Skip to content

BUGFIX: CertificateRequest short names must be unique.#6354

Merged
SgtCoDFish merged 5 commits intocert-manager:masterfrom
inteon:fix_name_collision_bug
Sep 25, 2023
Merged

BUGFIX: CertificateRequest short names must be unique.#6354
SgtCoDFish merged 5 commits intocert-manager:masterfrom
inteon:fix_name_collision_bug

Conversation

@inteon
Copy link
Copy Markdown
Member

@inteon inteon commented Sep 20, 2023
edited
Loading

Fixes #6342

The new mechanism is explained here:

cert-manager/pkg/controller/certificates/requestmanager/requestmanager_controller.go

Lines 401 to 411 in 860df22

// The CertificateRequest name is limited to 253 characters, assuming the nextRevision and hyphen
// can be represented using 20 characters, we can directly accept certificate names up to 233
// characters. Certificate names that are longer than this will be hashed to a shorter name. We want
// to make crafting two Certificates with the same truncated name as difficult as possible, so we
// use a cryptographic hash function to hash the full certificate name to 64 characters.
// Finally, for Certificates with a name longer than 233 characters, we build the CertificateRequest
// name as follows: <first-168-chars-of-certificate-name>-<64-char-hash>-<19-char-nextRevision>
crName, err := apiutil.ComputeSecureUniqueDeterministicNameFromData(crt.Name, 233)
if err != nil {
return err
}

Kind

/kind bug

Release Note

BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature.

@jetstack-bot jetstack-bot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Sep 20, 2023
@inteon
BUGFIX: CertificateRequest short names must be unique.
fa2d933 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon inteon force-pushed the fix_name_collision_bug branch from e63fc97 to fa2d933 Compare September 20, 2023 12:51
SgtCoDFish
SgtCoDFish reviewed Sep 20, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've left a couple of comments; what do you think?

@inteon
add uniqueness check for names util
6006182 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon
Copy link
Copy Markdown
Member Author

inteon commented Sep 21, 2023
edited
Loading

/cherrypick release-1.13

@jetstack-bot
Copy link
Copy Markdown
Contributor

jetstack-bot commented Sep 21, 2023

@inteon: once the present PR merges, I will cherry-pick it on top of release-1.13 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release-1.13
/cherrypick release-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@inteon
Copy link
Copy Markdown
Member Author

inteon commented Sep 21, 2023

/cherrypick release-1.12

@jetstack-bot
Copy link
Copy Markdown
Contributor

jetstack-bot commented Sep 21, 2023

@inteon: once the present PR merges, I will cherry-pick it on top of release-1.12 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@inteon
fix feedback: make hash secure
860df22 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon inteon force-pushed the fix_name_collision_bug branch from 0f35a61 to 860df22 Compare September 21, 2023 11:24
SgtCoDFish
SgtCoDFish reviewed Sep 22, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple more comments!

pkg/controller/certificates/requestmanager/requestmanager_controller.go
Comment on lines +381 to +383
// We limit the GenerateName to 52 + 1 characters to stay within the 63 - 5 character limit that
// is used in Kubernetes when generating names.
// see https://github.com/kubernetes/apiserver/blob/696768606f546f71a1e90546613be37d1aa37f64/pkg/storage/names/generate.go
Copy link
Copy Markdown
Member

@SgtCoDFish SgtCoDFish Sep 22, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love this comment!

@inteon
add more test cases and fix typo
eac230f 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon inteon mentioned this pull request Sep 22, 2023
Closed
@inteon inteon requested a review from SgtCoDFish September 22, 2023 12:00
SgtCoDFish
SgtCoDFish approved these changes Sep 22, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve
/hold

This is an improvement and it fixes the issue as far as I can tell! I think it'd be helpful for another maintainer to take a look at this since it's essentially setting the format for all CertificateRequests going forwards. Maybe someone else will have thoughts on it. But I'd be happy to merge I think!

@jetstack-bot jetstack-bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. labels Sep 22, 2023
@jetstack-bot
Copy link
Copy Markdown
Contributor

jetstack-bot commented Sep 22, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 22, 2023
@maelvls maelvls self-requested a review September 25, 2023 11:45
maelvls
maelvls reviewed Sep 25, 2023
View reviewed changes
maelvls
maelvls reviewed Sep 25, 2023
View reviewed changes
maelvls
maelvls reviewed Sep 25, 2023
View reviewed changes
@maelvls
Copy link
Copy Markdown
Member

maelvls commented Sep 25, 2023

I am happy with the new format.

Maybe bumping the name limit from a DNS label (63 chars) to a DNS subdomain (253 chars) would have solved 99% of the problems, including the original author of the issue. It seems like the hashing feature addresses a small corner case: folks with very very very large certificate names (longer than 232 chars) would still get the issue reported by the original author. But it's good that we solved this corner case anyways.

Thanks for working on this!

I'll hold it if you need to fix some of the non-blocking suggestions.

/lgtm
/hold

@inteon
add extra comment
2dc22bc 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@jetstack-bot jetstack-bot removed the lgtm Indicates that a PR is ready to be merged. label Sep 25, 2023
@inteon
Copy link
Copy Markdown
Member Author

inteon commented Sep 25, 2023

/unhold

@jetstack-bot jetstack-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 25, 2023
@SgtCoDFish
Copy link
Copy Markdown
Member

SgtCoDFish commented Sep 25, 2023

/lgtm

(quick lgtm as requested given this has been reviewed)

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Sep 25, 2023
@SgtCoDFish SgtCoDFish merged commit 1c417be into cert-manager:master Sep 25, 2023
@jetstack-bot
Copy link
Copy Markdown
Contributor

jetstack-bot commented Sep 25, 2023

@inteon: new pull request created: #6358

Details

In response to this:

/cherrypick release-1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

This was referenced Sep 25, 2023
Merged
Merged
@jetstack-bot
Copy link
Copy Markdown
Contributor

jetstack-bot commented Sep 25, 2023

@inteon: new pull request created: #6359

Details

In response to this:

/cherrypick release-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@inteon inteon added kind/bug Categorizes issue or PR as related to a bug. and removed kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. labels Sep 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maelvls maelvls maelvls left review comments

@SgtCoDFish SgtCoDFish SgtCoDFish approved these changes

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CertificateRequest name collisions in v1.13.0

4 participants

@inteon @jetstack-bot @maelvls @SgtCoDFish