[SECURESIGN-994] Add TLS to Fulcio and CTlog services #492
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: fghanmi The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
fghanmi
force-pushed
the
TLSSuppportFulcioCTlog
branch
from
b387080
to
7092e63
Compare
fghanmi
force-pushed
the
TLSSuppportFulcioCTlog
branch
from
df48e12
to
e9ef614
Compare
fghanmi
force-pushed
the
TLSSuppportFulcioCTlog
branch
from
77ab1ce
to
1219155
Compare
fghanmi
changed the title
fghanmi
force-pushed
the
TLSSuppportFulcioCTlog
branch
from
56b68b4
to
b2a2989
Compare
fghanmi
force-pushed
the
TLSSuppportFulcioCTlog
branch
from
b2a2989
to
1943664
Compare
api/v1alpha1/ctlog_types.go
Outdated
| @@ -48,6 +48,9 @@ type CTlogSpec struct { | |||
| // publicKeyRef, rootCertificates and trillian will be overridden. | |||
| //+optional | |||
| ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"` | |||
| // Configuration for enabling TLS (Transport Layer Security) encryption for manged database. | |||
There was a problem hiding this comment.
please fix doc, it is configuration to encrypt CTlog server
| @@ -309,7 +309,7 @@ metadata: | |||
| features.operators.openshift.io/token-auth-azure: "false" | |||
| features.operators.openshift.io/token-auth-gcp: "false" | |||
| operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]' | |||
| operators.operatorframework.io/builder: operator-sdk-v1.34.2 | |||
| operators.operatorframework.io/builder: operator-sdk-v1.34.1 | |||
There was a problem hiding this comment.
do not change operator-sdk version
api/v1alpha1/common.go
Outdated
| //+kubebuilder:validation:Maximum:=65535 | ||
| //+kubebuilder:default:=80 | ||
| //+kubebuilder:default:=0 |
There was a problem hiding this comment.
I don't think that default port 0 is the right choice. I would prefer to omit this value (use nil) in case it is not used.
| instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace) | ||
| case instance.Spec.Ctlog.Port == nil: | ||
| port := int32(80) | ||
| if instance.Spec.Ctlog.Address == "" { |
There was a problem hiding this comment.
instance.Spec.TrustedCA != nil does not necessary means that you have TLS enabled CTLog service. I would try to load Ctlog service and try to get scheme and port from it.
There was a problem hiding this comment.
So, Fulcio needs to depend on CTlog and should only start after CTlog has started, in order to fetch its service. Is that correct?
There was a problem hiding this comment.
- there is no dependency on CTLog itself. You can use label selector to find the service
- your deployment depends on
ctlog.namespace.svc"anyway so your fulcio Fulcio will not become fully ready until Ctlog starts. The only downside of this solution is that Fulcio would wait for Ctlog service to be created but I don't think that it is a big problem.
@osmman WDYT?
There was a problem hiding this comment.
I wold do it like this
var url
if instance.Spec.Ctlog.Address != "" && instance.Spec.Ctlog.Port != "" {
url = // use specified
} else {
svc := FindService(ctx, cli, LabelsForComponent(ctl.ComponentName, instance.Name)
// retrieve protocol from service port
// compose url
url = fmt.Sprintf("%s%s.svc:%d", svc.Name, svc.Namespace, svc.Port)
}
url += instance.Spec.Ctlog.Preffix
I hope the above snapshot is clear enough.
There was a problem hiding this comment.
please do not depends on services, you need to keep support of independent deployment so ctlog and fulcio could be deployed separatly (different namespace, cluster) and Fulcio will sucessfuly start without runnig CTlog only create certificate requests will be rejected which is intended behavior.
So please try to use only information which are present in Fulcio resource
There was a problem hiding this comment.
we have TrustedCA, but as Jan said, it does not necessarily mean that CTlog has TLS enabled..
that's why in the beginning, I was using a dedicated field for that TLS.CaCert, I used it to decide whether fulcio should use TLS or not.
There was a problem hiding this comment.
please do not depends on services, you need to keep support of independent deployment so ctlog and fulcio could be deployed separatly (different namespace, cluster) and Fulcio will sucessfuly start without runnig CTlog only create certificate requests will be rejected which is intended behavior.
So please try to use only information which are present in Fulcio resource
I was thinking about it like a fail-over solution in case there is no information in Fulcio resource. With Firas solution, you only think that you should use tls (based on env) but the running CTL does not need to be TLS secured at all. You can get much more valid information from service itself. Service lookup (based on labels) does not create any hard dependency and we already use label selectors in the TUF key auto-discovery.
| }) | ||
| return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not get CA path: %w", err), instance) | ||
| } | ||
| dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--ct-log.tls-ca-cert", caPath) |
There was a problem hiding this comment.
not even Fulcio is able to use SSL_CERT_DIR variable?
There was a problem hiding this comment.
the only TLS option I see is this one:
https://github.com/sigstore/fulcio/blob/main/cmd/app/serve.go#L112
There was a problem hiding this comment.
What I see in the implementation, the server should work with system certs. Give it a try, please. https://github.com/securesign/fulcio/blob/main/cmd/app/serve.go#L279-L302
There was a problem hiding this comment.
Fulcio.Spec.TrustedCA does not necessarily mean that you specify CA for CTLog -> I would prefer to mount it as system CA
There was a problem hiding this comment.
I was able to make it working with system-certs. This is my PoC bouskaJ@b9f4154
There was a problem hiding this comment.
@bouskaJ I've cherry-picked your suggestion, and tested it, all works fine! Thanks!
| func GetService(client client.Client, namespace, serviceName string) (*corev1.Service, error) { | ||
| var service corev1.Service | ||
|
|
||
| err := client.Get(context.TODO(), types.NamespacedName{ |
There was a problem hiding this comment.
do not create new context. Pass existing one.
| }) | ||
| return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not get CA path: %w", err), instance) | ||
| } | ||
| dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--ct-log.tls-ca-cert", caPath) |
There was a problem hiding this comment.
Fulcio.Spec.TrustedCA does not necessarily mean that you specify CA for CTLog -> I would prefer to mount it as system CA
| instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace) | ||
| case instance.Spec.Ctlog.Port == nil: | ||
| port := int32(80) | ||
| if instance.Spec.Ctlog.Address == "" { |
There was a problem hiding this comment.
I wold do it like this
var url
if instance.Spec.Ctlog.Address != "" && instance.Spec.Ctlog.Port != "" {
url = // use specified
} else {
svc := FindService(ctx, cli, LabelsForComponent(ctl.ComponentName, instance.Name)
// retrieve protocol from service port
// compose url
url = fmt.Sprintf("%s%s.svc:%d", svc.Name, svc.Namespace, svc.Port)
}
url += instance.Spec.Ctlog.Preffix
I hope the above snapshot is clear enough.
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
No description provided.