Adds Support for Control Plane TLS#208
Conversation
|
To communicate: I haven't been looking at this because it is failing CI. |
|
@LukeShu I've been side tracked with other PR. I marked the PR as WIP. |
8eeccaf to
f2849cd
Compare
Signed-off-by: danehans <daneyonhansen@gmail.com>
| caCertPEM: caCert, | ||
| caKeyPEM: caKey, | ||
| expiry: expiry, | ||
| commonName: "envoy-gateway", |
There was a problem hiding this comment.
Common names are deprecated in RFC 2818 (in 2000) in favor of SANs. Major softwares (Golang, Chrome etc) stopped supporting them, so we should just issue certs without common names.
There was a problem hiding this comment.
Something to consider instead of just not setting the CN (having it be an empty string) is to have it be a human-friendly string; like "Envoy Gateway xDS server" or something.
But yeah, we shouldn't be issuing certs with hostnames in the CN.
|
xref #404 will causes this PR to support a TLS secret per managed Envoy deployment. |
LukeShu
left a comment
There was a problem hiding this comment.
Some nit-picks, but on the whole LGTM.
| DefaultNamespace = config.EnvoyGatewayNamespace | ||
|
|
||
| // DefaultCertificateLifetime holds the default certificate lifetime (in days). | ||
| DefaultCertificateLifetime = 365 |
There was a problem hiding this comment.
Can we just have this be DefaultCertificateLifetime = 365*24*time.Hour so it's typed as a time.Duration and we don't need to worry about converting it?
| caCertPEM: caCert, | ||
| caKeyPEM: caKey, | ||
| expiry: expiry, | ||
| commonName: "envoy-gateway", |
There was a problem hiding this comment.
Something to consider instead of just not setting the CN (having it be an empty string) is to have it be a human-friendly string; like "Envoy Gateway xDS server" or something.
But yeah, we shouldn't be issuing certs with hostnames in the CN.
| // bigIntHash generates a SubjectKeyId by hashing the modulus of the private | ||
| // key. This isn't one of the methods listed in RFC 5280 4.2.1.2, but that also | ||
| // notes that other methods are acceptable. | ||
| // | ||
| // gosec makes a blanket claim that SHA-1 is unacceptable, which is | ||
| // false here. The core Go method of generations the SubjectKeyId (see | ||
| // https://github.com/golang/go/issues/26676) also uses SHA-1, as recommended | ||
| // by RFC 5280. | ||
| func bigIntHash(n *big.Int) []byte { | ||
| h := sha1.New() // nolint:gosec | ||
| h.Write(n.Bytes()) // nolint:errcheck | ||
| return h.Sum(nil) | ||
| } |
There was a problem hiding this comment.
Why have a separate .Write(); hy not skip the .Write() and just return h.Sum(n.Bytes)? Or even skip creating an object at all and
h := sha1.Sum(n.Bytes())
return h[:](this is what the mentioned code the core crypto/x509 does)
But also, why are we even bothering with this? It's optional in non-CA certificates, and the crypto/x509 code will handle it for us in CA certificates.
| func newSerial(now time.Time) *big.Int { | ||
| return big.NewInt(int64(now.Nanosecond())) | ||
| } |
There was a problem hiding this comment.
Using the time feels weird to me. Perhaps crypto/rand would be better?
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)| Name: "sds", | ||
| MountPath: "/sds", | ||
| }, | ||
| }, |
There was a problem hiding this comment.
Should we put them in /mnt or /etc or somewhere? Putting them straight in the root feels weird to me.
| runAsUser: 65534 | ||
| runAsGroup: 65534 |
There was a problem hiding this comment.
65534 is the magic UID that users outside of your UID namespace show up as. So using it here is questionable. (
nss-systemdcalls this special user "nobody", but IMO a better name would have been "unknown")
I'm not necessarily asking you to change it, I'm asking you to justify it.
| Type: "RSA PRIVATE KEY", | ||
| Bytes: x509.MarshalPKCS1PrivateKey(newKey), |
There was a problem hiding this comment.
Getting in to bike-shed territory, but any reason to not use "PRIVATE KEY" and x509.MarshalPKCS8PrivateKey? It'd have fewer things to change if we ever want to switch away from RSA.
|
If anyone cares, here's some very similar code in Emissary: https://github.com/emissary-ingress/emissary/blob/master/cmd/apiext/ca.go |
ObjectName()method to get/set the default name of the ProxyInfra type.fixes: #70
Signed-off-by: danehans daneyonhansen@gmail.com