Skip to content

Use upstream golang/crypto for ACME EAB + move crypto fork to cert-manager org #3877

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 13, 2021
Merged

Use upstream golang/crypto for ACME EAB + move crypto fork to cert-manager org #3877

merged 4 commits into from
Apr 13, 2021

Conversation

irbekrm
Copy link
Contributor

@irbekrm irbekrm commented Apr 9, 2021
edited
Loading

See #3220 for full context.

Up till now we used a fork of golang/crypto with added support for ACME External Account Binding and fetching of ACME preferred certificate chains from @meyskens GitHub account.

This PR:

  • uses upstream golang/crypto functionality for ACME External Account Binding instead of our own
  • uses golang/crypto fork from cert-manager account instead of @meyskens account

Notes:

  • I have forked the latest golang/crypto to cert-manager org and cherry-picked @meyskens commit that implements fetching of alternative certificate chains on top of that. We can use this fork till the same functionality gets implemented upstream

  • The difference between the upstream implementation of ACME EAB and our own that we have used up till now is that in upstream the MAC algorithm value is hardcoded to HS256. This means that the issuer.spec.acme.externalAccountBinding.keyAlgorithm that has been 'required' so far becomes useless. This PR makes the field optional and the validating webhook now returns a warning if it is set. It is now possible (we test for that) to 1) deploy with issuer.spec.acme.externalAccountBinding.keyAlgorithm field set 2) deploy without the field 3) deploy with, then remove.

This PR was originally part of the too large #3850 that I split into smaller PRs. Once/if this gets merged, I would like to create another PR to return a warning from the validating webhook if an issuer with spec.acme.externalAccountBinding.keyAlgorithm field set.

Deprecate Issuer.spec.acme.externalAccountBinding.keyAlgorithm field. EAB MAC algorithm is now hardcoded to HS256.

/kind cleanup

Closes #3822

irbekrm added 3 commits April 9, 2021 10:28
@irbekrm
Issuer's ACME EAB algorithm can no longer be set
09af959 
It is hardcoded to HS256 in golang.org/x/crypto

Also, we now use a fork of golang.org/x/crypto
in cert-manager org.

Signed-off-by: irbekrm <irbekrm@gmail.com>
@irbekrm
Add e2e test cases for different ACME EAB configurations
2c2b3da 
Signed-off-by: irbekrm <irbekrm@gmail.com>
@irbekrm
Update comment for replace directive in go.mod
697836e 
Signed-off-by: irbekrm <irbekrm@gmail.com>
@irbekrm irbekrm requested review from wallrj and SgtCoDFish April 9, 2021 14:22
@jetstack-bot jetstack-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. area/acme Indicates a PR directly modifies the ACME Issuer code area/api Indicates a PR directly modifies the 'pkg/apis' directory area/deploy Indicates a PR modifies deployment configuration area/testing Issues relating to testing approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 9, 2021
@irbekrm
Copy link
Contributor Author

irbekrm commented Apr 9, 2021

/kind cleanup

@jetstack-bot jetstack-bot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Apr 9, 2021
SgtCoDFish
SgtCoDFish reviewed Apr 9, 2021
View reviewed changes
Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a few quite minor things which I don't feel strongly about but might be worth considering! looks good, generally 😄

SgtCoDFish
SgtCoDFish approved these changes Apr 9, 2021
View reviewed changes
Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Apr 9, 2021
wallrj
wallrj approved these changes Apr 9, 2021
View reviewed changes
Copy link
Member

@wallrj wallrj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of comments which you can address or simply answer and /unhold if you disagree.

/lgtm
/hold

test/e2e/suite/issuers/acme/issuer.go
})
Expect(err).To(HaveOccurred())
Expect(err).To(MatchError(wait.ErrWaitTimeout))
})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not convinced that we need an E2E test for this. AFAICS it demonstrates that we can include or omit the KeyAlgorithm in our API calls and that the Issuer controller marks the Issuer Ready regardless....but it doesn't really tell us anything about whether the KeyAlgorithm is used.

I was going to suggest adding a unit-test instead, for the Setup function (above) but I see that it's over 200 lines long and has no existing unit-tests, so that might be a big rabbit hole.

Up to you. Remove this if you agree or leave it if you think it adds value.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to Richard's comments - I'm not sure if the e2e test provides much value (and I think a unit test would actually provide more value) - but can appreciate this is a relatively untested area as is 😬

Copy link
Contributor Author

@irbekrm irbekrm Apr 9, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added that bit to the e2e tests because this PR changes the part that e2e-tests ACME Issuer with ExternalAccountBinding- we are now only testing with an Issuer without the keyAlgorithm field.

Because of that I thought it would be good to have a basic high level e2e test that verifies that 1) an Issuer with that field can be created (gets past webhooks, becomes Ready etc) and 2) the field can be removed- which are the two things users probably would be doing? I could remove it, if it seems like it doesn't have any value.

I could look at unit testing the Setup function. I expect that it will need some refactoring so it might be a separate PR (that could come before this PR).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable to keep in order to verify that it all works fine with and without! 😊

@jetstack-bot jetstack-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 9, 2021
@wallrj
Copy link
Member

wallrj commented Apr 9, 2021

/unassign

munnerz
munnerz reviewed Apr 9, 2021
View reviewed changes
test/e2e/suite/issuers/acme/issuer.go
})
Expect(err).To(HaveOccurred())
Expect(err).To(MatchError(wait.ErrWaitTimeout))
})
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to Richard's comments - I'm not sure if the e2e test provides much value (and I think a unit test would actually provide more value) - but can appreciate this is a relatively untested area as is 😬

@irbekrm irbekrm mentioned this pull request Apr 9, 2021
Closed
@irbekrm
Standardize deprecation warnings
d213b4b 
Signed-off-by: irbekrm <irbekrm@gmail.com>
@jetstack-bot jetstack-bot removed the lgtm Indicates that a PR is ready to be merged. label Apr 12, 2021
@irbekrm
Copy link
Contributor Author

irbekrm commented Apr 12, 2021

/test pull-cert-manager-e2e-v1-20

@irbekrm irbekrm mentioned this pull request Apr 12, 2021
Merged
wallrj
wallrj approved these changes Apr 13, 2021
View reviewed changes
Copy link
Member

@wallrj wallrj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@irbekrm it looks like you've answered all our comments.

/lgtm
/hold

I added a /hold comment in case you were planning to add unit-tests in this PR.
Unhold if you prefer to get this merged now.

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Apr 13, 2021
@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: irbekrm, SgtCoDFish, wallrj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [SgtCoDFish,irbekrm,wallrj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@irbekrm
Copy link
Contributor Author

irbekrm commented Apr 13, 2021

I added a /hold comment in case you were planning to add unit-tests in this PR

Thank you @wallrj
If that's ok, I would like to add the tests in a separate PR closely following this one, because the Setup function is currently untested and I expect that we will need to refactor it a little.
This PR is not untested as such and in this case I feel like it might be better to not make this PR gigantic.
I will unhold this.

/hold cancel

@jetstack-bot jetstack-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 13, 2021
@jetstack-bot jetstack-bot merged commit b5be5a8 into cert-manager:master Apr 13, 2021
@jetstack-bot jetstack-bot added this to the v1.4 milestone Apr 13, 2021
@irbekrm irbekrm deleted the move_crypto_fork branch April 13, 2021 12:30
@maelvls maelvls mentioned this pull request Apr 21, 2021
Closed
This was referenced Apr 29, 2021
Merged
Merged
@irbekrm irbekrm mentioned this pull request Jun 10, 2021
Merged
@maelvls maelvls mentioned this pull request Jun 15, 2021
Merged
@mrajashree mrajashree mentioned this pull request Nov 30, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@munnerz munnerz munnerz left review comments

@wallrj wallrj wallrj approved these changes

@SgtCoDFish SgtCoDFish SgtCoDFish approved these changes

Assignees

@wallrj wallrj

@SgtCoDFish SgtCoDFish

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/acme Indicates a PR directly modifies the ACME Issuer code area/api Indicates a PR directly modifies the 'pkg/apis' directory area/deploy Indicates a PR modifies deployment configuration area/testing Issues relating to testing dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.4
Development

Successfully merging this pull request may close these issues.

Use go/x/crypto functionality for ACME External Account Binding
5 participants
@irbekrm @wallrj @jetstack-bot @munnerz @SgtCoDFish