Regenerate certificates to use SANs instead of Common Name #2461
Conversation
.travis.yml
Outdated
@@ -7,6 +7,44 @@ dist: bionic | |||
|
|||
matrix: | |||
include: | |||
# Go 1.15 |
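Review bot: the header (-7,6 +7,44) shows the `# Go 1.15` block being added as a second copy of the matrix entries rather than replacing them, so every CI step runs twice and the two copies will drift apart on the next edit. Bump the existing `matrix.include` entries from 1.14.x to 1.15.x in place; if a second Go version must be kept, limit it to a single unit-test step rather than the full matrix.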
I wasn't able to get matrix expansion working here, but figured it's pretty important to avoid silent regressions on Go 1.15 builds.
Was hoping we could simply add:

```yaml
go:
  - 1.14.x
  - 1.15.x
```

and remove the references to 1.14.x in the `matrix.include` list, but it seems `go` can't be expanded into the matrix.

Suggestions welcome!
Since the build now passes for 1.15, I suggest we just update 1.14 -> 1.15, instead of duplicating (the CI already runs for too long, we don't have capacity to double the number of steps).
We may want to add one extra step to run unit tests & lint with go tip (but I would do it in a separate PR).
Okay, updated to 1.15.
Where can I learn more about "go tip"?
I've seen it used elsewhere, e.g. https://github.com/opentracing/opentracing-go/blob/d34af3eaa63c4d08ab54863a4bdd0daa45212e12/.travis.yml#L7
Would an additional "tip" build version result in doubling the number of steps (1.15 + tip)?
Codecov Report
@@ Coverage Diff @@
## master #2461 +/- ##
==========================================
+ Coverage 95.57% 95.59% +0.01%
==========================================
Files 208 208
Lines 10690 10690
==========================================
+ Hits 10217 10219 +2
+ Misses 401 399 -2
Partials 72 72
Continue to review full report at Codecov.
pkg/config/tlscfg/testdata/README.md
Outdated
@@ -1,35 +1,60 @@ | |||
# Example Certificate Authority and Certificate creation for testing | |||
|
|||
The following commands were used to create the CA, server and client's certificates and keys | |||
The following commands were used to create the CA, server and client's certificates and keys. These certificates use the Subject Alternative Name extension rather than the Common Name, which will be unsupported in Go 1.15. |
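Review bot: "which will be unsupported in Go 1.15" on the added line overstates the change. Go 1.15 stops matching the host name against the Common Name when a certificate has no Subject Alternative Names (the legacy fallback is off by default, re-enabled only with `GODEBUG=x509ignoreCN=0` until Go 1.17 removed it); the Common Name field itself is still parsed and can still be set. Suggested wording: "Go 1.15 no longer matches the host name against the Common Name, so the host must appear in a Subject Alternative Name."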
just curious:
- couldn't we just move all of this into a script, instead of a run book?
- is there a flag for "accept defaults" to make the script even less interactive?
Good point, and yes, there's a way to accept defaults. I've modified this README file into a bash script.
Signed-off-by: albertteoh <albert.teoh@logz.io>
Force-pushed from 68a3c94 to 4c71d06.
# Generate config files. | ||
# The server name (under alt_names in the ssl.conf) is `example.com`. (in accordance to [RFC 2006](https://tools.ietf.org/html/rfc2606)) | ||
source gen-ssl-conf.sh example.com ssl.conf | ||
source gen-ssl-conf.sh wrong.com wrong-ssl.conf |
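Review bot: the comment cites "RFC 2006" while the link points at rfc2606, and `wrong.com` for the negative case is an ordinary registrable domain, not one of the names RFC 2606 reserves the way example.com is; use `wrong.example.com` or a `.invalid` name so the test never matches a certificate someone could legitimately hold. Sourcing the generator as written also drops `ssl.conf` and `wrong-ssl.conf` into the working directory, where they are easy to commit by accident.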
perhaps instead of writing to the current dir (and accidentally checking in), we could use temp dir

```bash
# template needs trailing X's for GNU mktemp; -t places it under $TMPDIR
tmp_dir=$(mktemp -d -t certificates.XXXXXXXX)
clean_up () {
    ARG=$?
    rm -rf "$tmp_dir"
    exit $ARG
}
trap clean_up EXIT
```
-CA example-CA-cert.pem \ | ||
-CAkey example-CA-key.pem \ | ||
-CAcreateserial \ | ||
-extfile ssl.conf |
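Review bot: `-CAcreateserial` writes a serial file (`example-CA-cert.srl`) beside the CA certificate, and `-extfile ssl.conf` without `-extensions` only applies the SAN section if the config names it as the default extensions section; pass `-extensions <section>` explicitly so a config edit cannot silently produce a certificate without SANs, and point the `.srl` and CSR output at a scratch directory so only the PEM files reach the source tree.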
how about writing PEM files into $tmp_dir
and then copying into the right place in the source tree?
printf "A script to generate SSL configuration files for testing purposes.\n\n" | ||
printf "Usage: ssl-conf-gen.sh DOMAIN_NAME OUTPUT_FILE\n\n" | ||
printf "Example: ssl-conf-gen.sh example.com ssl.conf\n" | ||
return |
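Review bot: the usage text names the script `ssl-conf-gen.sh` while the runbook invokes it as `gen-ssl-conf.sh`, and the bare `return` after printing usage exits with status 0, so a caller running under `set -e` carries on after a bad invocation; use `return 1` and send the usage message to stderr (`>&2`) so it does not end up in any file the caller redirects stdout to.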
should this be `exit -1` instead?
I believe negative numbers are not supported as return codes in bash. But good catch that it should return a non-0 return code.

`return` was intentional because this script is `source`d, which means it runs within the parent shell.

The added benefit of `source`-ing is that the `set -ex` that you suggested above will also apply in this script so commands in this script are printed to STDOUT and will also trigger an early exit if something fails.

If developers want to call this script separately, it can be run with `source gen-ssl-conf.sh <args...>`.
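What a generator built along the lines discussed in this thread could look like, as an added example and not the PR's `gen-ssl-conf.sh`: `write_ssl_conf` emits an OpenSSL config whose `[ alt_names ]` section carries the domain and returns a non-zero status on bad usage; `gen_certs` runs the CA and server steps inside a `mktemp` directory that an EXIT trap removes, verifies the SAN is honoured, and copies only the PEM files out. The `example-CA-*.pem` names and the `alt_names` section follow the hunks above; the other section names, the P-256 keys, the CA subject, the `example-server-*` names and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Jaeger code. Generates SAN-bearing test certificates in a
# scratch directory and copies only the PEM files into DEST_DIR.
set -eu

# write_ssl_conf DOMAIN_NAME OUTPUT_FILE
# The host goes into the SAN extension; the CN is set for readability only and
# is not relied upon for hostname matching. Returns 1 on bad usage so a
# caller running under set -e stops here.
write_ssl_conf() {
  if [ "$#" -ne 2 ]; then
    printf 'Usage: write_ssl_conf DOMAIN_NAME OUTPUT_FILE\n' >&2
    return 1
  fi
  domain="$1"
  cat > "$2" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = ${domain}

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = ${domain}
EOF
}

# san_in_conf FILE DOMAIN_NAME: succeeds if DOMAIN_NAME is listed under alt_names.
san_in_conf() {
  grep -qx "DNS.1 = $2" "$1"
}

# gen_certs DOMAIN_NAME DEST_DIR: CA + server certificate via openssl, built in a
# temporary directory so the .srl, CSR and config never land in the source tree.
gen_certs() {
  domain="$1"
  dest="$2"
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found, skipping certificate generation" >&2
    return 0
  fi
  tmp_dir="$(mktemp -d)"
  # expand now, so the trap still knows the path when the shell exits
  trap "rm -rf '$tmp_dir'" EXIT
  write_ssl_conf "$domain" "$tmp_dir/ssl.conf"

  openssl ecparam -genkey -name prime256v1 -noout -out "$tmp_dir/example-CA-key.pem"
  openssl req -x509 -new -key "$tmp_dir/example-CA-key.pem" -config "$tmp_dir/ssl.conf" \
    -subj "/CN=Example Test CA" -extensions v3_ca -days 365 -out "$tmp_dir/example-CA-cert.pem"

  openssl ecparam -genkey -name prime256v1 -noout -out "$tmp_dir/example-server-key.pem"
  openssl req -new -key "$tmp_dir/example-server-key.pem" -config "$tmp_dir/ssl.conf" \
    -out "$tmp_dir/example-server.csr"
  # -extensions names the section explicitly so the SAN cannot be dropped silently
  openssl x509 -req -in "$tmp_dir/example-server.csr" -days 365 \
    -CA "$tmp_dir/example-CA-cert.pem" -CAkey "$tmp_dir/example-CA-key.pem" -CAcreateserial \
    -extfile "$tmp_dir/ssl.conf" -extensions v3_req -out "$tmp_dir/example-server-cert.pem"

  # Fail before copying if the chain or the SAN-based hostname match is wrong.
  openssl verify -CAfile "$tmp_dir/example-CA-cert.pem" "$tmp_dir/example-server-cert.pem"
  openssl x509 -in "$tmp_dir/example-server-cert.pem" -noout -checkhost "$domain" | grep -q "does match"

  mkdir -p "$dest"
  cp "$tmp_dir/example-CA-cert.pem" "$tmp_dir/example-server-cert.pem" \
     "$tmp_dir/example-server-key.pem" "$dest/"
}

# Run with two arguments to generate; when sourced for its functions, do nothing.
if [ "$#" -eq 2 ]; then
  gen_certs "$1" "$2"
fi
```

Invoked as `./gen-certs.sh example.com pkg/config/tlscfg/testdata` (assumed paths), only the three PEM files change in the tree; the serial file, CSR and generated config disappear with the temporary directory, which is the point the thread raises about accidental check-ins.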
@@ -1,35 +0,0 @@ | |||
# Example Certificate Authority and Certificate creation for testing |
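Review bot: deleting the whole README (-1,35 +0,0) removes the only in-tree explanation of how these certificates are produced and why they carry SANs; keep a short README in this directory that names the generator script, the command to run it, and the fact that the host must be in a Subject Alternative Name for Go 1.15.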
I would keep the README with some basic instruction how to regenerate certificates, preferably via a make command.
README.md and Makefile added.
I was actually referring to the main Makefile. If it's just in this dir then I would simply provide instructions for running the script directly.
Signed-off-by: albertteoh <albert.teoh@logz.io>
🎉 🎉 🎉
one of the commits is not signed (probably the merge). You may want to squash into one:
Signed-off-by: albertteoh <albert.teoh@logz.io>
Force-pushed from bffee26 to f361cda.
Signed-off-by: albertteoh <albert.teoh@logz.io>
Which problem is this PR solving?
Proposed fix to a failing test caused by Go 1.15 dropping support for Common Names.
Please let me know if there is a better way of generating certs using SANs or if any configurations appear spurious, as this is pretty new to me.
Closes #2435
Short description of the changes