Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add v1 Fulcio endpoint to prober #1160

Merged
merged 1 commit into from
Jul 2, 2024

Conversation

cmurphy
Copy link
Contributor

@cmurphy cmurphy commented Jul 2, 2024

There is an SLO set up for the /api/v1/signingCert Fulcio endpoint[1], but it is currently reporting "No SLO status data" because the prober was never testing that endpoint. This lead to an outage that went undetected by the monitoring system.

Cosign uses the legacy certificate request endpoint in its Fulcio client[2][3]. This means that the v1 endpoint is likely the most used and therefore an important health indicator. This change adds the v1 endpoint to the prober test, which should populate Prometheus with data which should activate the SLO.

[1]

v1beta-create-signing-certificate = {
display_suffix = "CreateSigningCertificate v1beta (/api/v1/signingCert - POST)"
label_filter = "metric.labels.endpoint=\"/api/v1/signingCert\" metric.labels.method=\"POST\""
goal = 0.995
},

[2] https://github.com/sigstore/cosign/blob/79db196e2d97e7dfc4d8201ef829d4ce906605a7/cmd/cosign/cli/fulcio/fulcio.go#L32
[3] https://github.com/sigstore/fulcio/blob/07b19da442b418ebcf072ac65a7abb25f0e3d5c8/pkg/api/client.go#L60

Summary

Release Note

Documentation

@cmurphy cmurphy force-pushed the probe-legacy-endpoint branch from 88cef8f to 1bef61a Compare July 2, 2024 18:05
There is an SLO set up for the /api/v1/signingCert Fulcio endpoint[1],
but it is currently reporting "No SLO status data" because the prober
was never testing that endpoint. This lead to an outage that went
undetected by the monitoring system.

Cosign uses the legacy certificate request endpoint in its Fulcio
client[2][3]. This means that the v1 endpoint is likely the most used
and therefore an important health indicator. This change adds the v1
endpoint to the prober test, which should populate Prometheus with data
which should activate the SLO.

[1] https://github.com/sigstore/scaffolding/blob/8f7aa097e54eabcecbc671818f9eb5f0e723e54b/terraform/gcp/modules/monitoring/fulcio/slo.tf#L79-L83
[2] https://github.com/sigstore/cosign/blob/79db196e2d97e7dfc4d8201ef829d4ce906605a7/cmd/cosign/cli/fulcio/fulcio.go#L32
[3] https://github.com/sigstore/fulcio/blob/07b19da442b418ebcf072ac65a7abb25f0e3d5c8/pkg/api/client.go#L60

Signed-off-by: Colleen Murphy <[email protected]>
@cmurphy cmurphy force-pushed the probe-legacy-endpoint branch from 1bef61a to 41a7bd0 Compare July 2, 2024 18:13
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if this was broken since #540...

if certBlock == nil || chainPEM == nil {
Logger.Errorf("did not find expected certificates")
}
intermediateBlock, rootPEM := pem.Decode(chainPEM)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just so this can support probing custom instances with any number of intermediates, we might want to continually decode until pem.Decode() parses the root and rest is empty, or use UnmarshalCertificatesFromPEM(chainPEM). We could add a configuration flag for how many intermediates are expected?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wrote it this way to be consistent with the v2 test which expects exactly 3:

if len(fulcioResp.CertificatesWithSct.CertificateChain.Certificates) != 3 {
Logger.Errorf("unexpected number of certificates, got %d, expected 3",
len(fulcioResp.CertificatesWithSct.CertificateChain.Certificates))
return nil, err
}

I think making it configurable would be a separate scope.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah fair point, then this LGTM!

haydentherapper
haydentherapper previously approved these changes Jul 2, 2024
@cmurphy
Copy link
Contributor Author

cmurphy commented Jul 2, 2024

Accidentally pushed a commit to the wrong branch

@haydentherapper haydentherapper merged commit ed0c480 into sigstore:main Jul 2, 2024
42 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants