fix(iam): oidc provider retrieves leaf certificate instead of root certificate#22509

Merged

mergify[bot] merged 13 commits intomainfrom

vkukreja/oidc-provider-fix

Nov 4, 2022

Contributor

vinayak-kukreja commented Oct 14, 2022 •

edited

Loading

Currently, the IAM OIDC Provider is retrieving leaf certificates for a given url. The validity for these certificates is not that long. This can cause an outage for the customer since they might not be aware of when the certificate is going to expire. We have seen an outage in EKS due to this issue.

This change will help retrieving root certificates instead of leaf certificates. The validity of root certificate is much more than the leaf certificates. I am also adding validations for the certificate and also informing the customer if there retrieved certificate is going to expire within six months when they do a new deployment.

Fixes #8607

Signed-off-by: Vinayak Kukreja vinakuk@amazon.com

All Submissions:

Have you followed the guidelines in our Contributing guide?

Adding new Unconventional Dependencies:

This PR adds new unconventional dependencies following the process described here

New Features

Have you added the new feature to an integration test?
- Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

vinayak-kukreja added 3 commits

October 13, 2022 10:06


          fix(iam, eks): oidc provider gets root certificate

766e9a2

Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>


          make updates

401c340

Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>


          make updates

78bbe6e

Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>

gitpod-io bot commented Oct 14, 2022


          Merge branch 'main' into vkukreja/oidc-provider-fix

343cbb8

github-actions bot added the p2 label

aws-cdk-automation requested a review from a team

October 14, 2022 21:17

aws-cdk-automation previously requested changes

View reviewed changes

Collaborator

aws-cdk-automation left a comment

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

vinayak-kukreja added 2 commits

October 14, 2022 14:21


          make updates

b0c7fe8

Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>


          make updates

d94cf3b

Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>

mergify bot added the contribution/core label

vinayak-kukreja changed the title ~~fix(iam, eks): oidc provider gets root certificate~~ fix(iam): oidc provider retrieves root certificate instead of leaf certificate


          remove eks hardcoded thumbprint

14235c3

Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>

comcalvi reviewed

View reviewed changes

Contributor

comcalvi left a comment •

edited

Loading

looks pretty good, just some minor comments. Once the integ test is finished I can push it to this PR to make the linter happy

packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts Outdated Show resolved Hide resolved

packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts Show resolved Hide resolved

TheRealAmazonKendra reviewed

View reviewed changes

packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts Outdated Show resolved Hide resolved

packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts Show resolved Hide resolved

packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts Show resolved Hide resolved

vinayak-kukreja and others added 2 commits

October 20, 2022 17:38


          Merge branch 'main' into vkukreja/oidc-provider-fix

77e6333


          update unit test to fix build

5a7cfb9

Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>

aws-cdk-automation dismissed their stale review

October 21, 2022 21:41

✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.

vinayak-kukreja requested review from TheRealAmazonKendra, comcalvi and iliapolo

October 24, 2022 21:06

comcalvi mentioned this pull request

chore(eks): Integ Test for OIDCP Certificate Retrieval #22608

Merged

4 tasks

vinayak-kukreja added the pr/do-not-merge label

vinayak-kukreja marked this pull request as ready for review

October 27, 2022 16:29

comcalvi suggested changes

View reviewed changes

Contributor

comcalvi left a comment

I don't understand why any non-EKS integration tests are affected by this change. The EKS tests that use the OIDCP should see a change to the thumbprint list, but should be it...why are these other changes here?

packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts Show resolved Hide resolved

vinayak-kukreja force-pushed the vkukreja/oidc-provider-fix branch 2 times, most recently from 6d67d83 to 2951eeb Compare

November 3, 2022 21:07


          Merge branch 'main' into vkukreja/oidc-provider-fix

c331d13

iliapolo changed the title ~~fix(iam): oidc provider retrieves root certificate instead of leaf certificate~~ fix(iam): oidc provider retrieves leaf certificate instead of root certificate

github-actions bot added the bug label

github-actions bot added the effort/medium label


          reset, merge and address feedback

0a5caa8

Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>

vinayak-kukreja force-pushed the vkukreja/oidc-provider-fix branch from 2951eeb to 0a5caa8 Compare

November 3, 2022 22:29

aws-cdk-automation previously requested changes

View reviewed changes

Collaborator

aws-cdk-automation left a comment

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.


          update integ tests snapshots

Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>

aws-cdk-automation dismissed their stale review

November 4, 2022 02:27

✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.

vinayak-kukreja requested a review from comcalvi

November 4, 2022 03:19

comcalvi approved these changes

View reviewed changes

Contributor

comcalvi left a comment

lgtm

iliapolo approved these changes

View reviewed changes

iliapolo removed the pr/do-not-merge label

Contributor

mergify bot commented Nov 4, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).


          Merge branch 'main' into vkukreja/oidc-provider-fix

67d19a6

Collaborator

aws-cdk-automation commented Nov 4, 2022

AWS CodeBuild CI Report

CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
Commit ID: 67d19a6
Result: SUCCEEDED
Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

mergify bot merged commit ec32b5b into main

mergify bot deleted the vkukreja/oidc-provider-fix branch

November 4, 2022 13:47

Contributor

mergify bot commented Nov 4, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Naumel pushed a commit that referenced this pull request


          fix(iam): oidc provider retrieves leaf certificate instead of root ce…

443acc0

…rtificate (#22509)

Currently, the IAM OIDC Provider is retrieving leaf certificates for a given url. The validity for these certificates is not that long. This can cause an outage for the customer since they might not be aware of when the certificate is going to expire. We have seen an [outage](#8607) in EKS due to this issue. 

This change will help retrieving root certificates instead of leaf certificates. The validity of root certificate is much more than the leaf certificates. I am also adding validations for the certificate and also informing the customer if there retrieved certificate is going to expire within six months when they do a new deployment.

Fixes #8607

Signed-off-by: Vinayak Kukreja <vinakuk@amazon.com>

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

iliapolo added a commit that referenced this pull request


          Revert "fix(iam): oidc provider retrieves leaf certificate instead of…

… root certificate (#22509)"

This reverts commit ec32b5b.

iliapolo mentioned this pull request

revert(iam): oidc provider retrieves leaf certificate instead of root certificate #22805

Merged

mergify bot pushed a commit that referenced this pull request


          revert(iam): oidc provider retrieves leaf certificate instead of root…

64232ce

… certificate (#22805)

Reverts #22509. See #22802.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug contribution/core effort/medium p2