Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

improve CA and certificate generation #2834

Merged
merged 1 commit into from
Aug 9, 2022
Merged

improve CA and certificate generation #2834

merged 1 commit into from
Aug 9, 2022

Conversation

joelanford
Copy link
Member

Motivation for the change:
Recently during an audit on a user's cluster, it was discovered that
OLM's certificate generation functionality has a few minor shortcomings.

  1. The generated CA and server cert do not include a common name,
    which causes some tooling to have trouble tracing the cert chain.
  2. The generated CA and server cert include unnecessary key usages,
    which means those certificates can be used for more than their
    intended purposes.

Description of the change:
This commit resolves the above issues by ensuring the certificates
include common names and by using the minimal key usages necessary.

Testing remarks:
Thus far, I have only manually tested via run-local and verified that:

  1. The generated packageserver secret contained the expected cerificates.
  2. The packagemanifests API worked (thus proving the kube-apiserver can use OLM's generated CA to verify OLM's generated cert for the packageserver api service.

Reviewer Checklist

  • Implementation matches the proposed design, or proposal is updated to match implementation
  • Sufficient unit test coverage
  • Sufficient end-to-end test coverage
  • Bug fixes are accompanied by regression test(s)
  • e2e tests and flake fixes are accompanied evidence of flake testing, e.g. executing the test 100(0) times
  • tech debt/todo is accompanied by issue link(s) in comments in the surrounding code
  • Tests are comprehensible, e.g. Ginkgo DSL is being used appropriately
  • Docs updated or added to /doc
  • Commit messages sensible and descriptive
  • Tests marked as [FLAKE] are truly flaky and have an issue
  • Code is properly formatted

@joelanford
improve CA and certificate generation
b2b6681 
Recently during an audit on a user's cluster, it was discovered that
OLM's certificate generation functionality has a few minor shortcomings.
  1) The generated CA and server cert do not include a common name,
     which causes some tooling to have trouble tracing the cert chain.
  2) The generated CA and server cert include unnecessary key usages,
     which means those certificates can be used for more than their
     intended purposes.

This commit resolves the above issues by ensuring the certificates
include common names and by using the minimal key usages necessary.

Signed-off-by: Joe Lanford <joe.lanford@gmail.com>
dinhxuanvu
dinhxuanvu approved these changes Aug 9, 2022
View reviewed changes
Copy link
Member

@dinhxuanvu dinhxuanvu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@openshift-ci
Copy link

openshift-ci bot commented Aug 9, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dinhxuanvu, joelanford

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 9, 2022
timflannagan
timflannagan reviewed Aug 9, 2022
View reviewed changes
pkg/controller/certs/certs.go
@@ -120,12 +120,12 @@ func CreateSignedServingPair(notAfter time.Time, organization string, ca *KeyPai
certDetails := &x509.Certificate{
SerialNumber: serial,
Subject: pkix.Name{
CommonName: hosts[0],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we do any length checking for the hosts array length anywhere?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right now, it always has exactly two items:

  1. <svcName>.<svcNamespace>
  2. <svcName>.<svcNamespace>.svc

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alright, works for me.

/lgtm

@timflannagan
Copy link
Contributor

Just one quick question, but otherwise this lgtm.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 9, 2022
@openshift-merge-robot openshift-merge-robot merged commit 13fa7be into operator-framework:master Aug 9, 2022
@joelanford joelanford deleted the cert-gen branch August 10, 2022 01:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timflannagan timflannagan timflannagan left review comments

@dinhxuanvu dinhxuanvu dinhxuanvu approved these changes

@anik120 anik120 Awaiting requested review from anik120

Assignees

@timflannagan timflannagan

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@joelanford @timflannagan @dinhxuanvu @openshift-merge-robot