Merge pull request #525 from njhale/refresh-certs

feat(csv): add cert rotation for owned APIServices

Author: openshift-merge-robot

.gitlab-ci.yml

@@ -225,6 +225,7 @@ e2e-teardown:
   script:
   - echo $CD_KUBECONFIG | base64 -d > kubeconfig
   - export KUBECONFIG=./kubeconfig
+  - kubectl delete apiservice v1alpha1.packages.apps.redhat.com --ignore-not-found=true
   - kubectl delete ns --ignore-not-found=true e2e-${CI_COMMIT_REF_SLUG}-${SHA8}
   - kubectl get pods -o wide -n e2e-${CI_COMMIT_REF_SLUG}-${SHA8}
   stage: test_teardown
@@ -284,6 +285,7 @@ stop-preview:
   script:
   - echo $CD_KUBECONFIG | base64 -d > kubeconfig
   - export KUBECONFIG=./kubeconfig
+  - kubectl delete apiservice v1alpha1.packages.apps.redhat.com --ignore-not-found=true
   - kubectl delete ns --ignore-not-found=true ci-olm-${CI_COMMIT_REF_SLUG}
   - kubectl get pods -o wide -n ci-olm-${CI_COMMIT_REF_SLUG}
   stage: deploy_preview

.gitlab-ci/base_jobs.libsonnet

@@ -136,6 +136,7 @@ local appr = utils.appr;
         before_script: [],
         script:
             k8s.setKubeConfig(self.localvars.kubeconfig) + [
+                "kubectl delete apiservice v1alpha1.packages.apps.redhat.com --ignore-not-found=true",
                 "kubectl delete ns --ignore-not-found=true %s" % self.localvars.namespace,
                 "kubectl get pods -o wide -n %s" % self.localvars.namespace,
             ],

deploy/chart/templates/0000_30_02-clusterserviceversion.crd.yaml

@@ -180,6 +180,7 @@ spec:
                           values:
                             type: array
                             description: set of values for the expression
+                            
             apiservicedefinitions:
               type: object
               properties:

pkg/api/apis/operators/v1alpha1/clusterserviceversion_types.go

@@ -181,18 +181,20 @@ const (
 type ConditionReason string
 
 const (
-	CSVReasonRequirementsUnknown ConditionReason = "RequirementsUnknown"
-	CSVReasonRequirementsNotMet  ConditionReason = "RequirementsNotMet"
-	CSVReasonRequirementsMet     ConditionReason = "AllRequirementsMet"
-	CSVReasonOwnerConflict       ConditionReason = "OwnerConflict"
-	CSVReasonComponentFailed     ConditionReason = "InstallComponentFailed"
-	CSVReasonInvalidStrategy     ConditionReason = "InvalidInstallStrategy"
-	CSVReasonWaiting             ConditionReason = "InstallWaiting"
-	CSVReasonInstallSuccessful   ConditionReason = "InstallSucceeded"
-	CSVReasonInstallCheckFailed  ConditionReason = "InstallCheckFailed"
-	CSVReasonComponentUnhealthy  ConditionReason = "ComponentUnhealthy"
-	CSVReasonBeingReplaced       ConditionReason = "BeingReplaced"
-	CSVReasonReplaced            ConditionReason = "Replaced"
+	CSVReasonRequirementsUnknown     ConditionReason = "RequirementsUnknown"
+	CSVReasonRequirementsNotMet      ConditionReason = "RequirementsNotMet"
+	CSVReasonRequirementsMet         ConditionReason = "AllRequirementsMet"
+	CSVReasonOwnerConflict           ConditionReason = "OwnerConflict"
+	CSVReasonComponentFailed         ConditionReason = "InstallComponentFailed"
+	CSVReasonInvalidStrategy         ConditionReason = "InvalidInstallStrategy"
+	CSVReasonWaiting                 ConditionReason = "InstallWaiting"
+	CSVReasonInstallSuccessful       ConditionReason = "InstallSucceeded"
+	CSVReasonInstallCheckFailed      ConditionReason = "InstallCheckFailed"
+	CSVReasonComponentUnhealthy      ConditionReason = "ComponentUnhealthy"
+	CSVReasonBeingReplaced           ConditionReason = "BeingReplaced"
+	CSVReasonReplaced                ConditionReason = "Replaced"
+	CSVReasonNeedCertRotation        ConditionReason = "NeedCertRotation"
+	CSVReasonAPIServiceResourceIssue ConditionReason = "APIServiceResourceIssue"
 )
 
 // Conditions appear in the status as a record of state transitions on the ClusterServiceVersion
@@ -225,7 +227,7 @@ func (csv ClusterServiceVersion) OwnsCRD(name string) bool {
 	return false
 }
 
-// ConditionReason is a camelcased reason for the status of a RequirementStatus or DependentStatus
+// StatusReason is a camelcased reason for the status of a RequirementStatus or DependentStatus
 type StatusReason string
 
 const (
@@ -278,11 +280,17 @@ type ClusterServiceVersionStatus struct {
 	Conditions []ClusterServiceVersionCondition `json:"conditions,omitempty"`
 	// The status of each requirement for this CSV
 	RequirementStatus []RequirementStatus `json:"requirementStatus,omitempty"`
+	// Last time the owned APIService certs were updated
+	// +optional
+	CertsLastUpdated metav1.Time `json:"certsLastUpdated,omitempty"`
+	// Time the owned APIService certs will rotate next
+	// +optional
+	CertsRotateAt metav1.Time `json:"certsRotateAt,omitempty"`
 }
 
+// ClusterServiceVersion is a Custom Resource of type `ClusterServiceVersionSpec`.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +genclient
-// ClusterServiceVersion is a Custom Resource of type `ClusterServiceVersionSpec`.
 type ClusterServiceVersion struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata"`

pkg/api/apis/operators/v1alpha1/zz_generated.deepcopy.go

@@ -4,13 +4,21 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/hex"
 	"encoding/pem"
+	"fmt"
+	"math"
 	"math/big"
 	"time"
 )
 
+const (
+	Organization = "Red Hat, Inc."
+)
+
 // KeyPair stores an x509 certificate and its ECDSA private key
 type KeyPair struct {
 	Cert *x509.Certificate
@@ -40,16 +48,25 @@ func (kp *KeyPair) ToPEM() (certPEM []byte, privPEM []byte, err error) {
 	return
 }
 
-func GenerateCA() (*KeyPair, error) {
+// GenerateCA generates a self-signed CA cert/key pair that expires in expiresIn days
+func GenerateCA(notAfter time.Time) (*KeyPair, error) {
+	notBefore := time.Now()
+	if notAfter.Before(notBefore) {
+		return nil, fmt.Errorf("invalid notAfter: %s before %s", notAfter.String(), notBefore.String())
+	}
+
+	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+	if err != nil {
+		return nil, err
+	}
+
 	caDetails := &x509.Certificate{
-		//TODO(Nick): figure out what to use for a SerialNumber
-		SerialNumber: big.NewInt(1653),
+		SerialNumber: serial,
 		Subject: pkix.Name{
-			Organization: []string{"Red Hat, Inc."},
+			Organization: []string{Organization},
 		},
-		NotBefore: time.Now(),
-		// Valid for 2 years
-		NotAfter:              time.Now().AddDate(2, 0, 0),
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
 		IsCA:                  true,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
@@ -80,16 +97,25 @@ func GenerateCA() (*KeyPair, error) {
 	return ca, nil
 }
 
-func CreateSignedServingPair(ca *KeyPair, hosts []string) (*KeyPair, error) {
+// CreateSignedServingPair creates a serving cert/key pair signed by the given ca
+func CreateSignedServingPair(notAfter time.Time, ca *KeyPair, hosts []string) (*KeyPair, error) {
+	notBefore := time.Now()
+	if notAfter.Before(notBefore) {
+		return nil, fmt.Errorf("invalid notAfter: %s before %s", notAfter.String(), notBefore.String())
+	}
+
+	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+	if err != nil {
+		return nil, err
+	}
+
 	certDetails := &x509.Certificate{
-		//TODO(Nick): figure out what to use for a SerialNumber
-		SerialNumber: big.NewInt(1653),
+		SerialNumber: serial,
 		Subject: pkix.Name{
-			Organization: []string{"Red Hat, Inc."},
+			Organization: []string{Organization},
 		},
-		NotBefore: time.Now(),
-		// Valid for 2 years
-		NotAfter:              time.Now().AddDate(2, 0, 0),
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
@@ -119,3 +145,51 @@ func CreateSignedServingPair(ca *KeyPair, hosts []string) (*KeyPair, error) {
 
 	return servingCert, nil
 }
+
+// PEMToCert converts the PEM block of the given byte array to an x509 certificate
+func PEMToCert(certPEM []byte) (*x509.Certificate, error) {
+	block, _ := pem.Decode(certPEM)
+	if block == nil {
+		return nil, fmt.Errorf("cert PEM empty")
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	return cert, nil
+}
+
+// VerifyCert checks that the given cert is signed and trusted by the given CA
+func VerifyCert(ca, cert *x509.Certificate, host string) error {
+	roots := x509.NewCertPool()
+	roots.AddCert(ca)
+
+	opts := x509.VerifyOptions{
+		DNSName: host,
+		Roots:   roots,
+	}
+
+	if _, err := cert.Verify(opts); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Active checks if the given cert is within its valid time window
+func Active(cert *x509.Certificate) bool {
+	now := time.Now()
+	active := now.After(cert.NotBefore) && now.Before(cert.NotAfter)
+	return active
+}
+
+type PEMHash func(certPEM []byte) (hash string)
+
+func PEMSHA256(certPEM []byte) (hash string) {
+	hasher := sha256.New()
+	hasher.Write(certPEM)
+	hash = hex.EncodeToString(hasher.Sum(nil))
+	return
+}

pkg/controller/certs/certs.go

@@ -5,13 +5,13 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	crbacv1 "k8s.io/client-go/listers/rbac/v1"
 	rbacauthorizer "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
 
 	"github.com/operator-framework/operator-lifecycle-manager/pkg/api/apis/operators/v1alpha1"
+	"github.com/operator-framework/operator-lifecycle-manager/pkg/lib/ownerutil"
 )
 
 // RuleChecker is used to verify whether PolicyRules are satisfied by existing Roles or ClusterRoles
@@ -81,7 +81,7 @@ func (c *CSVRuleChecker) GetRole(namespace, name string) (*rbacv1.Role, error) {
 	}
 
 	// check if the Role has an OwnerConflict with the client's CSV
-	if role != nil && c.hasOwnerConflicts(role.GetOwnerReferences()) {
+	if role != nil && ownerutil.HasOwnerConflict(c.csv, role.GetOwnerReferences()) {
 		return &rbacv1.Role{}, nil
 	}
 
@@ -98,7 +98,7 @@ func (c *CSVRuleChecker) ListRoleBindings(namespace string) ([]*rbacv1.RoleBindi
 	// filter based on OwnerReferences
 	var filtered []*rbacv1.RoleBinding
 	for _, rb := range rbList {
-		if !c.hasOwnerConflicts(rb.GetOwnerReferences()) {
+		if !ownerutil.HasOwnerConflict(c.csv, rb.GetOwnerReferences()) {
 			filtered = append(filtered, rb)
 		}
 	}
@@ -114,7 +114,7 @@ func (c *CSVRuleChecker) GetClusterRole(name string) (*rbacv1.ClusterRole, error
 	}
 
 	// check if the ClusterRole has an OwnerConflict with the client's CSV
-	if clusterRole != nil && c.hasOwnerConflicts(clusterRole.GetOwnerReferences()) {
+	if clusterRole != nil && ownerutil.HasOwnerConflict(c.csv, clusterRole.GetOwnerReferences()) {
 		return &rbacv1.ClusterRole{}, nil
 	}
 
@@ -131,39 +131,15 @@ func (c *CSVRuleChecker) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding
 	// filter based on OwnerReferences
 	var filtered []*rbacv1.ClusterRoleBinding
 	for _, crb := range crbList {
-		if !c.hasOwnerConflicts(crb.GetOwnerReferences()) {
+		if !ownerutil.HasOwnerConflict(c.csv, crb.GetOwnerReferences()) {
 			filtered = append(filtered, crb)
 		}
 	}
 
 	return filtered, nil
 }
 
-// hasOwnerConflicts checks if the given list of OwnerReferences points to CSVs other than the
-// CSVRuleChecker's. The method returns true if the list of OwnerReferences contains elements of Kind
-// ClusterServiceVersion but does not include an OwnerReference to the CSVRuleChecker's CSV. If there
-// are no OwnerReferences of Kind ClusterServiceVersion, or there is but one element is an OwnerReference
-// to the CSVRuleChecker's CSV, then the method returns false.
-//
-// Note: This is imporant when determining if a Role, RoleBinding, ClusterRole, or ClusterRoleBinding
-// can be used to satisfy permissions of a CSV. If the CSVRuleChecker's CSV is not a member of the RBAC resource's
-// OwnerReferences, then we know the resource can be garbage collected by OLM independently of the CSVRuleChecker's
-// CSV
-func (c *CSVRuleChecker) hasOwnerConflicts(ownerRefs []metav1.OwnerReference) bool {
-	conflicts := false
-	for _, ownerRef := range ownerRefs {
-		if ownerRef.Kind == v1alpha1.ClusterServiceVersionKind {
-			if ownerRef.Name == c.csv.GetName() && ownerRef.UID == c.csv.GetUID() {
-				return false
-			}
-
-			conflicts = true
-		}
-	}
-
-	return conflicts
-}
-
+// ruleValid returns an error if the given PolicyRule is not valid (resource and nonresource attributes defined)
 func ruleValid(rule rbacv1.PolicyRule) error {
 	if len(rule.Verbs) == 0 {
 		return fmt.Errorf("policy rule must have at least one verb")