Skip to content

Add RSA support to TLS libraries#3135

Merged
alpeb merged 2 commits intomasterfrom
alpeb/rsa
Jul 26, 2019
Merged

Add RSA support to TLS libraries#3135
alpeb merged 2 commits intomasterfrom
alpeb/rsa

Conversation

@alpeb
Copy link
Member

@alpeb alpeb commented Jul 24, 2019

Fixes #3131

Wrapped private keys into either PrivateKeyEC or PrivateKeyRSA to
provide different certificate matching logic and marshaling depending on
the block type.

You can test having an RSA cert for the proxy injector by applying this
patch:

$ diff -u chart/templates/proxy_injector-rbac.yaml ~/tmp/proxy_injector-rbac.yaml
--- chart/templates/proxy_injector-rbac.yaml    2019-07-24 14:34:43.570616936 -0500
+++ /home/alpeb/tmp/proxy_injector-rbac.yaml    2019-07-24 13:41:03.150285099 -0500
@@ -1,4 +1,5 @@
 {{with .Values -}}
+{{- $ca := genCA "linkerd-proxy-injector.linkerd.svc" 365 -}}
 ---
 ###
 ### Proxy Injector RBAC
@@ -60,8 +61,8 @@
     {{ .CreatedByAnnotation }}: {{ .CliVersion }}
 type: Opaque
 data:
-  crt.pem: {{ b64enc .ProxyInjector.CrtPEM }}
-  key.pem: {{ b64enc .ProxyInjector.KeyPEM }}
+  crt.pem: {{ b64enc $ca.Cert }}
+  key.pem: {{ b64enc $ca.Key }}
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
@@ -81,7 +82,7 @@
       name: linkerd-proxy-injector
       namespace: {{ .Namespace }}
       path: "/"
-    caBundle: {{ b64enc .ProxyInjector.CrtPEM }}
+    caBundle: {{ b64enc $ca.Cert }}
   failurePolicy: {{ .WebhookFailurePolicy }}
   rules:
   - operations: [ "CREATE" ]

This will replace the logic to generate the cert with a call to Helm's
genCA, which uses RSA.

@alpeb
Add RSA support to TLS libraries
3c8b794 
Fixes #3131

Wrapped private keys into either `PrivateKeyEC` or `PrivateKeyRSA` to
provide different certificate matching logic and marshaling depending on
the block type.

You can test having an RSA cert for the proxy injector by applying this
patch:

```diff
$ diff -u chart/templates/proxy_injector-rbac.yaml ~/tmp/proxy_injector-rbac.yaml
--- chart/templates/proxy_injector-rbac.yaml    2019-07-24 14:34:43.570616936 -0500
+++ /home/alpeb/tmp/proxy_injector-rbac.yaml    2019-07-24 13:41:03.150285099 -0500
@@ -1,4 +1,5 @@
 {{with .Values -}}
+{{- $ca := genCA "linkerd-proxy-injector.linkerd.svc" 365 -}}
 ---
 ###
 ### Proxy Injector RBAC
@@ -60,8 +61,8 @@
     {{ .CreatedByAnnotation }}: {{ .CliVersion }}
 type: Opaque
 data:
-  crt.pem: {{ b64enc .ProxyInjector.CrtPEM }}
-  key.pem: {{ b64enc .ProxyInjector.KeyPEM }}
+  crt.pem: {{ b64enc $ca.Cert }}
+  key.pem: {{ b64enc $ca.Key }}
 ---
 apiVersion: admissionregistration.k8s.io/v1beta1
 kind: MutatingWebhookConfiguration
@@ -81,7 +82,7 @@
       name: linkerd-proxy-injector
       namespace: {{ .Namespace }}
       path: "/"
-    caBundle: {{ b64enc .ProxyInjector.CrtPEM }}
+    caBundle: {{ b64enc $ca.Cert }}
   failurePolicy: {{ .WebhookFailurePolicy }}
   rules:
   - operations: [ "CREATE" ]
```

This will replace the logic to generate the cert with a call to Helm's
`genCA`, which uses RSA.

Signed-off-by: Alejandro Pedraza <[email protected]>
@alpeb alpeb requested review from adleong, ihcsim and siggy July 24, 2019 19:42
@alpeb alpeb self-assigned this Jul 24, 2019
@l5d-bot
Copy link
Collaborator

l5d-bot commented Jul 24, 2019

Integration test results for 3c8b794: fail 😕
Log output: https://gist.github.com/a1746b927597e1eb267448e40fe3bf19

siggy
siggy approved these changes Jul 24, 2019
View reviewed changes
Copy link
Member

@siggy siggy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for providing the test diff, confirmed works! a couple nits then 🚢

@alpeb
Feedback Siggy
f8f3742 
Signed-off-by: Alejandro Pedraza <[email protected]>
@l5d-bot
Copy link
Collaborator

l5d-bot commented Jul 25, 2019

Integration test results for f8f3742: success 🎉
Log output: https://gist.github.com/0fd6005bc5988c9719ef486d0159546f

@alpeb alpeb mentioned this pull request Jul 26, 2019
Merged
adleong
adleong approved these changes Jul 26, 2019
View reviewed changes
Copy link
Member

@adleong adleong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:electron: ➰ ⭐ LGTM

@alpeb alpeb merged commit 19a8c72 into master Jul 26, 2019
@alpeb alpeb deleted the alpeb/rsa branch July 26, 2019 16:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@siggy siggy siggy approved these changes

@adleong adleong adleong approved these changes

@ihcsim ihcsim Awaiting requested review from ihcsim

Assignees

@alpeb alpeb

Labels

area/controller area/install

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add RSA support to TLS libraries

4 participants

@alpeb @l5d-bot @siggy @adleong