
Add Certificate Hash #6155

Draft: wants to merge 1 commit into base: master
Conversation

inteon
Member

@inteon inteon commented Jun 14, 2023

Replace all current matching logic with a simple Certificate Hash that can be used to detect if the Certificate resource changed after the Secret was created/updated.

The main goal of this PR is to be able to determine if a Secret is up-to-date for the specified Certificate resource without requiring CertificateRequest resources to exist. In the long term, this logic will replace existing matching logic and simplify the change detection mechanisms.

  • We cannot use the issued certificate blob in the Secret to determine if the Certificate resource is up-to-date, because the CA might have issued a Certificate that does not match the properties requested in the Certificate resource.
  • Instead, we add a hash to each Secret. This hash is created when the Secret is created and is based on the Certificate that requested the certificate in the Secret. The hash also adds parity bits to detect what field changed in case we detect a change.

Kind

/kind feature

Release Note

NONE
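The change-detection idea from the description above, as an added illustration in Go that is not the PR's code: a per-field digest of the Certificate spec is stored on the Secret at issuance and later compared with the current spec to decide whether the Secret is still up to date and which field drifted, without any CertificateRequest. The spec shape, field names and digest format are assumptions, not cert-manager's; values inside referenced Secrets (such as a keystore password) are deliberately outside this hash.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// CertificateSpec is a hypothetical stand-in for the Certificate spec fields that drive
// issuance. Contents of referenced Secrets (e.g. a keystore password) are not hashed.
type CertificateSpec map[string]any

// fieldDigests hashes each field on its own, so a comparison can name the changed field.
func fieldDigests(spec CertificateSpec) map[string]string {
	out := map[string]string{}
	for name, v := range spec {
		b, _ := json.Marshal(v) // deterministic for strings, numbers and slices
		out[name] = fmt.Sprintf("%x", sha256.Sum256(b))[:12]
	}
	return out
}

// CertificateHash is the value stored on the Secret at issuance: sorted "field=digest" pairs.
func CertificateHash(spec CertificateSpec) string {
	var parts []string
	for name, h := range fieldDigests(spec) {
		parts = append(parts, name+"="+h)
	}
	sort.Strings(parts)
	return strings.Join(parts, ",")
}
// ChangedFields names the spec fields whose digest differs from, or is missing in, the
// stored hash; empty means the Secret is up to date. A blank stored value reports all fields.
func ChangedFields(stored string, spec CertificateSpec) []string {
	old := map[string]string{}
	for _, kv := range strings.Split(stored, ",") {
		name, h, _ := strings.Cut(kv, "=")
		old[name] = h
	}
	var changed []string
	for name, h := range fieldDigests(spec) {
		if old[name] != h {
			changed = append(changed, name)
		}
	}
	sort.Strings(changed)
	return changed
}
```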

@jetstack-bot
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@jetstack-bot jetstack-bot added kind/feature Categorizes issue or PR as related to a new feature. release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. area/api Indicates a PR directly modifies the 'pkg/apis' directory approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 14, 2023
@jetstack-bot jetstack-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 23, 2023
@jetstack-bot jetstack-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jul 4, 2023
@jetstack-bot jetstack-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 24, 2023
@jetstack-bot jetstack-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 18, 2023
@jetstack-bot
Collaborator

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from inteon. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 18, 2023
@inteon inteon changed the title Add Certificate Hash WIP: Add Certificate Hash Oct 18, 2023
@inteon inteon marked this pull request as ready for review October 18, 2023 11:56
@inteon inteon force-pushed the improve_policy_chain_v1 branch 2 times, most recently from e5874ac to 94d574b Compare October 21, 2023 17:12
@jetstack-bot jetstack-bot added area/acme Indicates a PR directly modifies the ACME Issuer code area/testing Issues relating to testing labels Oct 21, 2023
@inteon inteon added this to the 1.14 milestone Oct 21, 2023
@jetstack-bot jetstack-bot added dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. and removed dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels Oct 22, 2023
@jetstack-bot jetstack-bot removed the dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. label Oct 22, 2023
@inteon inteon requested a review from wallrj November 2, 2023 12:15
@inteon inteon marked this pull request as draft November 13, 2023 17:01
@jetstack-bot jetstack-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 13, 2023
@wallrj wallrj removed their request for review November 15, 2023 16:58
@inteon inteon removed this from the 1.14 milestone Dec 18, 2023
@jetstack-bot jetstack-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 4, 2024
@jetstack-bot jetstack-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 7, 2024
@inteon inteon force-pushed the improve_policy_chain_v1 branch 2 times, most recently from 6f2f221 to 7bc54a7 Compare January 7, 2024 21:04
@jetstack-bot jetstack-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 10, 2024
@jetstack-bot jetstack-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 3, 2024
@inteon inteon force-pushed the improve_policy_chain_v1 branch 3 times, most recently from 00a0b68 to dc51ab4 Compare February 5, 2024 13:38
@jetstack-bot jetstack-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 20, 2024
@jetstack-bot jetstack-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 4, 2024
@inteon
Member Author

inteon commented Mar 4, 2024

/ok-to-test

@jetstack-bot
Collaborator

@inteon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cert-manager-master-make-test 9add564 link true /test pull-cert-manager-master-make-test
pull-cert-manager-master-e2e-v1-28 9add564 link true /test pull-cert-manager-master-e2e-v1-28

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@wallrj wallrj linked an issue Mar 5, 2024 that may be closed by this pull request
@stephenc

stephenc commented Mar 5, 2024

Will this address the case where the keystore password secret has changed and thus the keychain needs to be regenerated with the new secret, e.g.

apiVersion: cert-manager.io/v1
kind: Certificate
...
spec:
  ...
  keystores:
    jks:
      create: true
      passwordSecretRef:
        name: some-other-secret-name
        key: "jks-password"                        # <- i.e. if the value of this key in the `some-other-secret-name` secret has changed

Note: obviously if I change the certificate's .spec.keystores.jks.passwordSecretRef.key to a-different-key then the hash will change, but the hash should also include the existence of the secret referenced by .spec.keystores.jks.passwordSecretRef.name as well as the value of the key within that secret (modulo some way of not leaking the value of the secret through the hash)

@inteon
Member Author

inteon commented Apr 13, 2024

Will this address the case where the keystore password secret has changed and thus the keychain needs to be regenerated with the new secret, e.g.

apiVersion: cert-manager.io/v1
kind: Certificate
...
spec:
  ...
  keystores:
    jks:
      create: true
      passwordSecretRef:
        name: some-other-secret-name
        key: "jks-password"                        # <- i.e. if the value of this key in the `some-other-secret-name` secret has changed

Note: obviously if I change the certificate's .spec.keystores.jks.passwordSecretRef.key to a-different-key then the hash will change, but the hash should also include the existence of the secret referenced by .spec.keystores.jks.passwordSecretRef.name as well as the value of the key within that secret (modulo some way of not leaking the value of the secret through the hash)

The issue you are describing will not be fixed by this PR. This PR is trying to improve the ReadinessPolicyChain and TriggerPolicyChain.
To fix the issue you are describing, the SecretPostIssuancePolicyChain should be improved, more particularly the SecretKeystoreFormatMismatch function.

@cert-manager-prow cert-manager-prow bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 29, 2024
@cert-manager-prow
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@cert-manager-prow
Contributor

@inteon: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cert-manager-master-make-verify 28fed1f link true /test pull-cert-manager-master-make-verify
pull-cert-manager-master-e2e-v1-30-upgrade 28fed1f link true /test pull-cert-manager-master-e2e-v1-30-upgrade
pull-cert-manager-master-e2e-v1-30 28fed1f link true /test pull-cert-manager-master-e2e-v1-30

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Development

Successfully merging this pull request may close these issues.

Certificate secrets are not recreated when critical fields change