Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SECURESIGN-994] Add TLS to Fulcio and CTlog services #492

Open
wants to merge 18 commits into
base: main
Choose a base branch
from

Conversation

fghanmi
Copy link
Contributor

@fghanmi fghanmi commented Jul 4, 2024

No description provided.

@openshift-ci openshift-ci bot requested review from lkatalin and tommyd450 July 4, 2024 14:48
Copy link

openshift-ci bot commented Jul 4, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fghanmi
Once this PR has been reviewed and has the lgtm label, please assign osmman for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fghanmi fghanmi force-pushed the TLSSuppportFulcioCTlog branch from b387080 to 7092e63 Compare July 5, 2024 14:08
@fghanmi fghanmi force-pushed the TLSSuppportFulcioCTlog branch from df48e12 to e9ef614 Compare August 3, 2024 09:14
@fghanmi fghanmi force-pushed the TLSSuppportFulcioCTlog branch from 77ab1ce to 1219155 Compare August 17, 2024 10:35
@fghanmi fghanmi changed the title Add TLS to Fulcio and CTlog services [SECURESIGN-994] Add TLS to Fulcio and CTlog services Aug 26, 2024
@fghanmi fghanmi force-pushed the TLSSuppportFulcioCTlog branch from 56b68b4 to b2a2989 Compare August 31, 2024 22:33
@fghanmi fghanmi force-pushed the TLSSuppportFulcioCTlog branch from b2a2989 to 1943664 Compare September 12, 2024 07:37
@fghanmi fghanmi requested review from osmman and bouskaJ and removed request for lkatalin and tommyd450 September 12, 2024 11:22
@@ -48,6 +48,9 @@ type CTlogSpec struct {
// publicKeyRef, rootCertificates and trillian will be overridden.
//+optional
ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"`
// Configuration for enabling TLS (Transport Layer Security) encryption for manged database.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please fix doc, it is configuration to encrypt CTlog server

@@ -309,7 +309,7 @@ metadata:
features.operators.openshift.io/token-auth-azure: "false"
features.operators.openshift.io/token-auth-gcp: "false"
operators.openshift.io/valid-subscription: '["Red Hat Trusted Artifact Signer"]'
operators.operatorframework.io/builder: operator-sdk-v1.34.2
operators.operatorframework.io/builder: operator-sdk-v1.34.1
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do not change operator-sdk version

//+kubebuilder:validation:Maximum:=65535
//+kubebuilder:default:=80
//+kubebuilder:default:=0
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that default port 0 is the right choice. I would prefer to omit this value (use nil) in case it is not used.

instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace)
case instance.Spec.Ctlog.Port == nil:
port := int32(80)
if instance.Spec.Ctlog.Address == "" {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instance.Spec.TrustedCA != nil does not necessary means that you have TLS enabled CTLog service. I would try to load Ctlog service and try to get scheme and port from it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, Fulcio needs to depend on CTlog and should only start after CTlog has started, in order to fetch its service. Is that correct?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. there is no dependency on CTLog itself. You can use label selector to find the service
  2. your deployment depends on ctlog.namespace.svc" anyway so your fulcio Fulcio will not become fully ready until Ctlog starts. The only downside of this solution is that Fulcio would wait for Ctlog service to be created but I don't think that it is a big problem.

@osmman WDYT?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bouskaJ , is it better now ?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wold do it like this

var url
	if instance.Spec.Ctlog.Address != "" && instance.Spec.Ctlog.Port != "" {
	url = // use specified
     
	} else {
svc := FindService(ctx, cli, LabelsForComponent(ctl.ComponentName, instance.Name)
// retrieve protocol from service port
// compose url 
url = fmt.Sprintf("%s%s.svc:%d", svc.Name, svc.Namespace, svc.Port)
     }

url += instance.Spec.Ctlog.Preffix

I hope the above snapshot is clear enough.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please do not depends on services, you need to keep support of independent deployment so ctlog and fulcio could be deployed separatly (different namespace, cluster) and Fulcio will sucessfuly start without runnig CTlog only create certificate requests will be rejected which is intended behavior.

So please try to use only information which are present in Fulcio resource

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we have TrustedCA, but as Jan said, it does not necessarily mean that CTlog has TLS enabled..
that's why in the beginning, I was using a dedicated field for that TLS.CaCert, I used it to decide whether fulcio should use TLS or not.

Copy link
Collaborator

@bouskaJ bouskaJ Sep 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please do not depends on services, you need to keep support of independent deployment so ctlog and fulcio could be deployed separatly (different namespace, cluster) and Fulcio will sucessfuly start without runnig CTlog only create certificate requests will be rejected which is intended behavior.

So please try to use only information which are present in Fulcio resource

I was thinking about it like a fail-over solution in case there is no information in Fulcio resource. With Firas solution, you only think that you should use tls (based on env) but the running CTL does not need to be TLS secured at all. You can get much more valid information from service itself. Service lookup (based on labels) does not create any hard dependency and we already use label selectors in the TUF key auto-discovery.

})
return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not get CA path: %w", err), instance)
}
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--ct-log.tls-ca-cert", caPath)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not even Fulcio is able to use SSL_CERT_DIR variable?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What I see in the implementation, the server should work with system certs. Give it a try, please. https://github.com/securesign/fulcio/blob/main/cmd/app/serve.go#L279-L302

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fulcio.Spec.TrustedCA does not necessarily mean that you specify CA for CTLog -> I would prefer to mount it as system CA

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was able to make it working with system-certs. This is my PoC bouskaJ@b9f4154

Copy link
Contributor Author

@fghanmi fghanmi Sep 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bouskaJ I've cherry-picked your suggestion, and tested it, all works fine! Thanks!

func GetService(client client.Client, namespace, serviceName string) (*corev1.Service, error) {
var service corev1.Service

err := client.Get(context.TODO(), types.NamespacedName{
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do not create new context. Pass existing one.

})
return i.FailedWithStatusUpdate(ctx, fmt.Errorf("could not get CA path: %w", err), instance)
}
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--ct-log.tls-ca-cert", caPath)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fulcio.Spec.TrustedCA does not necessarily mean that you specify CA for CTLog -> I would prefer to mount it as system CA

instance.Spec.Ctlog.Address = fmt.Sprintf("http://ctlog.%s.svc", instance.Namespace)
case instance.Spec.Ctlog.Port == nil:
port := int32(80)
if instance.Spec.Ctlog.Address == "" {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wold do it like this

var url
	if instance.Spec.Ctlog.Address != "" && instance.Spec.Ctlog.Port != "" {
	url = // use specified
     
	} else {
svc := FindService(ctx, cli, LabelsForComponent(ctl.ComponentName, instance.Name)
// retrieve protocol from service port
// compose url 
url = fmt.Sprintf("%s%s.svc:%d", svc.Name, svc.Namespace, svc.Port)
     }

url += instance.Spec.Ctlog.Preffix

I hope the above snapshot is clear enough.

@openshift-merge-robot
Copy link

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@osmman osmman added this to the 1.2.0 milestone Sep 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants