feat(kuma-cp): clock skew for generated certs #11807

Open
wants to merge 1 commit into master

Conversation

jakubdyszkiewicz
Contributor

Motivation

We noticed that in this run of E2E tests an admin operation failed.
https://github.com/kumahq/kuma/actions/runs/11406777608/job/31744572466
with

2024-10-18T17:01:59.005Z	ERROR	rest	Could not execute admin operation	{"error": "unable to send GET to config_dump: Get \"https://10.42.0.16:9901/config_dump\": remote error: tls: expired certificate", "errorVerbose": "Get ...

while the cert from the config dump says

        Validity
            Not Before: Oct 18 17:01:55 2024 GMT
            Not After : Oct 16 17:01:55 2034 GMT

Go will report expired if we violate either Not Before or Not After:

	if now.Before(c.NotBefore) {
		return CertificateInvalidError{
			Cert:   c,
			Reason: Expired,
			Detail: fmt.Sprintf("current time %s is before %s", now.Format(time.RFC3339), c.NotBefore.Format(time.RFC3339)),
		}
	} else if now.After(c.NotAfter) {
		return CertificateInvalidError{
			Cert:   c,
			Reason: Expired,
			Detail: fmt.Sprintf("current time %s is after %s", now.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339)),
		}
	}

It's not realistic that we violated Not After, but technically it's possible with Not Before.

Implementation information

We use clock skew already when we generate CA.
We should also use it for certs. This applies for certs generated for

  • inter cp
  • cp -> envoy admin
  • certs generated by kumactl generate cert
  • cfg.General.TlsCertFile if no cert is provided

Supporting documentation

No issue, noticed failing CI.

@jakubdyszkiewicz jakubdyszkiewicz requested a review from a team as a code owner October 21, 2024 11:53
@jakubdyszkiewicz jakubdyszkiewicz requested review from Automaat and lobkovilya and removed request for a team October 21, 2024 11:53
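A small Go program, added here as an illustration and not part of this PR or of the Kuma code base, that reproduces the failure mode described above: it issues a self-signed certificate whose NotBefore is backdated by a configurable skew and verifies it at a clock two seconds behind the issuer, using the timestamp from the log. The one-minute skew, the Ed25519 key and the self-signed setup are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)
// generateCert issues a self-signed cert whose NotBefore is backdated by skew.
func generateCert(now time.Time, skew time.Duration) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader) // assumed key type
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    now.Add(-skew),
		NotAfter:     now.Add(10 * 365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt validates cert, trusted as its own root, at the given clock time.
// A NotBefore violation is CertificateInvalidError{Reason: Expired}, reported as (false, nil).
func verifyAt(cert *x509.Certificate, clock time.Time) (bool, error) {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: clock})
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.Expired {
		return false, nil
	}
	return err == nil, err
}

func main() {
	issuer := time.Date(2024, 10, 18, 17, 1, 55, 0, time.UTC) // NotBefore from the log
	cert, err := generateCert(issuer, time.Minute)            // one minute of skew (assumed)
	if err != nil {
		panic(err)
	}
	fmt.Println(verifyAt(cert, issuer.Add(-2*time.Second))) // verifier clock 2s behind
}
```

With skew 0 the same verification fails with Reason Expired even though the certificate's NotAfter is ten years away, which is the error text seen in the CI log.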