1.17: projects/utils/ssl: Add a check for ssl secrets that will be rejected by envoy but not go #10048
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ets, previously these would leak invalid info to envoy
github-actions
bot
added
the
keep pr updated
|
Issues linked to changelog: |
nfuden
added
release-blocker
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
In go pem decoding is intentionally spec compliant. This means that it is very permissive with its decoding and will skip un-parsable, possibly usable or just commented data.
This means that when we consume crt data we may pass along info that is rejected by envoy which can stall configuration and is generally something we try to avoid.
API changes
Code changes
Rely on kubernetes cert encoding to check to see if anything was dropped in decoding from pem and then emit an error if anything was dropped.
Interesting decisions
Originally we attempted to go the route as seen in https://gist.github.com/anitgandhi/58b0618512fdb3caa89e86c8a6a536ab from golang/go#34069
While this mostly worked and caught several issues we continued to find more edge cases such as with headers. Given this we decided to lean heavily on kubernetes setup to make sure that we are most compliant with what another big project does.
For example the gist catches the unterminated cert block but did not catch invalid headers being provided for example
-----BEGIN HEADERS----- Header: 1 -----END HEADERS-----is invalid as it does not have a newline like
`-----BEGIN HEADERS-----
Header: 1
-----END HEADERS-----`
Testing steps
Reproduction:
Follow https://docs.solo.io/gloo-edge/latest/guides/security/tls/server_tls/
Now update the crt by adding
-----BEGIN CERTIFICATE----- MIID6TCCA1ICAQEwDQYJKoZIhvcNAQEFBQAwgYsxCzAJBgNVBAYTAlVTMRMwEQYDThen update your secret
kubectl create secret tls animal-certs --key tls.key \ --cert tls.crt --namespace gloo-system \ --save-config \ --dry-run=client \ -o yaml | \ kubectl apply -f -Next update something to kick translation ideally a route on the accepted vs.
See that envoy nacks the request.
Remove the secret reference.
Upgrade to this pr's image
Readd the reference and see validation block the update.
Checklist: