Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add RSA support to TLS libraries #3135

Merged
merged 2 commits into from
Jul 26, 2019
Merged

Add RSA support to TLS libraries #3135

merged 2 commits into from
Jul 26, 2019

Conversation

alpeb
Copy link
Member

@alpeb alpeb commented Jul 24, 2019

Fixes #3131

Wrapped private keys into either PrivateKeyEC or PrivateKeyRSA to
provide different certificate matching logic and marshaling depending on
the block type.

You can test having an RSA cert for the proxy injector by applying this
patch:

$ diff -u chart/templates/proxy_injector-rbac.yaml ~/tmp/proxy_injector-rbac.yaml
--- chart/templates/proxy_injector-rbac.yaml    2019-07-24 14:34:43.570616936 -0500
+++ /home/alpeb/tmp/proxy_injector-rbac.yaml    2019-07-24 13:41:03.150285099 -0500
@@ -1,4 +1,5 @@
 {{with .Values -}}
+{{- $ca := genCA "linkerd-proxy-injector.linkerd.svc" 365 -}}
 ---
 ###
 ### Proxy Injector RBAC
@@ -60,8 +61,8 @@
     {{ .CreatedByAnnotation }}: {{ .CliVersion }}
 type: Opaque
 data:
-  crt.pem: {{ b64enc .ProxyInjector.CrtPEM }}
-  key.pem: {{ b64enc .ProxyInjector.KeyPEM }}
+  crt.pem: {{ b64enc $ca.Cert }}
+  key.pem: {{ b64enc $ca.Key }}
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
@@ -81,7 +82,7 @@
       name: linkerd-proxy-injector
       namespace: {{ .Namespace }}
       path: "/"
-    caBundle: {{ b64enc .ProxyInjector.CrtPEM }}
+    caBundle: {{ b64enc $ca.Cert }}
   failurePolicy: {{ .WebhookFailurePolicy }}
   rules:
   - operations: [ "CREATE" ]

This will replace the logic to generate the cert with a call to Helm's
genCA, which uses RSA.

@alpeb
Add RSA support to TLS libraries
3c8b794 
Fixes #3131

Wrapped private keys into either `PrivateKeyEC` or `PrivateKeyRSA` to
provide different certificate matching logic and marshaling depending on
the block type.

You can test having an RSA cert for the proxy injector by applying this
patch:

```diff
$ diff -u chart/templates/proxy_injector-rbac.yaml ~/tmp/proxy_injector-rbac.yaml
--- chart/templates/proxy_injector-rbac.yaml    2019-07-24 14:34:43.570616936 -0500
+++ /home/alpeb/tmp/proxy_injector-rbac.yaml    2019-07-24 13:41:03.150285099 -0500
@@ -1,4 +1,5 @@
 {{with .Values -}}
+{{- $ca := genCA "linkerd-proxy-injector.linkerd.svc" 365 -}}
 ---
 ###
 ### Proxy Injector RBAC
@@ -60,8 +61,8 @@
     {{ .CreatedByAnnotation }}: {{ .CliVersion }}
 type: Opaque
 data:
-  crt.pem: {{ b64enc .ProxyInjector.CrtPEM }}
-  key.pem: {{ b64enc .ProxyInjector.KeyPEM }}
+  crt.pem: {{ b64enc $ca.Cert }}
+  key.pem: {{ b64enc $ca.Key }}
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
@@ -81,7 +82,7 @@
       name: linkerd-proxy-injector
       namespace: {{ .Namespace }}
       path: "/"
-    caBundle: {{ b64enc .ProxyInjector.CrtPEM }}
+    caBundle: {{ b64enc $ca.Cert }}
   failurePolicy: {{ .WebhookFailurePolicy }}
   rules:
   - operations: [ "CREATE" ]
```

This will replace the logic to generate the cert with a call to Helm's
`genCA`, which uses RSA.

Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
@alpeb alpeb requested review from siggy, ihcsim and adleong July 24, 2019 19:42
@alpeb alpeb self-assigned this Jul 24, 2019
@l5d-bot
Copy link
Collaborator

l5d-bot commented Jul 24, 2019

Integration test results for 3c8b794: fail 😕
Log output: https://gist.github.com/a1746b927597e1eb267448e40fe3bf19

siggy
siggy approved these changes Jul 24, 2019
View reviewed changes
Copy link
Member

@siggy siggy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for providing the test diff, confirmed works! a couple nits then 🚢

pkg/tls/cred.go Outdated Show resolved Hide resolved
pkg/tls/codec.go Outdated Show resolved Hide resolved
@alpeb
Feedback Siggy
f8f3742 
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
@l5d-bot
Copy link
Collaborator

l5d-bot commented Jul 25, 2019

Integration test results for f8f3742: success 🎉
Log output: https://gist.github.com/0fd6005bc5988c9719ef486d0159546f

@alpeb alpeb mentioned this pull request Jul 26, 2019
Merged
adleong
adleong approved these changes Jul 26, 2019
View reviewed changes
Copy link
Member

@adleong adleong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:electron: ➰ ⭐ LGTM

@alpeb alpeb merged commit 19a8c72 into master Jul 26, 2019
@alpeb alpeb deleted the alpeb/rsa branch July 26, 2019 16:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adleong adleong adleong approved these changes

@siggy siggy siggy approved these changes

@ihcsim ihcsim Awaiting requested review from ihcsim

Assignees

@alpeb alpeb

Labels
area/controller area/install
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add RSA support to TLS libraries
4 participants
@alpeb @l5d-bot @siggy @adleong