tls: Generate TLS assets through dependency graph

[yifan-gu]

• Created CertKey type that implements the asset interface.
• Pulling the tls asset generation logic from /installer/pkg/config-generator/tls.go

[wking]

I'd rather use separate assets for the key and the cert. I guess most folks who want to bring their own keys will also bring their own certs, but having separate assets would support us cert'ing folks who bring only their own keys. A potentially more-useful reason for splitting certs from keys is that we could recycle keys and only rebuild certs if something feeding the cert changed (e.g. the DNS names because the user decided to change that config and rebuild their assets).

[yifan-gu]

I don't think we support user provided key/certs?
cc @crawford @abhinavdahiya @aaronlevy @smarterclayton

[aaronlevy]

In Tectonic we were going to target just allowing a user to show up with a CA (or assets to generate intermediate CA), but that was it (they wouldn't get to provide component level certificates).

I don't know if that's acceptable from the Openshift product side. IMO letting user provide component level certs is just asking for them to mess it up (and rotation may not work as expected). But I've heard various things across the spectrum in various meetings, from:

• We generate everything (offline root + in-cluster CA). No option to customize
• We generate everything, but a user can provide is a CSR endpoint that we can use to ask for an in-cluster CA (and we'd plug endpoint into installer).
• User can provide cluster-CA or root CA used to generating cluster-CA (a-la Tectonic plans).
• User can provide all component certs.

@smarterclayton / @eparis -- any specific constraints here we should be working from? My position is going to be the less options we provide (and the more we control) the better - but not always realistic.

[wking]

I don't see you setting this false anywhere:

$ git grep AppendParent origin/pr/145
origin/pr/145:pkg/asset/tls/certkey.go: AppendParent bool // Whether append the parent CA in the cert.
origin/pr/145:pkg/asset/tls/certkey.go:         key, crt, err = generateCert(caKey, caCert, cfg, c.AppendParent)
origin/pr/145:pkg/asset/tls/variables.go:               AppendParent: true,
origin/pr/145:pkg/asset/tls/variables.go:               AppendParent:   true,
origin/pr/145:pkg/asset/tls/variables.go:               AppendParent:   true,
origin/pr/145:pkg/asset/tls/variables.go:               AppendParent: true,

Can we drop it?

[yifan-gu]

For CAs I didn't set it so it's default to false, I can set it to false explicitly.

[wking]

For CAs I didn't set it...

Ah, that explains my grep. Can we just use !IsCA then, or do we need to toggle this independently sometimes?

[abhinavdahiya]

only server certs need to append the signing CA; client certs don't need append.

Also, IsCA vs IsRoot ?

https://github.com/openshift/library-go/blob/master/pkg/crypto/crypto.go

[wking]

only server certs need to append the signing CA; client certs don't need append.

Can we distinguish that using ExtKeyUsageClientAuth?

Also, IsCA vs IsRoot ?

Won't root just be "IsCA set, but ParentCA unset"?

[yifan-gu]

The IsCA boolean is required by the x509.Certificate type.

Can we distinguish that using ExtKeyUsageClientAuth?

Seems we can't, the apiserver-proxy cert still has ExtKeyUsageClientAuth but it doesn't have the AppendParent

BTW, I split the root into a separate type as it shares less code with others.

[wking]

This seems to be unused.

[yifan-gu]

it's used by the kubelet cert

[wking]

If everyone is using 10-years for this, we can drop this knob to simplify the structure.

[wking]

If everyone is using 10-years for this...

They aren't, so this property is fine as it stands.

[wking]

How important is it to vary OrganizationalUnit? I'd expect that CommonName is sufficient context and we can just hard-code []string{"openshift"} for this in your cert-Asset method (instead of having it configurable via a cert-Asset-struct property).

[abhinavdahiya]

👍

[yifan-gu]

Hmm, there's also Organization field, I am not sure what's the best way of dealing with all those, so maybe just leave as is for now, and we can refactor later?

[wking]

I expect we can generate these filenames from the subject common name, in which case they don't have to be part of our CertKey config. For an example in my mockup, see here (my Assets have names, so getting the asset filename is a generic Asset method, not a TLS-specific method).

[yifan-gu]

good point.

[yifan-gu]

@wking After a second look, seems like we have some tls assets whose subject name is not a fixed value (e.g. tnc, ingress), so might just keep as is unless you feel strong about it.

[yifan-gu]

I think many packages will need to perform this. so either move it to a common helpfer func (ideally it can just take the asset.State and iterate over the contents) or make the Store to do it? But I am aware that some targets won't need to write stuff into disk (e.g. the targetable assets like Cluster)

[wking]

But I am aware that some targets won't need to write stuff into disk (e.g. the targetable assets like Cluster)

I think we should just write all the assets to disk. It should help with reloading from disk for regeneration (or for generating the next asset group). And even if an asset will never be needed again, disk space isn't that expensive ;)

[yifan-gu]

@wking I know, by targetable assets I mean things like Cluster, Manifests which are not the actual assets, they just represent a group of assets, so they don't have any content to write.

[wking]

... by targetable assets I mean things like Cluster, Manifests which are not the actual assets, they just represent a group of assets, so they don't have any content to write.

I'd rather not create pseudo-assets for grouping.

[yifan-gu]

that's already part of the dependency graph, it's meant to be the entrypoint for different stages of the installer, so that users can insert their customization.
The installer's subcommands (openshift-install installconfig, openshift-install ignition) also correspond to these targets.

[abhinavdahiya]

@wking PTAL (all green)

[wking]

It looks like you're ignoring an error here. Can you replace this with:

installConfigState, err := installConfig.Generate(nil)
if err != nil {
  t.Fatal(err)
}

[yifan-gu]

yeah cuz it's fake install config, but I added anyway.

[wking]

Ok, I've got just the three nits (which I'm fine punting on or handling in this PR), and the golint errors (which I think we should fix before merging). Once we get the golint issues fixed I'll /lgtm.

[yifan-gu]

/lint

[openshift-ci-robot]

@yifan-gu: 2 unresolved warnings and 4 new warnings.

Details

In response to this:

/lint

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

Golint comments: should have a package comment, unless it's in another file for this package. More info.

[wking]

Golint comments: should have a package comment, unless it's in another file for this package.

I think this is just a limitation of the golint plugin, because you have package docs in a sibling file:

$ git grep '// Package tls ' 0a7e6f4 -- pkg/asset/tls
0a7e6f4:pkg/asset/tls/doc.go:// Package tls defines and generates the tls assets based on its dependencies.

And the golint Prow job is happy, so I don't think we need to worry about these.

[openshift-ci-robot]

Golint comments: should have a package comment, unless it's in another file for this package. More info.

[openshift-ci-robot]

Golint comments: should have a package comment, unless it's in another file for this package. More info.

[openshift-ci-robot]

Golint comments: exported const ValidityTenYears should have comment (or a comment on this block) or be unexported. More info.

[yifan-gu]

/lint

[openshift-ci-robot]

@yifan-gu: 5 unresolved warnings and 0 new warnings.

Details

In response to this:

/lint

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[wking]

The go-vet errors are:

# github.com/openshift/installer/pkg/asset/tls
pkg/asset/tls/certkey_test.go:77:20: undefined: validityTenYears
pkg/asset/tls/certkey_test.go:94:21: undefined: validityTenYears
pkg/asset/tls/certkey_test.go:116:21: undefined: validityTenYears
# github.com/openshift/installer/installer/pkg/config-generator
installer/pkg/config-generator/generator_test.go:134:13: undefined: validityTenYears
installer/pkg/config-generator/generator_test.go:154:19: undefined: validityTenYears

You probably need to convert to the new public versions there too.

[wking]

nit: add a trailing period. From here:

Notice this comment is a complete sentence that begins with the name of the element it describes.

[wking]

nit: "key/cert" -> "key".

[yifan-gu]

It is generating both public and private key pair, why just saying "key"?

[wking]

It is generating both public and private key pair, why just saying "key"?

Making a "key/cert" -> "key" replacement will leave us with "...generates the service-account key pair.". I'm fine if you want to call out public/private as well, but I don't want to claim there's a cert involved.

[yifan-gu]

updated

[wking]

nit: "key/cert" -> "key".

[wking]

/lgtm

/wking crosses his fingers for the e2e and smoke tests ;)

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wking, yifan-gu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [wking,yifan-gu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment