
feat(certs): update webhooks to handle root certificate rotations

Open jsturtevant opened this issue 3 years ago • 6 comments

Signed-off-by: James Sturtevant [email protected]

Description: Fixes: https://github.com/openservicemesh/osm/issues/4817

This PR subscribes to updates to certificate changes for the webhooks and uses existing code that will update the Webhook CRD configuration.

Builds on functionality added in: https://github.com/openservicemesh/osm/pull/4833, which added the ability to patch the configurations but wasn't listening to the cert changes produced.

Testing done:

  • [x] unit testing
  • [x] manual testing
  • [ ] e2e - not sure if all the parts are in place to do e2e test?

Affected area:

  • [x] New Functionality
  • [ ] CI System
  • [ ] CLI Tool
  • [x] Certificate Management
  • [ ] Control Plane
  • [ ] Demo
  • [ ] Documentation
  • [ ] Egress
  • [ ] Ingress
  • [ ] Install
  • [ ] Networking
  • [ ] Observability
  • [ ] Performance
  • [ ] SMI Policy
  • [ ] Security
  • [ ] Sidecar Injection
  • [ ] Tests
  • [ ] Upgrade
  • [ ] Other

Please answer the following questions with yes/no.

  1. Does this change contain code from or inspired by another project?

    • Did you notify the maintainers and provide attribution?
  2. Is this a breaking change?

  3. Has documentation corresponding to this change been updated in the osm-docs repo (if applicable)?

jsturtevant avatar Jul 28 '22 21:07 jsturtevant

Codecov Report

Merging #4952 (261ce73) into main (78f3435) will increase coverage by 0.31%. The diff coverage is 86.95%.

@@            Coverage Diff             @@
##             main    #4952      +/-   ##
==========================================
+ Coverage   68.68%   68.99%   +0.31%     
==========================================
  Files         220      220              
  Lines       15924    16056     +132     
==========================================
+ Hits        10937    11078     +141     
+ Misses       4935     4924      -11     
- Partials       52       54       +2     
Flag        Coverage Δ
unittests   68.99% <86.95%> (+0.31%) ↑

Flags with carried forward coverage won't be shown.

Impacted Files                            Coverage Δ
pkg/webhook/server.go                     77.50% <86.95%> (+77.50%) ↑
pkg/messaging/workqueue.go                89.28% <0.00%>  (-10.72%) ↓
pkg/service/types.go                      58.82% <0.00%>  (-3.68%)  ↓
pkg/envoy/cds/cluster.go                  89.34% <0.00%>  (-3.40%)  ↓
pkg/catalog/inbound_traffic_policies.go   92.49% <0.00%>  (-2.42%)  ↓
pkg/envoy/lds/inmesh.go                   75.23% <0.00%>  (-1.04%)  ↓
pkg/certificate/manager.go                77.07% <0.00%>  (+0.39%)  ↑
pkg/ingress/gateway.go                    85.82% <0.00%>  (+7.08%)  ↑


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update 78f3435...261ce73.

codecov-commenter avatar Jul 28 '22 22:07 codecov-commenter

note: need to deploy with --set=osm.featureFlags.enableMeshRootCertificate=true

Create a new MRC by using kubectl deploy -f with

apiVersion: config.openservicemesh.io/v1alpha2
kind: MeshRootCertificate
metadata:
  name: osm-mesh-root-certificate-v2
  namespace: osm-system
spec:
  provider:
    tresor:
      ca:
        secretRef:
          name: osm-ca-bundle-v2
          namespace: osm-system
  trustDomain: cluster.local

Did some validation with the demo deployment.

The validation webhook:

Defaulted container "osm-controller" out of: osm-controller, init-osm-controller (init)
{"level":"info","component":"webhook","time":"2022-07-29T02:25:28Z","file":"server.go:69","message":"Starting osm-validator webhook server on test: :9093"}
{"level":"info","component":"webhook","webhook":"osm-validator","cn":"osm-validator.osm-system.svc","time":"2022-07-29T02:25:28Z","file":"server.go:116","message":"Listing for certificate rotations"}
{"level":"debug","component":"webhook","webhook":"osm-validator","cn":"osm-validator.osm-system.svc","time":"2022-07-29T02:25:32Z","file":"server.go:123","message":"Certificate rotation was initiated for webhook"}
{"level":"info","component":"webhook","webhook":"osm-validator","cn":"osm-validator.osm-system.svc","time":"2022-07-29T02:25:32Z","file":"server.go:128","message":"Certificate rotated for webhook"}
{"level":"trace","component":"osm-validator","time":"2022-07-29T15:59:41Z","file":"server.go:67","message":"Received validating webhook request: Method=POST, URL=/validate?timeout=10s"}
{"level":"trace","component":"osm-validator","time":"2022-07-29T15:59:41Z","file":"server.go:67","message":"Received validating webhook request: Method=POST, URL=/validate?timeout=10s"}
{"level":"trace","component":"osm-validator","time":"2022-07-29T15:59:41Z","file":"server.go:67","message":"Received validating webhook request: Method=POST, URL=/validate?timeout=10s"}

And we can see that the webhook is showing the v2 cert:

❯ kubectl get secret -n osm-system osm-ca-bundle -o jsonpath='{.data.ca\.crt}' | base64 -d | openssl x509 -noout -modulus
Modulus=A67D65484D049C76A0006E328E2D902FF260094237E649E2342F386B027EC1CC890FE5C88D8C3BECB61D4EC267FF15C5DCB66D6C3A9FCCA80F424339CF631C036BBDE779F862F3755FFC1053BA747000CFD3BCB7B88BF8626055EC4F14A54BBE70579DB2C17FC0809FB420E006DD157966C770CFDB406E62FED49A0370935A53EC9047AFFE5CA417DBBC2BF30BE9EEC4578DD6312914ECC0D7CE9B3A77140B863B9BA047C093B0204427F6EA79CB1F7EBCD0CADA59DDC553FCE9152086CE1E96AA31148871C65F0D79173393B32CB7C9C22F1EB9F11CC841F200E036C943FB9D0119F82D077E9FF49D16314980D8CA4921B94F524E4E39536E8316E5FBDAC899

osm on  feat-certs-webhook-rotation
❯ k get validatingwebhookconfigurations.admissionregistration.k8s.io osm-validator-mesh-osm -ojson | jq -r '.webhooks[] | .clientConfig.caBundle' | base64 --decode | openssl x509 -noout -modulus
Modulus=[value elided; identical in both of these outputs]

osm on  feat-certs-webhook-rotation
❯ kubectl get secret -n osm-system osm-ca-bundle-v2 -o jsonpath='{.data.ca\.crt}' | base64 -d | openssl x509 -noout -modulus
Modulus=[value elided; identical in both of these outputs]

jsturtevant avatar Jul 29 '22 17:07 jsturtevant
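The rotation handling the PR describes (subscribe to root certificate changes, then re-patch each webhook configuration's clientConfig.caBundle) and the manual check in the comment above (comparing the CA in the Secret with the CA the webhook configuration serves) are both shown in this added Go example. It is not code from the PR or from the OSM project: the rotation event type, the webhookStore map standing in for the API server, and the self-signed test CA are constructed assumptions, and the patch is a generic RFC 6902 JSON patch rather than whatever OSM's own patching code emits. The comparison goes slightly further than the openssl -modulus commands above: it compares the whole SubjectPublicKeyInfo, so it also works for non-RSA roots.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCAPEM mints a self-signed CA (constructed test data, not an OSM root) as PEM, like a Secret's ca.crt.
func newCAPEM(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// parseCA decodes one PEM certificate and rejects anything not usable as a CA.
func parseCA(caPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(caPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in CA bundle")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if !cert.IsCA {
		return nil, fmt.Errorf("%q is not a CA certificate", cert.Subject.CommonName)
	}
	return cert, nil
}

// rotation is the event a webhook server receives when the root certificate changes (assumed shape).
type rotation struct {
	Webhook string // e.g. "osm-validator"
	CAPEM   []byte // the new ca.crt
}

// webhookStore stands in for the API server: webhook name -> clientConfig.caBundle (base64 of the PEM).
type webhookStore map[string]string

// handleRotation validates the rotated CA, builds the RFC 6902 patch that repoints the
// webhook's caBundle at it, and applies it. An unparsable CA is refused before anything is touched.
func handleRotation(ev rotation, store webhookStore) ([]byte, error) {
	if _, err := parseCA(ev.CAPEM); err != nil {
		return nil, fmt.Errorf("rotation for %s refused: %w", ev.Webhook, err)
	}
	b64 := base64.StdEncoding.EncodeToString(ev.CAPEM)
	ops := []map[string]string{
		{"op": "replace", "path": "/webhooks/0/clientConfig/caBundle", "value": b64},
	}
	patch, err := json.Marshal(ops)
	if err != nil {
		return nil, err
	}
	store[ev.Webhook] = b64 // simulated "kubectl patch --type=json"
	return patch, nil
}

// bundleMatchesSecret is the programmatic form of the manual check: the caBundle in the
// webhook configuration must carry the same public key as the Secret's ca.crt. Comparing
// the whole SubjectPublicKeyInfo covers EC keys too, where "openssl x509 -modulus" is RSA-only.
func bundleMatchesSecret(caBundleB64 string, secretCAPEM []byte) (bool, error) {
	bundlePEM, err := base64.StdEncoding.DecodeString(caBundleB64)
	if err != nil {
		return false, err
	}
	fromWebhook, err := parseCA(bundlePEM)
	if err != nil {
		return false, err
	}
	fromSecret, err := parseCA(secretCAPEM)
	if err != nil {
		return false, err
	}
	return string(fromWebhook.RawSubjectPublicKeyInfo) == string(fromSecret.RawSubjectPublicKeyInfo), nil
}
```

To exercise it, mint two CAs with newCAPEM, seed the store with the first one's base64, send a rotation carrying the second, and confirm bundleMatchesSecret flips from false to true; a rotation whose CAPEM does not parse returns an error and leaves the stored bundle untouched, which is the failure mode a webhook most needs to avoid, since an empty or broken caBundle makes the API server reject every admission call.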

Same for the other CRD and mutating hooks:

{"level":"debug","component":"webhook","webhook":"osm-bootstrap","cn":"osm-bootstrap.osm-system.svc","time":"2022-07-29T17:25:01Z","file":"server.go:123","message":"Certificate rotation was initiated for webhook"}
{"level":"info","component":"crd-conversion","time":"2022-07-29T17:25:01Z","file":"crdconversion.go:100","message":"successfully updated conversion webhook configuration for crd : meshconfigs.config.openservicemesh.io"}
{"level":"info","component":"webhook","webhook":"osm-bootstrap","cn":"osm-bootstrap.osm-system.svc","time":"2022-07-29T17:25:01Z","file":"server.go:128","message":"Certificate rotated for webhook"}
{"level":"info","component":"webhook","webhook":"osm-injector","cn":"osm-injector.osm-system.svc","time":"2022-07-29T17:21:39Z","file":"server.go:116","message":"Listing for certificate rotations"}
{"level":"debug","component":"webhook","webhook":"osm-injector","cn":"osm-injector.osm-system.svc","time":"2022-07-29T17:21:43Z","file":"server.go:123","message":"Certificate rotation was initiated for webhook"}
{"level":"info","component":"sidecar-injector","time":"2022-07-29T17:21:43Z","file":"webhook.go:370","message":"Finished creating MutatingWebhookConfiguration osm-webhook-osm"}
{"level":"info","component":"webhook","webhook":"osm-injector","cn":"osm-injector.osm-system.svc","time":"2022-07-29T17:21:43Z","file":"server.go:128","message":"Certificate rotated for webhook"}

jsturtevant avatar Jul 29 '22 17:07 jsturtevant

/hold Going to see what this looks like if I merge run with and NewServer

jsturtevant avatar Aug 04 '22 23:08 jsturtevant

/hold cancel

jsturtevant avatar Aug 08 '22 23:08 jsturtevant

LGTM!

jaellio avatar Aug 09 '22 17:08 jaellio