Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix openssl SAN check on newer versions of OpenSSL #11277

Merged
merged 1 commit into from
Sep 9, 2024
Merged

Fix openssl SAN check on newer versions of OpenSSL #11277

merged 1 commit into from
Sep 9, 2024

Conversation

mhamzahkhan
Copy link
Contributor

What type of PR is this?

/kind bug

What this PR does / why we need it:
Newer versions of OpenSSL appear to return an exit code of 1 if the checkhost doesn't match. Older versions of OpenSSL seem to return a 0 regardless of if it matched or not:

[root@lab-loadbalancer-01-lon1-uk ~]# openssl version
OpenSSL 3.1.1 30 May 2023 (Library: OpenSSL 3.1.1 30 May 2023)

[root@lab-loadbalancer-01-lon1-uk ~]# openssl x509 -noout -in apiserver.crt -checkhost lab-master-01-lon1-uk.cluster.local && echo "Matched" || echo "Did not match"
Hostname lab-master-01-lon1-uk.cluster.local does match certificate
Matched

[root@lab-loadbalancer-01-lon1-uk ~]# openssl x509 -noout -in apiserver.crt -checkhost i-should-not-match && echo "Matched" || echo "Did not match"
Hostname i-should-not-match does NOT match certificate
Matched

root@lab-master-01-lon1-uk:/etc/kubernetes/ssl# openssl version
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)

root@lab-master-01-lon1-uk:/etc/kubernetes/ssl# openssl x509 -noout -in apiserver.crt -checkhost lab-master-01-lon1-uk.cluster.local && echo "Matched" || echo "Did not match"
Hostname lab-master-01-lon1-uk.cluster.local does match certificate
Matched

root@lab-master-01-lon1-uk:/etc/kubernetes/ssl# openssl x509 -noout -in apiserver.crt -checkhost i-should-not-match && echo "Matched" || echo "Did not match"
Hostname i-should-not-match does NOT match certificate
Did not match

This causes ansible to exit on the SAN check:

TASK [kubernetes/control-plane : Kubeadm | Check apiserver.crt SAN hosts] ***************************************************
....
failed: [lab-master-01-lon1-uk.k8s.intahnet.co.uk] (item=lab-master-01-lon1-uk.cluster.local) => {"ansible_loop_var": "item", "changed": true, "cmd": ["openssl", "x509", "-noout", "-in", "/etc/kubernetes/ssl/apiserver.crt", "-checkhost", "lab-master-01-lon1-uk.cluster.local"], "delta": "0:00:00.022344", "end": "2024-06-07 06:19:02.072828", "item": "lab-master-01-lon1-uk.cluster.local", "msg": "non-zero return code", "rc": 1, "start": "2024-06-07 06:19:02.050484", "stderr": "", "stderr_lines": [], "stdout": "Hostname lab-master-01-lon1-uk.cluster.local does NOT match certificate", "stdout_lines": ["Hostname lab-master-01-lon1-uk.cluster.local does NOT match certificate"]}
....

NO MORE HOSTS LEFT **********************************************************************************************************

Adding ignore_errors: true should fix this

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added the release-note-none Denotes a PR that doesn't merit a release note. label Jun 7, 2024
@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented Jun 7, 2024
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: mhamzahkhan / name: M. Hamzah Khan (f165ac4)

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 7, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @mhamzahkhan. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jun 7, 2024
@k8s-ci-robot k8s-ci-robot requested a review from yankay June 7, 2024 10:59
@mhamzahkhan mhamzahkhan marked this pull request as draft June 7, 2024 11:00
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 7, 2024
@mhamzahkhan mhamzahkhan force-pushed the fcos40-fix-openssl-san-check branch from a6344f9 to 68f4082 Compare June 7, 2024 11:01
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jun 7, 2024
@mhamzahkhan mhamzahkhan marked this pull request as ready for review June 7, 2024 11:06
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 7, 2024
@VannTen
Copy link
Contributor

VannTen commented Jun 7, 2024 via email

@yankay
Copy link
Member

yankay commented Jun 18, 2024

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jun 18, 2024
@mhamzahkhan
Copy link
Contributor Author

Apologies for the delay in updating this PR, and the suggestions for how to improve this.

Would something like this be acceptable?

      failed_when: apiserver_sans_ip_check.stdout is not search('match certificate')

This would cause it to fail only if the certificate is eg unable to be parsed for whatever reason.

@yankay yankay closed this Aug 15, 2024
@yankay yankay reopened this Aug 15, 2024
@VannTen
Copy link
Contributor

VannTen commented Aug 26, 2024

Yes, I think that should work.

(Regarding the block rescue stuff, thinking about it a second time I'm not sure it would work, given how block interacts with loop in Ansible 🤔. So might be best to change only the minimum ^^)

@VannTen
Copy link
Contributor

VannTen commented Sep 5, 2024

/approve
I suggest you rebase, I think the elastx_cleanup has been made optional in master

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/contains-merge-commits labels Sep 5, 2024
@mhamzahkhan
Copy link
Contributor Author

I have rebased this now :)

@VannTen
Copy link
Contributor

VannTen commented Sep 9, 2024 via email

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 9, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mhamzahkhan, VannTen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit d54cfba into kubernetes-sigs:master Sep 9, 2024
40 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MrFreezeex MrFreezeex Awaiting requested review from MrFreezeex

@yankay yankay Awaiting requested review from yankay

@mzaian mzaian Awaiting requested review from mzaian

@VannTen VannTen Awaiting requested review from VannTen

Assignees

@VannTen VannTen

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesn't merit a release note. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mhamzahkhan @k8s-ci-robot @VannTen @yankay