Regenerate certificates to use SANs instead of Common Name

[albertteoh]

Signed-off-by: albertteoh albert.teoh@logz.io

Which problem is this PR solving?

Proposed fix to a failing test caused by Go 1.15 dropping support for Common Names.

Please let me know if there is a better way of generating certs using SANs or if any configurations appear spurious, as this is pretty new to me.

Closes #2435

Short description of the changes

• Regenerate certificates using Subject Alternative Names as per the recommendation in crypto/x509: Go 1.15 will break default connections to AWS RDS golang/go#39568 (comment).
• Update README with instructions to generate the current set of certificates.
• Add a copy of existing Travis jobs to be executed against Go 1.15 to avoid introduced regressions.

[albertteoh]

I wasn't able to get matrix expansion working here, but figured it's pretty important to avoid silent regressions on Go 1.15 builds.

Was hoping we could simply add:

go:
- 1.14.x
- 1.15.x

and remove the references to 1.14.x in the matrix.include list, but it seems go can't be expanded into the matrix.

Suggestions welcome!

[yurishkuro]

Since the build now passes for 1.15, I suggest we just update 1.14 -> 1.15, instead of duplicating (the CI already runs for too long, we don't have capacity to double the number of steps).

We may want to add one extra step to run unit tests & lint with go tip (but I would do it in a separate PR).

[albertteoh]

Okay, updated to 1.15.
Where can I learn more about "go tip"?

[yurishkuro]

I've seen it used elsewhere, e.g. https://github.com/opentracing/opentracing-go/blob/d34af3eaa63c4d08ab54863a4bdd0daa45212e12/.travis.yml#L7

[albertteoh]

Would an additional "tip" build version result in doubling the number of steps (1.15 + tip)?

[codecov]

Codecov Report

Merging #2461 into master will increase coverage by 0.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #2461      +/-   ##
==========================================
+ Coverage   95.57%   95.59%   +0.01%     
==========================================
  Files         208      208              
  Lines       10690    10690              
==========================================
+ Hits        10217    10219       +2     
+ Misses        401      399       -2     
  Partials       72       72              

Impacted Files	Coverage Δ
...lugin/sampling/strategystore/adaptive/processor.go	100.00% <0.00%> (+0.79%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5508165...f361cda. Read the comment docs.

[yurishkuro]

just curious:

• couldn't we just move all of this into a script, instead of a run book?
• is there a flag to for "accept defaults" to make the script even less interactive?

[albertteoh]

Good point, and yes, there's a way to accept defaults. I've modified this README file into a bash script.

[yurishkuro]

Since the build now passes for 1.15, I suggest we just update 1.14 -> 1.15, instead of duplicating (the CI already runs for too long, we don't have capacity to double the number of steps).

We may want to add one extra step to run unit tests & lint with go tip (but I would do it in a separate PR).

[yurishkuro]

perhaps instead of writing to the current dir (and accidentally checking in), we could use temp dir

tmp_dir=$(mktemp -d -t certificates)
clean_up () {
    ARG=$?
    rm -rf $tmp_dir
    exit $ARG
} 
trap clean_up EXIT

[yurishkuro]

how about writing PEM files into $tmp_dir and then copying into the right place in the source tree?

[yurishkuro]

should this be exit -1 instead?

[albertteoh]

I believe negative numbers are not supported as return codes in bash. But good catch that it should return a non-0 return code.

return was intentional because this script is sourced, which means it runs within the parent shell.

The added benefit of source-ing is that the set -ex that you suggested above will also apply in this script so commands in this script are printed to STDOUT and will also trigger an early exit if something fails.

If developers want to call this script separately, it can be run with source gen-ssl-conf.sh <args...>.

[yurishkuro]

I would keep the README with some basic instruction how to regenerate certificates, preferably via a make command.

[albertteoh]

README.md and Makefile added.

[yurishkuro]

I was actually referring to the main Makefile. If it's just in this dir then I would simply provide instructions for running the script directly.

[yurishkuro]

I was actually referring to the main Makefile. If it's just in this dir then I would simply provide instructions for running the script directly.

[yurishkuro]

🎉 🎉 🎉

[yurishkuro]

one of the commits is not signed (probably the merge). You may want to squash into one:

https://github.com/jaegertracing/jaeger/blob/master/CONTRIBUTING_GUIDELINES.md#missing-sign-offs