Enforce the use of kubernetes.io/tls secret types. #1697

Closed
jpeach opened this issue Oct 14, 2019 · 5 comments · Fixed by #1714
Assignees
Labels
priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Milestone

Comments

@jpeach
Contributor

jpeach commented Oct 14, 2019

Currently, Contour can allow the use of secrets that are not of type kubernetes.io/tls if they are not service account tokens and contain the expected data keys.

We should consider enforcing a requirement that the secret be of type kubernetes.io/tls. This makes the requirement clearer for users and improves separation of secrets in the cluster. It would also make it a bit easier to implement a certificate validation controller.

@davecheney davecheney added this to the 1.0.0-rc.2 milestone Oct 14, 2019
@davecheney davecheney added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Oct 14, 2019
@jpeach jpeach self-assigned this Oct 15, 2019
@jpeach
Contributor Author

jpeach commented Oct 15, 2019

I'm working on this next.

@jpeach
Contributor Author

jpeach commented Oct 15, 2019

Related to #1702

@jpeach
Contributor Author

jpeach commented Oct 16, 2019

Proposed rules:

  • TLS certificate/key pairs must be secrets of type "kubernetes.io/tls"
  • Certificate bundles may be "kubernetes.io/tls" or generic (type "Opaque" or "") secrets
  • The CA bundle on a TLS secret may be the empty string (see internal/dag: TLS Cert validation w/cert-manager #1644)
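
The three rules above, worked through as an added Go example that is not Contour's own code: a minimal `Secret` struct stands in for `core/v1.Secret`, and `Classify` is a hypothetical helper that reports what each secret may be used for. The sample secrets are constructed; the service-account-token case shows why the type check matters, since such secrets carry a `ca.crt` key yet must be ignored.

```go
package main

import "fmt"

// Secret carries only the core/v1 Secret fields the rules look at.
// Constructed for this example; not Contour's types.
type Secret struct {
	Name string
	Type string
	Data map[string][]byte
}

// Usage records what a secret may be used for under the proposed rules.
type Usage struct {
	KeyPair  bool // usable as a TLS certificate/key pair
	CABundle bool // usable as a CA certificate bundle
}

// Classify applies the proposed rules (hypothetical helper, not Contour code):
//   - key pairs only from secrets of type "kubernetes.io/tls";
//   - CA bundles from "kubernetes.io/tls" or generic ("Opaque" / "") secrets;
//   - every other type, e.g. service-account tokens, is ignored even if it
//     happens to carry a ca.crt key.
func Classify(s Secret) Usage {
	var u Usage
	hasCA := len(s.Data["ca.crt"]) > 0 // an empty ca.crt is treated as absent
	switch s.Type {
	case "kubernetes.io/tls":
		u.KeyPair = len(s.Data["tls.crt"]) > 0 && len(s.Data["tls.key"]) > 0
		u.CABundle = hasCA
	case "Opaque", "":
		u.CABundle = hasCA
	}
	return u
}

func main() {
	pem := []byte("placeholder PEM bytes") // constructed stand-in, never parsed here
	for _, s := range []Secret{
		{"good-tls", "kubernetes.io/tls", map[string][]byte{"tls.crt": pem, "tls.key": pem, "ca.crt": {}}},
		{"legacy-opaque-pair", "Opaque", map[string][]byte{"tls.crt": pem, "tls.key": pem}},
		{"ca-only", "", map[string][]byte{"ca.crt": pem}},
		{"sa-token", "kubernetes.io/service-account-token", map[string][]byte{"ca.crt": pem, "token": pem}},
	} {
		fmt.Printf("%-20s %+v\n", s.Name, Classify(s))
	}
}
```

The `legacy-opaque-pair` case is the behaviour the issue wants to stop: a generic secret that merely has the right data keys no longer qualifies as a key pair.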

jpeach added a commit to jpeach/contour that referenced this issue Oct 16, 2019
Clarify the validation of the types of secrets that Contour will
accept for TLS key+cert pairs and CA certificate bundles.

Contour only accepts TLS key+cert pairs from secrets of type
"kubernetes.io/tls". These secrets may contain an additional
"ca.crt" field that stores the CA certificate bundle.

Contour will otherwise accept CA certificate bundles from
generic secrets (whose type is "Opaque" or is empty).

Contour will ignore all other types of secrets.

This fixes projectcontour#1697.

Signed-off-by: James Peach <[email protected]>
@jpeach
Contributor Author

jpeach commented Oct 18, 2019

Document this per #1415

jpeach added a commit that referenced this issue Oct 18, 2019
Clarify the validation of the types of secrets that Contour
will accept for TLS key+cert pairs and CA certificate bundles.

Contour only accepts TLS key+cert pairs from secrets of type
"kubernetes.io/tls". These secrets may contain an additional
"ca.crt" field that stores the CA certificate bundle.

Contour will otherwise accept CA certificate bundles from
generic secrets (whose type is "Opaque" or is empty).

Contour will ignore all other types of secrets.

This fixes #1697.

Signed-off-by: James Peach <[email protected]>
@sunjayBhatia
Member

having a small issue due to this, see: #2138 (comment)


3 participants