Merge pull request #1556 from openshift-cherrypick-robot/cherry-pick-…

…1548-to-release-0.6 [release-0.6] reconciler/apiexport: switch from rsa4096 to 256 bit cryptographic random string
kcp-dev · Jul 18, 2022 · 47e2320 · 47e2320
2 parents ef58658 + 46e8f92
commit 47e2320
Show file tree

Hide file tree

Showing 8 changed files with 61 additions and 15 deletions.
diff --git a/pkg/crypto/rand.go b/pkg/crypto/rand.go
@@ -0,0 +1,50 @@
+/*
+Copyright 2022 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package crypto
+
+import (
+	"encoding/base64"
+	"math/rand"
+)
+
+// RandomBits returns a random byte slice with at least the requested bits of entropy.
+// Callers should avoid using a value less than 256 unless they have a very good reason.
+func RandomBits(bits int) []byte {
+	size := bits / 8
+	if bits%8 != 0 {
+		size++
+	}
+	b := make([]byte, size)
+	if _, err := rand.Read(b); err != nil {
+		panic(err) // rand should never fail
+	}
+	return b
+}
+
+// RandomBitsString returns a random string with at least the requested bits of entropy.
+// It uses RawURLEncoding to ensure we do not get / characters or trailing ='s.
+func RandomBitsString(bits int) string {
+	return base64.RawURLEncoding.EncodeToString(RandomBits(bits))
+}
+
+// Random256BitsString is a convenience function for calling RandomBitsString(256).
+// Callers that need a random string should use this function unless they have a
+// very good reason to need a different amount of entropy.
+func Random256BitsString() string {
+	// 32 bytes (256 bits) = 43 base64-encoded characters
+	return RandomBitsString(256)
+}
diff --git a/pkg/reconciler/apis/apibinding/apibinding_reconcile.go b/pkg/reconciler/apis/apibinding/apibinding_reconcile.go
@@ -268,7 +268,7 @@ func (c *controller) reconcileBinding(ctx context.Context, apiBinding *apisv1alp
 		if existingCRD == nil {
 			// Create flow
 
-			klog.V(2).Infof("Creating CRD %s|%s for APIBinding %s|%s", ShadowWorkspaceName, crd.Name, logicalcluster.From(apiBinding), apiBinding.Name)
+			klog.V(2).Infof("Creating CRD %s|%s for APIBinding %s|%s resource %s.%s", ShadowWorkspaceName, crd.Name, logicalcluster.From(apiBinding), apiBinding.Name, crd.Spec.Names.Plural, crd.Spec.Group)
 			if _, err := c.createCRD(ctx, ShadowWorkspaceName, crd); err != nil {
 				schemaClusterName := logicalcluster.From(schema)
 				if apierrors.IsInvalid(err) {

diff --git a/pkg/reconciler/apis/apiexport/apiexport_reconcile.go b/pkg/reconciler/apis/apiexport/apiexport_reconcile.go
@@ -127,7 +127,7 @@ func (c *controller) createIdentitySecret(ctx context.Context, clusterName logic
 		return err
 	}
 
-	klog.V(2).Infof("Creating identity secret %s/%s for APIExport %s|%s", clusterName, secret.Name, clusterName, apiExportName)
+	klog.V(2).Infof("Creating identity secret %s|%s/%s for APIExport %s|%s", clusterName, c.secretNamespace, secret.Name, clusterName, apiExportName)
 	if err := c.createSecret(ctx, clusterName, secret); err != nil {
 		return err
 	}

diff --git a/pkg/reconciler/apis/apiexport/crypto.go b/pkg/reconciler/apis/apiexport/crypto.go
@@ -17,36 +17,32 @@ limitations under the License.
 package apiexport
 
 import (
-	cryptorand "crypto/rand"
-	"crypto/rsa"
 	"crypto/sha256"
 	"fmt"
+	"time"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/util/keyutil"
+	"k8s.io/klog/v2"
 
 	apisv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/apis/v1alpha1"
+	"github.com/kcp-dev/kcp/pkg/crypto"
 )
 
 func GenerateIdentitySecret(ns string, apiExportName string) (*corev1.Secret, error) {
-	privateKey, err := rsa.GenerateKey(cryptorand.Reader, 4096)
-	if err != nil {
-		return nil, fmt.Errorf("error generating private key: %w", err)
-	}
-
-	encoded, err := keyutil.MarshalPrivateKeyToPEM(privateKey)
-	if err != nil {
-		return nil, fmt.Errorf("error encoding private key: %w", err)
+	start := time.Now()
+	key := crypto.Random256BitsString()
+	if dur := time.Since(start); dur > time.Millisecond*100 {
+		klog.Warningf("identity key generation took long: %s", dur)
 	}
 
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: ns,
 			Name:      apiExportName,
 		},
-		Data: map[string][]byte{
-			apisv1alpha1.SecretKeyAPIExportIdentity: encoded,
+		StringData: map[string]string{
+			apisv1alpha1.SecretKeyAPIExportIdentity: key,
 		},
 	}
 

diff --git a/...orkload/apiexport/apiexport_controller.go → ...piexport/workload_apiexport_controller.go b/...orkload/apiexport/apiexport_controller.go → ...piexport/workload_apiexport_controller.go
diff --git a/...r/workload/apiexport/apiexport_indexes.go → ...d/apiexport/workload_apiexport_indexes.go b/...r/workload/apiexport/apiexport_indexes.go → ...d/apiexport/workload_apiexport_indexes.go
diff --git a/...workload/apiexport/apiexport_reconcile.go → ...apiexport/workload_apiexport_reconcile.go b/...workload/apiexport/apiexport_reconcile.go → ...apiexport/workload_apiexport_reconcile.go
diff --git a/...oad/apiexport/apiexport_reconcile_test.go → ...port/workload_apiexport_reconcile_test.go b/...oad/apiexport/apiexport_reconcile_test.go → ...port/workload_apiexport_reconcile_test.go