Make cfssl-self-sign files world readable

Mitchell Nielsen requested to merge make-certificates-world-readable into master

What does this MR do?

Make cfssl-self-sign files world readable

Makes the files generated by cfssl-self-sign's
generate-certificates script world readable.

This ensures that the kubectl container can create
Kubernetes Secrets from the generated keys, which are generated
with 0600 by default.

Since the cfssl-self-sign image and the
kubectl image specify different users (root and nobody, respectively),
we have to make them world readable.

This is especially relevant in OpenShift, where AnyUID
SecurityContextConstraints will force the containers to use random
UIDs.

Changelog: fixed

Related issues

Related to gitlab-org/cloud-native/gitlab-operator#103 (closed)

Test plan

Replicate current bug

$ docker run --rm -it registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:15-9-stable sh
/ # /scripts/generate-certificates
cfssl version:
Version: 1.6.1
Runtime: go1.12.12
ca-config.json:

... output trimmed for brevity ...

2023/03/31 17:48:21 [INFO] encoded CSR
2023/03/31 17:48:21 [INFO] signed certificate with serial number 355009135190729623642535013773271585172526497918
/ #
/ # ls -l /output
total 36
-rw-r--r--    1 root     root           273 Mar 31 17:48 ca-config.json
-rw-r--r--    1 root     root           152 Mar 31 17:48 ca-csr.json
-rw-------    1 root     root           227 Mar 31 17:48 ca-key.pem
-rw-r--r--    1 root     root           404 Mar 31 17:48 ca.csr
-rw-r--r--    1 root     root           656 Mar 31 17:48 ca.pem
-rw-r--r--    1 root     root           131 Mar 31 17:48 wildcard-csr.json
-rw-------    1 root     root           227 Mar 31 17:48 wildcard-key.pem
-rw-r--r--    1 root     root           428 Mar 31 17:48 wildcard.csr
-rw-r--r--    1 root     root           725 Mar 31 17:48 wildcard.pem

You can see that wildcard-key.pem and ca-key.pem are only readable by root, which causes the error: the kubectl container (operating as nobody) can't read those files when attempting to create the secret.

Confirm permissions in new image

$ docker run --rm -it registry.gitlab.com/gitlab-org/build/cng/cfssl-self-sign:make-certificates-world-readable sh
/ #
/ #
/ # /scripts/generate-certificates
cfssl version:
Version: 1.6.1
Runtime: go1.12.12

... output trimmed for brevity ...

2023/03/31 17:46:50 [INFO] encoded CSR
2023/03/31 17:46:50 [INFO] signed certificate with serial number 453553176848201618526527245204891524247746521293
/ #
/ # ls -l output
total 36
-rw-r--r--    1 root     root           273 Mar 31 17:46 ca-config.json
-rw-r--r--    1 root     root           152 Mar 31 17:46 ca-csr.json
-rw-r--r--    1 root     root           227 Mar 31 17:46 ca-key.pem
-rw-r--r--    1 root     root           408 Mar 31 17:46 ca.csr
-rw-r--r--    1 root     root           656 Mar 31 17:46 ca.pem
-rw-r--r--    1 root     root           131 Mar 31 17:46 wildcard-csr.json
-rw-r--r--    1 root     root           227 Mar 31 17:46 wildcard-key.pem
-rw-r--r--    1 root     root           428 Mar 31 17:46 wildcard.csr
-rw-r--r--    1 root     root           725 Mar 31 17:46 wildcard.pem

Now the ca-key.pem and wildcard-key.pem files are world readable.

Ensure downstream charts pipeline passes

Ensure Kubernetes Chart deployment works with the changes

certmanager:
  install: false
global:
  ingress:
    configureCertmanager: false
shared-secrets:
  selfsign:
    image:
      tag: make-certificates-world-readable

Ensure that Kubernetes Operator deployment works with the changes

  1. Installed latest Kubernetes manifest from Releases page.
  2. Applied GitLab CR:
apiVersion: apps.gitlab.com/v1beta1
kind: GitLab
metadata:
  name: gitlab
  namespace: gitlab-system
spec:
  chart:
    version: "6.10.1"
    values:
      global:
        appConfig:
          initialDefaults:
            signupEnabled: false
        hosts:
          domain: gke.mnielsen-sandbox.com
          externalIP: 34.123.173.205
        ingress:
          configureCertmanager: false
      shared-secrets:
        selfsign:
          image:
            tag: make-certificates-world-readable
  3. Confirmed that gitlab-wildcard-tls Secret was created (and no errors in the shared-secrets Job logs).

Ensure that OpenShift deployment issue is resolved (gitlab-org/cloud-native/gitlab-operator#103 (closed), gitlab-org/cloud-native/gitlab-operator!371 (closed))

  1. Installed latest OpenShift Operator manifest from Releases page.
  2. Applied the same manifest from the Kubernetes Operator testing.
  3. Confirmed that gitlab-wildcard-tls Secret was created (and no errors in the shared-secrets Job logs).

Considerations

This obviously deviates from the recommended file permissions for sensitive files. This is a consideration to keep in mind, and may be worth documenting for awareness.

It's also worth noting that both the cfssl-self-sign and kubectl containers used in the Shared-Secrets Job are short-lived.

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Integration tests added to GitLab QA
  • The impact any change in container size has should be evaluated
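The permission check that the "Confirm permissions in new image" step of the test plan does by hand with `ls -l` can be scripted so it runs in CI against the generate-certificates output directory. The following is an added example, not code from the MR or from the cfssl-self-sign image. The MR's actual change to the generate-certificates script is not shown on this page, so `chmod a+r` is an assumption about how the files are made world readable, and the sample directory is constructed here to mirror the "before" listing (keys at 0600, everything else at 0644).

```shell
#!/bin/sh
# Added example (not part of the MR or the cfssl-self-sign image): script the
# permission check the test plan performs by hand with `ls -l`.
# The MR's change to generate-certificates is not shown on the page; the
# `chmod a+r` in make_world_readable is an assumption about how the files
# are made world readable.

# check_world_readable DIR
# Returns 0 when every regular file directly under DIR has the "others read"
# bit (0004) set, which is what a kubectl container running as nobody (or as a
# random OpenShift UID) needs. Otherwise prints the offending files with their
# modes and returns 1. Mode bits are tested instead of `test -r` because a
# check run as root would otherwise always succeed.
check_world_readable() {
    offenders=$(find "$1" -maxdepth 1 -type f ! -perm -004)
    if [ -n "$offenders" ]; then
        echo "files not readable by other users under $1:"
        for f in $offenders; do
            ls -l "$f"
        done
        return 1
    fi
    return 0
}

# make_world_readable DIR
# Adds the read bit for group and others on every file under DIR
# (assumed fix, see note above).
make_world_readable() {
    find "$1" -maxdepth 1 -type f -exec chmod a+r {} +
}

# make_sample_output
# Constructs a temporary directory mirroring the "before" listing in the MR:
# certificates and JSON at 0644, the two private keys at 0600. Prints its path.
make_sample_output() {
    d=$(mktemp -d)
    for f in ca-config.json ca-csr.json ca.csr ca.pem \
             wildcard-csr.json wildcard.csr wildcard.pem; do
        : > "$d/$f"
        chmod 644 "$d/$f"
    done
    for f in ca-key.pem wildcard-key.pem; do
        : > "$d/$f"
        chmod 600 "$d/$f"
    done
    printf '%s\n' "$d"
}

# Demo: the "before" state fails the check; after the fix it passes.
demo_dir=$(make_sample_output)
check_world_readable "$demo_dir" || echo "(expected failure before the fix)"
make_world_readable "$demo_dir"
check_world_readable "$demo_dir" && echo "all files under $demo_dir are world readable"
rm -rf "$demo_dir"
```

Pointing `check_world_readable` at the real /output directory after running /scripts/generate-certificates in the image turns the manual `ls -l` inspection into a pass/fail step. Note that the opposite check (keys must stay 0600) is the one a hardening scan would normally run, which is the trade-off the Considerations section calls out.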