[global] Add CN to certificates in Deckhouse
Preflight Checklist
- [X] I agree to follow the Code of Conduct that this project adheres to.
- [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
Use case. Why is this important?
Our Certificate objects have no commonName field. Despite this field being deprecated in the 2000s, some legacy systems still count it as the source to validate, e.g., DNS name.
For the CN field, cert-manager automatically picks the first entry from the dnsNames array. Thus there is no problem on the cert-manager side.
Subject: CN = grafana.kube-dev.flant.com
However, on the side of the signer, e.g., vault, it is concealed which common name will be used for an issued certificate. Fraudsters will be able to fill the common name as they wish and bypass the legacy systems' security.
To reduce the surface of the attack, the signer needs to make the common name field required for CSRs. Thus, Deckhouse won't be able to issue certificates.
Proposed Solution
Explicitly set the common name field for certificates in Deckhouse, which, I assume, will trigger new orders for all modules.
Additional Information
https://github.com/deckhouse/deckhouse/blob/73613da8560717f1ba11e9d9884f4635552dfe8c/modules/300-prometheus/templates/grafana/ingress.yaml#L72-L88
Certificate example
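As an added illustration of the point the issue makes (not code from Deckhouse, cert-manager or any signer), the following Go program models the two sides: `EffectiveCommonName` reproduces the cert-manager behaviour described above (an unset `commonName` falls back to `dnsNames[0]`), and `SignerPolicyCheck` is a hypothetical signer-side policy that rejects a CSR with no subject CN, which is exactly the hardening that would stop certificates with no `commonName` from being issued. As an additional, assumed check beyond what the issue states, the policy also requires the CN to repeat one of the SAN `dnsNames`, so a requester cannot put an arbitrary name into the CN. All names, types and the sample DNS names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// CertificateSpec is the subset of a cert-manager Certificate spec relevant here
// (hypothetical struct for the example, not the cert-manager API type).
type CertificateSpec struct {
	CommonName string
	DNSNames   []string
}

// EffectiveCommonName models the behaviour the issue describes: with
// spec.commonName unset, the first spec.dnsNames entry becomes the CSR CN.
// This follows the issue text, not cert-manager's own implementation.
func EffectiveCommonName(spec CertificateSpec) string {
	if spec.CommonName != "" {
		return spec.CommonName
	}
	if len(spec.DNSNames) > 0 {
		return spec.DNSNames[0]
	}
	return ""
}

// BuildCSR produces a DER-encoded CSR with the given subject CN and SAN dnsNames,
// signed by a throwaway P-256 key generated here purely for the example.
func BuildCSR(commonName string, dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName},
		DNSNames: dnsNames,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// SignerPolicyCheck is a hypothetical signer-side policy (assumption: not any real
// issuer's code). It requires a non-empty subject CN, as the issue says a hardened
// signer would, and additionally requires that CN to appear among the SAN dnsNames.
func SignerPolicyCheck(csrDER []byte) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("parse CSR: %w", err)
	}
	// Proof of possession: the CSR must be signed by the key it carries.
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature check failed: %w", err)
	}
	cn := csr.Subject.CommonName
	if cn == "" {
		return errors.New("policy: subject CN is required")
	}
	for _, name := range csr.DNSNames {
		if name == cn {
			return nil
		}
	}
	return fmt.Errorf("policy: CN %q does not match any SAN dnsName %v", cn, csr.DNSNames)
}

func main() {
	// Constructed example mirroring the Grafana certificate from the issue.
	spec := CertificateSpec{DNSNames: []string{"grafana.kube-dev.flant.com"}}
	cases := []struct {
		label string
		cn    string
	}{
		{"CSR with no CN (strict signer rejects)", ""},
		{"CN = first dnsName (explicit commonName)", EffectiveCommonName(spec)},
		{"CN chosen freely by the requester", "admin.kube-dev.flant.com"},
	}
	for _, c := range cases {
		der, err := BuildCSR(c.cn, spec.DNSNames)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-42s -> %v\n", c.label, SignerPolicyCheck(der))
	}
}
```

Run with `go run .`: the first CSR is rejected because the CN is empty, the second passes, and the third is rejected because the CN is not one of the requested SANs. Setting `spec.commonName` explicitly in the Certificate object (to the same value `EffectiveCommonName` would have chosen) keeps the issued subject unchanged while letting the signer enforce the stricter policy.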
Can we make using CN optional for the case of those issuers which require it?
It is possible, although there are a couple of problems we will face with this approach:
- Deckhouse will need to maintain the list of issuers and which of them require the CN.
- It is almost impossible to get the exact list of existing issuers because there is a feature in cert-manager which allows you to extend it with your custom issuer.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last month and a half. If this issue is still valid, please ping a maintainer and ask them to check this again. Thank you for your contributions.