-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New version of Bundle API #242
Comments
@erikgb We created a The operator for the bundler reads sources, builds PEM & JKS bundles and then creates 1. Append CertificatesThe status of 2. Filter Expired CertificatesDuring reconciliation, when building the certificate bundle, any expired certificates are excluded. Additionally, we schedule an appropriately timed reconciliation if any certificates expire sooner than the normal 10hour drift reconcile. 3. DeduplicationDuplicate certificates are removed by comparing ImplementationOur actual implementation goes like this:
Taken together these features allow rotation in almost any form without any extra work; specifically simple reissues and key rotations. It works for cross signing as well by using multiple sources (although we currently don't have that setup or test it). ExampleA bundler is created with a single source secret generated by cert-manager's issuance of a Clusters can use Reloader, wave or similar to detect changes in the bundle Back to trust-managerWhat are your thoughts on including these features in trust-manager? These features could be behind a feature flag or flags but it seems like sensible default behavior without really affecting current functionality. |
@kdubb This looks very interesting. It's late here, so I will only answer shortly now.
Pretty sure @SgtCoDFish should read ☝️. |
This is missing from my explanation. If the source is removed, the certs it contributed are explicitly removed during reconciliation. If you had a compromised, or otherwise invalid, certificate you can immediately reissue by deleting and re-creating the certificate.
The goal with the bundler isn't an accurate depiction of sources but rather a "correct" depiction of trust, while supporting rotation. |
The idea for this came from production topic cert-manager integration ntentionally copying CA Certificates If you think about it, we're doing this. We're just copying it to the status field of the bundler and automating it. |
Super interesting to read, thanks @kdubb ! The implementation of "remembering" previously trusted CAs has (sort of) been discussed before, some of that in #144 (which proposes a different method - I'm linking that issue for visibility). I definitely see the benefit of it - it obviously helps with rotation. My immediate concern with "remembering" certs is that it doesn't generalise to multiple clusters in a predictable way. The semantics of a trust-manager Bundle today are crystal clear: you'll get a de-duped list of all CA certificates present in all sources. Different sources means different bundles, but if the sources are identical across 10 clusters the bundle will be identical too. If we add caching or "remembering", then the exact same bundle spec changes in meaning after it's been deployed. The longer it lives, the more it remembers and if it's deleted and recreated it won't be the same. A bundle created before a rotation trusts more than a bundle created after a rotation. I think the behaviour that the semantics don't change over time is valuable to preserve, and I'd be nervous about adding this kind of thing to the CRD for that reason. My gut reaction is that an external tool which watches a resource and tracks changes in it in a new resource would be the way to go. E.g. my watcher component is set to watch the key "tls.crt" in Secret A. Every time Secret A is changed, the watcher reads "tls.crt" and appends the value to the ConfigMap "my-history". "my-history" could then by used as a trust-manager source. I'd be interested to hear your thoughts on that! |
This is a total drive-by comment, but I wouldn't personally go for this approach. Comparing any of these attributes ignores the signature on the cert, which is by far the most important thing for determining uniqueness. It's perfectly possible for two certs to have the same issuer, subject and serial number yet for them to be signed by different private keys. Comparing on those attributes means that if an attacker can create a CA which looks like yours but with a different private key and they can get it into your trust store, your cert might be deduped rather than theirs. TBH if an attacker gets a cert into your trust bundle it's game over anyway, but at the end of the day you'd be de-duping a cert that wasn't a dupe! The safest way to de-dupe is to use the fingerprint (hash of the entire cert). That's what trust-manager does: https://github.com/cert-manager/trust-manager/blob/01bd331abb8ee071025e2b8989930a2eb3b1d8e9/pkg/util/cert_pool.go I'd strongly suggest changing your de-duplication logic as a priority to compare hashes! |
First, a bit of background, the name
This is exactly what a
This seems to be adding a second step with more configuration to achieve a similar result. I'm fine with the idea but it seems like your "watcher" is just our As you eluded to, I can agree some really advanced setups might use a That being said, I think a lot of users would be more easily served by not requiring the use of both a The end result would to have a |
Thank you so much for this information. I was already questioning whether we were using the correct deduplication "key" and your suggestion makes total sense. I will correct this in our implementation. |
Alternatively, a Edit: Upon reflection and looking at our code, the name |
@erikgb, we've run into a specific issue with an expired certificate as relates to: The current cert-manager-package-debian container image includes an expired cert which triggers this problem:
This version of debian does not appear to be maintaining the ca-certificates package:
We should either upgrade to debian bookworm per #183 (which appears to have much more current ca bundles), or have a way to filter out expired CA certs. |
@nan-coupa, thanks for your comment, but is it relevant for a new API version? We have #183 suggesting a system bundle based on Debian bookworm. Removing expired certificates from the trust bundle as an opt-in sounds good to me - do you mind opening an issue for it? I think this has been mentioned/discussed in another issue/PR in this project, but right now I cannot find it. 🤔 @SgtCoDFish WDYT? |
@erikgb, I commented on this ticket directly because it mentioned how to handle expired certificates and you asked in an earlier comment:
I can create a new issue if you still think it should be separated rather than discussed here. |
Ahhh, thanks! I wasn't smart enough to search within this issue. 🙈 This comment was added in the context of the |
I've created #272 to track potentially filtering out expired certs - I see the use case! |
Issues go stale after 90d of inactivity. |
/remove-lifecycle stale |
We have already discussed some breaking changes we are considering making to the Bundle API. This issue is proposed as an umbrella issue to agree on what to do and how to proceed. Browsing through our currently open issues, I can find the following candidates:
Bundle
for X.509 Certificates #44Our first decision should be if we want to do #63 - as it suggests renaming the kind from
Bundle
toClusterBundle
. And AFAIK it is not possible to have any conversion webhook to convert between kinds. A conversion webhook can only convert between versions of the same kind. Doing #63 will create space to eventually fix #131 in the future. I am not saying we should do #131, but without #63 it will not be possible to do #131 with good naming of resources. If we decide to go for a new kind, I think we should try to keep both kinds around for a couple of releases - to allow users to migrate.Over to how I think we should introduce a version (or kind). Either way, I suggest starting by introducing a new version (in a dedicated PR) as an exact copy of the existing API version - making the new version unserved. As long as the new version is unserved we can now proceed with changing the new version (and/or kind) in multiple follow-up PRs - without blocking for releases of trust-manager.
The text was updated successfully, but these errors were encountered: