From 60d997e985f7d45c44db1d292bf164f8ef85bb5e Mon Sep 17 00:00:00 2001 
From: "W. Trevor King" Date: Fri, 31 Jan 2020 13:25:09 -0800 Subject: [PATCH] config/v1/types_proxy: Clarify trustedCA semantics Logic for merging with the "system" trust store is [1]. We might want to optionally relax that in the future [2], but it's not clear to me what the API change associated with that relaxation would look like. To motivate the "may" for the non-proxy case: * Here's the registry calling for the merged CA bundle to get injected [3] and dropping it into its system store [4]. That means the merged CA bundle will be used for all connections from that registry container, regardless of whether they are intended for the proxy or not (e.g. via a NO_PROXY environment variable [5,6]). * The cluster-version operator loads the proxy transport directly from the Proxy object [7,8]. This is probably a CVO bug, because as the docs I'm touching here say, reading the Proxy's trustedCA directly (like [9]) is frowned on. But regardless, it then appends its own system cert pool locally [10], and uses the resulting transport when retrieving image signatures [11,12] and Cincinnati graphs [13]. It does not use the additional proxy CAs for other HTTPS, e.g. talking to the Kubernetes API. 
[1]: https://github.com/openshift/cluster-network-operator/blob/4175354bbe5d12273d4f877f64478127e9d2777f/pkg/controller/proxyconfig/validation.go#L95-L109 [2]: https://github.com/openshift/enhancements/blame/14b2d1a262dc8520603eaec1910aabf5f2d0115f/enhancements/proxy/global-cluster-egress-proxy.md#L208-L211 [3]: https://github.com/openshift/cluster-image-registry-operator/blob/75e8e851700add9c847190fb228d2e702b2af2e8/manifests/04-ca-trusted.yaml#L5-L8 [4]: https://github.com/openshift/cluster-image-registry-operator/blob/75e8e851700add9c847190fb228d2e702b2af2e8/manifests/07-operator.yaml#L87-L97 [5]: https://github.com/openshift/cluster-image-registry-operator/blob/75e8e851700add9c847190fb228d2e702b2af2e8/manifests/07-operator.yaml#L8 [6]: https://github.com/openshift/enhancements/blame/14b2d1a262dc8520603eaec1910aabf5f2d0115f/enhancements/proxy/global-cluster-egress-proxy.md#L155-L156 [7]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/cvo/cvo.go#L749-L765 [8]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/cvo/availableupdates.go#L201-L223 [9]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/cvo/availableupdates.go#L219 [10]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/cvo/availableupdates.go#L238 [11]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/cvo/cvo.go#L728-L738 [12]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/verify/verify.go#L277 [13]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/cvo/availableupdates.go#L43-L48 --- .../0000_03_config-operator_01_proxy.crd.yaml | 24 ++++---- .../0000_10_config-operator_01_build.crd.yaml | 56 ++++++++++--------- 
config/v1/types_proxy.go | 18 +++---
.../v1/zz_generated.swagger_doc_generated.go | 2 +-
4 files changed, 55 insertions(+), 45 deletions(-)
diff --git a/config/v1/0000_03_config-operator_01_proxy.crd.yaml b/config/v1/0000_03_config-operator_01_proxy.crd.yaml
index afd0767479e..cf04b249b98 100644
--- a/config/v1/0000_03_config-operator_01_proxy.crd.yaml
+++ b/config/v1/0000_03_config-operator_01_proxy.crd.yaml
@@ -62,17 +62,19 @@ spec: type: string trustedCA: description: "trustedCA is a reference to a ConfigMap containing a CA - certificate bundle used for client egress HTTPS connections. The certificate - bundle must be from the CA that signed the proxy's certificate and - be signed for everything. The trustedCA field should only be consumed - by a proxy validator. The validator is responsible for reading the - certificate bundle from required key \"ca-bundle.crt\" and copying - it to a ConfigMap named \"trusted-ca-bundle\" in the \"openshift-config-managed\" - namespace. The namespace for the ConfigMap referenced by trustedCA - is \"openshift-config\". Here is an example ConfigMap (in yaml): \n - apiVersion: v1 kind: ConfigMap metadata: name: user-ca-bundle namespace: - openshift-config data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- - \ Custom CA certificate bundle. -----END CERTIFICATE-----" + certificate bundle. The trustedCA field should only be consumed by + a proxy validator. The validator is responsible for reading the certificate + bundle from the required key \"ca-bundle.crt\", merging it with the + system default trust bundle, and writing the merged trust bundle to + a ConfigMap named \"trusted-ca-bundle\" in the \"openshift-config-managed\" + namespace. Clients that expect to make proxy connections must use + the trusted-ca-bundle for all HTTPS requests to the proxy, and may + use the trusted-ca-bundle for non-proxy HTTPS requests as well. \n + The namespace for the ConfigMap referenced by trustedCA is \"openshift-config\". + Here is an example ConfigMap (in yaml): \n apiVersion: v1 kind: ConfigMap + metadata: name: user-ca-bundle namespace: openshift-config data: + \ ca-bundle.crt: | -----BEGIN CERTIFICATE----- Custom + CA certificate bundle. -----END CERTIFICATE-----" type: object required: - name diff --git a/config/v1/0000_10_config-operator_01_build.crd.yaml b/config/v1/0000_10_config-operator_01_build.crd.yaml index 8f758397123..f3957ce34a4 100644 
--- a/config/v1/0000_10_config-operator_01_build.crd.yaml +++ b/config/v1/0000_10_config-operator_01_build.crd.yaml @@ -89,19 +89,21 @@ spec: type: string trustedCA: description: "trustedCA is a reference to a ConfigMap containing - a CA certificate bundle used for client egress HTTPS connections. - The certificate bundle must be from the CA that signed the - proxy's certificate and be signed for everything. The trustedCA - field should only be consumed by a proxy validator. The validator - is responsible for reading the certificate bundle from required - key \"ca-bundle.crt\" and copying it to a ConfigMap named - \"trusted-ca-bundle\" in the \"openshift-config-managed\" - namespace. The namespace for the ConfigMap referenced by trustedCA - is \"openshift-config\". Here is an example ConfigMap (in - yaml): \n apiVersion: v1 kind: ConfigMap metadata: name: - user-ca-bundle namespace: openshift-config data: ca-bundle.crt: - | -----BEGIN CERTIFICATE----- Custom CA certificate - bundle. -----END CERTIFICATE-----" + a CA certificate bundle. The trustedCA field should only be + consumed by a proxy validator. The validator is responsible + for reading the certificate bundle from the required key \"ca-bundle.crt\", + merging it with the system default trust bundle, and writing + the merged trust bundle to a ConfigMap named \"trusted-ca-bundle\" + in the \"openshift-config-managed\" namespace. Clients that + expect to make proxy connections must use the trusted-ca-bundle + for all HTTPS requests to the proxy, and may use the trusted-ca-bundle + for non-proxy HTTPS requests as well. \n The namespace for + the ConfigMap referenced by trustedCA is \"openshift-config\". + Here is an example ConfigMap (in yaml): \n apiVersion: v1 + kind: ConfigMap metadata: name: user-ca-bundle namespace: + openshift-config data: ca-bundle.crt: | -----BEGIN + CERTIFICATE----- Custom CA certificate bundle. -----END + CERTIFICATE-----" type: object required: - name 
@@ -242,19 +244,21 @@ spec: type: string trustedCA: description: "trustedCA is a reference to a ConfigMap containing - a CA certificate bundle used for client egress HTTPS connections. - The certificate bundle must be from the CA that signed the - proxy's certificate and be signed for everything. The trustedCA - field should only be consumed by a proxy validator. The validator - is responsible for reading the certificate bundle from required - key \"ca-bundle.crt\" and copying it to a ConfigMap named - \"trusted-ca-bundle\" in the \"openshift-config-managed\" - namespace. The namespace for the ConfigMap referenced by trustedCA - is \"openshift-config\". Here is an example ConfigMap (in - yaml): \n apiVersion: v1 kind: ConfigMap metadata: name: - user-ca-bundle namespace: openshift-config data: ca-bundle.crt: - | -----BEGIN CERTIFICATE----- Custom CA certificate - bundle. -----END CERTIFICATE-----" + a CA certificate bundle. The trustedCA field should only be + consumed by a proxy validator. The validator is responsible + for reading the certificate bundle from the required key \"ca-bundle.crt\", + merging it with the system default trust bundle, and writing + the merged trust bundle to a ConfigMap named \"trusted-ca-bundle\" + in the \"openshift-config-managed\" namespace. Clients that + expect to make proxy connections must use the trusted-ca-bundle + for all HTTPS requests to the proxy, and may use the trusted-ca-bundle + for non-proxy HTTPS requests as well. \n The namespace for + the ConfigMap referenced by trustedCA is \"openshift-config\". + Here is an example ConfigMap (in yaml): \n apiVersion: v1 + kind: ConfigMap metadata: name: user-ca-bundle namespace: + openshift-config data: ca-bundle.crt: | -----BEGIN + CERTIFICATE----- Custom CA certificate bundle. -----END + CERTIFICATE-----" type: object required: - name diff --git a/config/v1/types_proxy.go b/config/v1/types_proxy.go index 93f4c487e49..211e501e08c 100644 --- a/config/v1/types_proxy.go 
+++ b/config/v1/types_proxy.go
@@ -41,13 +41,17 @@ type ProxySpec struct {
 // +optional
 ReadinessEndpoints []string `json:"readinessEndpoints,omitempty"`
 
- // trustedCA is a reference to a ConfigMap containing a CA certificate bundle used
- // for client egress HTTPS connections. The certificate bundle must be from the CA
- // that signed the proxy's certificate and be signed for everything. The trustedCA
- // field should only be consumed by a proxy validator. The validator is responsible
- // for reading the certificate bundle from required key "ca-bundle.crt" and copying
- // it to a ConfigMap named "trusted-ca-bundle" in the "openshift-config-managed"
- // namespace. The namespace for the ConfigMap referenced by trustedCA is
+ // trustedCA is a reference to a ConfigMap containing a CA certificate bundle.
+ // The trustedCA field should only be consumed by a proxy validator. The
+ // validator is responsible for reading the certificate bundle from the required
+ // key "ca-bundle.crt", merging it with the system default trust bundle,
+ // and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle"
+ // in the "openshift-config-managed" namespace. Clients that expect to make
+ // proxy connections must use the trusted-ca-bundle for all HTTPS requests to
+ // the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as
+ // well.
+ //
+ // The namespace for the ConfigMap referenced by trustedCA is
 // "openshift-config". Here is an example ConfigMap (in yaml):
 //
 // apiVersion: v1
diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go
index 81b5c10fb7a..982f11c0bc7 100644
--- a/config/v1/zz_generated.swagger_doc_generated.go
+++ b/config/v1/zz_generated.swagger_doc_generated.go
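Review bot: The rewritten trustedCA comment no longer says what the referenced bundle has to contain; the removed text required it to be from the CA that signed the proxy's certificate, and the new "must use the trusted-ca-bundle for all HTTPS requests to the proxy" only guarantees a verified proxy connection if that CA is actually in the bundle. Consider adding after the first sentence `// The bundle must include the CA certificate(s) needed to verify the proxy's serving certificate.` Because the merged bundle "may" also be used for non-proxy HTTPS, it is also worth stating the consequence for whoever populates the ConfigMap: every CA placed in it becomes trusted by those clients for all of their egress, so something like `// Keep the bundle minimal: clients that apply it to non-proxy traffic trust every CA it contains.` would help. The same wording is duplicated into the two CRD YAMLs and the zz_generated swagger doc in this commit, which appear to be generated from this comment, so the change belongs here followed by regeneration rather than hand edits. The ProxySpec struct this field belongs to starts and ends outside the hunk.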
@@ -1220,7 +1220,7 @@ var map_ProxySpec = map[string]string{ "httpsProxy": "httpsProxy is the URL of the proxy for HTTPS requests. Empty means unset and will not result in an env var.", "noProxy": "noProxy is a comma-separated list of hostnames and/or CIDRs for which the proxy should not be used. Empty means unset and will not result in an env var.", "readinessEndpoints": "readinessEndpoints is a list of endpoints used to verify readiness of the proxy.", - "trustedCA": "trustedCA is a reference to a ConfigMap containing a CA certificate bundle used for client egress HTTPS connections. The certificate bundle must be from the CA that signed the proxy's certificate and be signed for everything. The trustedCA field should only be consumed by a proxy validator. The validator is responsible for reading the certificate bundle from required key \"ca-bundle.crt\" and copying it to a ConfigMap named \"trusted-ca-bundle\" in the \"openshift-config-managed\" namespace. The namespace for the ConfigMap referenced by trustedCA is \"openshift-config\". Here is an example ConfigMap (in yaml):\n\napiVersion: v1 kind: ConfigMap metadata:\n name: user-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |", + "trustedCA": "trustedCA is a reference to a ConfigMap containing a CA certificate bundle. The trustedCA field should only be consumed by a proxy validator. The validator is responsible for reading the certificate bundle from the required key \"ca-bundle.crt\", merging it with the system default trust bundle, and writing the merged trust bundle to a ConfigMap named \"trusted-ca-bundle\" in the \"openshift-config-managed\" namespace. Clients that expect to make proxy connections must use the trusted-ca-bundle for all HTTPS requests to the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as well.\n\nThe namespace for the ConfigMap referenced by trustedCA is \"openshift-config\". 
Here is an example ConfigMap (in yaml):\n\napiVersion: v1 kind: ConfigMap metadata:\n name: user-ca-bundle\n namespace: openshift-config\n data:\n ca-bundle.crt: |", } func (ProxySpec) SwaggerDoc() map[string]string {