
USHIFT-667: Avoid regenerating keypair for Service Account tokens#1200

Merged: openshift-merge-robot merged 1 commit into openshift:main from oglok:sa-tokens on Dec 20, 2022

Conversation

@oglok
Contributor

@oglok oglok commented Dec 16, 2022

Signed-off-by: Ricardo Noriega rnoriega@redhat.com

Which issue(s) this PR addresses:

The issue happens when MicroShift is restarted, and the keypair used to verify service account tokens is regenerated. At first boot, KAS and KCM will read the content of the initial file and keep that information internally. After restart, the user agents calling the API server with the private key will be unauthorized because it has changed.

This PR prevents the regeneration of the key pair.

Closes USHIFT-667

Signed-off-by: Ricardo Noriega <rnoriega@redhat.com>
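The failure described above comes down to one rule: the key pair that signs and verifies service account tokens must be loaded from disk when it already exists and generated only when it is absent. The following is an added illustration, not MicroShift's own code; the names readPEM, loadKeyPair, generateKeyPair, EnsureKeyPair and TokenSurvivesRestart, the PEM file layout and the RSA/PKCS#1 signature are all assumptions made here. TokenSurvivesRestart signs a constructed token payload with the first-boot pair, simulates a restart, and checks whether the signature still verifies: with the pair persisted it does, with the pair regenerated (the pre-PR behaviour) verification fails, which is what the kube-apiserver "invalid bearer token" errors reflect.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// readPEM returns the DER bytes of the first PEM block in path, insisting on the expected type.
func readPEM(path, wantType string) ([]byte, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err // wraps os.ErrNotExist when the file is missing
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != wantType {
		return nil, fmt.Errorf("%s: no %s PEM block", path, wantType)
	}
	return block.Bytes, nil
}

// loadKeyPair reads both halves and checks that the public key really belongs to the private key.
func loadKeyPair(pubKeyPath, privKeyPath string) (*rsa.PrivateKey, error) {
	privDER, err := readPEM(privKeyPath, "RSA PRIVATE KEY")
	if err != nil {
		return nil, err
	}
	pubDER, err := readPEM(pubKeyPath, "PUBLIC KEY")
	if err != nil {
		return nil, err
	}
	priv, err := x509.ParsePKCS1PrivateKey(privDER)
	if err != nil {
		return nil, err
	}
	pubAny, err := x509.ParsePKIXPublicKey(pubDER)
	pub, ok := pubAny.(*rsa.PublicKey) // ok is false when pubAny is nil, so no panic on error
	if err != nil || !ok || !pub.Equal(&priv.PublicKey) {
		return nil, fmt.Errorf("public key unusable or not matching private key (%v)", err)
	}
	return priv, nil
}

// generateKeyPair writes a fresh 2048-bit RSA pair; the private half is owner-only.
func generateKeyPair(pubKeyPath, privKeyPath string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	pubDER, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an *rsa.PublicKey
	privPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	if err := os.WriteFile(privKeyPath, privPEM, 0o600); err != nil {
		return nil, err
	}
	return priv, os.WriteFile(pubKeyPath, pubPEM, 0o644)
}

// EnsureKeyPair reuses the pair on disk and generates one only if the files are absent; the bool reports "generated".
func EnsureKeyPair(pubKeyPath, privKeyPath string) (*rsa.PrivateKey, bool, error) {
	priv, err := loadKeyPair(pubKeyPath, privKeyPath)
	if err == nil {
		return priv, false, nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		// An existing but unreadable or mismatched pair is not silently overwritten: that would invalidate every issued token.
		return nil, false, fmt.Errorf("existing key pair unusable: %w", err)
	}
	priv, err = generateKeyPair(pubKeyPath, privKeyPath)
	return priv, err == nil, err
}

// TokenSurvivesRestart signs a constructed token payload with the first-boot pair, simulates a
// restart, and reports whether the signature still verifies. persist=false regenerates the pair on "restart".
func TokenSurvivesRestart(dir string, persist bool) (bool, error) {
	pub, priv := filepath.Join(dir, "sa.pub"), filepath.Join(dir, "sa.key")
	firstKey, _, err := EnsureKeyPair(pub, priv)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256([]byte(`{"sub":"system:serviceaccount:default:demo"}`)) // constructed claims
	sig, err := rsa.SignPKCS1v15(rand.Reader, firstKey, crypto.SHA256, digest[:])
	if err != nil {
		return false, err
	}
	if !persist {
		if _, err := generateKeyPair(pub, priv); err != nil { // old behaviour: a new pair on every boot
			return false, err
		}
	}
	secondKey, _, err := EnsureKeyPair(pub, priv) // what the API server loads after restart
	if err != nil {
		return false, err
	}
	return rsa.VerifyPKCS1v15(&secondKey.PublicKey, crypto.SHA256, digest[:], sig) == nil, nil
}
```

Two design choices are worth noting: only a missing file is treated as a reason to generate, so a pair that exists but cannot be parsed surfaces as an error instead of being overwritten, and the public key is checked against the private key before the pair is trusted, so a partially restored or hand-edited pair cannot slip through.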
@oglok
Contributor Author

oglok commented Dec 16, 2022

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 16, 2022
@openshift-ci openshift-ci bot requested review from ggiguash and mangelajo December 16, 2022 11:45
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 16, 2022
@mangelajo
Contributor

@oglok can you explain how the issue happens and how the PR fixes it? :)

@oglok
Contributor Author

oglok commented Dec 19, 2022

@oglok can you explain how the issue happens and how the PR fixes it? :)

I've edited the PR description.

@oglok
Contributor Author

oglok commented Dec 19, 2022

/unhold

PR is fully tested and after restart, the keypair for service account tokens is fully authorized. No more errors like:

Dec 19 16:47:35 rhel9vm.oglok.net microshift[9565]: kube-apiserver E1219 16:47:35.466392    9565 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, square/go-jose: error in cryptographic primitive]"
Dec 19 16:47:36 rhel9vm.oglok.net microshift[9565]: kube-apiserver E1219 16:47:36.615710    9565 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, square/go-jose: error in cryptographic primitive]"

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 19, 2022
@oglok oglok requested review from pacevedom and pmtk December 19, 2022 16:14
@oglok oglok changed the title USHIFT-667: Avoid creating keypair for Service Account tokens USHIFT-667: Avoid regenerating keypair for Service Account tokens Dec 19, 2022
)

func EnsureKeyPair(pubKeyPath, privKeyPath string) error {
if _, err := getKeyPair(pubKeyPath, privKeyPath); err == nil {
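Review bot: the early-return condition `err == nil` in EnsureKeyPair treats every failure of `getKeyPair` the same way, so a key pair that exists on disk but cannot be read or parsed will be regenerated and overwritten, which reproduces the token invalidation this PR sets out to avoid. Consider generating only when the files are absent (`errors.Is(err, os.ErrNotExist)`) and returning, or at least logging, any other error, and checking that the loaded public key actually matches the private key before the pair is accepted.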
Contributor


Should we have a log if the error is not nil? Is it relevant enough even though it's regenerated afterwards?

Contributor Author


If getKeyPair is not successful, it will return all errors internally. I'd say it's not necessary.

@pacevedom
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 20, 2022
@openshift-ci
Contributor

openshift-ci bot commented Dec 20, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: oglok, pacevedom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Contributor

openshift-ci bot commented Dec 20, 2022

@oglok: all tests passed!

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
