Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add RSA support to TLS libraries #3131

Closed
alpeb opened this issue Jul 24, 2019 · 0 comments · Fixed by #3135
Closed

Add RSA support to TLS libraries #3131

alpeb opened this issue Jul 24, 2019 · 0 comments · Fixed by #3135
Assignees
@alpeb
Labels
area/controller priority/P0 Release Blocker

Comments

@alpeb
Copy link
Member

alpeb commented Jul 24, 2019

Refactor the TLS libraries relied upon by the proxy-injector and sp-validor webhooks to have them work with RSA as well (they currently only deal with EC)
This was referenced Jul 24, 2019
Closed
Closed
@alpeb alpeb added the priority/P0 Release Blocker label Jul 24, 2019
@alpeb alpeb self-assigned this Jul 24, 2019
alpeb added a commit that referenced this issue Jul 24, 2019
@alpeb
Add RSA support to TLS libraries
3c8b794 
Fixes #3131

Wrapped private keys into either `PrivateKeyEC` or `PrivateKeyRSA` to
provide different certificate matching logic and marshaling depending on
the block type.

You can test having an RSA cert for the proxy injector by applying this
patch:

```diff
$ diff -u chart/templates/proxy_injector-rbac.yaml ~/tmp/proxy_injector-rbac.yaml
--- chart/templates/proxy_injector-rbac.yaml    2019-07-24 14:34:43.570616936 -0500
+++ /home/alpeb/tmp/proxy_injector-rbac.yaml    2019-07-24 13:41:03.150285099 -0500
@@ -1,4 +1,5 @@
 {{with .Values -}}
+{{- $ca := genCA "linkerd-proxy-injector.linkerd.svc" 365 -}}
 ---
 ###
 ### Proxy Injector RBAC
@@ -60,8 +61,8 @@
     {{ .CreatedByAnnotation }}: {{ .CliVersion }}
 type: Opaque
 data:
-  crt.pem: {{ b64enc .ProxyInjector.CrtPEM }}
-  key.pem: {{ b64enc .ProxyInjector.KeyPEM }}
+  crt.pem: {{ b64enc $ca.Cert }}
+  key.pem: {{ b64enc $ca.Key }}
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
@@ -81,7 +82,7 @@
       name: linkerd-proxy-injector
       namespace: {{ .Namespace }}
       path: "/"
-    caBundle: {{ b64enc .ProxyInjector.CrtPEM }}
+    caBundle: {{ b64enc $ca.Cert }}
   failurePolicy: {{ .WebhookFailurePolicy }}
   rules:
   - operations: [ "CREATE" ]
```

This will replace the logic to generate the cert with a call to Helm's
`genCA`, which uses RSA.

Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
@alpeb alpeb mentioned this issue Jul 24, 2019
Merged
alpeb added a commit that referenced this issue Jul 26, 2019
@alpeb
Add RSA support to TLS libraries (#3135)
19a8c72 
* Add RSA support to TLS libraries

Fixes #3131

Wrapped private keys into either `PrivateKeyEC` or `PrivateKeyRSA` to
provide different certificate matching logic and marshaling depending on
the block type.

You can test having an RSA cert for the proxy injector by applying this
patch:

```diff
$ diff -u chart/templates/proxy_injector-rbac.yaml ~/tmp/proxy_injector-rbac.yaml
--- chart/templates/proxy_injector-rbac.yaml    2019-07-24 14:34:43.570616936 -0500
+++ /home/alpeb/tmp/proxy_injector-rbac.yaml    2019-07-24 13:41:03.150285099 -0500
@@ -1,4 +1,5 @@
 {{with .Values -}}
+{{- $ca := genCA "linkerd-proxy-injector.linkerd.svc" 365 -}}
 ---
 ###
 ### Proxy Injector RBAC
@@ -60,8 +61,8 @@
     {{ .CreatedByAnnotation }}: {{ .CliVersion }}
 type: Opaque
 data:
-  crt.pem: {{ b64enc .ProxyInjector.CrtPEM }}
-  key.pem: {{ b64enc .ProxyInjector.KeyPEM }}
+  crt.pem: {{ b64enc $ca.Cert }}
+  key.pem: {{ b64enc $ca.Key }}
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
@@ -81,7 +82,7 @@
       name: linkerd-proxy-injector
       namespace: {{ .Namespace }}
       path: "/"
-    caBundle: {{ b64enc .ProxyInjector.CrtPEM }}
+    caBundle: {{ b64enc $ca.Cert }}
   failurePolicy: {{ .WebhookFailurePolicy }}
   rules:
   - operations: [ "CREATE" ]
```

This will replace the logic to generate the cert with a call to Helm's
`genCA`, which uses RSA.

Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 17, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@alpeb alpeb

Labels
area/controller priority/P0 Release Blocker
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add RSA support to TLS libraries linkerd/linkerd2
1 participant
@alpeb