Skip to content

[v4.y] Load cluster ca certificates using OpenSSL::X509::Store#add_file#552

Merged
cben merged 5 commits intoManageIQ:v4.yfrom
cben:v4.y-openssl-x509-store-add-file
Mar 23, 2022
Merged

[v4.y] Load cluster ca certificates using OpenSSL::X509::Store#add_file#552
cben merged 5 commits intoManageIQ:v4.yfrom
cben:v4.y-openssl-x509-store-add-file

Conversation

@cben
Copy link
Copy Markdown
Collaborator

@cben cben commented Mar 22, 2022
edited
Loading

Backporting #461 (which fixed #460) + tests.

@cben cben force-pushed the v4.y-openssl-x509-store-add-file branch 2 times, most recently from 03a206e to 2c4f23b Compare March 22, 2022 21:52
@cben
Copy link
Copy Markdown
Collaborator Author

cben commented Mar 22, 2022
edited
Loading

@jperville @DocX I'm backporting the add_file fix here which will allow me to finally release it (sorry for huge delay).

Added tests and CI keeps failing on Mac — any idea if add_file might behave differently by OS?

EDIT: note my test was not for root+intermediate scenario; it's a simple sandwitch of 3 unrelated CA certs, of which only the middle one should match.

cben
cben commented Mar 22, 2022
View reviewed changes
lib/kubeclient/config.rb
elsif cluster.key?('certificate-authority-data')
Base64.decode64(cluster['certificate-authority-data'])
ca_cert_data = Base64.decode64(cluster['certificate-authority-data'])
cert_store.add_cert(OpenSSL::X509::Certificate.new(ca_cert_data))
Copy link
Copy Markdown
Collaborator Author

@cben cben Mar 22, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Umm, looks like the fix only covered certificate-authority, but certificate-authority-data would still have the bug.

  • need to add test with concatenated inline data.
  • can we fix it?
  • if not, correct CHANGELOG to explain partial fix.

@cben cben mentioned this pull request Mar 22, 2022
Open
cben added 2 commits March 23, 2022 09:35
@cben
Tests for concatenated CA data (ManageIQ#460)
7c331c1 
Test sandwitches the real CA cert between two unrelated CA certs
(another-ca1.pem, another-ca2.pem, simply copied from two runs of
update_certs_k0s.rb).
No test for root+intermediate scenario.

Fails before the backport of ManageIQ#461:

KubeclientConfigTest#test_concatenated_ca [/home/beni/kubeclient/test/test_config.rb:196]:
Expected false to be truthy.

(some experimenting with order suggests only first cert is honored.)
Passes with the fix.
@cben
Merge pull request ManageIQ#461 from PerfectMemory/openssl-x509-store…
d1cd26d 
…-add-file

Load cluster ca certificates using OpenSSL::X509::Store#add_file

(cherry picked from commit 53408c1)
@cben cben force-pushed the v4.y-openssl-x509-store-add-file branch 2 times, most recently from 3f43a3e to 1521fcd Compare March 23, 2022 07:47
@cben
Copy link
Copy Markdown
Collaborator Author

cben commented Mar 23, 2022
edited
Loading

Oops, maybe the Mac angle was my mistake.

The cert I put in middle of concatenated-ca.pem didn't match the existing certs, so it failed rake test. OTOH linux doesn't run rake test on existing certs, it only runs tests inside
test/config/update_certs_k0s.rb which regenerates all certs consistently, therefore it passed.

I'm changing CI to complete all tests when one errors to get clearer picture => 🎉 mac passed.
(windows — which I never tried in CI before — failed to install gems, I'll track that in separate PR => #553)

Still not handling certificate-authority-data. OK, I'll document and release soon the partial fix — better than nothing.

cben added 2 commits March 23, 2022 10:11
@cben
Changelog for fix for ManageIQ#460
2dd7f64
@cben
[v4.y] CI: don't abort other builds when one fails error
b1824ed 
- Helps confirm suspected OS-specific failures.
- Normally when one build fails, most other builds already started and
  some almost complete `bundle install` / started tests.
  So it's not a big "waste" expensive to let them finish, arguably it's
  actually a waste to abort them! (sunken cost fallacy? :-)
- In case rubocop complains, while I do consider it a merge blocker,
  it's better contributor (and maintainer) experience to also see test results.
@cben cben force-pushed the v4.y-openssl-x509-store-add-file branch from 1521fcd to b1824ed Compare March 23, 2022 08:12
@cben cben merged commit e05c715 into ManageIQ:v4.y Mar 23, 2022
@cben cben mentioned this pull request Mar 23, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cben