This repository has been archived by the owner on Oct 22, 2021. It is now read-only.

Certificate rotation does not rotate dependent certificates #55

Open
mook-as opened this issue Sep 21, 2020 · 1 comment
Labels
bug Something isn't working

Comments

Contributor

mook-as commented Sep 21, 2020

Describe the bug
When a certificate is rotated, other QuarksSecrets that depend on it are not automatically rotated. This means that it is quite possible users will not be able to verify the dependent certificates.

To Reproduce

  1. Apply the following resources (here in namespace kubecf, but that doesn't really matter):

var-log-cache-ca.yaml

```yaml
---
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  labels:
    variableName: log_cache_ca
  name: var-log-cache-ca
  namespace: kubecf
spec:
  request:
    certificate:
      commonName: log-cache-ca
      isCA: true
      signerType: local
      usages:
      - signing
      - digital signature
      - any
      - cert sign
  secretName: var-log-cache-ca
  type: certificate
```

var-log-cache.yaml

```yaml
apiVersion: quarks.cloudfoundry.org/v1alpha1
kind: QuarksSecret
metadata:
  labels:
    variableName: log_cache
  name: var-log-cache
  namespace: kubecf
spec:
  request:
    certificate:
      CAKeyRef:
        key: private_key
        name: var-log-cache-ca
      CARef:
        key: certificate
        name: var-log-cache-ca
      alternativeNames:
      - log_cache
      - logcache
      commonName: log-cache
      isCA: false
      signerType: local
      usages:
      - client auth
      - server auth
  secretName: var-log-cache
  type: certificate
```

  2. Wait for the certificates to be generated.
  3. Cause the CA certificate to be rotated:

rotate.log-cache-ca.yaml

```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    quarks.cloudfoundry.org/secret-rotation: "true"
  name: rotate.log-cache-ca
  namespace: kubecf
data:
    secrets: '[ "var-log-cache-ca" ]'
```

Expected behaviour

  1. The CA certificate is rotated.
  2. The dependent certificate is rotated, so that it is signed by the new CA certificate. (Or I guess we could keep the private keys and just update the certificate; it doesn't really matter.)

Actual behaviour

  1. The CA certificate is rotated.
  2. The dependent certificate is not rotated; its .ca field no longer matches the CA certificate.

Environment

  • quarks-secret version v1.0.712
  • quarks-operator v6.0.4-0.gb44bb859
  • quarks-job v1.0.190
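As an added example, not code from this issue or from quarks-secret itself: the Go program below reproduces the mismatch described in the report using only the standard library. It builds a CA and a leaf signed by it (stand-ins for var-log-cache-ca and var-log-cache, with key material constructed at run time), regenerates the CA under the same name without re-issuing the leaf, and shows that the untouched leaf no longer verifies against the rotated CA. The helper names `must`, `issue`, `chainsTo` and `demoRotation` are chosen here and are not part of the operator.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error; the only errors here come from the constructed test data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue generates a key and certificate named cn. A nil parent yields a
// self-signed CA (var-log-cache-ca); otherwise a leaf signed by parent (var-log-cache).
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil { // CA profile: isCA true, usage "cert sign"
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// chainsTo is the check to run on a dependent secret: does its certificate still verify against the CA in its .ca field?
func chainsTo(leaf, ca *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
// demoRotation replays the report: the leaf chains to the CA that signed it and
// stops chaining once that CA is regenerated (same name, new key) without re-issuing the leaf.
func demoRotation() (before, after bool) {
	ca, caKey := issue("log-cache-ca", 1, nil, nil)
	leaf, _ := issue("log-cache", 2, ca, caKey)
	rotatedCA, _ := issue("log-cache-ca", 3, nil, nil)
	return chainsTo(leaf, ca), chainsTo(leaf, rotatedCA)
}
```

Running `chainsTo` over each dependent secret after a rotation is the kind of consistency check that would have flagged the stale `.ca` field described in the actual behaviour.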
@manno
Member

manno commented Sep 22, 2020
