Conversation
tekton-robot
added
do-not-merge/work-in-progress
tekton-robot
added
the
size/XXL
|
This is still missing documentation, maybe add few more tests, but in general it's tested working and ready for review. |
enarha
force-pushed
the
central-tls-config
branch
2 times, most recently
from
c641544 to
bded46d
Compare
|
@enarha Please add PR deescrtipion with changes, architecture diagram, |
| @@ -0,0 +1,229 @@ | |||
| /* | |||
| Copyright 2024 The Tekton Authors | |||
There was a problem hiding this comment.
Question: Should it not be 2026?
| @@ -0,0 +1,167 @@ | |||
| /* | |||
| Copyright 2024 The Tekton Authors | |||
| @@ -0,0 +1,229 @@ | |||
| /* | |||
| Copyright 2024 The Tekton Authors | |||
| @@ -0,0 +1,167 @@ | |||
| /* | |||
| Copyright 2024 The Tekton Authors | |||
| // GetTLSEnvVarsFromAPIServer fetches the TLS security profile from the OpenShift APIServer | ||
| // resource and converts it to environment variable values that can be used by Tekton components. | ||
| // Returns nil if the APIServer has no TLS profile configured or if the shared lister is not initialized. | ||
| func GetTLSEnvVarsFromAPIServer(ctx context.Context, _ *rest.Config) (*TLSEnvVars, error) { |
There was a problem hiding this comment.
Can we return tls.config here from crypto/tls
We Could need other configration in the future
We could use then func TLSEnvVarsFromConfig(cfg *tls.Config) *TLSEnvVars to turn it to envvars
There was a problem hiding this comment.
We can. But we'll need to do the conversation twice APIServer string -> tls.Config -> env var strings instead of APIServer string -> env var strings. If you think we can immediately use the tls.Config with a specific consumer in mind (webhooks, nginx or whatever), then I'll follow your suggestion. If we do not have specific case immediately waiting for that, then I'll suggest we add this when we need it.
Please let me know what do you think.
| recorder := events.NewLoggingEventRecorder("tekton-operator") | ||
| observedConfig, errs := apiserver.ObserveTLSSecurityProfile(listers, recorder, existingConfig) | ||
| if len(errs) > 0 { | ||
| logger.Warnf("Errors observing TLS security profile: %v", errs) |
There was a problem hiding this comment.
Good question. It is a matter of policy - what do we want to happen in the case of a failure. I encountered two types of errors. In the first case we are able to read the APIServer, but failed to populate the map existingConfig with values. It was a bug in the way library-go handles this case in the older version we use, which I fixed, thus we have that two level check. The second case is we fail to read the APIServer resource. If we return an error and bubble it up, we'll break the reconciliation of the operands (e.g. TektonResult). The current behavior is to log a warning, degrade the TLS funcitonality (centralized TLS configuration does not have an effect), but operands continue working. The question is if we prefer that harder or softer form of failure. I believe with the hard failure, the Tekton administrator can still disable the centralized TLS configuration by disabling it through the TektonConfig and if that's the case I'm inclined to agree with a hard failure. WDYT?
|
|
||
| // If no TLS configuration is present, return nil | ||
| if minVersion == "" && len(cipherSuites) == 0 { | ||
| return nil, nil |
There was a problem hiding this comment.
should we log and return error ?
| return &TLSEnvVars{ | ||
| MinVersion: convertTLSVersionToEnvFormat(minVersion), | ||
| CipherSuites: strings.Join(cipherSuites, ","), | ||
| CurvePreferences: "", // Will be populated once openshift/api#2583 is merged |
There was a problem hiding this comment.
can we mention this in PR description openshift/api#2583
because empty curve preferences means go defaults
|
|
||
| // convertTLSVersionToEnvFormat converts library-go TLS version format (VersionTLSxx) to | ||
| // the format expected by Go's crypto/tls (1.x) | ||
| func convertTLSVersionToEnvFormat(version string) string { |
There was a problem hiding this comment.
We should consider parse TLSVversion to go format, webhook for example are expecting this in go native constant , I suppose the same thing for go apis using tls
https://github.com/knative/pkg/blob/main/webhook/webhook.go#L53
A conversion in this format feels more suitable to error prone constant
func parseTLSVersion(version string) (uint16, error) {
switch version {
case "VersionTLS10", "TLSv1.0":
return tls.VersionTLS10, nil
case "VersionTLS11", "TLSv1.1":
return tls.VersionTLS11, nil
case "VersionTLS12", "TLSv1.2":
return tls.VersionTLS12, nil
case "VersionTLS13", "TLSv1.3":
return tls.VersionTLS13, nil
default:
return 0, fmt.Errorf("unknown TLS version: %s", version)
}
}
There was a problem hiding this comment.
Switched to function which returns an error if unknown tls version is set through the apiserver record. Also split the retrieval of the tls configuration from the transformation. If we need to add more transformations in the future (e.g. to tsl.Config) we can do that without affecting existing code.
| if oe.resolvedTLSConfig == nil { | ||
| return "" | ||
| } | ||
| return fmt.Sprintf("%s:%s:%s", oe.resolvedTLSConfig.MinVersion, oe.resolvedTLSConfig.CipherSuites, oe.resolvedTLSConfig.CurvePreferences) |
There was a problem hiding this comment.
can we use a real hash function for the fingerprint like sha256, the ":" thingy cna be present in ciphers ro curves
There was a problem hiding this comment.
Ok first look, thaught that this function is calculating a hash, but hte hash is calculted in isntallerset code
mm I think the name is misleading here, could we called GetPlatformData rather than GetHash Data
| } | ||
| } | ||
|
|
||
| // injectTLSConfig injects the TLS configuration as environment variables into the Results API deployment |
| if err := setupAPIServerTLSWatch(ctx, ctrl); err != nil { | ||
| // On OpenShift clusters the APIServer resource should always exist. | ||
| // This env var is an escape hatch for edge cases and must be explicitly enabled. | ||
| if os.Getenv("SKIP_APISERVER_TLS_WATCH") == "true" { |
enarha
force-pushed
the
central-tls-config
branch
from
bded46d to
2de7f83
Compare
| // and check with annotation, if they are same then we skip updating the object | ||
| // otherwise we update the manifest | ||
| specHash, err := hash.Compute(tr.Spec) | ||
| hashInput := struct { |
There was a problem hiding this comment.
This seems redudant and duplciate for all component
Can we have a common function that computes Hash give spec and common extension
Would make thing clear when redaing
There was a problem hiding this comment.
I kept it per component for now. Each component has specific deployments to update. I considered a separate function which takes a resource type (e.g. deployment/statefulset) and resource object (e.g. tekton-results-api), but it requires any type params and extra import of the common package, so I think for now the advantages are not much bigger than the disadvantages.
| if oe.resolvedTLSConfig == nil { | ||
| return "" | ||
| } | ||
| return fmt.Sprintf("%s:%s:%s", oe.resolvedTLSConfig.MinVersion, oe.resolvedTLSConfig.CipherSuites, oe.resolvedTLSConfig.CurvePreferences) |
There was a problem hiding this comment.
Ok first look, thaught that this function is calculating a hash, but hte hash is calculted in isntallerset code
mm I think the name is misleading here, could we called GetPlatformData rather than GetHash Data
enarha
force-pushed
the
central-tls-config
branch
2 times, most recently
from
b744aba to
63a684f
Compare
|
@enarha can we add in this PR transformation for other components |
|
|
||
| ### 3. Extension Interface Enhancement | ||
|
|
||
| - Added `GetHashData() string` method to the Extension interface |
There was a problem hiding this comment.
can you use the new function name GetPlatformData
|
|
||
| // Wait for caches to sync | ||
| if !cache.WaitForCacheSync(ctx.Done(), apiServerInformer.Informer().HasSynced) { | ||
| logger.Warn("Failed to sync APIServer informer cache") |
There was a problem hiding this comment.
What happens if the cache is not synced (because of network issue or ai server not reachable), is the code safe on this ? We should probably retrigger a reconcile if cache is not synced, but that will be more complex as for now, let just verify code is safe nothing will panic just after, may be we need to add unit test
There was a problem hiding this comment.
From what I see, nothing will panic if the cluster apiserver resource is not found in the cache. The reconciliation of the operand (e.g. tektonresult) will fail repeatedly though. There will be some very rapid reconcile retries with an exponential backoff. The same goes for the cache sync. The admin can still disable the central TLS configuration. If they opt-in into that feature, then I think louder failure without a panic makes sense. If you prefer we do not affect the operand reconciliation, then we can ignore that error and threat it like "no TLS config available" in the APIServer resource and just log some warning.
| func ResolveCentralTLSToEnvVars(ctx context.Context, lister TektonConfigLister) (*TLSEnvVars, error) { | ||
| tc, err := lister.Get(v1alpha1.ConfigResourceName) | ||
| if err != nil { | ||
| return nil, nil |
There was a problem hiding this comment.
Here we should propagate the error: failed to get tektonconfig
| } | ||
|
|
||
| // TLS 1.3 cipher suite names (IANA names) | ||
| tls13Ciphers := map[string]bool{ |
There was a problem hiding this comment.
should we add this
As per this https://go.dev/blog/tls-cipher-suites#:~:text=Go%20does%20allow%20configuring%20cipher,order%20by%20default%2C%20unless%20Config.
ciphers are not configrable. with tls 1.3, because they are considered as safe
Now the issue if we add them here, that may procude issues, right ?
There was a problem hiding this comment.
The reason this was included in the first place is that the newer version of library-go does the same. They are commented out in the 2023 version, but in the newer ones they are not.
They are not configurable indeed and not required for golang based operands. But we have some non golang based dependencies like PostgreSQL and Nginx maybe more. I'm not sure how will these handle the 1.3 ciphers if we do not explicitly specify them. So that's one reason to include them. For Tekton Results we already have the code which handles the ciphers list and there the 1.3 ciphers are simply ignored. To me it makes more sense to keep these for now. WDYT?
There was a problem hiding this comment.
Yes we can have the "ignore mecansim for our go apps" centralised, not just for results
|
@pratap0007 @anithapriyanatarajan @mbpavan Can you review please ? |
enarha
force-pushed
the
central-tls-config
branch
from
63a684f to
6137592
Compare
tekton-robot
added
the
needs-rebase
enarha
force-pushed
the
central-tls-config
branch
from
6137592 to
04296ed
Compare
tekton-robot
removed
the
needs-rebase
tekton-robot
removed
the
do-not-merge/work-in-progress
|
/hold |
tekton-robot
added
do-not-merge/hold
enarha
force-pushed
the
central-tls-config
branch
2 times, most recently
from
6f72622 to
485b2e0
Compare
tekton-robot
removed
the
needs-rebase
kind reminder. |
tekton-robot
added
the
needs-rebase
|
@enarha - could you rebase this PR. |
enarha
force-pushed
the
central-tls-config
branch
from
7dcd289 to
6eb7fbb
Compare
tekton-robot
added
needs-rebase
Add support for centralized TLS configuration derived from the OpenShift APIServer TLS security profile. This enables Tekton components to inherit cluster-wide TLS settings (minimum version, cipher suites) via the TektonConfig CR. Key changes: - Watch the APIServer resource for TLS profile changes and enqueue TektonConfig for reconciliation - Add GetTLSProfileFromAPIServer and TLSEnvVarsFromProfile to extract and convert TLS profiles to environment variables - Add ResolveCentralTLSToEnvVars and InjectTLSEnvVars as reusable helpers for component extensions - Add EnableCentralTLSConfig flag in TektonConfig OpenShift platform spec (opt-in, default false) - Add GetPlatformData to the Extension interface for platform-specific hash data (e.g., TLS config fingerprint) - Add RBAC permissions for reading the APIServer resource Note: curve preferences (CurvePreferences) are currently omitted and default to Go's standard library values until openshift/api#2583 is merged. Assisted-by: Cursor
Activate the centralized TLS configuration infrastructure for the TektonResult component: - Resolve TLS config from APIServer via ResolveCentralTLSToEnvVars in PreReconcile - Inject TLS env vars into the results-api deployment using the generic InjectTLSEnvVars transformer - Include TLS config fingerprint in GetPlatformData for installer set hash computation, triggering updates on TLS profile changes - Log injected TLS config at Info level for observability Assisted-by: Cursor
Testing of the central TLS functionality requires full OpenShift cluster (not ROSA, Hypershift) because it requires access to the APIServer resource. This change adds testing plan and easy way to run the required commands.
enarha
force-pushed
the
central-tls-config
branch
from
6eb7fbb to
611010c
Compare
tekton-robot
removed
the
needs-rebase
|
@anithapriyanatarajan @mbpavan any chance to have lgtm here ? |
|
/hold |
tekton-robot
added
the
do-not-merge/hold
|
@enarha marked to be on hold to check the possibility of refactoring the implementation to be inclusive of plain kubernetes users as well. Basically to check the option to have |
Personally I'm against such approach until we get a clean evidence such requirement exists. That will complicate implementation and maintenance with no clear benefit (YAGNI). To be honest, before implementing it that way, I researched the topic (Kubernetes way of setting application configuration cluster wide) and found nothing specific, so I decided to stick to the current requirements. That also goes beyond the scope of Tekton, so I do not see how we can influence Kubernetes even if add support for it. That's IMO. |
In its current form the variables (TLS_MIN_VERSION, TLS_CIPHER_SUITES, TLS_CURVE_PREFERENCES) are directly read from API server and Injected to Envars. This is tightly coupled to openshift API. My request is to have this stored to the tektonconfig CR and mark it as populated manually / automated. This way an admin gets an opportunity to override if required and also for kuberenetes plain version, admins can set this manually as required. This way any other tekton components consumption model from Operator remains intact even if the source for reading the policy changes. |
|
/hold cancel |
tekton-robot
removed
the
do-not-merge/hold
|
/kind enhancement |
|
@anithapriyanatarajan: The label(s) DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
|
/kind feature |
tekton-robot
added
the
kind/feature
|
@enarha - Thank you for the PR. Approving the changes limiting the scope of Cryptoagility to Openshift. |
|
/lgtm |
5 participants
Changes
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
make test lintbefore submitting a PRSee the contribution guide for more details.
Release Notes