Merge #61233 #61234

61233: server: secure init service cert rotation r=aaron-crl a=aaron-crl Part of #60632 . Release justification: low risk, feature completion for #60632. Added certificate rotation functionality and some test cases. Fixed several bugs related to path checks that rotation depends on. Adjustments to automatic certificate generation lifespan and key sizes to bring them in alignment with existing defaults. 61234: vendor: bump snappy to v0.0.3 r=dt a=dt Bump snappy to v0.0.3 to fix segfault on arm (only diffs are in en/decode_arm64.s). Release note: none. Release justification: non-production (arm64) code only. Co-authored-by: Aaron Blum <[email protected]> Co-authored-by: David Taylor <[email protected]>
cockroachdb · Feb 28, 2021 · 8591a29 · 8591a29
3 parents 9097271 + ae2e077 + 6b59c31
commit 8591a29
Show file tree

Hide file tree

Showing 9 changed files with 629 additions and 96 deletions.
diff --git a/DEPS.bzl b/DEPS.bzl
@@ -1327,8 +1327,8 @@ def go_deps():
         name = "com_github_golang_snappy",
         build_file_proto_mode = "disable_global",
         importpath = "github.com/golang/snappy",
-        sum = "h1:aeE13tS0IiQgFjYdoL8qN3K1N2bXXtI6Vi51/y7BpMw=",
-        version = "v0.0.2",
+        sum = "h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA=",
+        version = "v0.0.3",
     )
     go_repository(
         name = "com_github_gomodule_redigo",

diff --git a/go.mod b/go.mod
@@ -71,7 +71,7 @@ require (
 	github.com/golang-commonmark/puny v0.0.0-20180910110745-050be392d8b8 // indirect
 	github.com/golang/geo v0.0.0-20200319012246-673a6f80352d
 	github.com/golang/protobuf v1.4.2
-	github.com/golang/snappy v0.0.2
+	github.com/golang/snappy v0.0.3
 	github.com/google/btree v1.0.0
 	github.com/google/flatbuffers v1.11.0
 	github.com/google/go-cmp v0.5.2

diff --git a/go.sum b/go.sum
@@ -448,8 +448,8 @@ github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.2-0.20190904063534-ff6b7dc882cf/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/golang/snappy v0.0.2 h1:aeE13tS0IiQgFjYdoL8qN3K1N2bXXtI6Vi51/y7BpMw=
-github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA=
+github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/gomodule/redigo v1.7.1-0.20190724094224-574c33c3df38/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=

diff --git a/pkg/security/auto_tls_init.go b/pkg/security/auto_tls_init.go
@@ -26,8 +26,8 @@ import (
 )
 
 // TODO(aaron-crl): This shared a name and purpose with the value in
-// pkg/security and should be consolidated.
-const defaultKeySize = 4096
+// pkg/cli/cert.go and should be consolidated.
+const defaultKeySize = 2048
 
 // notBeforeMargin provides a window to compensate for potential clock skew.
 const notBeforeMargin = time.Second * 30
@@ -128,7 +128,7 @@ func CreateCACertAndKey(
 // CreateServiceCertAndKey creates a cert/key pair signed by the provided CA.
 // This is a utility function to help with cluster auto certificate generation.
 func CreateServiceCertAndKey(
-	lifespan time.Duration, service, hostname string, caCertPEM []byte, caKeyPEM []byte,
+	lifespan time.Duration, service string, hostnames []string, caCertPEM []byte, caKeyPEM []byte,
 ) (certPEM []byte, keyPEM []byte, err error) {
 	notBefore := timeutil.Now().Add(-notBeforeMargin)
 	notAfter := timeutil.Now().Add(lifespan)
@@ -183,11 +183,13 @@ func CreateServiceCertAndKey(
 	// Attempt to parse hostname as IP, if successful add it as an IP
 	// otherwise presume it is a DNS name.
 	// TODO(aaron-crl): Pass these values via config object.
-	ip := net.ParseIP(hostname)
-	if ip != nil {
-		serviceCert.IPAddresses = []net.IP{ip}
-	} else {
-		serviceCert.DNSNames = []string{hostname}
+	for _, hostname := range hostnames {
+		ip := net.ParseIP(hostname)
+		if ip != nil {
+			serviceCert.IPAddresses = []net.IP{ip}
+		} else {
+			serviceCert.DNSNames = []string{hostname}
+		}
 	}
 
 	servicePrivKey, err := rsa.GenerateKey(rand.Reader, defaultKeySize)
@@ -223,5 +225,5 @@ func CreateServiceCertAndKey(
 		return nil, nil, err
 	}
 
-	return serviceCertBlock.Bytes(), servicePrivKeyPEM.Bytes(), err
+	return serviceCertBlock.Bytes(), servicePrivKeyPEM.Bytes(), nil
 }
diff --git a/pkg/security/auto_tls_init_test.go b/pkg/security/auto_tls_init_test.go
@@ -40,7 +40,7 @@ func TestDummyCreateServiceCertAndKey(t *testing.T) {
 	_, _, err = security.CreateServiceCertAndKey(
 		time.Minute,
 		"test Service cert generation",
-		"localhost",
+		[]string{"localhost", "127.0.0.1"},
 		caCert,
 		caKey,
 	)