 05:00
@Pothulapati Pothulapati left a comment


LGTM! 👍🏼

holding on the small nit, but feel free to remove it if it's not worth it.

/hold

@mrsimonemms

/unhold

@roboquat roboquat merged commit feaa85f into main Oct 3, 2022
@roboquat roboquat deleted the mrsimonemms/add-kots-support-bundle-11865 branch October 3, 2022 07:47
Labels
release-note size/L team: delivery Issue belongs to the self-hosted team
Successfully merging this pull request may close these issues.

Add KOTS support bundle checks to validate certificate domain