
SECURESIGN-1460 | Ensure that TSA component does not create duplicated resources #675

Merged

Conversation

JasonPowr
Contributor

@bouskaJ @osmman Just looking for some feedback on this approach to ensuring only one resource is created at a time; if it's acceptable I'll apply it to the other TSA resources. Needs some more testing.


openshift-ci bot commented Oct 8, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


openshift-ci bot commented Oct 8, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JasonPowr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label Oct 8, 2024
@JasonPowr JasonPowr changed the title ensure-tsa-does-not-create-duplicate-resources SECURESIGN-1460 | Ensure that TSA component does not create duplicated resources Oct 8, 2024
@JasonPowr JasonPowr force-pushed the ensure-tsa-does-not-create-duplicate-resources branch from e3b2a26 to 7eef591 October 8, 2024 16:19
@JasonPowr JasonPowr force-pushed the ensure-tsa-does-not-create-duplicate-resources branch from 7074c31 to 6cd35b9 October 10, 2024 10:52
@JasonPowr JasonPowr marked this pull request as ready for review October 10, 2024 11:41
@JasonPowr JasonPowr force-pushed the ensure-tsa-does-not-create-duplicate-resources branch 4 times, most recently from 91ba0c6 to 455f8bc October 21, 2024 13:39
Resolved (outdated) review threads on: internal/controller/tsa/actions/generate_signer_test.go (3), internal/controller/tsa/actions/generate_signer.go (2), internal/controller/tsa/actions/ntpMonitoring.go (2)
@bouskaJ bouskaJ force-pushed the ensure-tsa-does-not-create-duplicate-resources branch 2 times, most recently from 8911e07 to 6052c53 October 22, 2024 11:52
@bouskaJ
Collaborator

bouskaJ commented Oct 22, 2024

As I am part of the development, @osmman can you re-review?

@bouskaJ bouskaJ requested a review from osmman October 22, 2024 12:01
@osmman osmman added this to the 1.1.0 milestone Oct 22, 2024
@JasonPowr
Contributor Author

/test tas-operator-e2e

@osmman
Contributor

osmman commented Oct 22, 2024

I think that rootCA, intermediateCA, leafCA should not be created if the signer uses a key from a KMS or Tink service. These should be using the certificate chain stored in certificateChainRef. The problem is that a signer key from KMS/Tink will not be used for signing the Root CA.

Here is a PoC which splits management of the signer and cert chains into different actions.

@JasonPowr
Contributor Author

JasonPowr commented Oct 22, 2024

@osmman Does it create rootCA, intermediateCA, leafCA keys when other signer types are specified? Originally it wasn't supposed to, here:

We only handle keys (e.g. rootCA, intermediateCA, leafCA) if it is a file signer type. Maybe I am misunderstanding?

and we will only create a cert chain if one is not specified:

```go
func (g generateSigner) handleCertificateChain(ctx context.Context, instance *v1alpha1.TimestampAuthority, config *tsaUtils.TsaCertChainConfig) (*tsaUtils.TsaCertChainConfig, error) {
	// An explicitly referenced chain Secret takes precedence.
	if ref := instance.Spec.Signer.CertificateChain.CertificateChainRef; ref != nil {
		certificateChain, err := k8sutils.GetSecretData(g.Client, instance.Namespace, ref)
		if err != nil {
			return nil, err
		}
		config.CertificateChain = certificateChain
	} else {
		// Otherwise a chain is generated from the config (which must carry the root key).
		certificateChain, err := tsaUtils.CreateTSACertChain(ctx, instance, DeploymentName, g.Client, config)
		if err != nil {
			return nil, err
		}
		config.CertificateChain = certificateChain
	}
	return config, nil
}
```

If using Tink or KMS, a cert chain should be provided.

@osmman
Contributor

osmman commented Oct 22, 2024

> @osmman Does it create rootCA, intermediateCA, leafCA keys when other signer types are specified? Originally it wasn't supposed to, here:
>
> We only handle keys (e.g. rootCA, intermediateCA, leafCA) if it is a file signer type. Maybe I am misunderstanding?
> and we will only create a cert chain if one is not specified:
>
> ```go
> func (g generateSigner) handleCertificateChain(ctx context.Context, instance *v1alpha1.TimestampAuthority, config *tsaUtils.TsaCertChainConfig) (*tsaUtils.TsaCertChainConfig, error) {
> 	if ref := instance.Spec.Signer.CertificateChain.CertificateChainRef; ref != nil {
> 		certificateChain, err := k8sutils.GetSecretData(g.Client, instance.Namespace, ref)
> 		if err != nil {
> 			return nil, err
> 		}
> 		config.CertificateChain = certificateChain
> 	} else {
> 		certificateChain, err := tsaUtils.CreateTSACertChain(ctx, instance, DeploymentName, g.Client, config)
> 		if err != nil {
> 			return nil, err
> 		}
> 		config.CertificateChain = certificateChain
> 	}
> 	return config, nil
> }
> ```
>
> If using Tink or KMS, a cert chain should be provided.

I think that the action will fail if a KMS or Tink signer is used and the cert chain ref is empty/configured to auto-create certs. It will try to resolve the certificate chain

```go
tsaCertChainConfig, err = g.handleCertificateChain(ctx, instance, tsaCertChainConfig)
```

which needs RootPrivateKey. That value does not exist because it is resolved only for the file-based signer.
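The two points raised in this thread, that a KMS/Tink signer without a certificateChainRef should not fall into chain generation (which needs a root key the operator never resolves for those signers), and that repeated reconciles must not create duplicate resources, can be sketched together. The following is an added illustration, not code from this PR or from the operator: the signer type strings, the `SignerSpec`/`CertChainConfig` structs, the in-memory `SecretStore`, `generateChain` and the Secret name are all assumptions standing in for the operator's real v1alpha1 types, `tsaUtils.CreateTSACertChain` and the Kubernetes client.

```go
package main

import (
	"errors"
	"fmt"
)

// Signer types discussed in the thread. The string values are assumed for this
// example; they are not the operator's real enum values.
const (
	SignerFile = "file"
	SignerKMS  = "kms"
	SignerTink = "tink"
)

// SignerSpec is a simplified stand-in for the relevant fields of
// instance.Spec.Signer, not the operator's v1alpha1 type.
type SignerSpec struct {
	Type                string
	CertificateChainRef string // Secret name holding the chain; "" means "auto-create"
}

// CertChainConfig is a stand-in for tsaUtils.TsaCertChainConfig.
type CertChainConfig struct {
	RootPrivateKey   []byte // only populated for the file signer
	CertificateChain []byte
}

// SecretStore is an in-memory stand-in for the Kubernetes Secret API so the
// example runs offline. Creates counts how many Secrets were created.
type SecretStore struct {
	data    map[string][]byte
	Creates int
}

func NewSecretStore() *SecretStore { return &SecretStore{data: map[string][]byte{}} }

func (s *SecretStore) Get(name string) ([]byte, bool) {
	v, ok := s.data[name]
	return v, ok
}

func (s *SecretStore) Create(name string, v []byte) {
	s.data[name] = v
	s.Creates++
}

// ErrChainRefRequired is the explicit failure for the case the thread describes:
// a KMS or Tink signer with no certificateChainRef would otherwise reach chain
// generation without a RootPrivateKey.
var ErrChainRefRequired = errors.New("certificateChainRef is required for kms and tink signers")

// generateChain stands in for tsaUtils.CreateTSACertChain; it only derives a
// deterministic blob from the root key so the result can be checked.
func generateChain(rootKey []byte) []byte {
	return append([]byte("chain-signed-by:"), rootKey...)
}

// ResolveCertChain mirrors the shape of handleCertificateChain but checks the
// signer type before attempting generation.
func ResolveCertChain(spec SignerSpec, store *SecretStore, cfg *CertChainConfig) (*CertChainConfig, error) {
	// An explicit chain reference wins for every signer type.
	if spec.CertificateChainRef != "" {
		chain, ok := store.Get(spec.CertificateChainRef)
		if !ok {
			return nil, fmt.Errorf("certificate chain secret %q not found", spec.CertificateChainRef)
		}
		cfg.CertificateChain = chain
		return cfg, nil
	}
	switch spec.Type {
	case SignerFile:
		if len(cfg.RootPrivateKey) == 0 {
			return nil, errors.New("file signer: root private key not resolved")
		}
		cfg.CertificateChain = generateChain(cfg.RootPrivateKey)
		return cfg, nil
	case SignerKMS, SignerTink:
		return nil, ErrChainRefRequired
	default:
		return nil, fmt.Errorf("unsupported signer type %q", spec.Type)
	}
}

// EnsureChainSecret stores a generated chain exactly once: a second reconcile
// finds the existing Secret and returns created=false instead of duplicating it.
func EnsureChainSecret(store *SecretStore, name string, chain []byte) ([]byte, bool) {
	if existing, ok := store.Get(name); ok {
		return existing, false
	}
	store.Create(name, chain)
	return chain, true
}

func main() {
	store := NewSecretStore()
	cfg, err := ResolveCertChain(SignerSpec{Type: SignerFile}, store, &CertChainConfig{RootPrivateKey: []byte("root-key")})
	fmt.Println("file signer:", string(cfg.CertificateChain), err)
	_, err = ResolveCertChain(SignerSpec{Type: SignerKMS}, store, &CertChainConfig{})
	fmt.Println("kms without ref:", err)
	for i := 0; i < 2; i++ { // two reconciles, one Secret
		_, created := EnsureChainSecret(store, "tsa-cert-chain", cfg.CertificateChain)
		fmt.Printf("reconcile %d created=%v total creates=%d\n", i+1, created, store.Creates)
	}
}
```

The design choice is to fail early with a named error when a KMS/Tink signer is configured without a chain, rather than letting the generation path fail later on a missing root key, and to make the Secret write a get-or-create so a reconcile loop converges on one resource.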

@bouskaJ bouskaJ force-pushed the ensure-tsa-does-not-create-duplicate-resources branch from 6052c53 to e0fc6bd October 23, 2024 04:43
@JasonPowr
Contributor Author

/test tas-operator-e2e

@JasonPowr JasonPowr force-pushed the ensure-tsa-does-not-create-duplicate-resources branch 2 times, most recently from 9ed68a2 to cb3f8a8 October 23, 2024 15:10
@JasonPowr JasonPowr force-pushed the ensure-tsa-does-not-create-duplicate-resources branch from cb3f8a8 to 952efe0 October 24, 2024 09:49
@osmman
Contributor

osmman commented Oct 24, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Oct 24, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit c13b53c into main Oct 24, 2024
18 checks passed
@osmman osmman deleted the ensure-tsa-does-not-create-duplicate-resources branch November 7, 2024 16:14