
[SECURESIGN-994] Enable TLS on secureSign components: mount certificates/keys #483

Closed
wants to merge 5 commits into from

Conversation


openshift-ci bot commented Jun 28, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: fghanmi
Once this PR has been reviewed and has the lgtm label, please assign sallyom for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fghanmi fghanmi changed the title [In progress] [SECURESIGN-994] Enable TLS: mount signed certificates [SECURESIGN-994] Enable TLS: mount signed certificates Jun 28, 2024

openshift-ci bot commented Jun 30, 2024

@fghanmi: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: ci/prow/tas-operator-e2e
Commit: c06886f
Details: link
Required: true
Rerun command: /test tas-operator-e2e

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@fghanmi fghanmi changed the title [SECURESIGN-994] Enable TLS: mount signed certificates [SECURESIGN-994] Enable TLS on secureSign components: mount certificates/keys Jul 1, 2024

@osmman osmman left a comment


I have a few comments on this PR. First, I recommend dividing the PR into separate components. Please test each component to see if it can use TLS, because it looks like some of them are unable to do that. If a component cannot use TLS, it is unnecessary to modify the operator for that component. Additionally, please create unit and end-to-end tests.


// Secret with TLS server certificates and private key
//+optional
TLSCertificate TLSCert `json:"tlsCertificate"`
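Review bot: `TLSCertificate TLSCert `json:"tlsCertificate"`` is marked `//+optional` but is a non-pointer value without `omitempty`, so the zero-value struct is serialized even when the user never set it; "unset" becomes indistinguishable from "set to empty", and if `TLSCert` carries required subfields, objects that never mention TLS will fail schema validation. Make it `TLSCertificate *TLSCert `json:"tlsCertificate,omitempty"``, which is the pattern the `CTlogStatus` field in the next hunk already uses, or drop the `+optional` marker if the field is meant to be mandatory.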

Suggested change
TLSCertificate TLSCert `json:"tlsCertificate"`
TLSCertificate TLSCert `json:"tls"`

@@ -46,6 +50,7 @@ type CTlogStatus struct {
PrivateKeyPasswordRef *SecretKeySelector `json:"privateKeyPasswordRef,omitempty"`
PublicKeyRef *SecretKeySelector `json:"publicKeyRef,omitempty"`
RootCertificates []SecretKeySelector `json:"rootCertificates,omitempty"`
TLSCertificate *TLSCert `json:"tlsCertificate,omitempty"`

Suggested change
TLSCertificate *TLSCert `json:"tlsCertificate,omitempty"`
TLSCertificate *TLSCert `json:"tls,omitempty"`

@@ -21,6 +21,9 @@ type FulcioSpec struct {
// ConfigMap with additional bundle of trusted CA
//+optional
TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"`
// Secret with TLS server certificates and private key
//+optional
TLSCertificate TLSCert `json:"tlsCertificate"`
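Review bot: Same optional-field mismatch as in `CTlogSpec`: a `+optional` non-pointer `TLSCert` without `omitempty` is always serialized. The neighbouring `TrustedCA *LocalObjectReference `json:"trustedCA,omitempty"`` in this very hunk shows the pointer-plus-`omitempty` form the API already uses for optional fields; use `*TLSCert` with `json:"tlsCertificate,omitempty"` here so the spec and `FulcioStatus` fields line up.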

Suggested change
TLSCertificate TLSCert `json:"tlsCertificate"`
TLSCertificate TLSCert `json:"tls"`

@@ -96,6 +99,7 @@ type OIDCIssuer struct {
type FulcioStatus struct {
ServerConfigRef *LocalObjectReference `json:"serverConfigRef,omitempty"`
Certificate *FulcioCert `json:"certificate,omitempty"`
TLSCertificate *TLSCert `json:"tlsCertificate,omitempty"`

Suggested change
TLSCertificate *TLSCert `json:"tlsCertificate,omitempty"`
TLSCertificate *TLSCert `json:"tls,omitempty"`

type TrillianServer struct {
// Secret with TLS server certificate and private key
//+optional
TLSCertificate TLSCert `json:"tlsCertificate"`

Suggested change
TLSCertificate TLSCert `json:"tlsCertificate"`
TLSCertificate TLSCert `json:"tls"`

type TrillianSigner struct {
// Secret with TLS server certificate and private key
//+optional
TLSCertificate TLSCert `json:"tlsCertificate"`

Suggested change
TLSCertificate TLSCert `json:"tlsCertificate"`
TLSCertificate TLSCert `json:"tls"`

MountPath: "/etc/ssl/certs",
ReadOnly: true,
})
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls-certificate", "/etc/ssl/certs/tls.crt")
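Review bot: Mounting the TLS secret at `/etc/ssl/certs` shadows that directory in the container image (a Kubernetes volume mount replaces the directory's existing contents), and `/etc/ssl/certs` is one of the locations Go's crypto/x509 searches for system root CAs on Linux. Any outbound TLS connection ct_server makes, for example to Trillian, would then see only `tls.crt` and lose the distro trust bundle. Mount the server secret under a dedicated path (something like `/etc/securesign/tls`, name is a suggestion) and point `--tls-certificate` there. Also note that only the certificate path is passed in these lines; if the private key is not supplied elsewhere, the server cannot terminate TLS with this certificate, so confirm the exact flag set the ct_server build actually accepts, as the comment below asks.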

Where did you find these options? There is no option to configure TLSConfig in the ct_server application.

https://github.com/securesign/certificate-transparency-go/blob/main/trillian/ctfe/ct_server/main.go#L309


@fghanmi fghanmi Jul 2, 2024


This PR won't be merged until the issues upstream are solved (mentioned here).
I've prepared 4 PRs to enable TLS on CTLog, Rekor and Fulcio.
The tls-certificate option is here: https://github.com/google/certificate-transparency-go/pull/1523/files#diff-7a183747e4fb8d227a2b6b60050cbab942013815105b231c7dedf4d0e9fbabbbR61

})
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--grpc-tls-certificate", "/etc/ssl/certs/tls.crt")
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--grpc-tls-key", "/etc/ssl/certs/tls.key")
dp.Spec.Template.Spec.Containers[0].Args = append(dp.Spec.Template.Spec.Containers[0].Args, "--tls-ca-cert", "/etc/ssl/certs/ca.crt")
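Review bot: The private key is mounted at `/etc/ssl/certs/tls.key`, inside the same directory that doubles as the system CA store, which both shadows the image's trust bundle for Fulcio's own outbound connections and places key material in a path that is conventionally world-readable. Move the secret to a dedicated mount and keep the volume read-only with a restrictive mode. Since, per the comment below, `--grpc-tls-certificate`, `--grpc-tls-key` and `--tls-ca-cert` do not yet exist in upstream Fulcio and depend on pending PRs, appending them unconditionally will make the container fail to start on any image that lacks the flags; gate the args on the image or feature version. Minor: the three `append` calls on the same `Args` slice can be one `append(args, "--grpc-tls-certificate", ..., "--grpc-tls-key", ..., "--tls-ca-cert", ...)`.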

Where did you find this option on Fulcio? I am unable to find any reference to it in its source code.


@openshift-merge-robot

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@fghanmi fghanmi closed this Sep 2, 2024
@osmman osmman deleted the SECURESIGN-994 branch September 17, 2024 12:37