enhancements/authentication: detect invalid certificates

[s-urbaniak]

/cc @sttts @stlaz @deads2k

[sttts]

custom serving certs for kube-apiserver

[s-urbaniak]

@sttts do you have a place where I can hook into the verification of those? Currently, I think we'd need a separate controller in cluster-kube-apiserver-operator that checks config.openshift.io.APIServer#servingInfo.namedCertificates, parses them, and verifies for invalid certs.

[sttts]

I believe @sanchezl worked on that. He can link the code here.

[stlaz]

which is going to end up by what, a degraded condition on an "invalid" certificate?

[stlaz]

You should also extend the https://github.com/openshift/cluster-authentication-operator/blob/d2f6218a6ab2daccbec43f71a495de1c80529ef6/pkg/controllers/customroute/custom_route_controller.go#L55 to not accept "invalid" certificates

[s-urbaniak]

augmenting https://github.com/openshift/cluster-authentication-operator/blob/d2f6218a6ab2daccbec43f71a495de1c80529ef6/pkg/controllers/customroute/custom_route_controller.go#L55 is a good idea.

However we have to be careful: this concrete logic must not be backported. If users configured legacy certificates in the previous releases we have to block upgrades.

[s-urbaniak]

a degraded condition on an "invalid" certificate?

most likely yes, a degraded condition of i.e. authentication-operator will appear, as the connection will fail to verify.

[bparees]

do we at least know what the other workloads are that are likely impacted by this?

does every component that exposes a TLS metrics endpoint need to do work, for example?

[s-urbaniak]

I am not aware that all components expose a TLS metric like this. Our finding refers concretely to a contribution that was made upstream to Kubernetes.

An initial search on the openshift org reveals quite a few usages: https://github.com/search?q=org%3Aopenshift+x509ignoreCN%3D0&type=code

maybe @eparis has more insight as I believe he had touch points with the GODEBUG=x509ignoreCN=0 setting.

[wking]

are we planning to backport an Upgradeable=False guard for this, or rely on the alert, or start with the alert and maybe follow up with Upgradeable=False if we see a lot of alerts, or...?

[s-urbaniak]

@wking the suggestion is to backport an Upgradeable=False guard for this. An alert would be feasible if, after the upgrade, the cluster would be functional. However, in the presence of invalid certificates, a cluster will simply be dysfunctional after the upgrade to 4.10.

[deads2k]

a way to prevent upgrades from OpenShift 4.9 to OpenShift 4.10 in the face of invalid certificates
For cases where the platform is a client, this is probably valid. For cases where the platform is a server, but not a client, I think it's too strong to block upgrades. Can you separate the cases?

[s-urbaniak]

i think all the cases enumerated here are platform clients:

• custom serving certificates for kube-apiserver: openshift workloads invoking api calls
• custom API webhooks: kube-apiserver being the client
• custom aggregated API endpoints: kube-apiserver being the client
• custom certificates for route endpoints: openshift oauth-proxy workloads being the client
• certificates of external auth identity providers: oauth-server being the client

[s-urbaniak]

Also submitted https://bugzilla.redhat.com/show_bug.cgi?id=2031839 to track urgency with respect to 4.10.

[slaskawi]

You probably mean during "TLS Handshake procedure" or when a client verified "Server Hello".

[soltysh]

One nit, rest lgtm

[soltysh]

cluster-kube-apiserver-operator

[deads2k]

What clients of this external server do we have?

[deads2k]

What clients of this external server do we have?
If it is just the operator, could the operator build a custom verifier for the check?

[s-urbaniak]

If it is just the operator, could the operator build a custom verifier for the check?

The client, in this case, is oauth-server, not authentication-operator.

[deads2k]

alerting on this as well seems appropriate

[deads2k]

adding the metric for an alert seems valid regardless

[s-urbaniak]

indeed, good idea.

[pierreprinetti]

Shall we add certificates securing infrastructure API as a target case here?

For example, an OpenStack cloud exposing its API endpoints with a custom certificate. We have several platform-specific touchpoints (eg cluster-api-provider-openstack) that would need to expose the metric, if I understand this enhancement correctly

[s-urbaniak]

i'd consider this as a separate enhancement proposal or separate bugzilla. This proposal was not meant to be catch-all to focus on scope for the auth team.

[pierreprinetti]

OK. Opened https://bugzilla.redhat.com/show_bug.cgi?id=2038166 , thanks

[pierreprinetti]

I would also be interested in what happens in future releases.

Scenario: a new 4.11 feature triggers calls to a new HTTPS endpoint. The feature, that doesn't exist in 4.10, is active in 4.11 independently of user intervention. The new HTTPS endpoint is served with what you defined as "invalid certificate".

In this scenario, upgrading from 4.10 to 4.11 potentially brings the cluster to an unstable state.

In general terms: for each new HTTPS endpoint we call in 4.y, do we commit on adding an HTTPS-cert check in 4.y-1.z? Do we commit to doing that until a specific date?

For context, Chrome has dropped support for CN in v58 in April 2017.

[s-urbaniak]

Starting from 4.10 we're not having a go runtime any more that is capable to accept legacy cert based endpoints in the first place.

[pierreprinetti]

It seemed to me that library-go's IsHostnameError was specifically designed for checking invalid certificates under Go v1.17+. What am I missing?

[s-urbaniak]

No, IsHostnameError will only work with <=1.16.

[openshift-bot]

Inactive enhancement proposals go stale after 28d of inactivity.

See https://github.com/openshift/enhancements#life-cycle for details.

Mark the proposal as fresh by commenting /remove-lifecycle stale.
Stale proposals rot after an additional 7d of inactivity and eventually close.
Exclude this proposal from closing by commenting /lifecycle frozen.

If this proposal is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale enhancement proposals rot after 7d of inactivity.

See https://github.com/openshift/enhancements#life-cycle for details.

Mark the proposal as fresh by commenting /remove-lifecycle rotten.
Rotten proposals close after an additional 7d of inactivity.
Exclude this proposal from closing by commenting /lifecycle frozen.

If this proposal is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[openshift-bot]

Rotten enhancement proposals close after 7d of inactivity.

See https://github.com/openshift/enhancements#life-cycle for details.

Reopen the proposal by commenting /reopen.
Mark the proposal as fresh by commenting /remove-lifecycle rotten.
Exclude this proposal from closing again by commenting /lifecycle frozen.

/close

[openshift-ci]

@openshift-bot: Closed this PR.

In response to this:

Rotten enhancement proposals close after 7d of inactivity.

See https://github.com/openshift/enhancements#life-cycle for details.

Reopen the proposal by commenting /reopen.
Mark the proposal as fresh by commenting /remove-lifecycle rotten.
Exclude this proposal from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sdodson]

/reopen
It's my understanding that this has already been implemented. Can we do a quick review to see where this diverges from implementation and get this merged?

[openshift-ci]

@sdodson: Reopened this PR.

In response to this:

/reopen
It's my understanding that this has already been implemented. Can we do a quick review to see where this diverges from implementation and get this merged?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-bot]

Rotten enhancement proposals close after 7d of inactivity.

See https://github.com/openshift/enhancements#life-cycle for details.

Reopen the proposal by commenting /reopen.
Mark the proposal as fresh by commenting /remove-lifecycle rotten.
Exclude this proposal from closing again by commenting /lifecycle frozen.

/close

[openshift-ci]

@openshift-bot: Closed this PR.

In response to this:

Rotten enhancement proposals close after 7d of inactivity.

See https://github.com/openshift/enhancements#life-cycle for details.

Reopen the proposal by commenting /reopen.
Mark the proposal as fresh by commenting /remove-lifecycle rotten.
Exclude this proposal from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[s-urbaniak]

/reopen

[openshift-ci]

@s-urbaniak: Reopened this PR.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[pierreprinetti]

/remove-lifecycle rotten

I am supporting @s-urbaniak in finalising this proposal.

I have addressed what I believe are the outstanding comments:

• @slaskawi please verify the response to your comment (TLS Handshake procedure vs TSL client handshakes)
• @soltysh please verify the response to your comment (cluster-kube-apiserver-operator vs cluster-kube-apiserver)
• @deads2k I have added "alterting" as a non-goal, for the purpose of finalising the enhancement focusing on the minimum viable logic useful to prevent catastrophic failures on upgrade. WDYT?

I will squash before merge as soon as we converge to consensus.

[pierreprinetti]

@slaskawi @soltysh @deads2k @s-urbaniak
Based on the absence of angry negative feedback, I am going to squash so that the PR is ready to merge.

[pierreprinetti]

Minor fix: correcting the "created" and "updated" dates at the top of the document.

[pierreprinetti]

I believe this PR is ready for you to consider LGTM'ing, @mfojtik.

[mfojtik]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mfojtik, soltysh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mfojtik,soltysh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@s-urbaniak: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.