Switch to use fileca in e2e tests #309
Conversation
|
cc @nsmith5 Yeah, we need to set up the secret, mount it, and pass the flag to Fulcio. |
|
🚀 Nice! |
.github/workflows/verify-k8s.yml
Outdated
| # Switch to the ephemeralca for testing. | ||
| sed -i -e 's,--ca=googleca,--ca=ephemeralca,g' ${{ github.workspace }}/config/deployment.yaml | ||
| # Switch to fileca for testing. | ||
| sed -i -e 's,--ca=googleca,--ca=fileca,g' ${{ github.workspace }}/config/deployment.yaml |
There was a problem hiding this comment.
Once the secret is set up and mounted, the fileca needs a couple more flags to just figure out where the certs are mounted and the password to decrypt the key. They're as follows
--fileca-certfor the cert path--fileca-keyfor the key path--fileca-passwdfor the key password--fileca-watch=true/falseif you want to watch the cert and key path for updates and reload on change
I'm less familiar with how the deployment is configured, but these flags will need to be set somewhere to get fileca working
|
Current short-term plan here (please let me know if any objections):
|
|
Maybe we could skip 1. and just use openssl to generate the key pair? Would save us from maintaining that extra bit of go code. There are lots of examples of generating key-pairs using openssl in password=password123
duration=36500 # 100 years
# ed25519
openssl req -x509 \
-newkey ed25519 \
-sha256 \
-keyout ed25519-key.pem \
-out ed25519-cert.pem \
-subj "/CN=ed25519" \
-days $duration \
-addext basicConstraints=critical,CA:TRUE,pathlen:1 \
-passout pass:"$password" |
|
@nsmith5 that sounds good, thanks for sharing paths to example scripts |
Resolves sigstore#301 Signed-off-by: Josh Dolitsky <josh@dolit.ski>
|
Regarding my comment "Remove sed for replica count, keep 3 replicas", going to skip this for now as it appears this was done for prometheus vs. CA-related |
.github/workflows/verify-k8s.yml
Outdated
| data: | ||
| key.pem: $(cat "${{ github.run_id }}-key.pem" | base64) | ||
| cert.pem: $(cat "${{ github.run_id }}-cert.pem" | base64) |
There was a problem hiding this comment.
FYI you can use stringData and drop the base64 (it's k8s magic ✨ )
There was a problem hiding this comment.
hm. is that going to work alright with a multiline file?
There was a problem hiding this comment.
It would, but something something yaml 😞
676fdb3 to
d3c7b0f
Compare
|
Pulled in changes from #314 and tests passing now |
| - name: fulcio-secret | ||
| mountPath: /etc/fulcio-secret | ||
| readOnly: true |
There was a problem hiding this comment.
I believe this will cause production to break, but I believe you can make it optional (and then it won't)
There was a problem hiding this comment.
Does the optional field added in volumes section below accomplish this?
There was a problem hiding this comment.
I think so. Tried adding optional in another branch and got yelled at:
error: error validating "STDIN": error validating data: ValidationError(Deployment.spec.template.spec.containers[0].volumeMounts[1]): unknown field "optional" in
Signed-off-by: Josh Dolitsky <josh@dolit.ski>
| - name: fulcio-secret | ||
| secret: | ||
| secretName: fulcio-secret | ||
| optional: true |
There was a problem hiding this comment.
That should make it so that it doesn't block starting it. The one interesting bit is what happens if you do want to specify the secret and it is not there yet but you'd like it to actually block. IIRC though, we watch that mount point so I think it will pick it up once it becomes available. @nsmith5 check me out :)
There was a problem hiding this comment.
Looks like --fileca-watch flag defaults to true, so I think thats correct @vaikas
There was a problem hiding this comment.
fileca will never start without a valid key-pair. We never want to boot up the server if we can't serve requests so I wrote it to try and load an initial key-pair and bail hard if the doesn't work (ref https://github.com/sigstore/fulcio/blob/main/pkg/ca/fileca/fileca.go#L48)
I don't think I know what Kubernetes would do in this case. My hope would be a pod crashloop until the secret mounts, but I don't know the optional spec well enough to know that is the case. Once the pod from this deployment is scheduled and the secret wasn't available at schedule time, does that mean it will never get that secret volume mounted by pods scheduled later when the secret exists will get it? Or does it mean that Kubernetes will try to mount it even to an existing pod once the secret does exist?
There was a problem hiding this comment.
The watch behaviour is also pretty paranoid about putting the server in a state where it can't serve requests so it looks for updates, but if, for instance, the cert doesn't match the key or the key can't be decrypted with the password it will just keep using the existing certs and ignore the updates from the filesystem
There was a problem hiding this comment.
Ran Matt's suggestion, and things appear to work as we expect:
- Create a Pod with an optional secret volume and an image that crash loops if the secret isn't there:
cat << EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: boop-deployment
labels:
app: boop
spec:
replicas: 1
selector:
matchLabels:
app: boop
template:
metadata:
labels:
app: boop
spec:
containers:
- name: boop
image: bash
command:
- "bash"
- "-c"
- "[[ -f /boop/bop.txt ]] || (echo bad && exit 1) && (echo good && while true; do sleep 1; done)"
volumeMounts:
- name: boop-secret
mountPath: /boop
readOnly: true
volumes:
- name: boop-secret
secret:
secretName: boop-secret
optional: true
EOF
$ k get pods
NAME READY STATUS RESTARTS AGE
boop-deployment-5c48fd856b-tv9lz 0/1 CrashLoopBackOff 2 33s
- Create the secret and see if it stops crash looping.
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
name: boop-secret
data:
bop.txt: $(echo boop | base64)
EOF
$ k get pods
NAME READY STATUS RESTARTS AGE
boop-deployment-5c48fd856b-tv9lz 1/1 Running 3 49s
yay?
There was a problem hiding this comment.
Nope looks good from me! Good work @jdolitsky :D
There was a problem hiding this comment.
Thanks for checking in with Dr. Empirical 😆
There was a problem hiding this comment.
No. I think it might behoove us to file an issue in k8s to document the behaviour in case they reserve the right to change this behaviour, or at least make sure that other folks don't have to ponder what the behaviour is. But I'm happy with the change for sure.
Resolves #301