
add an update step to replace digicert with onecert
This allows upgrades to 4.16 to proceed. These upgrades were being
blocked by the SHA-1 signing algorithm used by DigiCert, which 4.16
no longer accepts.
yithian committed Sep 27, 2024
1 parent 7e77b10 commit d86dbbf
Showing 3 changed files with 56 additions and 0 deletions.
1 change: 1 addition & 0 deletions pkg/cluster/adminupdate_test.go
@@ -62,6 +62,7 @@ func TestAdminUpdateSteps(t *testing.T) {
"[Action startVMs]",
"[Condition apiServersReady, timeout 30m0s]",
"[Action populateDatabaseIntIP]",
"[Action replaceDigicert]",
"[Action fixMCSCert]",
"[Action fixMCSUserData]",
"[Action configureAPIServerCertificate]",
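Review bot: The only test change is adding `"[Action replaceDigicert]"` to the expected step list, so the step's own logic — the DigiCert issuer match and the switch to the OneCert issuer — has no coverage. A unit test with a fake ClusterKeyvault returning a PEM bundle whose issuer organization contains "DigiCert" should assert that SetCertificateIssuer and CreateSignedCertificate are called with "OneCertV2-PublicCA", and a second case with a non-DigiCert bundle should assert neither is called. TestAdminUpdateSteps continues outside the hunk.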
2 changes: 2 additions & 0 deletions pkg/cluster/install.go
@@ -138,6 +138,7 @@ func (m *manager) getGeneralFixesSteps() []steps.Step {
func (m *manager) getCertificateRenewalSteps() []steps.Step {
steps := []steps.Step{
steps.Action(m.populateDatabaseIntIP),
steps.Action(m.replaceDigicert),
steps.Action(m.fixMCSCert),
steps.Action(m.fixMCSUserData),
steps.Action(m.configureAPIServerCertificate),
@@ -223,6 +224,7 @@ func (m *manager) Update(ctx context.Context) error {
steps.Action(m.startVMs),
steps.Condition(m.apiServersReady, 30*time.Minute, true),
steps.Action(m.rotateACRTokenPassword),
steps.Action(m.replaceDigicert),
steps.Action(m.configureAPIServerCertificate),
steps.Action(m.configureIngressCertificate),
steps.Action(m.renewMDSDCertificate),
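Review bot: In both step lists the new `steps.Action(m.replaceDigicert)` is followed (directly, or after fixMCSCert/fixMCSUserData) by `steps.Action(m.configureAPIServerCertificate)` with no wait in between; if replaceDigicert only starts the Key Vault issuance rather than blocking on it, configureAPIServerCertificate can read the still-DigiCert secret and re-apply it, so either replaceDigicert must wait for the certificate operation to complete or a Condition that waits on it belongs between the two. Because the step also runs on every admin Update, a comment at the insertion point would help future readers, e.g. `// one-time migration off DigiCert (SHA-1 chain); no-op once the cert is OneCert-issued`. Both getCertificateRenewalSteps and Update continue outside the hunk.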
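--- /dev/null
+++ b/pkg/cluster/replacedigicert.go
@@ -0,0 +1,53 @@
+package cluster
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+"context"
+"strings"
+
+azkeyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault"
+
+"github.com/Azure/ARO-RP/pkg/util/keyvault"
+utilpem "github.com/Azure/ARO-RP/pkg/util/pem"
+)
+
+// if the cluster is using a managed domain and has a DigiCert-issued
+// certificate, replace the certificate with one issued by OneCert. This
+// ensures that clusters upgrading to 4.16 aren't blocked due to the SHA-1
+// signing algorithm in use by DigiCert
+func (m *manager) replaceDigicert(ctx context.Context) error {
+apiCertName := m.doc.ID + "apiserver"
+
+if strings.Contains(m.doc.OpenShiftCluster.Properties.ClusterProfile.Domain, ".") {
+bundle, err := m.env.ClusterKeyvault().GetSecret(ctx, apiCertName)
+if err != nil {
+return err
+}
+
+// don't need to look at the key, just the cert(s)
+_, certs, err := utilpem.Parse([]byte(*bundle.Value))
+if err != nil {
+return err
+}
+
+outer:
+for _, cert := range certs {
+for _, w := range cert.Issuer.Organization {
+if strings.Contains(w, "DigiCert") {
+// cluster uses a DigiCert certificate, change it over to OneCert
+_, err := m.env.ClusterKeyvault().SetCertificateIssuer(ctx, "OneCertV2-PublicCA", azkeyvault.CertificateIssuerSetParameters{})
+if err != nil {
+return err
+}
+
+m.env.ClusterKeyvault().CreateSignedCertificate(ctx, "OneCertV2-PublicCA", apiCertName, cert.Subject.CommonName, keyvault.EkuServerAuth)
+break outer
+}
+}
+}
+}
+
+return nil
+}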
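Review bot: The error returned by `m.env.ClusterKeyvault().CreateSignedCertificate(ctx, "OneCertV2-PublicCA", apiCertName, ...)` is discarded, so a failed issuance leaves the DigiCert certificate in place while the step reports success and the later certificate steps proceed on the old bundle; check it the way the SetCertificateIssuer call above it is checked: `if err := m.env.ClusterKeyvault().CreateSignedCertificate(ctx, "OneCertV2-PublicCA", apiCertName, cert.Subject.CommonName, keyvault.EkuServerAuth); err != nil { return err }`. Key Vault certificate creation against an issuer is asynchronous and nothing here waits for the operation before returning nil, so if the keyvault wrapper exposes a wait-for-certificate-operation helper (the install path's certificate creation appears to rely on one) it belongs here too, otherwise the next step may read the old secret. The gate `strings.Contains(m.doc.OpenShiftCluster.Properties.ClusterProfile.Domain, ".")` is described in the header comment as "using a managed domain", but a substring test for a dot does not by itself establish which of managed or custom domains it selects; if the package already has a helper that makes the managed-vs-custom decision for configureAPIServerCertificate, reuse it here so the two cannot drift, and make the comment name whichever case this actually covers. SetCertificateIssuer is given an empty CertificateIssuerSetParameters, and whether the issuer is expected to pre-exist in the vault or Key Vault requires at least a Provider is not visible in this diff and is worth confirming. The replacement is requested with only cert.Subject.CommonName, so any SANs on the DigiCert certificate are not carried over — confirm that is acceptable for the API server endpoint.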
