Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Implement tls checker for webhook #1696

Merged
merged 4 commits into from
Jan 5, 2022
Merged

feat: Implement tls checker for webhook #1696

merged 4 commits into from
Jan 5, 2022

Conversation

ethernoy
Copy link
Contributor

@ethernoy ethernoy commented Nov 25, 2021
edited
Loading

Signed-off-by: Ethern Su ehaprime@gmail.com

What this PR does / why we need it:

This PR is a purposed solution of #1684, which adds a TLS checker over healthz probe in webhook server to detect the case where file in certsDir is not correctly served in webhook server (it can actually be reproduced easily)

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #1684

Special notes for your reviewer:

I am submitting this draft PR because I want to have a working example of the solution I suggested, so that we can proceed to discuss whether this solution is preferred and make changes if approriate. If this solution is preferred, I will ready this PR with more documentation in websites and code comments.

Also I am new to this project, please let me know if there is any implementation/formatting issue in my code :)

@maxsmythe
Copy link
Contributor

Thanks for the PR! It's marked as a draft, is that still the case?

@ethernoy
Copy link
Contributor Author

Thanks for the PR! It's marked as a draft, is that still the case?

@maxsmythe Hi! I mark this as draft because I hope a reviewer can help to check if this feature is good to go. If it is, I will add the relevant documentation and remove the draft label.

@ethernoy
Copy link
Contributor Author

I have implemented the tlsChecker that is attached in liveness probe when enabled. It compares the certificate served by webhook server and the certificate saved in certDir, and returns error when mismatched is found during a liveness probe check.

Attached is the log of a failed check. Kubelet is about to kill this pod, after this, the secret should resume normal:

image

@ethernoy ethernoy marked this pull request as ready for review December 14, 2021 15:53
@ethernoy
Copy link
Contributor Author

@maxsmythe Hi, do you mind take a look? :)

maxsmythe
maxsmythe approved these changes Dec 15, 2021
View reviewed changes
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I dropped the ball on reviewing this. LGTM. Thank you for flag-gating it!

@codecov-commenter
Copy link

codecov-commenter commented Dec 15, 2021
edited
Loading

Codecov Report

Merging #1696 (37e8d88) into master (48eab16) will decrease coverage by 0.39%.
The diff coverage is 0.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1696      +/-   ##
==========================================
- Coverage   52.14%   51.74%   -0.40%     
==========================================
  Files          98       99       +1     
  Lines        8781     8816      +35     
==========================================
- Hits         4579     4562      -17     
- Misses       3837     3887      +50     
- Partials      365      367       +2
Flag Coverage Δ
unittests 51.74% <0.00%> (-0.40%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/webhook/health_check.go 0.00% <0.00%> (ø)
...onstrainttemplate/constrainttemplate_controller.go 53.36% <0.00%> (-5.77%) ⬇️
pkg/readiness/ready_tracker.go 70.33% <0.00%> (+0.50%) ⬆️
pkg/watch/replay.go 81.25% <0.00%> (+2.27%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ecf4538...37e8d88. Read the comment docs.

@ethernoy
Copy link
Contributor Author

The case fails as this healthcheck probe needs use an insecure http client to get the certificates served in webhook no matter what CA it is using. I believe this is not an issue.

@maxsmythe
Copy link
Contributor

Can you set a skip directive for the linter for that line.

I agree the insecure TLS is not an issue here.

@ethernoy ethernoy changed the title implemented tls checker for webhook; feat: Implement tls checker for webhook Dec 17, 2021
@ethernoy
Copy link
Contributor Author

@maxsmythe

skip directive added and tested locally on my machine.

sozercan
sozercan requested changes Dec 17, 2021
View reviewed changes
ritazh
ritazh reviewed Dec 18, 2021
View reviewed changes
ritazh
ritazh approved these changes Dec 18, 2021
View reviewed changes
Copy link
Member

@ritazh ritazh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @ethernoy! Approved pending #1696 (comment) and make manifests

@ethernoy
implemented tls checker for webhook;
ea760af 
updated staging helm chart for feature enablement;

Signed-off-by: Ethern Su <ehaprime@gmail.com>
@ethernoy
Merge branch 'open-policy-agent:master' into feature/introduce-tls-check
f01f784
@ethernoy ethernoy requested a review from sozercan December 18, 2021 06:49
sozercan
sozercan approved these changes Jan 3, 2022
View reviewed changes
Copy link
Member

@sozercan sozercan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! LGTM

@sozercan
Copy link
Member

sozercan commented Jan 4, 2022

@ethernoy looks like there is a diff here when running make manifests. https://github.com/open-policy-agent/gatekeeper/tree/master/cmd/build/helmify/static needs to be updated with the correct values. after running make manifests there shouldn't be any diff

@ethernoy
updated helmify static manifests;
37e8d88 
Signed-off-by: Ethern Su <ehaprime@gmail.com>
@ethernoy
Copy link
Contributor Author

ethernoy commented Jan 5, 2022

@ethernoy looks like there is a diff here when running make manifests. https://github.com/open-policy-agent/gatekeeper/tree/master/cmd/build/helmify/static needs to be updated with the correct values. after running make manifests there shouldn't be any diff

@sozercan updated helmify static manifests.

@sozercan sozercan merged commit a478ae6 into open-policy-agent:master Jan 5, 2022
@ethernoy ethernoy deleted the feature/introduce-tls-check branch January 6, 2022 06:44
@arvisha16
Copy link

Hello team,

When can we merge the fix into a release?
We need fix, please plan and let me know, thanks so much!

@ethernoy
Copy link
Contributor Author

ethernoy commented May 4, 2022

Hello team,

When can we merge the fix into a release? We need fix, please plan and let me know, thanks so much!

Hi, this fix should already be in release 3.8.0

@arvisha16
Copy link

Hello @ethernoy ethernoy

Thanks so much for the quick reply, we will use 3.8.0

Cheers,
Arvind

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sozercan sozercan sozercan approved these changes

@ritazh ritazh ritazh approved these changes

@maxsmythe maxsmythe maxsmythe approved these changes

@shomron shomron Awaiting requested review from shomron

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
6 participants
@ethernoy @maxsmythe @codecov-commenter @sozercan @arvisha16 @ritazh