Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

implement trusting a CA bundle #14609

Closed
4 tasks done
ReToCode opened this issue Nov 10, 2023 · 3 comments · Fixed by #14717
Closed
4 tasks done

implement trusting a CA bundle #14609

ReToCode opened this issue Nov 10, 2023 · 3 comments · Fixed by #14717
Assignees
@ReToCode
Milestone
v1.14.0

Comments

@ReToCode
Copy link
Member

ReToCode commented Nov 10, 2023
edited
Loading

If we are using cert-manager, we currently build our trust on reading the ca.crt in the generated certificate's Secret to configure trust in:

  • activator
  • net-* implementation

Digging into the docs and asking our cert-manager team, they strongly recommend to use trust-manager to distribute a trust bundle decoupled from the actual secret generation. With that in place, it enables to rotate the CA without breaking the trust:

  1. The administrator, manually adds the old and new CA to the trust-bundle
  2. trust-manager distributes it to all workload
  3. The administrator updates the CA, all certificates are recreated when they are expired or when they are force-renewed
  4. The administrator removes the old CA from the trust-bundle

Note the relevant bits from the docs

Say you have a cert-manager Issuer which has the root certificate you want to trust in ca.crt. It's tempting to use the Secret directly and point at ca.crt, but a best practice would be to copy that root into a separate ConfigMap (or Secret). The reason is - as with many TLS gotchas - certificate rotation. If you rotate your issuer such that it's issued from a new root certificate, trust-manager will see the Secret be updated and automatically update your trust bundle to include the new root - immediately distrusting the old root. That means that if any services were still using a certificate issued by the old root, they'll be distrusted and will break.

To not limit the use to just trust-manager, we can use the API of a ConfigMap containing one or more PEM formatted certificates as trust-bundle sources. This also works with other approaches like OpenShift PKI or OpenShift Service Signer which have the same interface, see https://github.com/ReToCode/knative-encryption/blob/main/8-trust-sources/README.md. In the future we can also add https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3257-cluster-trust-bundles as a possible extension or replacement.

Tasks
@ReToCode ReToCode converted this from a draft issue Nov 10, 2023
@ReToCode
Copy link
Member Author

/cc @skonto, @nak3, @KauzClay , @dprotaso , @pierDipi

@ReToCode ReToCode mentioned this issue Nov 16, 2023
Closed
7 tasks
@ReToCode
Copy link
Member Author

ReToCode commented Nov 24, 2023
edited
Loading

Some initial investigation results here: https://github.com/ReToCode/knative-encryption/tree/main/8-trust-sources#trust-manager.

Having CA Bundles in a Configmap is pretty common. OpenShift also has solutions that work this way. All of them allow to add a custom label to filter on them. So it might be a good approach to not limit the implementation to trust-manager, but instead to just read Configmaps with a specific label having PEM based bundles in them.

@dprotaso
Copy link
Member

dprotaso commented Nov 24, 2023
edited
Loading

Also there's something coming in Kubernetes

https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3257-cluster-trust-bundles

@ReToCode ReToCode self-assigned this Dec 5, 2023
@ReToCode ReToCode moved this to In Progress in Serving Encryption Dec 5, 2023
@ReToCode ReToCode mentioned this issue Dec 6, 2023
Merged
@ReToCode ReToCode mentioned this issue Dec 14, 2023
Merged
@ReToCode ReToCode changed the title implement trust-manager integration implement trusting a CA bundle Dec 14, 2023
@pierDipi pierDipi removed this from Eventing TLS Jan 25, 2024
@ReToCode ReToCode mentioned this issue Jan 26, 2024
Merged
@ReToCode ReToCode added this to the v1.14.0 milestone Jan 30, 2024
@ReToCode ReToCode mentioned this issue Mar 7, 2024
Open
@github-project-automation github-project-automation bot moved this from In Progress to Done in Serving Encryption Mar 8, 2024
@ReToCode ReToCode mentioned this issue May 30, 2024
Closed
mgencur added a commit to mgencur/serving-1 that referenced this issue May 30, 2024
@mgencur
Do not delete ingress Secret in tests for internal tls
c61d2ed 
This test relies on trusting certificates as described in
knative#14609
This is currently not implemented in net-istio, and it's tracked as
knative-extensions/net-istio#1328
@mgencur mgencur mentioned this issue May 30, 2024
Merged
knative-prow bot pushed a commit that referenced this issue May 30, 2024
@mgencur
Do not delete ingress Secret in tests for internal tls (#15280)
f84265a 
This test relies on trusting certificates as described in
#14609
This is currently not implemented in net-istio, and it's tracked as
knative-extensions/net-istio#1328
ReToCode pushed a commit to ReToCode/serving that referenced this issue May 31, 2024
@mgencur @ReToCode
Do not delete ingress Secret in tests for internal tls (knative#15280)
2578809 
This test relies on trusting certificates as described in
knative#14609
This is currently not implemented in net-istio, and it's tracked as
knative-extensions/net-istio#1328

(cherry picked from commit f84265a)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ReToCode ReToCode

Labels
None yet
Projects
Serving Encryption
Status: Done
Serving Milestones
Status: Done
Milestone
v1.14.0
Development

Successfully merging a pull request may close this issue.

add upstream TLS trust from CM bundles ReToCode/serving
2 participants
@dprotaso @ReToCode