Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve filtered certs error reporting #276

Closed
Hoega opened this issue Jan 18, 2024 · 9 comments
Closed

Improve filtered certs error reporting #276

Hoega opened this issue Jan 18, 2024 · 9 comments
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

@Hoega
Copy link
Contributor

Hoega commented Jan 18, 2024

When creating a bundle from a source (configmap, secret, or inline) with exclusively expired certificates, the bundle will fail and indicate that the source contains no PEM data. There is no indication that certs are expired and it can be tricky to troubleshoot.

This is because 'ValidateAndSanitizePEMBundleWithOptions' parses sources individually, therefore if a source has only expired cert(s), the cert(s) will be skipped and the sanitize function will find an empty output thus returning an error.

For example, if I have:

  • 1 valid cert in configmap source
  • 1 valid cert in secret source
  • 1 expired cert in inline source

The bundle will fail with this error message:
Warning SourceBuildError 1s (x12 over 12s) bundles Failed to build bundle sources: invalid PEM data in source: bundle contains no PEM certificates

Also, the bundle is pending:

NAME         TARGET   SYNCED   REASON   AGE
my-org.com                              5m15s

Whereas If I add 1 valid cert to the inline source the bundle would be OK. This is because the sanitize function requires at least one valid cert by source.

I propose to parse and sanitize sources globally and/or at least to improve the error reporting to highlight a cert is expired.

@arsenalzp
Copy link
Contributor

arsenalzp commented Jan 21, 2024

Can we accept this as the new feature? I think I can work on it once the decision is made.

@erikgb
Copy link
Contributor

erikgb commented Jan 21, 2024

Can we accept this as the new feature? I think I can work on it once the decision is made.

Please work on it! I think we all agree that the error handling could be improved here. Could you start by describing the proposed solution in more detail? I agree this would become a lesser problem if a bundle is sanitized after reading all sources. But what if the resulting bundle would contain exclusively expired certificates?

@arsenalzp
Copy link
Contributor

arsenalzp commented Jan 21, 2024

Can we accept this as the new feature? I think I can work on it once the decision is made.

Please work on it! I think we all agree that the error handling could be improved here. Could you start by describing the proposed solution in more detail? I agree this would become a lesser problem if a bundle is sanitized after reading all sources. But what if the resulting bundle would contain exclusively expired certificates?

Hello,
Thank you for letting me work again!
I guess it would be optionally possible either allow or disallow to include expired certificates into the resulting bundle. But I don't know any reason why users want to have expired certificates in bundles, except legacy requirements, etc.

I would look something like
allowExpiredCerts: true
with default false.
Then we can suppress expired certificate warnings and include it in the bundle, or just write ones and exclude expired certificates from the bundle.

@erikgb
Copy link
Contributor

erikgb commented Jan 21, 2024

Ah, you haven't seen #273? There is now an opt-in to filter out expired certificates in trust-manager. I understand this issue mostly as a usability improvement to this recently added feature. It could make sense to include an expired certificate in a bundle to get better error messages.

@arsenalzp
Copy link
Contributor

Ah, you haven't seen #273? There is now an opt-in to filter out expired certificates in trust-manager. I understand this issue mostly as a usability improvement. It could make sense to include an expired certificate in a bundle to get better error messages.

Oh, I didn't see that because pull request wasn't linked to this particular issue.

@erikgb
Copy link
Contributor

erikgb commented Jul 16, 2024

It seems most reasonable to validate to validate at least one certificate per bundle, and not per bundle source.

/priority important-soon

@cert-manager-prow cert-manager-prow bot added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Jul 16, 2024
@cert-manager-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

@cert-manager-prow cert-manager-prow bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 6, 2024
@erikgb
Copy link
Contributor

erikgb commented Nov 23, 2024

I think the issue was fixed by #375. Feel free to reopen if that is not the case.

/close

@cert-manager-prow
Copy link
Contributor

@erikgb: Closing this issue.

In response to this:

I think the issue was fixed by #375. Feel free to reopen if that is not the case.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Projects
None yet
Development

No branches or pull requests

4 participants