Ensuring root rotation works #1768
Conversation
| Cert []byte | ||
| Pool *x509.CertPool | ||
| // Digest of the serialized bytes of the certificate | ||
| Digest digest.Digest | ||
| // This signer will be nil if the node doesn't have the appropriate key material | ||
| Signer cfsigner.Signer | ||
| // Stores the location on disk where the RootCA lives |
There was a problem hiding this comment.
Path stores the location...
Current coverage is 55.06% (diff: 69.38%)@@ master #1768 diff @@
==========================================
Files 102 102
Lines 16854 16873 +19
Methods 0 0
Messages 0 0
Branches 0 0
==========================================
+ Hits 9245 9291 +46
+ Misses 6459 6420 -39
- Partials 1150 1162 +12
|
| @@ -545,9 +574,9 @@ func CreateRootCA(rootCN string, paths CertPaths) (RootCA, error) { | |||
|
|
|||
| // GetRemoteSignedCertificate submits a CSR to a remote CA server address, | |||
| // and that is part of a CA identified by a specific certificate pool. | |||
| func GetRemoteSignedCertificate(ctx context.Context, csr []byte, rootCAPool *x509.CertPool, config CertificateRequestConfig) ([]byte, error) { | |||
| func GetRemoteSignedCertificate(ctx context.Context, csr []byte, rootCAPool *x509.CertPool, config CertificateRequestConfig) ([]byte, []byte, error) { | |||
There was a problem hiding this comment.
Maybe this should just return the NodeCertificateStatusResponse.
| // However, there might have been a server-side root rotation, so we verify this cert with a new pool. | ||
| // If we got a valid rootCABundle, turn it into a Pool, and verify the newly minted certificate using it. | ||
| rootCAPool := rca.Pool | ||
| newRootCA, newRootErr := NewRootCA(rootCABundle, nil, rca.Path, time.Minute) |
There was a problem hiding this comment.
Shouldn't all this be conditional on rootCABundle not being empty?
There was a problem hiding this comment.
Also, is it possible to skip all this, particularly saving the root CA cert to disk, if the received bundle is identical to what we already have?
| Certificate: &node.Certificate, | ||
| Status: &node.Certificate.Status, | ||
| Certificate: &node.Certificate, | ||
| RootCABundle: s.securityConfig.RootCA().Cert, |
There was a problem hiding this comment.
Not sure there's any need to fill this field in right now while there's no CA-side support for root rotation - unless it's useful for testing or something.
|
I think this looks reasonable for 1.13. You'll need to get sign-off from @vieux to put it in after the feature freeze. Since this is more of a forward compatibility change than an actual feature, it might be okay. I'd suggest setting this up this in such a way that this new code is never triggered in a pure 1.13 environment. For example, if the client only rotates root certs when it receives a |
|
/cc @aluzzardi would be great if this got in for 1.13, ensuring backwards compatibility break on 1.12 for root-rotation. |
|
What would we be breaking in 1.12? /cc @vieux |
|
@aluzzardi the goal is for 1.14 to support adding a new root CA, reissue all the certificates for all the nodes, and removing the old CA. 1.12 nodes will not be able to add a new root CA, and therefore will not be able to continue participating in the cluster without manual intervention. If we don't get this in, the same will happen for 1.13 nodes. |
| if err == nil { | ||
| // No errors, swam the current rootCA |
There was a problem hiding this comment.
what does "swam the current rootCA" mean?
| @@ -339,10 +295,6 @@ func TestRequestAndSaveNewCertificates(t *testing.T) { | |||
| _, _, err = unencryptedKeyReader.Read() | |||
| require.Error(t, err) | |||
|
|
|||
| _, _, err = ca.NewKeyReadWriter(tc.Paths.Node, []byte("kek!"), nil).Read() | |||
There was a problem hiding this comment.
Any reason to delete this assertion?
|
LGTM aside from minor nitpicks :) |
diogomonica
force-pushed
the
ensuring-root-rotation-works
branch
from
5f76379
to
4349296
Compare
Signed-off-by: Diogo Monica <diogo.monica@gmail.com>
…on NodeStatus Signed-off-by: Diogo Monica <diogo.monica@gmail.com>
diogomonica
force-pushed
the
ensuring-root-rotation-works
branch
2 times, most recently
from
faa81a1
to
5d2d0c0
Compare
|
In 1.14+, there's going to be a way to rotate the root CA. Older agents of course won't be able to perform the rotation, therefore either they'll fail (meh) or we'll just block rotation if any older engine is connected (better). Pseudo random example: This PR adds agent-side rotation support (e.g. making sure an agent can fetch a new CA bundle from the manager) which means 1.13 agents would be able to perform rotation (so the Question is: Are we comfortable with this kind of change during the freeze? @diogomonica Did I summarize the problem correctly? |
|
@aluzzardi perfectly so. <3 |
diogomonica
force-pushed
the
ensuring-root-rotation-works
branch
from
5d2d0c0
to
e0807b2
Compare
Signed-off-by: Diogo Monica <diogo.monica@gmail.com>
diogomonica
force-pushed
the
ensuring-root-rotation-works
branch
from
e0807b2
to
e2aed4d
Compare
|
LGTM - let's merge in master. Need sign-off from @vieux in order to cherry pick to 1.13.x (rc3 at this point) |
…re test Signed-off-by: Diogo Monica <diogo.monica@gmail.com>
|
Added one more test, for the case where the server returns a nil |
|
LGTM |
| @@ -594,7 +629,7 @@ func GetRemoteSignedCertificate(ctx context.Context, csr []byte, rootCAPool *x50 | |||
| } | |||
|
|
|||
| // If the certificate was issued, return | |||
| if statusResponse.Status.State == api.IssuanceStateIssued { | |||
| if statusResponse.Status != nil && statusResponse.Status.State == api.IssuanceStateIssued { | |||
@diogomonica @aluzzardi is this going to cause issues for 1.13-rc1/rc2? (no top priority, but good to know if there are possible issues) |
|
@thaJeztah shouldn't have any impact. But we should merge this ASAP. |
|
@diogomonica Looks like I don't have permissions in this repo to merge, but I see enough LGTM's, so should be ready to go 😄 |
|
does this need squashing? |
|
Removing cherry-pick label, since this was backported to 1.13 in a separate PR. |
This PR fixes the client-side certificate rotation to also update the current Root CA being used by the server.
1.14 will bring CA Root Rotation, so it would be ideal if the break in compatibility was 1.12, and not 1.13.