Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SDN-5342: Signer username validation #2560

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

SDN-5342: Signer username validation #2560

wants to merge 4 commits into from
+273 −24

Conversation

pperiyasamy
Copy link
Member

In CNO we have an approver that signs certs automatically, without checking any identity information, so this PR enhances the signer to check on CSR's user name that is populated by API server upon receiving CSR request from the nodes. So it's sufficient to verify the user name before signing the CSR.

It also adds required unit tests to test signer controller, it needed to change from using kubernetes.Clientset to cnoclient.Client for accessing CSR's UpdateApproval API. This needs to be tested on OCP cluster.

cc @kyrtapz @trozet @jcaamano

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Nov 8, 2024
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 8, 2024
edited by openshift-ci bot
Loading

@pperiyasamy: This pull request references SDN-5342 which is a valid jira issue.

In response to this:

In CNO we have an approver that signs certs automatically, without checking any identity information, so this PR enhances the signer to check on CSR's user name that is populated by API server upon receiving CSR request from the nodes. So it's sufficient to verify the user name before signing the CSR.

It also adds required unit tests to test signer controller, it needed to change from using kubernetes.Clientset to cnoclient.Client for accessing CSR's UpdateApproval API. This needs to be tested on OCP cluster.

cc @kyrtapz @trozet @jcaamano

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@pperiyasamy pperiyasamy force-pushed the signer-username-validation branch from 326b533 to 868580a Compare November 8, 2024 18:14
@pperiyasamy
Copy link
Member Author

/retest

@pperiyasamy
Copy link
Member Author

/assign @kyrtapz @trozet @jcaamano

@pperiyasamy
Validate CSR user name before signing it
7d4a9a8 
Signed-off-by: Periyasamy Palanisamy <[email protected]>
@pperiyasamy
Use cno client to update CSR approval
63d19e5 
Signed-off-by: Periyasamy Palanisamy <[email protected]>
@pperiyasamy
Add unit tests for cert signer
99d4343 
Signed-off-by: Periyasamy Palanisamy <[email protected]>
@pperiyasamy
Use library-go crypto utility for generating CA
123242b 
Signed-off-by: Periyasamy Palanisamy <[email protected]>
@pperiyasamy pperiyasamy force-pushed the signer-username-validation branch from 868580a to 123242b Compare November 13, 2024 15:45
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Nov 13, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pperiyasamy
Once this PR has been reviewed and has the lgtm label, please ask for approval from jcaamano. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@pperiyasamy
Copy link
Member Author

/retest

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Jan 7, 2025

@pperiyasamy: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-ovn-single-node 123242b link false /test e2e-aws-ovn-single-node
ci/prow/e2e-vsphere-ovn-dualstack-primaryv6 123242b link false /test e2e-vsphere-ovn-dualstack-primaryv6
ci/prow/security 123242b link false /test security
ci/prow/okd-scos-e2e-aws-ovn 123242b link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-hypershift-ovn-kubevirt 123242b link false /test e2e-aws-hypershift-ovn-kubevirt

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@abhat abhat Awaiting requested review from abhat

@JacobTanenbaum JacobTanenbaum Awaiting requested review from JacobTanenbaum

Assignees

@trozet trozet

@jcaamano jcaamano

@kyrtapz kyrtapz

Labels
jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@pperiyasamy @openshift-ci-robot @trozet @jcaamano @kyrtapz