-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SECURESIGN-994] Add TLS to Fulcio and CTlog services #492
base: main
Are you sure you want to change the base?
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: fghanmi The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
b387080
to
7092e63
Compare
df48e12
to
e9ef614
Compare
77ab1ce
to
1219155
Compare
56b68b4
to
b2a2989
Compare
b2a2989
to
1943664
Compare
api/v1alpha1/ctlog_types.go
Outdated
@@ -48,6 +48,9 @@ type CTlogSpec struct { | |||
// publicKeyRef, rootCertificates and trillian will be overridden. | |||
//+optional | |||
ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"` | |||
// Configuration for enabling TLS (Transport Layer Security) encryption for manged database. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please fix doc, it is configuration to encrypt CTlog server
@@ -309,7 +309,7 @@ metadata: | |||
features.operators.openshift.io/token-auth-azure: "false" | |||
features.operators.openshift.io/token-auth-gcp: "false" | |||
operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]' | |||
operators.operatorframework.io/builder: operator-sdk-v1.34.2 | |||
operators.operatorframework.io/builder: operator-sdk-v1.34.1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do not change operator-sdk version
api/v1alpha1/common.go
Outdated
//+kubebuilder:validation:Maximum:=65535 | ||
//+kubebuilder:default:=80 | ||
//+kubebuilder:default:=0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think that default port 0
is the right choice. I would prefer to omit this value (use nil
) in case it is not used.
instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace) | ||
case instance.Spec.Ctlog.Port == nil: | ||
port := int32(80) | ||
if instance.Spec.Ctlog.Address == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
instance.Spec.TrustedCA != nil
does not necessary means that you have TLS enabled CTLog service. I would try to load Ctlog service and try to get scheme and port from it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, Fulcio needs to depend on CTlog and should only start after CTlog has started, in order to fetch its service. Is that correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- there is no dependency on CTLog itself. You can use label selector to find the service
- your deployment depends on
ctlog.namespace.svc"
anyway so your fulcio Fulcio will not become fully ready until Ctlog starts. The only downside of this solution is that Fulcio would wait for Ctlog service to be created but I don't think that it is a big problem.
@osmman WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wold do it like this
var url
if instance.Spec.Ctlog.Address != "" && instance.Spec.Ctlog.Port != "" {
url = // use specified
} else {
svc := FindService(ctx, cli, LabelsForComponent(ctl.ComponentName, instance.Name)
// retrieve protocol from service port
// compose url
url = fmt.Sprintf("%s%s.svc:%d", svc.Name, svc.Namespace, svc.Port)
}
url += instance.Spec.Ctlog.Preffix
I hope the above snapshot is clear enough.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please do not depends on services, you need to keep support of independent deployment so ctlog and fulcio could be deployed separatly (different namespace, cluster) and Fulcio will sucessfuly start without runnig CTlog only create certificate requests will be rejected which is intended behavior.
So please try to use only information which are present in Fulcio resource
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we have TrustedCA
, but as Jan said, it does not necessarily mean that CTlog has TLS enabled..
that's why in the beginning, I was using a dedicated field for that TLS.CaCert
, I used it to decide whether fulcio should use TLS or not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please do not depends on services, you need to keep support of independent deployment so ctlog and fulcio could be deployed separatly (different namespace, cluster) and Fulcio will sucessfuly start without runnig CTlog only create certificate requests will be rejected which is intended behavior.
So please try to use only information which are present in Fulcio resource
I was thinking about it like a fail-over solution in case there is no information in Fulcio resource. With Firas solution, you only think that you should use tls (based on env) but the running CTL does not need to be TLS secured at all. You can get much more valid information from service itself. Service lookup (based on labels) does not create any hard dependency and we already use label selectors in the TUF key auto-discovery.
}) | ||
return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not get CA path: %w", err), instance) | ||
} | ||
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--ct-log.tls-ca-cert", caPath) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not even Fulcio is able to use SSL_CERT_DIR
variable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the only TLS option I see is this one:
/~https://github.com/sigstore/fulcio/blob/main/cmd/app/serve.go#L112
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What I see in the implementation, the server should work with system certs. Give it a try, please. /~https://github.com/securesign/fulcio/blob/main/cmd/app/serve.go#L279-L302
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fulcio.Spec.TrustedCA does not necessarily mean that you specify CA for CTLog -> I would prefer to mount it as system CA
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was able to make it working with system-certs. This is my PoC bouskaJ@b9f4154
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bouskaJ I've cherry-picked your suggestion, and tested it, all works fine! Thanks!
func GetService(client client.Client, namespace, serviceName string) (*corev1.Service, error) { | ||
var service corev1.Service | ||
|
||
err := client.Get(context.TODO(), types.NamespacedName{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do not create new context. Pass existing one.
}) | ||
return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not get CA path: %w", err), instance) | ||
} | ||
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--ct-log.tls-ca-cert", caPath) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fulcio.Spec.TrustedCA does not necessarily mean that you specify CA for CTLog -> I would prefer to mount it as system CA
instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace) | ||
case instance.Spec.Ctlog.Port == nil: | ||
port := int32(80) | ||
if instance.Spec.Ctlog.Address == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wold do it like this
var url
if instance.Spec.Ctlog.Address != "" && instance.Spec.Ctlog.Port != "" {
url = // use specified
} else {
svc := FindService(ctx, cli, LabelsForComponent(ctl.ComponentName, instance.Name)
// retrieve protocol from service port
// compose url
url = fmt.Sprintf("%s%s.svc:%d", svc.Name, svc.Namespace, svc.Port)
}
url += instance.Spec.Ctlog.Preffix
I hope the above snapshot is clear enough.
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
No description provided.