Merge pull request #274 from SpectralHiss/hef/csr-p384-generation-fix
Hef/csr p384 generation fix
jetstack-bot authored Feb 29, 2024
2 parents 6fa81ba + 1f1b9fb commit a93a3a0
Showing 21 changed files with 632 additions and 10 deletions.
4 changes: 2 additions & 2 deletions deploy/charts/istio-csr/README.md
Expand Up @@ -264,7 +264,7 @@ Create the default certificate as part of install.
> 2048
> ```
Number of bits to use for istiod-tls RSAKey
Number of bits to use for istiod-tls Key
#### **app.server.clusterID** ~ `string`
> Default value:
> ```yaml
Expand Down Expand Up @@ -301,7 +301,7 @@ Container port to serve istio-csr gRPC service.
> 2048
> ```
Number of bits to use for the server's serving certificate (RSAKeySize).
Number of bits to use for the server's serving certificate, can only be 256 or 384 when signature algorithm is ECDSA.
#### **app.server.serving.signatureAlgorithm** ~ `string`
> Default value:
> ```yaml
4 changes: 2 additions & 2 deletions deploy/charts/istio-csr/values.schema.json
Expand Up @@ -353,7 +353,7 @@
},
"helm-values.app.server.serving.certificateKeySize": {
"default": 2048,
"description": "Number of bits to use for the server's serving certificate (RSAKeySize).",
"description": "Number of bits to use for the server's serving certificate, can only be 256 or 384 when signature algorithm is ECDSA.",
"type": "number"
},
"helm-values.app.server.serving.port": {
Expand Down Expand Up @@ -436,7 +436,7 @@
},
"helm-values.app.tls.istiodPrivateKeySize": {
"default": 2048,
"description": "Number of bits to use for istiod-tls RSAKey",
"description": "Number of bits to use for istiod-tls Key",
"type": "number"
},
"helm-values.app.tls.rootCAFile": {
4 changes: 2 additions & 2 deletions deploy/charts/istio-csr/values.yaml
Expand Up @@ -131,7 +131,7 @@ app:
istiodCertificateRenewBefore: 30m
# Create the default certificate as part of install.
istiodCertificateEnable: true
# Number of bits to use for istiod-tls RSAKey
# Number of bits to use for istiod-tls Key
istiodPrivateKeySize: 2048

server:
Expand All @@ -148,7 +148,7 @@ app:
address: 0.0.0.0
# Container port to serve istio-csr gRPC service.
port: 6443
# Number of bits to use for the server's serving certificate (RSAKeySize).
# Number of bits to use for the server's serving certificate, can only be 256 or 384 when signature algorithm is ECDSA.
certificateKeySize: 2048
# The type of signature algorithm to use when generating private keys. Currently only RSA and ECDSA are supported. By default RSA is used.
signatureAlgorithm: "RSA"
1 change: 1 addition & 0 deletions make/02_mod.mk
Expand Up @@ -19,6 +19,7 @@ $(kind_cluster_config): make/config/kind/cluster.yaml | $(bin_dir)/scratch

include make/test-e2e.mk
include make/test-carotation.mk
include make/test-ecc.mk
include make/test-unit.mk

.PHONY: release
31 changes: 31 additions & 0 deletions make/test-ecc.mk
@@ -0,0 +1,31 @@
# Copyright 2023 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

.PHONY: test-ecc
## ecc test
## @category Testing
test-ecc: kind_cluster_name := "istio-csr-ecc"
test-ecc: e2e-setup-cert-manager oci-load-manager | $(bin_dir)/scratch/istioctl-$(ISTIO_VERSION) $(NEEDS_KUBECTL) $(NEEDS_HELM) $(NEEDS_KIND) $(NEEDS_GOJQ)
$(eval oci_image_tar := $(bin_dir)/scratch/image/oci-layout-manager.$(oci_manager_image_tag).docker.tar)

ARTIFACTS=$(ARTIFACTS) \
ISTIO_CSR_IMAGE=$(oci_manager_image_name_development) \
ISTIO_CSR_IMAGE_TAG=$(oci_manager_image_tag) \
KIND_CLUSTER_NAME=$(kind_cluster_name) \
ISTIO_BIN=$(bin_dir)/scratch/istioctl-$(ISTIO_VERSION) \
KUBECTL_BIN=$(KUBECTL) \
HELM_BIN=$(HELM) \
KIND_BIN=$(KIND) \
JQ_BIN=$(GOJQ) \
./test/ecc/run.sh
16 changes: 12 additions & 4 deletions pkg/tls/tls.go
Expand Up @@ -292,17 +292,25 @@ func (p *Provider) fetchCertificate(ctx context.Context) (time.Time, error) {
defer func() { metricCertRequest.With(prometheus.Labels{"success": success}).Inc() }()

opts := pkiutil.CertOptions{
Host: strings.Join(p.opts.ServingCertificateDNSNames, ","),
IsServer: true,
TTL: p.opts.ServingCertificateDuration,
RSAKeySize: p.opts.ServingCertificateKeySize,
Host: strings.Join(p.opts.ServingCertificateDNSNames, ","),
IsServer: true,
TTL: p.opts.ServingCertificateDuration,
}

switch p.opts.ServingSignatureAlgorithm {
case "RSA":
opts.ECSigAlg = ""
opts.RSAKeySize = p.opts.ServingCertificateKeySize
case "ECDSA":
opts.ECSigAlg = pkiutil.EcdsaSigAlg
switch p.opts.ServingCertificateKeySize {
case 256:
opts.ECCCurve = pkiutil.P256Curve
case 384:
opts.ECCCurve = pkiutil.P384Curve
default:
return time.Time{}, fmt.Errorf("unsupported serving certificate key size (supported: 256, 384): %d", p.opts.ServingCertificateKeySize)
}
default:
return time.Time{}, fmt.Errorf("unknown signature algorithm (supported: \"RSA\", \"ECDSA\"): %s", p.opts.ServingSignatureAlgorithm)
}
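Review bot: The new key-size validation in the `case "ECDSA":` branch runs inside fetchCertificate, so a misconfigured `ServingCertificateKeySize` only surfaces as a failed (and repeated) serving-certificate request rather than at startup; unless the options are already validated elsewhere, the same check belongs in option validation so the process fails fast on bad configuration. The RSA branch at `opts.RSAKeySize = p.opts.ServingCertificateKeySize` carries no check at all, so a size that is only meaningful for ECDSA (256/384) or anything below the chart's 2048 default is passed straight to pkiutil; consider guarding it with `if p.opts.ServingCertificateKeySize < 2048 { return time.Time{}, fmt.Errorf("unsupported RSA serving certificate key size (minimum 2048): %d", p.opts.ServingCertificateKeySize) }`. In the two new error strings, `%q` would quote the operator-supplied algorithm name and make an empty or whitespace value visible in logs. fetchCertificate starts before and ends after this hunk.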
2 changes: 2 additions & 0 deletions test/ecc/.gitignore
@@ -0,0 +1,2 @@
/ca.pem
/istio-csr-serving.pems
30 changes: 30 additions & 0 deletions test/ecc/cleanup.sh
@@ -0,0 +1,30 @@
#!/usr/bin/env bash

# Copyright 2021 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -o nounset
set -o errexit
set -o pipefail

echo "======================================"
echo ">> cleaning up resources"

rm -f "$TEST_DIR/ca.pem"
#rm -f "${ISTIO_CSR_SERVING_CERTFILE}"
echo ">> exporting kind loads"
$KIND_BIN export logs "$ARTIFACTS" --name "$KIND_CLUSTER_NAME"

echo ">> deleting cluster..."
$KIND_BIN delete cluster --name "$KIND_CLUSTER_NAME"
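Review bot: Because this script runs under `set -o errexit`, a failure of the `$KIND_BIN export logs` line aborts it before `$KIND_BIN delete cluster` runs, leaving the kind cluster behind precisely when cleanup matters most (the script is invoked from the EXIT trap in run.sh, including on test failure). Make the log export best-effort so deletion always runs, e.g. `$KIND_BIN export logs "$ARTIFACTS" --name "$KIND_CLUSTER_NAME" || echo ">> exporting kind logs failed"`. The commented-out `#rm -f "${ISTIO_CSR_SERVING_CERTFILE}"` also means the last round's serving certificate is left on disk; either drop the dead line or restore it.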
29 changes: 29 additions & 0 deletions test/ecc/env.sh
@@ -0,0 +1,29 @@
#!/usr/bin/env bash

# Copyright 2021 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

export ARTIFACTS="${ARTIFACTS:-./_bin/artifacts}"
export ISTIO_CSR_IMAGE="${ISTIO_CSR_IMAGE:-cert-manager.local/cert-manager-istio-csr}"
export ISTIO_CSR_IMAGE_TAG="${ISTIO_CSR_IMAGE_TAG:-canary}"
export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-istio-ca-ecc}"

export ISTIO_BIN="${ISTIO_BIN:-./_bin/scratch/istioctl-1.20.2}"
export KUBECTL_BIN="${KUBECTL_BIN:-./_bin/tools/kubectl}"
export HELM_BIN="${HELM_BIN:-./_bin/tools/helm}"
export KIND_BIN="${KIND_BIN:-./_bin/tools/kind}"
export JQ_BIN="${JQ_BIN:-./_bin/tools/jq}"
export RED="\e[31m"
export GREEN="\e[32m"
export ENDCOLOR="\e[0m"
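Review bot: The `KIND_CLUSTER_NAME` default `istio-ca-ecc` differs from the `istio-csr-ecc` name the new make/test-ecc.mk target passes in, so running these scripts directly (without make) targets a cluster the make-based setup never created; aligning the default, `export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-istio-csr-ecc}"`, avoids that surprise. Likewise the `ISTIO_BIN` default pins `istioctl-1.20.2` while the make target derives the path from `ISTIO_VERSION`, which will drift silently the next time that variable is bumped; a short header comment stating that these defaults only apply outside make would at least make the expectation explicit.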
27 changes: 27 additions & 0 deletions test/ecc/issuers/root.yaml
@@ -0,0 +1,27 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: istio-root-1
namespace: istio-system
spec:
isCA: true
duration: 2160h
secretName: istio-root-1
commonName: istio-root-1
subject:
organizations:
- cluster.local
- cert-manager-root-1
issuerRef:
name: selfsigned
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: istio-root-1
namespace: istio-system
spec:
ca:
secretName: istio-root-1
7 changes: 7 additions & 0 deletions test/ecc/issuers/selfsigned.yaml
@@ -0,0 +1,7 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned
namespace: istio-system
spec:
selfSigned: {}
34 changes: 34 additions & 0 deletions test/ecc/reset-istio-csr.sh
@@ -0,0 +1,34 @@
#!/usr/bin/env bash

# Copyright 2021 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -o nounset
set -o errexit
set -o pipefail

echo "======================================"
echo ">> resetting Istio + istio-csr for another test"

echo ">> $HELM_BIN uninstall cert-manager-istio-csr -n cert-manager"
$HELM_BIN uninstall cert-manager-istio-csr -n cert-manager


echo ">> resetting Istio for another test"
echo ">> $ISTIO_BIN uninstall -y -f \"$TEST_DIR/values/istio-ecdsa_p${KEY_SIZE}.yaml\""

$ISTIO_BIN uninstall -y --purge -f "$TEST_DIR/values/istio-ecdsa_p${KEY_SIZE}.yaml"
$KUBECTL_BIN delete cr --all -n istio-system
$KUBECTL_BIN delete mutatingwebhookconfigurations istio-revision-tag-default
rm -f "${ISTIO_CSR_SERVING_CERTFILE}"
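Review bot: The echoed command on the `echo ">> $ISTIO_BIN uninstall -y -f ..."` line does not match what is actually run two lines later, which adds `--purge`; the log should mirror the real invocation, `echo ">> $ISTIO_BIN uninstall -y --purge -f \"$TEST_DIR/values/istio-ecdsa_p${KEY_SIZE}.yaml\""`. Under `set -o errexit`, the two `$KUBECTL_BIN delete` calls abort the reset if the resource is already gone (for instance if the purge has already removed `istio-revision-tag-default`), which would skip the 384 round entirely; adding `--ignore-not-found` to those deletes keeps the reset idempotent. The script also depends on `KEY_SIZE` and `ISTIO_CSR_SERVING_CERTFILE` being exported by the caller, which nounset enforces but nothing documents; a one-line header comment naming the required variables would help the next reader.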
46 changes: 46 additions & 0 deletions test/ecc/run.sh
@@ -0,0 +1,46 @@
#!/usr/bin/env bash

# Copyright 2021 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -o nounset
set -o errexit
set -o pipefail

TEST_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
ISTIO_CSR_SERVING_CERTFILE="${TEST_DIR}"/istio-csr-serving.pems

export TEST_DIR
# This will contain the signed certificate of "istio-csr-serving" CertificateRequests to run assertions against
export ISTIO_CSR_SERVING_CERTFILE
source "$TEST_DIR/env.sh"

# Ensure we always clean up after ourselves.
cleanup() {
"$TEST_DIR/cleanup.sh"
}
trap cleanup EXIT

echo "======================================"
echo ">> running full ECC 256 and 384 support"

export KEY_SIZE="256"
"$TEST_DIR/setup.sh"
"$TEST_DIR/test.sh"

"$TEST_DIR/reset-istio-csr.sh"
export KEY_SIZE="384"
"$TEST_DIR/setup.sh"
"$TEST_DIR/test.sh"

65 changes: 65 additions & 0 deletions test/ecc/setup.sh
@@ -0,0 +1,65 @@
#!/usr/bin/env bash

# Copyright 2021 The cert-manager Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -o nounset
set -o errexit
set -o pipefail

echo "======================================"
echo ">> creating root of trust"

echo ">> creating cert-manager issuers"
$KUBECTL_BIN create namespace istio-system || true
$KUBECTL_BIN apply -f "$TEST_DIR/issuers/."

echo ">> waiting for issuers to become ready"
$KUBECTL_BIN get issuers -n istio-system
$KUBECTL_BIN wait --timeout=180s -n istio-system --for=condition=ready issuer istio-root-1
$KUBECTL_BIN get issuers -n istio-system

echo ">> extracting root of trust"
$KUBECTL_BIN get secret -n istio-system istio-root-1 -o jsonpath="{.data['ca\.crt']}" | base64 -d > "$TEST_DIR/ca.pem"

echo ">> creating root of trust secret"
$KUBECTL_BIN create secret generic istio-root-certs --from-file=ca.pem="$TEST_DIR/ca.pem" -n cert-manager || true

echo "======================================"
echo ">> installing istio-csr with roots of trust, using issuer from root-1"

echo ">> installing cert-manager-istio-csr with using ecdsa key type"
echo "$HELM_BIN upgrade -i cert-manager-istio-csr ./deploy/charts/istio-csr -n cert-manager --values $TEST_DIR/values/istio-csr-ecdsa_p${KEY_SIZE}.yaml --wait"

$HELM_BIN upgrade -i cert-manager-istio-csr ./deploy/charts/istio-csr \
-n cert-manager \
--values "$TEST_DIR/values/istio-csr-ecdsa_p${KEY_SIZE}.yaml" \
--set image.repository="$ISTIO_CSR_IMAGE" \
--set image.tag="$ISTIO_CSR_IMAGE_TAG" \
--wait

echo ">> installing istio"
$ISTIO_BIN install -y -f "$TEST_DIR/values/istio-ecdsa_p${KEY_SIZE}.yaml"

echo ">> enforcing mTLS everywhere"
$KUBECTL_BIN apply -n istio-system -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
name: "default"
spec:
mtls:
mode: STRICT
EOF
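Review bot: `$KUBECTL_BIN create namespace istio-system || true` and the `create secret generic istio-root-certs ... || true` line swallow every failure, not just AlreadyExists, so an unreachable API server or an empty `ca.pem` (e.g. if the jsonpath extraction above produced nothing) still lets the script continue into the Helm install, and an existing `istio-root-certs` secret is silently kept rather than updated with the freshly extracted root that istio-csr is supposed to trust. An idempotent apply keeps the script re-runnable without hiding errors: `$KUBECTL_BIN create secret generic istio-root-certs --from-file=ca.pem="$TEST_DIR/ca.pem" -n cert-manager --dry-run=client -o yaml | $KUBECTL_BIN apply -f -`. The same pattern fits the namespace creation, and a `test -s "$TEST_DIR/ca.pem"` check after the extraction would fail fast on an empty root.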
