warn when own certificate appears in a configured CRL #1766
jlojosnegros wants to merge 1 commit into istio:master from
Conversation
Hi @jlojosnegros. Thanks for your PR. I'm waiting for an istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Introduces find_cert_revocation(), which scans the provided CRL DERs for the workload certificate's serial number. Called during TLS config building so ztunnel emits a warning when its own cert is listed as revoked, giving operators early notice that certificate renewal is needed before peers start rejecting connections. Adds a unit test covering both the positive (serial found) and negative (serial not found) paths using rcgen-generated CRLs. Signed-off-by: Jose Luis Ojosnegros Manchón <jojosneg@redhat.com>
7dcb1d6 to 11f1fe0
Hi all 👋 - new contributor here. @nilekhc you added the TODO this PR resolves (in #1660). Would you mind taking a look when you have a moment? @howardjohn @keithmattix @ilrudie - pinging you as recent contributors to the file in case you have bandwidth for a quick review. Also, would someone be able to run Happy to address any feedback!
/ok-to-test
Thanks for the label @ilrudie :)
When CRL checking is enabled, ztunnel validates peer certificates against the configured CRLs but never checks whether its own workload certificate appears in any of those lists. If the local certificate is revoked, peers will start rejecting inbound HBONE connections without ztunnel having any indication of why.

This adds a self-revocation check inside WorkloadCertificate::build_tls_config: after fetching the CRL DERs from the manager, find_cert_revocation scans each CRL for the workload certificate's serial number. If a match is found, a warn! log is emitted with the certificate serial, SPIFFE identity, and revocation reason (when present in the CRL entry). The check is purely diagnostic: the TLS config is still built normally so ztunnel continues to operate fail-open, consistent with the existing allow_unknown_revocation_status policy.

find_cert_revocation is intentionally kept narrow: it only compares serial numbers within CRLs that can be successfully parsed; malformed CRL entries are logged at debug level and skipped.

A unit test covers both the positive case (own serial listed in CRL returns Some) and the negative case (unrelated serial returns None).

Closes #1767
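Added illustration, not ztunnel's code: a minimal, dependency-free Rust version of the serial scan described above. It walks a DER CertificateList by hand instead of using rcgen or a CRL crate, compares raw DER INTEGER bytes, and builds its own constructed sample CRL; the function names, the sample issuer and the dummy signature are assumptions.

```rust
/// Reads one DER TLV as (tag, content, rest); None on truncation or an unsupported length form.
fn tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (tag, first) = (*input.first()?, *input.get(1)? as usize);
    let (mut len, mut pos) = (first, 2);
    if first > 0x80 && first <= 0x84 { // long form: the next 1..=4 bytes hold the length
        len = 0;
        for _ in 0..(first & 0x7f) { len = (len << 8) | *input.get(pos)? as usize; pos += 1; }
    } else if first >= 0x80 { return None; } // indefinite or over-long length form
    let rest = input.get(pos..)?; Some((tag, rest.get(..len)?, &rest[len..]))
}
/// Serials (raw DER INTEGER bytes) in a CRL's revokedCertificates; None if not a CertificateList,
/// malformed entries skipped. Walks tbsCertList: [version] signature issuer thisUpdate [nextUpdate] [revoked] [0] exts
fn revoked_serials(crl_der: &[u8]) -> Option<Vec<Vec<u8>>> {
    let (0x30, outer, _) = tlv(crl_der)? else { return None }; // CertificateList
    let (0x30, mut tbs, _) = tlv(outer)? else { return None }; // tbsCertList
    let (mut serials, mut seqs) = (Vec::new(), 0);
    while let Some((tag, content, rest)) = tlv(tbs) {
        tbs = rest;
        match tag {
            0x02 | 0x17 | 0x18 => {}       // version, UTCTime, GeneralizedTime: skip
            0x30 if seqs < 2 => seqs += 1, // signature, issuer: skip
            0x30 => {                      // revokedCertificates: SEQUENCE OF SEQUENCE { serial, date, .. }
                let mut entries = content;
                while let Some((etag, entry, erest)) = tlv(entries) {
                    entries = erest; // an entry that is not a SEQUENCE or lacks a leading INTEGER is skipped
                    if let (0x30, Some((0x02, serial, _))) = (etag, tlv(entry)) { serials.push(serial.to_vec()); }
                }
                break;
            }
            _ => break, // [0] crlExtensions or unexpected tag: nothing more to scan
        }
    }
    Some(serials)
}
fn own_cert_revoked(own_serial: &[u8], crl_ders: &[Vec<u8>]) -> bool { // true if any parseable CRL lists our serial
    crl_ders.iter().filter_map(|c| revoked_serials(c)).any(|l| l.iter().any(|s| s.as_slice() == own_serial))
}
fn der(tag: u8, content: &[u8]) -> Vec<u8> { // tiny DER encoder (content < 256 bytes) for the constructed sample
    let len = if content.len() < 128 { vec![content.len() as u8] } else { vec![0x81, content.len() as u8] };
    [vec![tag], len, content.to_vec()].concat()
}
fn sample_crl(serials: &[&[u8]]) -> Vec<u8> { // constructed, unsigned CRL (assumed issuer CN=test, dummy signature)
    let time = der(0x17, b"240101000000Z");
    let alg = der(0x30, &[der(0x06, &[0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b]), der(0x05, &[])].concat());
    let issuer = der(0x30, &der(0x31, &der(0x30, &[der(0x06, &[0x55, 0x04, 0x03]), der(0x0c, b"test")].concat())));
    let entries: Vec<Vec<u8>> = serials.iter().map(|s| der(0x30, &[der(0x02, s), time.clone()].concat())).collect();
    let tbs = [der(0x02, &[1]), alg.clone(), issuer, time.clone(), time, der(0x30, &entries.concat())].concat();
    der(0x30, &[der(0x30, &tbs), alg, der(0x03, &[0x00, 0xaa, 0xbb])].concat())
}
```

Serial comparison on raw INTEGER bytes is exact only because DER integers are canonical; a serial taken from a non-DER source (a hex string with leading zeros stripped) must be DER-encoded first.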