Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BUGFIX: CertificateRequest short names must be unique. #6354

Merged
merged 5 commits into from Sep 25, 2023
Merged

BUGFIX: CertificateRequest short names must be unique. #6354

merged 5 commits into from Sep 25, 2023

Conversation

inteon
Copy link
Member

@inteon inteon commented Sep 20, 2023
edited

Fixes #6342

The new mechanism is explained here:

cert-manager/pkg/controller/certificates/requestmanager/requestmanager_controller.go

Lines 401 to 411 in 860df22

// The CertificateRequest name is limited to 253 characters, assuming the nextRevision and hyphen
// can be represented using 20 characters, we can directly accept certificate names up to 233
// characters. Certificate names that are longer than this will be hashed to a shorter name. We want
// to make crafting two Certificates with the same truncated name as difficult as possible, so we
// use a cryptographic hash function to hash the full certificate name to 64 characters.
// Finally, for Certificates with a name longer than 233 characters, we build the CertificateRequest
// name as follows: <first-168-chars-of-certificate-name>-<64-char-hash>-<19-char-nextRevision>
crName, err := apiutil.ComputeSecureUniqueDeterministicNameFromData(crt.Name, 233)
if err != nil {
return err
}

Kind

/kind bug

Release Note

BUGFIX: fix CertificateRequest name collision bug in StableCertificateRequestName feature.

@jetstack-bot jetstack-bot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Sep 20, 2023
@inteon
BUGFIX: CertificateRequest short names must be unique.
fa2d933 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
SgtCoDFish
SgtCoDFish reviewed Sep 20, 2023
View reviewed changes
Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've left a couple of comments; what do you think?

pkg/api/util/names_test.go Outdated Show resolved Hide resolved
pkg/api/util/names.go Outdated Show resolved Hide resolved
@inteon
add uniqueness check for names util
6006182 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon
Copy link
Member Author

inteon commented Sep 21, 2023
edited

/cherrypick release-1.13

@jetstack-bot
Copy link
Collaborator

@inteon: once the present PR merges, I will cherry-pick it on top of release-1.13 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.13
/cherrypick release-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@inteon
Copy link
Member Author

inteon commented Sep 21, 2023

/cherrypick release-1.12

@jetstack-bot
Copy link
Collaborator

@inteon: once the present PR merges, I will cherry-pick it on top of release-1.12 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@inteon
fix feedback: make hash secure
860df22 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
SgtCoDFish
SgtCoDFish reviewed Sep 22, 2023
View reviewed changes
Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple more comments!

pkg/api/util/names.go Outdated Show resolved Hide resolved
pkg/api/util/names_test.go Show resolved Hide resolved
pkg/controller/certificates/requestmanager/requestmanager_controller.go
Comment on lines +381 to +383
// We limit the GenerateName to 52 + 1 characters to stay within the 63 - 5 character limit that
// is used in Kubernetes when generating names.
// see https://github.com/kubernetes/apiserver/blob/696768606f546f71a1e90546613be37d1aa37f64/pkg/storage/names/generate.go
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love this comment!

@inteon
add more test cases and fix typo
eac230f 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon inteon mentioned this pull request Sep 22, 2023
Closed
SgtCoDFish
SgtCoDFish approved these changes Sep 22, 2023
View reviewed changes
Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve
/hold

This is an improvement and it fixes the issue as far as I can tell! I think it'd be helpful for another maintainer to take a look at this since it's essentially setting the format for all CertificateRequests going forwards. Maybe someone else will have thoughts on it. But I'd be happy to merge I think!

@jetstack-bot jetstack-bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. labels Sep 22, 2023
@jetstack-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 22, 2023
@maelvls maelvls self-requested a review September 25, 2023 11:45
@maelvls
Copy link
Member

maelvls commented Sep 25, 2023

I am happy with the new format.

Maybe bumping the name limit from a DNS label (63 chars) to a DNS subdomain (253 chars) would have solved 99% of the problems, including the original author of the issue. It seems like the hashing feature addresses a small corner case: folks with very very very large certificate names (longer than 232 chars) would still get the issue reported by the original author. But it's good that we solved this corner case anyways.

Thanks for working on this!

I'll hold it if you need to fix some of the non-blocking suggestions.

/lgtm
/hold

@inteon
add extra comment
2dc22bc 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@jetstack-bot jetstack-bot removed the lgtm Indicates that a PR is ready to be merged. label Sep 25, 2023
@inteon
Copy link
Member Author

inteon commented Sep 25, 2023

/unhold

@jetstack-bot jetstack-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 25, 2023
@SgtCoDFish
Copy link
Member

/lgtm

(quick lgtm as requested given this has been reviewed)

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Sep 25, 2023
@SgtCoDFish SgtCoDFish merged commit 1c417be into cert-manager:master Sep 25, 2023
6 checks passed
@jetstack-bot
Copy link
Collaborator

@inteon: new pull request created: #6358

In response to this:

/cherrypick release-1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

This was referenced Sep 25, 2023
Merged
Merged
@jetstack-bot
Copy link
Collaborator

@inteon: new pull request created: #6359

In response to this:

/cherrypick release-1.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@inteon inteon added kind/bug Categorizes issue or PR as related to a bug. and removed kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. labels Sep 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maelvls maelvls maelvls left review comments

@SgtCoDFish SgtCoDFish SgtCoDFish approved these changes

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CertificateRequest name collisions in v1.13.0
4 participants
@inteon @jetstack-bot @maelvls @SgtCoDFish