From dbbf93b9e22dbb0a38146ccfd9205f5169595144 Mon Sep 17 00:00:00 2001
From: Windz
Date: Thu, 26 Oct 2023 11:53:07 +0900
Subject: [PATCH] split key default to false (#46)
* draft
Signed-off-by: wfan
* hash
Signed-off-by: wfan
* log
Signed-off-by: wfan
* Update cmd/athenz-sia/main.go
Co-authored-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
Signed-off-by: Windz
* Update pkg/identity/certificated.go
Co-authored-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
Signed-off-by: Windz
* Update pkg/identity/healthcheckd.go
Co-authored-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
Signed-off-by: Windz
* Update pkg/identity/metricsd.go
Co-authored-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
Signed-off-by: Windz
* Update pkg/token/daemon.go
Co-authored-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
Signed-off-by: Windz
---------
Signed-off-by: wfan
Signed-off-by: Windz
Co-authored-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
---
 athenz-sia.env | 6 +++---
 cmd/athenz-sia/main.go | 4 ++--
 pkg/config/config.go | 9 +++++++++
 pkg/config/default.go | 4 ++--
 pkg/identity/certificated.go | 5 ++---
 pkg/identity/healthcheckd.go | 2 +-
 pkg/identity/metricsd.go | 2 +-
 pkg/token/daemon.go | 2 +-
 8 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/athenz-sia.env b/athenz-sia.env
index 8e46194b..437d5927 100644
--- a/athenz-sia.env
+++ b/athenz-sia.env
@@ -142,10 +142,10 @@ ROLECERT_DIR=
 # ROLE_CERT_FILENAME_DELIMITER=:role.
 #
-# Outputs private key specifically for role certificates (e.g. :true or false)
-# Default value for binary: https://github.com/AthenZ/k8s-athenz-sia/blob/c8478297a9d228ffc0a6a1ea469ad0ef8a682dc8/pkg/config/default.go#L92
+# Outputs private key specifically for role certificates (e.g. true or false)
+# Default value for binary: https://github.com/AthenZ/k8s-athenz-sia/blob/7cedb649397adb59afdaaa821cfa0b1d226b7203/pkg/config/default.go#L92
 #
-ROLE_CERT_KEY_FILE_OUTPUT=true
+ROLE_CERT_KEY_FILE_OUTPUT=false
 #
 # Athenz Role Auth Header to retrieve role tokens
 # Default value for binary: https://github.com/AthenZ/k8s-athenz-sia/blob/c8478297a9d228ffc0a6a1ea469ad0ef8a682dc8/pkg/config/default.go#L41
diff --git a/cmd/athenz-sia/main.go b/cmd/athenz-sia/main.go
index 6fa7a2c7..4ef743b0 100644
--- a/cmd/athenz-sia/main.go
+++ b/cmd/athenz-sia/main.go
@@ -85,8 +85,8 @@ func main() {
 }
 if !idConfig.Init {
- <-ch // wait until receiving os.Signal from channel ch
- log.Println("Shutting down...")
+ s := <-ch // wait until receiving os.Signal from channel ch
+ log.Printf("Initiating shutdown with received signal %s ...\n", s.String())
 }
 close(certificateChan)
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 4157bbcb..de3dd388 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
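Review bot: The comment above `ROLE_CERT_KEY_FILE_OUTPUT=false` does not tell the operator what the new default costs them, although the warning this same patch adds to `validateAndInit` in pkg/config/config.go spells it out: when certificate provisioning is disabled and an external key is used, leaving this at false means a rotated key can stop matching the role certificates already issued until SIA is restarted. Add a line such as `# Set to true when the key file is rotated externally, otherwise issued role certificates and the rotated key may mismatch until SIA restarts`. The "Default value for binary" link under ROLE_CERT_KEY_FILE_OUTPUT was moved to a new commit hash while the one under the Role Auth Header comment still points at the old hash; pinning these links to hashes means every change to default.go leaves some of them stale.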
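Review bot: `s.String()` on the new `log.Printf` line will panic if `ch` is ever closed instead of sent to, because the value received from a closed channel is a nil `os.Signal` interface; passing `s` itself to `%s` lets fmt call `String()` only when there is a value to call it on. If `log` here is the standard library logger, the trailing `\n` in the format is also redundant, since it appends a newline when the message lacks one. Suggested: `log.Printf("Initiating shutdown with received signal %s ...", s)`. Whether anything closes `ch` is not visible in this hunk, and `main`'s body continues outside it.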
@@ -242,6 +242,15 @@ func (idConfig *IdentityConfig) validateAndInit() (err error) {
 PollInterval: pollInterval,
 })
+ // if certificate provisioning is disabled (use external key) and splitting role certificate key file is disabled, role certificate and external key mismatch problem may occur when external key rotates.
+ // error case: issue role certificate, rotate external key, mismatch period, issue role certificate, resolve, rotate external key, ...
+ if idConfig.ProviderService == "" && !idConfig.RoleCertKeyFileOutput {
+ // if role certificate issuing is enabled, warn user about the mismatch problem
+ if idConfig.TargetDomainRoles != "" && idConfig.RoleCertDir != "" {
+ log.Warnf("Rotating KEY_FILE[%s] may cause key mismatch with issued role certificate due to different rotation cycle. Please manually restart SIA when you rotate the key file.", idConfig.KeyFile)
+ }
+ }
 // During the init flow if X.509 cert(and key) already exists,
 // - someone is attempting to run init after a pod has been started
 // - pod sandbox crashed and kubelet runs the init container
diff --git a/pkg/config/default.go b/pkg/config/default.go
index d12ced6a..3395b2a3 100644
--- a/pkg/config/default.go
+++ b/pkg/config/default.go
@@ -89,7 +89,7 @@ func DefaultIdentityConfig() *IdentityConfig {
 TargetDomainRoles: "",
 RoleCertDir: "",
 RoleCertFilenameDelimiter: DEFAULT_ROLE_CERT_FILENAME_DELIMITER,
- RoleCertKeyFileOutput: true,
+ RoleCertKeyFileOutput: false,
 RoleAuthHeader: DEFAULT_ROLE_AUTH_HEADER,
 TokenType: "accesstoken",
 TokenRefresh: DEFAULT_TOKEN_REFRESH,
@@ -114,7 +114,7 @@ func DefaultIdentityConfig() *IdentityConfig {
 rawMode: "init",
 rawRefresh: "24h",
 rawDelayJitterSeconds: "0",
- rawRoleCertKeyFileOutput: "true",
+ rawRoleCertKeyFileOutput: "false",
 rawTokenRefresh: DEFAULT_TOKEN_REFRESH.String(),
 rawTokenExpiry: DEFAULT_TOKEN_EXPIRY.String(),
 rawTokenServerRESTAPI: "false",
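Review bot: The two nested `if` statements added to `validateAndInit` guard four independent conditions with nothing between them, so they read more clearly as a single guard: `if idConfig.ProviderService == "" && !idConfig.RoleCertKeyFileOutput && idConfig.TargetDomainRoles != "" && idConfig.RoleCertDir != "" {`, with the two explanatory comments merged above it. The first added comment is one very long line; wrapping it would match the `// During the init flow` block that follows. Note that this warning is emitted once at startup, so an operator who rotates `KEY_FILE` later will not find it near the eventual failure in the log; a second, shorter warning at the point in certificated.go where the role-cert key is skipped would be closer to the symptom, though that code is outside this hunk. `validateAndInit` starts and ends outside this hunk.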
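Review bot: `RoleCertKeyFileOutput: false` and `rawRoleCertKeyFileOutput: "false"` encode the same default twice and have to be flipped together, which is exactly the hand-edit this commit performs across its two hunks in default.go; the neighbouring fields avoid that by sharing a constant (`RoleCertFilenameDelimiter: DEFAULT_ROLE_CERT_FILENAME_DELIMITER`, `rawTokenRefresh: DEFAULT_TOKEN_REFRESH.String()`). Declaring one constant for this default alongside the existing `DEFAULT_*` values and writing the raw field as `strconv.FormatBool(<that constant>)` keeps the typed and raw defaults from drifting apart on the next change.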
diff --git a/pkg/identity/certificated.go b/pkg/identity/certificated.go
index 59f9189a..cd4b115f 100644
--- a/pkg/identity/certificated.go
+++ b/pkg/identity/certificated.go
@@ -103,8 +103,7 @@ func Certificated(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (er
 return errors.Wrap(err, "unable to save x509 role cert")
 }
- // always output role cert key file to prevent unexpected key rotation when using external key
- if id == nil || idConfig.RoleCertKeyFileOutput {
+ if idConfig.RoleCertKeyFileOutput {
 outKeyPath := filepath.Join(idConfig.RoleCertDir, rolecert.Domain+idConfig.RoleCertFilenameDelimiter+rolecert.Role+".key.pem")
 log.Debugf("Saving x509 role cert key[%d bytes] at [%s]", len(roleKeyPEM), outKeyPath)
 if err := w.AddBytes(outKeyPath, 0644, roleKeyPEM); err != nil {
@@ -354,7 +353,7 @@ func Certificated(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (er
 log.Errorf("Failed to refresh x509 certificate after multiple retries: %s", err.Error())
 }
 case <-stopChan:
- log.Info("Certificate provider will shutdown")
+ log.Info("Initiating shutdown of certificate provider daemon ...")
 err = deleteRequest()
 if err != nil {
 log.Errorf("Failed to delete x509 certificate Instance ID record: %s", err.Error())
diff --git a/pkg/identity/healthcheckd.go b/pkg/identity/healthcheckd.go
index 3df99844..6960b7a1 100644
--- a/pkg/identity/healthcheckd.go
+++ b/pkg/identity/healthcheckd.go
@@ -59,7 +59,7 @@ func Healthcheckd(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (er
 defer close(shutdownChan)
 <-stopChan
- log.Info("Health check server will shutdown")
+ log.Info("Initiating shutdown of health check daemon ...")
 ctx, cancel := context.WithTimeout(context.Background(), idConfig.ShutdownTimeout)
 defer cancel()
 healthCheckServer.SetKeepAlivesEnabled(false)
diff --git a/pkg/identity/metricsd.go b/pkg/identity/metricsd.go
index 8cc6a6b5..2b1e8f4c 100644
--- a/pkg/identity/metricsd.go
+++ b/pkg/identity/metricsd.go
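Review bot: Removing `id == nil ||` also removed the only comment that explained why the key file used to be written unconditionally on the external-key path, and the bare `if idConfig.RoleCertKeyFileOutput {` that remains gives the next reader no hint that leaving the flag false can leave issued role certificates bound to a key that has since been rotated — a risk this patch now surfaces only through a startup warning in `validateAndInit`. Suggest restoring a comment above the condition, e.g. `// key file output is opt-in; with an external key, rotating it can leave issued role certs bound to the old key (see validateAndInit warning)`. That `id == nil` was the external-key case is inferred from the removed comment rather than visible here. `Certificated` starts and ends outside this hunk.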
@@ -98,7 +98,7 @@ func Metricsd(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (error,
 defer close(shutdownChan)
 <-stopChan
- log.Info("Metrics exporter will shutdown")
+ log.Info("Initiating shutdown of metrics exporter daemon ...")
 // context.Background() is used, no timeout
 err := exporter.Shutdown()
 if err != nil {
diff --git a/pkg/token/daemon.go b/pkg/token/daemon.go
index 5d5aafe2..c3d38cab 100644
--- a/pkg/token/daemon.go
+++ b/pkg/token/daemon.go
@@ -274,7 +274,7 @@ func Tokend(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (error, <
 log.Errorf("Failed to refresh tokens after multiple retries: %s", err.Error())
 }
 case <-stopChan:
- log.Info("Token provider will shutdown")
+ log.Info("Initiating shutdown of token provider daemon ...")
 time.Sleep(idConfig.ShutdownDelay)
 ctx, cancel := context.WithTimeout(context.Background(), idConfig.ShutdownTimeout)
 defer cancel()