Make cfssl-self-sign files world readable
What does this MR do?
Makes the files generated by cfssl-self-sign's generate-certificates script world readable.

This ensures that the kubectl container can create Kubernetes Secrets from the generated keys, which are generated with 0600 by default. Since the cfssl-self-sign image and the kubectl image specify different users (root and nobody, respectively), we have to make them world readable.

This is especially relevant in OpenShift, where AnyUID SecurityContextConstraints will force the containers to use random UIDs.
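As an added example (not the MR's change and not the cfssl-self-sign generate-certificates script itself), the following POSIX shell script reproduces the situation the description refers to and checks the fix: it writes placeholder files with the same names as the script's output (constructed stand-ins, not real keys), gives the two private keys the 0600 mode cfssl uses by default, applies a `chmod a+r` (assumed here to have the same effect as the MR's change; the MR's exact command is not shown on this page), and counts how many files would still be unreadable to a process running as another UID such as nobody.

```shell
#!/bin/sh
# Added example, not part of the cfssl-self-sign image or this MR's diff.
# Assumptions: placeholder file contents, file names taken from the MR's
# `ls -l /output` listing, and `chmod a+r` as the world-readable fix.
set -e

# Symbolic mode string (e.g. "-rw-------") of a file. Uses ls so it works
# with both GNU coreutils and BusyBox; cut drops any trailing ACL/SELinux marker.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Exit 0 if the "others" read bit is set, 1 otherwise. Position 8 of the
# mode string is the others-read bit; a different UID with no shared group
# only gets access through that bit.
is_world_readable() {
    case "$(mode_of "$1")" in
        ???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Recreate what generate-certificates leaves behind: cfssl writes private
# keys with 0600 and everything else with 0644.
make_fake_output() {
    dir=$1
    mkdir -p "$dir"
    for f in ca-config.json ca-csr.json ca.csr ca.pem \
             wildcard-csr.json wildcard.csr wildcard.pem; do
        echo "placeholder (constructed)" > "$dir/$f"
        chmod 0644 "$dir/$f"
    done
    for f in ca-key.pem wildcard-key.pem; do
        echo "placeholder private key (constructed)" > "$dir/$f"
        chmod 0600 "$dir/$f"
    done
}

# The fix the MR describes: every generated file becomes world readable so a
# container running as nobody (or a random OpenShift UID) can read the keys
# when it builds the Kubernetes Secret.
make_world_readable() {
    chmod a+r "$1"/*
}

# Print the number of files under $1 that a different UID could NOT read.
count_unreadable() {
    n=0
    for f in "$1"/*; do
        is_world_readable "$f" || n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone demonstration: two key files are unreadable before the fix,
# none after it.
demo_dir=$(mktemp -d)
make_fake_output "$demo_dir"
echo "before fix: $(count_unreadable "$demo_dir") file(s) not world readable"
make_world_readable "$demo_dir"
echo "after fix:  $(count_unreadable "$demo_dir") file(s) not world readable"
rm -rf "$demo_dir"
```

The check looks only at mode bits, which is the relevant property when the reading process (the kubectl container) shares neither the writer's UID nor a group with it; the same `is_world_readable` function can be run against a real `/output` directory inside the image to confirm the fix.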
Changelog: fixed
Related issues
Related to gitlab-org/cloud-native/gitlab-operator#103 (closed)
Test plan
Replicate current bug
$ docker run --rm -it registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:15-9-stable sh
/ # /scripts/generate-certificates
cfssl version:
Version: 1.6.1
Runtime: go1.12.12
ca-config.json:
... output trimmed for brevity ...
2023/03/31 17:48:21 [INFO] encoded CSR
2023/03/31 17:48:21 [INFO] signed certificate with serial number 355009135190729623642535013773271585172526497918
/ #
/ # ls -l /output
total 36
-rw-r--r-- 1 root root 273 Mar 31 17:48 ca-config.json
-rw-r--r-- 1 root root 152 Mar 31 17:48 ca-csr.json
-rw------- 1 root root 227 Mar 31 17:48 ca-key.pem
-rw-r--r-- 1 root root 404 Mar 31 17:48 ca.csr
-rw-r--r-- 1 root root 656 Mar 31 17:48 ca.pem
-rw-r--r-- 1 root root 131 Mar 31 17:48 wildcard-csr.json
-rw------- 1 root root 227 Mar 31 17:48 wildcard-key.pem
-rw-r--r-- 1 root root 428 Mar 31 17:48 wildcard.csr
-rw-r--r-- 1 root root 725 Mar 31 17:48 wildcard.pem
You can see that wildcard-key.pem and ca-key.pem are only readable by root, which causes the error when the kubectl container (operating as nobody) can't read that file when attempting to create the secret.
Confirm permissions in new image
$ docker run --rm -it registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:make-certificates-world-readable sh
/ #
/ #
/ # /scripts/generate-certificates
cfssl version:
Version: 1.6.1
Runtime: go1.12.12
... output trimmed for brevity ...
2023/03/31 17:46:50 [INFO] encoded CSR
2023/03/31 17:46:50 [INFO] signed certificate with serial number 453553176848201618526527245204891524247746521293
/ #
/ # ls -l output
total 36
-rw-r--r-- 1 root root 273 Mar 31 17:46 ca-config.json
-rw-r--r-- 1 root root 152 Mar 31 17:46 ca-csr.json
-rw-r--r-- 1 root root 227 Mar 31 17:46 ca-key.pem
-rw-r--r-- 1 root root 408 Mar 31 17:46 ca.csr
-rw-r--r-- 1 root root 656 Mar 31 17:46 ca.pem
-rw-r--r-- 1 root root 131 Mar 31 17:46 wildcard-csr.json
-rw-r--r-- 1 root root 227 Mar 31 17:46 wildcard-key.pem
-rw-r--r-- 1 root root 428 Mar 31 17:46 wildcard.csr
-rw-r--r-- 1 root root 725 Mar 31 17:46 wildcard.pem
Now the ca-key.pem and wildcard-key.pem files are world readable.
downstream charts pipeline passes
Ensure Kubernetes Chart deployment works with the changes
certmanager:
  install: false
global:
  ingress:
    configureCertmanager: false
shared-secrets:
  selfsign:
    image:
      tag: make-certificates-world-readable
Ensure that Kubernetes Operator deployment works with the changes
- Installed latest Kubernetes manifest from Releases page.
- Applied GitLab CR:
apiVersion: apps.gitlab.com/v1beta1
kind: GitLab
metadata:
  name: gitlab
  namespace: gitlab-system
spec:
  chart:
    version: "6.10.1"
    values:
      global:
        appConfig:
          initialDefaults:
            signupEnabled: false
        hosts:
          domain: gke.mnielsen-sandbox.com
          externalIP: 34.123.173.205
        ingress:
          configureCertmanager: false
      shared-secrets:
        selfsign:
          image:
            tag: make-certificates-world-readable
- Confirmed that gitlab-wildcard-tls Secret was created (and no errors in the shared-secrets Job logs).
Ensure that OpenShift deployment issue is resolved (gitlab-org/cloud-native/gitlab-operator#103 (closed), gitlab-org/cloud-native/gitlab-operator!371 (closed))
- Installed latest OpenShift Operator manifest from Releases page.
- Applied the same manifest from the Kubernetes Operator testing.
- Confirmed that gitlab-wildcard-tls Secret was created (and no errors in the shared-secrets Job logs).
Considerations
This obviously deviates from the recommended file permissions for sensitive files. This is a consideration to keep in mind, and may be worth documenting for awareness.
It's also worth noting that both the cfssl-self-sign and kubectl containers used in the Shared-Secrets Job are short-lived.
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion
Required
- Merge Request Title, and Description are up to date, accurate, and descriptive
- MR targeting the appropriate branch
- MR has a green pipeline on GitLab.com
Expected (please provide an explanation if not completing)
- Test plan indicating conditions for success has been posted and passes
- Documentation created/updated
- Integration tests added to GitLab QA
- The impact any change in container size has should be evaluated