From 30cd4e9a49e2c8b4452b72720aae834d0c70ac91 Mon Sep 17 00:00:00 2001 From: Monis Khan Date: Fri, 25 Jun 2021 22:08:10 -0400 Subject: [PATCH 1/2] csr: add expirationSeconds field to control cert lifetime This change updates the CSR API to add a new, optional field called expirationSeconds. This field is a request to the signer for the maximum duration the client wishes the cert to have. The signer is free to ignore this request based on its own internal policy. The signers built-in to KCM will honor this field if it is not set to a value greater than --cluster-signing-duration. The minimum allowed value for this field is 600 seconds (ten minutes). This change will help enforce safer durations for certificates in the Kube ecosystem and will help related projects such as cert-manager with their migration to the Kube CSR API. Future enhancements may update the Kubelet to take advantage of this field when it is configured in a way that can tolerate shorter certificate lifespans with regular rotation. Signed-off-by: Monis Khan Kubernetes-commit: cd91e59f7c351fce47c064a5162c2cb79075159c --- util/certificate/certificate_manager.go | 41 +++++++++++++++---------- util/certificate/csr/csr.go | 21 ++++++++++--- 2 files changed, 41 insertions(+), 21 deletions(-) diff --git a/util/certificate/certificate_manager.go b/util/certificate/certificate_manager.go index 26a01a1d..dee21cf3 100644 --- a/util/certificate/certificate_manager.go +++ b/util/certificate/certificate_manager.go @@ -88,6 +88,11 @@ type Config struct { // SignerName is the name of the certificate signer that should sign certificates // generated by the manager. SignerName string + // RequestedCertificateLifetime is the requested lifetime length for certificates generated by the manager. + // Optional. + // This will set the spec.expirationSeconds field on the CSR. Controlling the lifetime of + // the issued certificate is not guaranteed as the signer may choose to ignore the request. + RequestedCertificateLifetime *time.Duration // Usages is the types of usages that certificates generated by the manager // can be used for. Usages []certificates.KeyUsage @@ -184,10 +189,11 @@ type manager struct { lastRequestCancel context.CancelFunc lastRequest *x509.CertificateRequest - dynamicTemplate bool - signerName string - usages []certificates.KeyUsage - forceRotation bool + dynamicTemplate bool + signerName string + requestedCertificateLifetime *time.Duration + usages []certificates.KeyUsage + forceRotation bool certStore Store @@ -230,18 +236,19 @@ func NewManager(config *Config) (Manager, error) { } m := manager{ - stopCh: make(chan struct{}), - clientsetFn: config.ClientsetFn, - getTemplate: getTemplate, - dynamicTemplate: config.GetTemplate != nil, - signerName: config.SignerName, - usages: config.Usages, - certStore: config.CertificateStore, - cert: cert, - forceRotation: forceRotation, - certificateRotation: config.CertificateRotation, - certificateRenewFailure: config.CertificateRenewFailure, - now: time.Now, + stopCh: make(chan struct{}), + clientsetFn: config.ClientsetFn, + getTemplate: getTemplate, + dynamicTemplate: config.GetTemplate != nil, + signerName: config.SignerName, + requestedCertificateLifetime: config.RequestedCertificateLifetime, + usages: config.Usages, + certStore: config.CertificateStore, + cert: cert, + forceRotation: forceRotation, + certificateRotation: config.CertificateRotation, + certificateRenewFailure: config.CertificateRenewFailure, + now: time.Now, } name := config.Name @@ -459,7 +466,7 @@ func (m *manager) rotateCerts() (bool, error) { // Call the Certificate Signing Request API to get a certificate for the // new private key. - reqName, reqUID, err := csr.RequestCertificate(clientSet, csrPEM, "", m.signerName, m.usages, privateKey) + reqName, reqUID, err := csr.RequestCertificate(clientSet, csrPEM, "", m.signerName, m.requestedCertificateLifetime, m.usages, privateKey) if err != nil { utilruntime.HandleError(fmt.Errorf("%s: Failed while requesting a signed certificate from the control plane: %v", m.name, err)) if m.certificateRenewFailure != nil { diff --git a/util/certificate/csr/csr.go b/util/certificate/csr/csr.go index ec117663..0017007a 100644 --- a/util/certificate/csr/csr.go +++ b/util/certificate/csr/csr.go @@ -25,8 +25,6 @@ import ( "reflect" "time" - "k8s.io/klog/v2" - certificatesv1 "k8s.io/api/certificates/v1" certificatesv1beta1 "k8s.io/api/certificates/v1beta1" "k8s.io/apimachinery/pkg/api/errors" @@ -41,12 +39,16 @@ import ( "k8s.io/client-go/tools/cache" watchtools "k8s.io/client-go/tools/watch" certutil "k8s.io/client-go/util/cert" + "k8s.io/klog/v2" + "k8s.io/utils/pointer" ) // RequestCertificate will either use an existing (if this process has run // before but not to completion) or create a certificate signing request using the -// PEM encoded CSR and send it to API server. -func RequestCertificate(client clientset.Interface, csrData []byte, name string, signerName string, usages []certificatesv1.KeyUsage, privateKey interface{}) (reqName string, reqUID types.UID, err error) { +// PEM encoded CSR and send it to API server. An optional requestedDuration may be passed +// to set the spec.expirationSeconds field on the CSR to control the lifetime of the issued +// certificate. This is not guaranteed as the signer may choose to ignore the request. +func RequestCertificate(client clientset.Interface, csrData []byte, name, signerName string, requestedDuration *time.Duration, usages []certificatesv1.KeyUsage, privateKey interface{}) (reqName string, reqUID types.UID, err error) { csr := &certificatesv1.CertificateSigningRequest{ // Username, UID, Groups will be injected by API server. TypeMeta: metav1.TypeMeta{Kind: "CertificateSigningRequest"}, @@ -62,6 +64,9 @@ func RequestCertificate(client clientset.Interface, csrData []byte, name string, if len(csr.Name) == 0 { csr.GenerateName = "csr-" } + if requestedDuration != nil { + csr.Spec.ExpirationSeconds = DurationToExpirationSeconds(*requestedDuration) + } reqName, reqUID, err = create(client, csr) switch { @@ -85,6 +90,14 @@ func RequestCertificate(client clientset.Interface, csrData []byte, name string, } } +func DurationToExpirationSeconds(duration time.Duration) *int32 { + return pointer.Int32(int32(duration / time.Second)) +} + +func ExpirationSecondsToDuration(expirationSeconds int32) time.Duration { + return time.Duration(expirationSeconds) * time.Second +} + func get(client clientset.Interface, name string) (*certificatesv1.CertificateSigningRequest, error) { v1req, v1err := client.CertificatesV1().CertificateSigningRequests().Get(context.TODO(), name, metav1.GetOptions{}) if v1err == nil || !apierrors.IsNotFound(v1err) { From e56c7dcd3658ae4b04866eed0ee4fd803be0095b Mon Sep 17 00:00:00 2001 From: Monis Khan Date: Wed, 23 Jun 2021 17:55:14 -0400 Subject: [PATCH 2/2] Generated Signed-off-by: Monis Khan Kubernetes-commit: 29b3fa782631ab65c7e1f48fecef58c5365577c8 --- .../v1/certificatesigningrequestspec.go | 23 +++++++++++++------ .../v1beta1/certificatesigningrequestspec.go | 23 +++++++++++++------ applyconfigurations/internal/internal.go | 6 +++++ 3 files changed, 38 insertions(+), 14 deletions(-) diff --git a/applyconfigurations/certificates/v1/certificatesigningrequestspec.go b/applyconfigurations/certificates/v1/certificatesigningrequestspec.go index 7c4d2c98..81ca214a 100644 --- a/applyconfigurations/certificates/v1/certificatesigningrequestspec.go +++ b/applyconfigurations/certificates/v1/certificatesigningrequestspec.go @@ -25,13 +25,14 @@ import ( // CertificateSigningRequestSpecApplyConfiguration represents an declarative configuration of the CertificateSigningRequestSpec type for use // with apply. type CertificateSigningRequestSpecApplyConfiguration struct { - Request []byte `json:"request,omitempty"` - SignerName *string `json:"signerName,omitempty"` - Usages []v1.KeyUsage `json:"usages,omitempty"` - Username *string `json:"username,omitempty"` - UID *string `json:"uid,omitempty"` - Groups []string `json:"groups,omitempty"` - Extra map[string]v1.ExtraValue `json:"extra,omitempty"` + Request []byte `json:"request,omitempty"` + SignerName *string `json:"signerName,omitempty"` + ExpirationSeconds *int32 `json:"expirationSeconds,omitempty"` + Usages []v1.KeyUsage `json:"usages,omitempty"` + Username *string `json:"username,omitempty"` + UID *string `json:"uid,omitempty"` + Groups []string `json:"groups,omitempty"` + Extra map[string]v1.ExtraValue `json:"extra,omitempty"` } // CertificateSigningRequestSpecApplyConfiguration constructs an declarative configuration of the CertificateSigningRequestSpec type for use with @@ -58,6 +59,14 @@ func (b *CertificateSigningRequestSpecApplyConfiguration) WithSignerName(value s return b } +// WithExpirationSeconds sets the ExpirationSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ExpirationSeconds field is set to the value of the last call. +func (b *CertificateSigningRequestSpecApplyConfiguration) WithExpirationSeconds(value int32) *CertificateSigningRequestSpecApplyConfiguration { + b.ExpirationSeconds = &value + return b +} + // WithUsages adds the given value to the Usages field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the Usages field. diff --git a/applyconfigurations/certificates/v1beta1/certificatesigningrequestspec.go b/applyconfigurations/certificates/v1beta1/certificatesigningrequestspec.go index 73ea58e5..9554b1f4 100644 --- a/applyconfigurations/certificates/v1beta1/certificatesigningrequestspec.go +++ b/applyconfigurations/certificates/v1beta1/certificatesigningrequestspec.go @@ -25,13 +25,14 @@ import ( // CertificateSigningRequestSpecApplyConfiguration represents an declarative configuration of the CertificateSigningRequestSpec type for use // with apply. type CertificateSigningRequestSpecApplyConfiguration struct { - Request []byte `json:"request,omitempty"` - SignerName *string `json:"signerName,omitempty"` - Usages []v1beta1.KeyUsage `json:"usages,omitempty"` - Username *string `json:"username,omitempty"` - UID *string `json:"uid,omitempty"` - Groups []string `json:"groups,omitempty"` - Extra map[string]v1beta1.ExtraValue `json:"extra,omitempty"` + Request []byte `json:"request,omitempty"` + SignerName *string `json:"signerName,omitempty"` + ExpirationSeconds *int32 `json:"expirationSeconds,omitempty"` + Usages []v1beta1.KeyUsage `json:"usages,omitempty"` + Username *string `json:"username,omitempty"` + UID *string `json:"uid,omitempty"` + Groups []string `json:"groups,omitempty"` + Extra map[string]v1beta1.ExtraValue `json:"extra,omitempty"` } // CertificateSigningRequestSpecApplyConfiguration constructs an declarative configuration of the CertificateSigningRequestSpec type for use with @@ -58,6 +59,14 @@ func (b *CertificateSigningRequestSpecApplyConfiguration) WithSignerName(value s return b } +// WithExpirationSeconds sets the ExpirationSeconds field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ExpirationSeconds field is set to the value of the last call. +func (b *CertificateSigningRequestSpecApplyConfiguration) WithExpirationSeconds(value int32) *CertificateSigningRequestSpecApplyConfiguration { + b.ExpirationSeconds = &value + return b +} + // WithUsages adds the given value to the Usages field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the Usages field. diff --git a/applyconfigurations/internal/internal.go b/applyconfigurations/internal/internal.go index acd9061e..10914dd8 100644 --- a/applyconfigurations/internal/internal.go +++ b/applyconfigurations/internal/internal.go @@ -2843,6 +2843,9 @@ var schemaYAML = typed.YAMLObject(`types: - name: io.k8s.api.certificates.v1.CertificateSigningRequestSpec map: fields: + - name: expirationSeconds + type: + scalar: numeric - name: extra type: map: @@ -2939,6 +2942,9 @@ var schemaYAML = typed.YAMLObject(`types: - name: io.k8s.api.certificates.v1beta1.CertificateSigningRequestSpec map: fields: + - name: expirationSeconds + type: + scalar: numeric - name: extra type: map: