Use upstream golang/crypto functionality for ACME External Account Binding #3850
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: irbekrm The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
It is hardcoded to HS256 in golang.org/x/crypto Also, we now use a fork of golang.org/x/crypto in cert-manager org. Signed-off-by: irbekrm <irbekrm@gmail.com>
Use test/util/gen instead Signed-off-by: irbekrm <irbekrm@gmail.com>
Signed-off-by: irbekrm <irbekrm@gmail.com>
Signed-off-by: irbekrm <irbekrm@gmail.com>
…ield is set Signed-off-by: irbekrm <irbekrm@gmail.com>
a0acaf9 to
16f5141
Compare
|
/milestone v1.4 |
Signed-off-by: irbekrm <irbekrm@gmail.com>
There was a problem hiding this comment.
I've not run this locally yet: I think this all looks good, but honestly there's so much going on I could easily have missed several things. You could make the case for splitting this into several different PRs:
- Use cert-manager/crypto instead of meyskens/crypto
- Add support for warnings being returned during validation
- Deprecate the keyAlgorithm field and return a warning when it's set
- Remove legacy functions for issuer generation from
test/e2e/util/util.go
I think 4 stands out to me as being well worth splitting out into a separate PR. I think my preference would be to make 1 its own standalone PR too since it stands out to me as being such an important thing (because the fork makes me really, really nervous).
| type ValidateFunc func(req *admissionv1.AdmissionRequest, obj runtime.Object) field.ErrorList | ||
| type ValidateUpdateFunc func(req *admissionv1.AdmissionRequest, oldObj, obj runtime.Object) field.ErrorList | ||
| type ValidateFunc func(req *admissionv1.AdmissionRequest, obj runtime.Object) (field.ErrorList, []string) | ||
| type ValidateUpdateFunc func(req *admissionv1.AdmissionRequest, oldObj, obj runtime.Object) (field.ErrorList, []string) |
There was a problem hiding this comment.
it might be helpful to document in a comment on these types what the new []string return value is for, so that it's obvious at a glance. Likewise in the definitions of func (r *Registry) Validate and func (r *Registry) ValidateUpdate below and other instances of those types of function.
There was a problem hiding this comment.
Further to that, we have field.ErrorList which has the notion of a path, helping to point people at where exactly an error is.
It seems a shame to not have that kind of rich information for warnings. Maybe even something like this could work:
type WarningList field.ErrorListThere was a problem hiding this comment.
Thanks- I agree that splitting makes sense!
Would it makes sense if it was:
- Removes legacy functions (so that it's more straightforward to write e2e tests for 2)
- Use cert-manager/crypto instead of meyskens/crypto + deprecates the keyAlgorithm- this would allow us to fork upstream golang/crypto & cherry-pick alternative cert chains (current verson from meyskens has an older version of golang/crypto with our custom functionality for ACME EAB) and once we use upstream for ACME EAB we have to get rid of keyAlgorithm at least partially.
- Implements warnings
| @@ -68,8 +68,7 @@ var _ = framework.CertManagerDescribe("ACME Certificate (HTTP01)", func() { | |||
| validations := f.Helper().ValidationSetForUnsupportedFeatureSet(unsupportedFeatures) | |||
|
|
|||
| BeforeEach(func() { | |||
| acmeIssuer := util.NewCertManagerACMEIssuer(issuerName, f.Config.Addons.ACMEServer.URL, testingACMEEmail, testingACMEPrivateKey) | |||
There was a problem hiding this comment.
am I correct these changes are related to:
I have removed a bunch of legacy functions for issuer generation ...
if so, I can see why that's a valuable change but this is already a pretty huge PR and these changes to use gen here feel quite distant from the goal of this specific PR; they should maybe be in their own PR, to make everything easier to review?
or have I missed how these changes are linked to this PR?
There was a problem hiding this comment.
I put it here because I was adding some e2e tests for issuers and without removing the legacy I would have to either use & update the legacy functions for issuer generation or have two different ways of doing this in one file.
I will create a separate PR with these changes.
There was a problem hiding this comment.
#3873 PRs in just the removal of legacy functions.
|
/retest |
|
/test pull-cert-manager-e2e-v1-20 |
|
/test pull-cert-manager-bazel |
|
/test pull-cert-manager-bazel |
|
Closing this as I am splitting it into 3 separate PRs. |
[Update] I will split this PR into multiple ones to make it easier to code review.
See #3220 for full context.
Up till now we used a fork of
golang/cryptowith added support for ACME External Account Binding and fetching of ACME preferred certificate chains from @meyskens GitHub account.This PR:
golang/cryptofunctionality for ACME External Account Binding instead of our owngolang/cryptofork fromcert-manageraccount instead of @meyskens accountNotes:
I have forked the latest
golang/cryptotocert-managerorg and cherry-picked @meyskens commit that implements fetching of alternative certificate chains on top of that. We can use this fork till the same functionality gets implemented upstreamThe difference between the upstream implementation of ACME EAB and our own that we have used up till now is that in upstream the MAC algorithm value is hardcoded to
HS256. This means that theissuer.spec.acme.externalAccountBinding.keyAlgorithmthat has been 'required' so far becomes useless. This PR makes the field optional and the validating webhook now returns a warning if it is set. It is now possible (we test for that) to 1) deploy withissuer.spec.acme.externalAccountBinding.keyAlgorithmfield set 2) deploy without the field 3) deploy with, then remove.I have removed a bunch of legacy functions for issuer generation from
test/e2e/util/util.goas it partially duplicated the functionality intest/test/unit/gen/issuer.goand added some more specific issuer generation functions totest/unit/gen/issuer.go.Can we assume that no-one has been importing the legacy functions from
test/e2e/util/util.go? I did not find external imports onpkg.go.devIn order for the webhook to be able to return a warning I had to add it to the signature of most validating functions. I assume that this is a functionality that might potentially become useful? (i.e perhaps the warning about empty hostname for self-signed issuer that @SgtCoDFish worked on could have been implemented as a warning)
Would it make sense to eventually remove
issuer.spec.acme.externalAccountBinding.keyAlgorithm? (In which case that should probabaly be added to the warning message).This is what the warning looks like:
fixes #3822