Skip to content

[v18] MWI: Warn when including Root CA in issuer override chain #57167

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
strideynet merged 2 commits into from
Jul 25, 2025
Merged

[v18] MWI: Warn when including Root CA in issuer override chain #57167

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
df13d1c
Add warning about inclusion of Root CA in chain
strideynet Jul 24, 2025
f779888
Use equality of RawSubject/RawIssuer rather than string
strideynet Jul 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions tool/tctl/common/workload_identity_command.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,10 +75,12 @@ type WorkloadIdentityCommand struct {
overridesCreateName string
overridesCreateForce bool
overridesCreateFullchains []string
overridesCreateDryRun bool

now func() time.Time

stdout io.Writer
stderr io.Writer
}

// Initialize sets up the "tctl workload-identity" command.
Expand Down Expand Up @@ -179,6 +181,9 @@ func (c *WorkloadIdentityCommand) Initialize(
Flag("force", "Overwrite the existing override if it exists.").
Short('f').
BoolVar(&c.overridesCreateForce)
c.overridesCreateCmd.
Flag("dry-run", "Print the workload_identity_x509_issuer_override that would have been created, without actually creating it.").
BoolVar(&c.overridesCreateDryRun)
c.overridesCreateCmd.
Flag("name", "The name of the override resource to write.").
Default("default").
Expand All @@ -191,6 +196,9 @@ func (c *WorkloadIdentityCommand) Initialize(
if c.stdout == nil {
c.stdout = os.Stdout
}
if c.stderr == nil {
c.stderr = os.Stderr
}
if c.now == nil {
c.now = time.Now
}
Expand Down Expand Up @@ -518,6 +526,24 @@ func (c *WorkloadIdentityCommand) runOverridesCreate(ctx context.Context, client
overrides = append(overrides, certs)
}

// Ensure that the user has not provided the Root CA - we only want them to
// provide the intermediates that chain to the root CA. If they provide the
// root CA, then workloads will end up needlessly distributing the root CA
// to validators.
for _, chain := range overrides {
for _, cert := range chain {
// If the issuer and subject are the same, then this is a
// "self-signed" certificate.
if bytes.Equal(cert.RawSubject, cert.RawIssuer) {
slog.WarnContext(
ctx,
"The provided certificate chain contains a root certificate when it should only contain the issuing CA and the intermediate CAs necessary to chain the issuing CA to the root CA. Remove the root certificate from the certificate file.",
"cert_subject", cert.Subject.String(),
)
}
}
}

clusterName, err := client.GetDomainName(ctx)
if err != nil {
return trace.Wrap(err)
Expand Down Expand Up @@ -578,6 +604,14 @@ func (c *WorkloadIdentityCommand) runOverridesCreate(ctx context.Context, client
},
}

if c.overridesCreateDryRun {
fmt.Fprintln(c.stderr, "Dry run mode enabled, the following override would have been created:")
if err := utils.WriteYAML(c.stdout, types.ProtoResource153ToLegacy(override)); err != nil {
return trace.Wrap(err, "failed to marshal override")
}
return nil
}

if c.overridesCreateForce {
if _, err := oclt.UpsertX509IssuerOverride(ctx, &workloadidentityv1pb.UpsertX509IssuerOverrideRequest{
X509IssuerOverride: override,
Expand Down
Loading