Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fulcio CA certificate issue #206

Closed
cooktheryan opened this issue Feb 22, 2024 · 6 comments · Fixed by #256
Closed

Fulcio CA certificate issue #206

cooktheryan opened this issue Feb 22, 2024 · 6 comments · Fixed by #256
Assignees
@cooktheryan
Labels
bug Something isn't working GA GA deliverables

Comments

@cooktheryan
Copy link
Collaborator

Currently, if a certificate is private or self signed fulcio will require the following. oc set env -n fulcio-system deployment/fulcio-server SSL_CERT_DIR=/var/run/fulcio

We need to try to see if the new Fulcio code fixes this or if we will need to code in our own fix
@cooktheryan cooktheryan added bug Something isn't working GA GA deliverables labels Feb 22, 2024
@cooktheryan cooktheryan self-assigned this Feb 24, 2024
@cooktheryan cooktheryan mentioned this issue Feb 24, 2024
Closed
@osmman
Copy link
Contributor

osmman commented Mar 5, 2024

By using simple SSL_CERT_DIR can cause problem when Fulcio will use multiple OIDC which one is for example Google and internal Keycloak (custom CA root). When I will add custom CA root to SSL_CERT_DIR then it will override the default system's CA trusted roots so it will not trust Google OIDC and user will have to add another CA roots.

// certDirEnv is the environment variable which identifies which directory
// to check for SSL certificate files. If set this overrides the system default.
// It is a colon separated list of directories.
// See https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html.
certDirEnv = "SSL_CERT_DIR"

https://github.com/golang/go/blob/master/src/crypto/x509/root_unix.go#L21-L25
https://github.com/golang/go/blob/master/src/crypto/x509/root_linux.go#L10-L23

@osmman
Copy link
Contributor

osmman commented Mar 5, 2024

Maybe the solution could be to mount user's CA file directly into /etc/pki/tls/certs directory. If I understand go's crypto code correctly than it should be loaded.

https://github.com/golang/go/blob/master/src/crypto/x509/root_linux.go#L22
https://github.com/golang/go/blob/master/src/crypto/x509/root_unix.go#L72

@osmman
Copy link
Contributor

osmman commented Mar 5, 2024

We cannot use /var/run/fulcio/ca.crt because Fulcio use these certificates only for https://kubernetes.default.svc OIDC (not generic).

https://github.com/sigstore/fulcio/blob/main/pkg/config/config.go#L226

@osmman
Copy link
Contributor

osmman commented Mar 5, 2024
edited
Loading

I think I have found one solution to add extra trusted CA for the Fulcio server. The idea is to mount a new file with bundle of extra certificates into /etc/pki/tls/certs/ folder. The deployment configuration goes something like this:

spec:
  template:
    spec:
      containers:
      - name: fulcio-server
        volumeMounts:
        - name: trusted-ca
          mountPath: /etc/pki/tls/certs/fulcio-oidc.crt
          subPath: "fulcio-oidc.crt"
          readOnly: true
      volumes:
      - name: trusted-ca
        configMap:
          name: fulcio-trusted-ca
          items:
            - key: ca.crt
              path: "fulcio-oidc.crt"

Content of ca.crt

-----BEGIN CERTIFICATE-----
first cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
second cert
-----END CERTIFICATE-----

Now just figure out how to connect it to the Operator. I have in my mind these following possibilities:

  1. simply method which expect that namespace has exactly prdefined config map. Similar solution which is used in oidc-info volume.
  2. extend the Fulcio API by adding new field to add trusted CA.
    1. Example which enabled multiple config maps: 
      kind: Fulcio
spec:
  trustedCA:
    - name: kube-root-ca.crt
       key: ca.crt
    - name: openshift-service-ca.crt
       key: service-ca.crt
    - name: custom-ca-bundle
       key: ca.crt
    2. simplify version for only one CA bundle: 
      kind: Fulcio
 spec:
   trustedCA:
     name: custom-ca-bundle
     key: ca.crt

@cooktheryan @bouskaJ @lance @Gregory-Pereira What do you think?

@osmman
Copy link
Contributor

osmman commented Mar 7, 2024
edited
Loading

Now I noticed that it is also possible to use SSL_CERT_DIR env variable too because even if this value is set, the go crypto library will try to load these default os certificates.

This option could work to:

spec:
  template:
    spec:
      containers:
      - name: fulcio-server
        env:
          - name: SSL_CERT_DIR
             value: /var/run/fulcio
        volumeMounts:
        - name: trusted-ca
          mountPath: /var/run/fulcio/oidc.crt
          subPath: "oidc.crt"
          readOnly: true
      volumes:
      - name: trusted-ca
        configMap:
          name: fulcio-trusted-ca
          items:
            - key: ca.crt
              path: "oidc.crt"

@bouskaJ
Copy link
Collaborator

bouskaJ commented Mar 7, 2024

I would tend to use 2.ii - the bundle can be generated by https://cert-manager.io/docs/trust/trust-manager/ OR created manually (it does not matter).

Method 1 is not transparent.

@osmman osmman mentioned this issue Mar 8, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cooktheryan cooktheryan

Labels
bug Something isn't working GA GA deliverables
Projects
None yet
Milestone
No milestone
3 participants
@osmman @cooktheryan @bouskaJ