Skip to content

tls: remove serving capability from deprecated apiserver cert, also fix Complete ClientCA bundle for apiserver #1640

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-robot merged 2 commits into from
Apr 18, 2019
Merged

tls: remove serving capability from deprecated apiserver cert, also fix Complete ClientCA bundle for apiserver #1640

openshift-merge-robot merged 2 commits into from
Apr 18, 2019

Conversation

@deads2k
Copy link
Contributor

@deads2k deads2k commented Apr 17, 2019

The kubelet terminates mTLS to determine the identity of the caller. This fixes the combined client bundle that can provide a stepping stone to getting the kubelet restricting properly.

@sjenning as we discussed yesterday
/assign @wking

@deads2k
tls: shrink tls surface area
5ec6e78 
As we're fixing the kubelet TLS files, we've noticed places that are over-signing
and trusting the wrong thing.  This updates the next case we can use to ratchet
the fixes into the MCO.
@openshift-ci-robot openshift-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Apr 17, 2019
deads2k
deads2k commented Apr 17, 2019
View reviewed changes
pkg/asset/tls/apiserver.go Outdated
Copy link
Contributor Author

@deads2k deads2k Apr 17, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We've ratcheted through changes in kas-o, mco, kubelet, kas-o, and now we can fix this. It's never used to serve anymore

deads2k
deads2k commented Apr 17, 2019
View reviewed changes
pkg/asset/tls/apiserver.go Outdated
Copy link
Contributor Author

@deads2k deads2k Apr 17, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This prevents kas-o from rotating client cert/key pairs.

deads2k
deads2k commented Apr 17, 2019
View reviewed changes
pkg/asset/tls/apiserver.go Outdated
Copy link
Contributor Author

@deads2k deads2k Apr 17, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sjenning this is the one it is legal to depend upon.

@abhinavdahiya
Copy link
Contributor

abhinavdahiya commented Apr 17, 2019

This removes usages from a deprecated cert ?

@deads2k
Copy link
Contributor Author

deads2k commented Apr 17, 2019

This removes usages from a deprecated cert ?

Yeah, tightening things up so they can't grow back while we're working out full removal.

@wking
Copy link
Member

wking commented Apr 18, 2019

Not very clear to me, but it's been open for a while, and CI is green, so:

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Apr 18, 2019
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Apr 18, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 18, 2019
@abhinavdahiya
Copy link
Contributor

abhinavdahiya commented Apr 18, 2019

/hold

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 18, 2019
@abhinavdahiya
Copy link
Contributor

abhinavdahiya commented Apr 18, 2019

Just wanna take a quick look. Will hold cancel asap

abhinavdahiya
abhinavdahiya reviewed Apr 18, 2019
View reviewed changes
pkg/asset/tls/apiserver.go
// Generate generates the cert/key pair based on its dependencies.
func (a *APIServerCertKey) Generate(dependencies asset.Parents) error {
kubeCA := &KubeCA{}
installConfig := &installconfig.InstallConfig{}
Copy link
Contributor

@abhinavdahiya abhinavdahiya Apr 18, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you should also drop the dependency from https://github.com/openshift/installer/pull/1640/files#diff-c7316d3d0bee102140cf53dc3ae5edf9R27

@abhinavdahiya abhinavdahiya changed the title kubelet client-ca tls: remove serving capability from deprecated apiserver cert, also fix Complete ClientCA bundle for apiserver Apr 18, 2019
@abhinavdahiya
Copy link
Contributor

abhinavdahiya commented Apr 18, 2019

#1640 (comment) is non-blocking.
i'll take a todo to fix this in another PR.

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 18, 2019
@openshift-merge-robot openshift-merge-robot merged commit 7aea0d5 into openshift:master Apr 18, 2019
@sjenning sjenning mentioned this pull request Apr 18, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@flaper87 flaper87 Awaiting requested review from flaper87

@steveej steveej Awaiting requested review from steveej

1 more reviewer

@abhinavdahiya abhinavdahiya abhinavdahiya left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@wking wking

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@deads2k @abhinavdahiya @wking @openshift-ci-robot @openshift-merge-robot