enhancements/x509-trust: Propose a new enhancement #115
Conversation
openshift-ci-robot
added
the
size/L
|
|
||
| Components can mount `ca-bundle.crt` from their ConfigMap(s) under `/usr/share/pki/ca-trust-source/anchors/`. | ||
| Components are then responsible for running `update-ca-trust` (FIXME: do we need `extract` or not?) at start. | ||
| They must also run `update-ca-trust` periodically thereafter to pull in any [updates from the mounted ConfigMap][mounted-configmap-updates]. |
There was a problem hiding this comment.
running update-ca-trust requires root. not all containers can run as root.
There was a problem hiding this comment.
not all containers can run as root.
What's the alternative? Holding your trust under ~? Or do you have to union keys in Kube-space and use the single-bundle /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem workaround?
There was a problem hiding this comment.
the latter is more or less what we did for proxy.
or you need to load your CAs from additional locations, if you have that flexibility in your transport libs.
There was a problem hiding this comment.
What we really want of course is user namespaces so that "as root" is really only in the container. xref https://lwn.net/Articles/796700/
| * `composition`, configuring how the bundle in `ca-bundle.crt` is composed with the component's default trust store. | ||
| Valid values are: | ||
| * `append`, in which case components should use the union of the `ca-bundle.crt` and their default trust store. | ||
| * `override`, in which case components should use only `ca-bundle.crt` and ignore their default trust store. |
There was a problem hiding this comment.
There are really two places to make this decision:
- does the admin want to supply the total set of cluster CAs, or do they want to supply additionalCAs that should be appended to the cluster's system trust (as determined by the ubi image, basically)
- does the each component accept the provided cluster CA bundle as the total set of CAs it trusts, or does it append the provided set to its own system trust bundle (it will always append its own component-level CAs, if any)
We'd really only talked about (1) so far, but you seem to be talking about (2).
There was a problem hiding this comment.
We'd really only talked about (1) so far, but you seem to be talking about (2).
This is basically "union with UBI defaults". I don't really care if that happens Kube-side (1) or container-side (2). I just assumed (2), because that's what we do now. Do you have a reason to pivot to (1)?
There was a problem hiding this comment.
actually we do it somewhat kube side today and component side.
- the proxy controller takes the additional CAs and appends the UBI system bundle to it
- the proxy controller injects that new bundle into the labeled CMs
- components consume that CM in whatever manner they choose. They may use it as the only set of CAs, they might union it with their own system trusts, they might union it with their own other sources of CAs, etc.
There was a problem hiding this comment.
actually we do it somewhat kube side today and component side.
Do you have a reason to preserve this, instead of pivoting to explicit append or override semantics?
- the proxy controller takes the additional CAs and appends the UBI system bundle to it
Is this documented anywhere? I don't see anything about it here or here.
There was a problem hiding this comment.
Do you have a reason to preserve this, instead of pivoting to explicit append or override semantics?
we aren't going to (successfully) dictate what components choose to do with the content... so i think on a component consumption perspective you will always have:
- some that use what is provided as the only CAs
- some that combine it w/ their own image system CAs
- some that combine it with their own component-specific CA configuration
Plus (3) will probably always make sense for some components and not for others. meaning at least (1) and (3) are likely to always need to be allowed/implemented. (1) vs (2) we can potentially declare a best practice rule about..I think we'd choose (1) there.
Is this documented anywhere? I don't see anything about it here or here.
Today the additional CA bundle is a combination of user provided CAs plus the system CAs from the network operator image. In the future adding the system trusts to the bundle should be a configurable optional so customers who want to explicitly control the trusted CAs can do so.
There was a problem hiding this comment.
we aren't going to (successfully) dictate what components choose to do with the content...
We aren't? If I gave the CVO a ConfigMap with my company CA and override, and someone MitMed my upstream with a cert signed by a sloppy/compromised big CA, and the CVO accepted the connection to the attacker, I would be really mad at the CVO and file a strongly worded bug ;).
There was a problem hiding this comment.
it's not just CVO, OLM operators will also consume this. which will include ISV operators, community operators, etc.
There was a problem hiding this comment.
I expected a new trust bundle system to expand the existing additionalTrustedCA. It’s not clear to me why we would have a second system?
https://github.com/openshift/api/blob/master/config/v1/types_proxy.go#L65
I expect to cover everything described here. Why would we have a second one?
Or, if it’s not sufficient, how does something new interact? How do they conflict?
There was a problem hiding this comment.
It’s not clear to me why we would have a second system?
Because you might have X.509 trust consumers that do not expect to be speaking to a proxy. This enhancement spun off from openshift/installer#2658 where I proposed setting TrustedCA on the proxy config in the absence of other proxy settings to support the network-routed-proxy case, and the pushback was around the proxy config only being used for the ask-apps-explicitly-to-use-a-proxy case. And at least the CVO currently only uses the proxy-config's TrustedCA when HTTPSProxy is set. This proposal works around that pushback by defining a higher-level default trust config (the default-ca-bundle ConfigMap) that components should be clearly falling back to even if they feel like the proxy config doesn't apply to them. So the CVO logic would be:
- If
HTTPSProxyis set (potentially also ifHTTPProxyis set to anhttps://URI) andTrustedCAis set, useTrustedCAwhen validating TLS connections. Otherwise... - If
default-ca-bundleexists, use it when validating TLS connections. Otherwise... - Use the container's default (UBI) trust store when validating TLS connections.
That would support use cases like:
I'm not using a proxy, but I don't want my nodes trusting all the UBI CAs. The CVO needs to talk to api.openshift.com (for Cincy, signed by Let's Encrypt) and mirror.openshift.com or storage.googleapis.com (for signatures, signed by DigiCert and Google Trust Services respectively). Limit the CVO trust to those three CAs.
There was a problem hiding this comment.
potentially also if HTTPProxy is set to an https:// URI
Note that if HTTPSProxy is unset, HTTPProxy is used to proxy https requests regardless of the url scheme.
|
@wking how do you see this interacting w/ the existing "proxy" CA mechanism? Today the "proxy" mechanism is proxy in one specific way only: the labeled configmaps get content injected based on the CM linked from the ProxyConfig resource. Nothing else about the flow mentions proxy:
So if we're going to introduce a second mechanism for distributing CA bundles, what is the expectation for existing consumers of the "proxy" bundle? And if we end up with disjoint sets (one bundle for the "proxy' and another bundle for "other CAs") how do we expect components to consume both, if they need to? Up to them to munge things together? I think it might be better if we can find a way to evolve the existing mechanism (e.g. break the coupling to ProxyConfig) as a first step. Things the current "proxy" mechanism is lacking:
Can we do something simpler and just address those? Do we even need proxy specific CAs, or can we live with a global cluster CA bundle for now that serves as the proxy bundle as well, for things that want to talk to a proxy? (effectively just rename what we did in 4.2 as the global cluster CA distributor instead of the proxy CA distributor) |
I'll fill in this today. |
|
I've pushed 8698b5b -> 3d92920, renaming the proxy-only injection label to |
|
@wking there's a bit of a migration headache here. In the end state you're saying:
In the current state, CM's labeled with To do this safely it seems like we need some period of time in which the "proxy" CMs are all labeled w/ both labels. Then switch the proxy injection logic over to look for Otherwise you risk the wrong/unexpected thing being injected into a CM. You might be able to simplify the migration by not reusing the |
wking
force-pushed
the
x509-trust
branch
4 times, most recently
from
00ead3d to
e5d3ceb
Compare
| Components are then responsible for running `update-ca-trust` (FIXME: do we need `extract` or not?) at start. | ||
| They must also run `update-ca-trust` periodically thereafter to pull in any [updates from the mounted ConfigMap][mounted-configmap-updates]. | ||
|
|
||
| Components that need a single trust bundle injected can bypass `update-ca-trust` and mount their `ca-bundle.crt` directly into `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` (FIXME: RHEL/UBI docs confirming this as a supported workflow). |
There was a problem hiding this comment.
Could we automate the creation of environment variables containing the cert bundles, or create a volume using the same mechanism as proxy. It would streamline how we use the injection process.
There was a problem hiding this comment.
Could we automate the creation of environment variables containing the cert bundles...
It's not clear to me how this would work. Can you give example Deployment YAML and talk us through this?
There was a problem hiding this comment.
Sure, I was just extrapolating from this excerpt from the global cluster egress policy enhancement.
deployments with the config.openshift.io/inject-proxy: will get the current proxy environment variables injected (HTTP_PROXY, HTTPS_PROXY, NO_PROXY) by the cluster version operator.
So in our case we could add config.openshift.io/add-trusted-ca-bundle: <container name> to our deployments and the cluster-version-operator would add a volume that mounts the trusted-ca-bundle configmap, and an inline command to add it to the container's trusted CAs.
There was a problem hiding this comment.
@iamemilio I'm happy that I came across your comment. I'm working on adding proxy support to the ingress operator and was considering a similar approach. I feel like we need a better solution to mounting the trust bundle than what currently exists (see image registry operator).
@wking let's use ingress operator as an example. The deployment would be updated with:
annotations:
config.openshift.io/add-trusted-ca-bundle: "ingress-operator" # container name to inject bundle
CVO watches deployments with the above annotation and creates a volume for the operator's trust bundle configmap and mounts the volume in the container(s) specified by the annotation. The ingress operator's deployment would look like the following after CVO finishes reconciliation:
apiVersion: apps/v1
kind: Deployment
metadata:
name: ingress-operator
namespace: openshift-ingress-operator
annotations:
config.openshift.io/add-trusted-ca-bundle: ingress-operator
spec:
<SNIP>
containers:
- name: ingress-operator
<SNIP>
volumeMounts:
- name: trusted-ca
mountPath: /var/run/configmaps/trusted-ca/
<SNIP>
configMap:
name: trusted-ca
optional: true
items:
- key: ca-bundle.crt
path: tls-ca-bundle.pem
There was a problem hiding this comment.
i think you will have a hard time making the case that the CVO should do this.
the only reason the CVO took ownership of setting env vars on the operator deployments is because it is impossible for the operator to set env vars on its own deployment(the cvo would stomp away the values). The same restriction doesn't apply to the configmap volume mounting, since the operator can define its deployment with a CM volume mount, and define the CM to be mounted.
There was a problem hiding this comment.
@bparees thanks for the feedback. I'll look into having the ingress operator programmatically manage it's own trust bundle volume/volumeMount. However, having a single controller that manages this would provide consistency across operators.
There was a problem hiding this comment.
@bparees what would you suggest as a solution then? Should an operator be given the responsibility for injecting this into container deployments, or do you think we should drop it an just add it manually to all the services.
There was a problem hiding this comment.
@iamemilio today operators that need proxy CAs in their operator deployment, configure themselves accordingly:
-
they define a configmap that will have the CAs injected into it:
https://github.com/openshift/cluster-image-registry-operator/blob/a0efd48f8bc2c8d18d53fc5a9e5b8515b94bc2a4/manifests/04-ca-trusted.yaml#L8 -
they mount that configmap in their deployment:
https://github.com/openshift/cluster-image-registry-operator/blob/a0efd48f8bc2c8d18d53fc5a9e5b8515b94bc2a4/manifests/07-operator.yaml#L93 -
they watch the mounted content for changes and restart their process as needed:
https://github.com/openshift/cluster-image-registry-operator/blob/a0efd48f8bc2c8d18d53fc5a9e5b8515b94bc2a4/manifests/07-operator.yaml#L62-L73
That is what i would expect here
i like it. |
|
@Miciah PTAL, would like to understand if this solves the ingresscontroller trust issues. |
smarterclayton
left a comment
smarterclayton
left a comment
There was a problem hiding this comment.
The existing proxy value has to be unified with this (or we just use that).
| Administrators will have a single location to configure a default additional trust bundle to be used by all cluster components. | ||
| They will also be able to specify whether this default is to be use in addition to, or instead of, the component's default trust bundle. | ||
|
|
||
| Administrators will have per-component configuration locations to adjust the cluster-scoped default. |
There was a problem hiding this comment.
Why?
Because you don't need to have a global trust store for the whole cluster. You get better isolation against compromised CAs if each component only trusts the CAs it needs to trust (e.g. the CVO scoping I sketched out here). But while that scoping is nice for the paranoid, it's also a pain, which is why I think we also want to make it easy for folks to mix and match cluster-scoped defaults and per-component overrides to match their security stance.
| * `composition`, configuring how the bundle in `ca-bundle.crt` is composed with the component's default trust store. | ||
| Valid values are: | ||
| * `append`, in which case components should use the union of the `ca-bundle.crt` and their default trust store. | ||
| * `override`, in which case components should use only `ca-bundle.crt` and ignore their default trust store. |
There was a problem hiding this comment.
I expected a new trust bundle system to expand the existing additionalTrustedCA. It’s not clear to me why we would have a second system?
https://github.com/openshift/api/blob/master/config/v1/types_proxy.go#L65
I expect to cover everything described here. Why would we have a second one?
Or, if it’s not sufficient, how does something new interact? How do they conflict?
| 1. The network operator learns about the new labels. | ||
| `config.openshift.io/inject-trusted-cabundle` is treated as a synonym for `config.openshift.io/inject-proxy-cabundle`. | ||
| 2. Existing proxy consumers migrate to `config.openshift.io/inject-proxy-cabundle`. | ||
| 3. The network operator adds an alert on any ConfigMaps with the `config.openshift.io/inject-trusted-cabundle` label, to notify cluster administrators about the deprecation. |
There was a problem hiding this comment.
We do not deprecate features like this. It is forever.
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: wking The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
| ### Per-component Trust | ||
|
|
||
| Each component will define its own well-known ConfigMap(s) in its own namespace, with the same `ca-bundle.crt` and `composition` keys as [the cluster-scoped ConfigMap](#cluster-scoped-default-trust). | ||
| For example, the registry operator uses [`trusted-ca`][registry-configmap-name] in [the `openshift-image-registry` namespace][registry-configmap-namespace]. |
There was a problem hiding this comment.
Each component will define its own well-known ConfigMap(s) in its own namespace, with the same
ca-bundle.crtandcompositionkeys as the cluster-scoped ConfigMap.
Operators currently define their own configmap statically. See the registry operator as an example. If I understand correctly, operators will need to get the value of composition from the cluster-scoped configmap and create the operator-scoped configmap programatically. Is my understanding correct?
There was a problem hiding this comment.
If I understand correctly, operators will need to get the value of
compositionfrom the cluster-scoped configmap and create the operator-scoped configmap programatically
Nope, just make a create-only ConfigMap, as described here. Setting composition locally will get clobbered by the network operator using this logic if you have any of the network-operator labels set, but admins could also unset the network-operator labels and set composition manually on the per-component ConfigMap as they see fit.
I'm not sure that RHEL's ca-certificates RPM is based on the Mozilla CA set, but Fedora's ca-certificates is [1]: > By default, the trust store contains the Mozilla CA list, including > positive and negative trust. [1]: https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/
wking
changed the title
|
I expected the following:
|
@smarterclayton I believe the consensus here was that a new config should be created so that we don't muddy the proxy work-flow. Trevor nicely summarized this here. We are proposing that the global configmap that cluster resources use by default be the newly created
I believe this is also a core goal of the original proposal that is outlined in the |
I don't think this is a secure plan for customers. Trust is subdivided inside of our clusters to ensure that we're two bugs away from compromise. If trust is indiscriminately scoped and CAs which are not valid signers for certain certificates are trusted, then you can end up in states where instead of two compromises (the signer and DNS or network), you will only be one compromise (DNS or network) because the wrong trust domain is used. @wking identified the same problem here: #115 (comment) . There are legitimate cases for subdivided trust. Internally signed trust relationships are another. The idea of default trust for external (outside the cluster) signers makes sense. The idea of unioning that trust doesn't make sense as the only option because if you know to expect certain signers you want to use those (again @wking has explained this above too), but it's ok as an option. Neither of these trust models are the same as proxy trust. Given the usages we have already seen where we need to have different trust bundles for different registries, it is not obvious that a big-ball-o- trust is what we really desire. For image-registries we subdivided based on names, which may be more appropriate overall and will lead more correct injection by the consuming components. It doesn't preclude a component from making a big-ball-of-trust, but it enables components that can do better to be able to . |
|
@wking I just had a discussion with @smarterclayton and @deads2k about how to move this forward and our conclusion was that the primary use case this was going to fulfill (components that need to talk to cloudproviders that are using certs that can be validated w/ the system trust store) is better solved by proper consumption of the existing cloudprovider config on the cluster which includes a CA reference. (and in fact the existing consuming components we're aware of that had issues talking to, for example openstack, have been addressed, for example: https://github.com/openshift/cluster-image-registry-operator/blob/master/pkg/storage/swift/swift.go#L148-L154, which was added via openshift/cluster-image-registry-operator#445) So barring a new significant use case of "i need to provide CAs for some external service to many cluster components", we concluded that there is no present need for a "global CA distribution mechanism" at this point. Unless you disagree, I think this can be closed out for now. |
Isn't the "I'm pushing traffic through a proxy by configuring network routing, not via a |
Isn't that solved by the existing proxy CA mechanism? (worst case, you configure a proxyconfig with no actual proxy values, but with a dummy noproxy value). It's still a scenario of "all components making external requests must trust this CA for all their connections" (solved by proxy CA controller) which is distinct from "connection to this specific endpoint must use this additional CA" (not solved by proxy CA controller).
any component that makes external requests is supposed to respect the proxy CA injection/configuration. The only iffy case was "my component makes calls to the hosting cloud provider and we assumed you'd never go through a proxy to talk to the hosting cloud provider". The answer to that case is what i linked to the in the registry-operator: respect the cloudconfig which provides the CA to use. |
|
with respect to: openshift/installer#2658 i think we can simply document the solution, which i believe is: i put a comment in https://bugzilla.redhat.com/show_bug.cgi?id=1771564 about needing to improve the doc, but i didn't mention documenting that particular aspect of it. |
Yeah. I'm not aware of any approach that addresses this, short of passing around separate bundles for each possible endpoint. Would be nice if there was an OpenSSL approach that be configured to allow host-specific CA selection, but I don't think that exists today.
Folks who fiddled with this couldn't get it to work, but I'm not sure they tried that specific approach. I can try to hunt down the transparent network proxy bugs and see if they've tried it and if not, whether it would work for them going forward. And pulling in your bug comment:
Still not clear to me how you're supposed to address this at install time. Do we want a new enhancement around that question more narrowly? |
|
ok.
I'm now on the same page as @bparees earlier with no known, real-world use-cases that aren't addressed by the existing logic, so. /close |
|
@wking: Closed this PR. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
…pose a new enhancement Attempting to address the following use-cases: * CVO pointed at a local Cincinnati (or other update recommendation service) signed by some local CA that the CVO does not trust out of the box. * CVO routed through a TLS-terminating proxy signed by some local CA, but [without the `httpsProxy` Proxy entry that would cause the CVO to use the Proxy's `trustedCA`][1]. As a narrow, CVO-upstream-only alternative to the generic openshift#115 framework. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1773419#c1
…pose a new enhancement Attempting to address the following use-cases: * CVO pointed at a local Cincinnati (or other update recommendation service) signed by some local CA that the CVO does not trust out of the box. * CVO routed through a TLS-terminating proxy signed by some local CA, but without the httpsProxy Proxy entry that would cause the CVO to use the Proxy's trustedCA [1]. As a narrow, CVO-upstream-only alternative to the generic openshift#115 framework. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1773419#c1
…pose a new enhancement Attempting to address the following use-cases: * CVO pointed at a local Cincinnati (or other update recommendation service) signed by some local CA that the CVO does not trust out of the box. * CVO routed through a TLS-terminating proxy signed by some local CA, but without the httpsProxy Proxy entry that would cause the CVO to use the Proxy's trustedCA [1]. As a narrow, CVO-upstream-only alternative to the generic openshift#115 framework. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1773419#c1
…pose a new enhancement Attempting to address the following use-cases: * CVO pointed at a local Cincinnati (or other update recommendation service) signed by some local CA that the CVO does not trust out of the box. * CVO routed through a TLS-terminating proxy signed by some local CA, but without the httpsProxy Proxy entry that would cause the CVO to use the Proxy's trustedCA [1]. As a narrow, CVO-upstream-only alternative to the generic openshift#115 framework. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1773419#c1
…pose a new enhancement Attempting to address the following use-cases: * CVO pointed at a local Cincinnati (or other update recommendation service) signed by some local CA that the CVO does not trust out of the box. * CVO routed through a TLS-terminating proxy signed by some local CA, but without the httpsProxy Proxy entry that would cause the CVO to use the Proxy's trustedCA [1]. As a narrow, CVO-upstream-only alternative to the generic openshift#115 framework. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1773419#c1
…pose a new enhancement Attempting to address the following use-cases: * CVO pointed at a local Cincinnati (or other update recommendation service) signed by some local CA that the CVO does not trust out of the box. * CVO routed through a TLS-terminating proxy signed by some local CA, but without the httpsProxy Proxy entry that would cause the CVO to use the Proxy's trustedCA [1]. As a narrow, CVO-upstream-only alternative to the generic openshift#115 framework. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1773419#c1
…pose a new enhancement Attempting to address the following use-cases: * CVO pointed at a local Cincinnati (or other update recommendation service) signed by some local CA that the CVO does not trust out of the box. * CVO routed through a TLS-terminating proxy signed by some local CA, but without the httpsProxy Proxy entry that would cause the CVO to use the Proxy's trustedCA [1]. As a narrow, CVO-upstream-only alternative to the generic openshift#115 framework. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1773419#c1
…pose a new enhancement Attempting to address the following use-cases: * CVO pointed at a local Cincinnati (or other update recommendation service) signed by some local CA that the CVO does not trust out of the box. * CVO routed through a TLS-terminating proxy signed by some local CA, but without the httpsProxy Proxy entry that would cause the CVO to use the Proxy's trustedCA [1]. As a narrow, CVO-upstream-only alternative to the generic openshift#115 framework. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1773419#c1
…pose a new enhancement Attempting to address the following use-cases: * CVO pointed at a local Cincinnati (or other update recommendation service) signed by some local CA that the CVO does not trust out of the box. * CVO routed through a TLS-terminating proxy signed by some local CA, but without the httpsProxy Proxy entry that would cause the CVO to use the Proxy's trustedCA [1]. As a narrow, CVO-upstream-only alternative to the generic openshift#115 framework. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1773419#c1
12 participants
Previous discussion in rhbz#1771564, openshift/installer#2658, etc., etc. ;). CC @abhinavdahiya, @bparees, @deads2k @dhansen, @dustymabe, @iamemilio, @kalexand-rh, @sdodson