1 change: 1 addition & 0 deletions central/tlsconfig/tlsconfig.go
Expand Up @@ -38,6 +38,7 @@ func GetAdditionalCAs() ([][]byte, error) {
var certDERs [][]byte
for _, certFile := range certFileInfos {
if filepath.Ext(certFile.Name()) != ".crt" {
log.Infof("Skipping additional-ca file %q, must end with '*.crt'.", certFile.Name())
continue
}
content, err := os.ReadFile(path.Join(additionalCADir, certFile.Name()))
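Review bot: The new skip message is logged at Infof, which is easy to miss when an operator drops a CA under a name the loader rejects; note the `filepath.Ext` comparison on the line above is case-sensitive, so `.pem` and `.CRT` files are both silently ignored and only surface later as a TLS verification failure against the load balancer. Consider raising it to Warnf and stating the rule precisely, e.g. `log.Warnf("Skipping additional-ca file %q: only files with a lowercase .crt extension are loaded.", certFile.Name())`. Separately, the context line below joins the directory with `path.Join`; `filepath.Join` is the OS-path form, although the two coincide on Linux. GetAdditionalCAs starts and ends outside the hunk.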
21 changes: 15 additions & 6 deletions sensor/common/centralclient/client_test.go
Expand Up @@ -28,13 +28,22 @@ import (
const (
endpoint = "localhost:8000"

// Receiving trust info examples from a running cluster:
// roxcurl /v1/tls-challenge?"challengeToken=h83_PGhSqS8OAvplb8asYMfPHy1JhVVMKcajYyKmrIU="
// 1. Deploy a new StackRox instance
// 2. Create and generate a new CA and replace it in the additional-ca.yaml:
// $ openssl genrsa -des3 -out myCA.key 2048
// $ openssl req -x509 -new -nodes -key myCA.key -sha256 -out myCA.pem -days 100000 -subj '/CN=Root LoadBalancer Certificate Authority'
// $ kubectl -n stackrox apply -f additional-ca.yaml
//
// 3. Receiving trust info examples from a running cluster:
// $ roxcurl /v1/tls-challenge?"challengeToken=h83_PGhSqS8OAvplb8asYMfPHy1JhVVMKcajYyKmrIU="
// Copy trust-info and signature from the json response
// Note that tests here are likely to start failing again some time in November 2022 due to cert expiration.
// TODO(ROX-8661): Make these tests not fail after a year.
trustInfoExample = "Cs8EMIICSzCCAfKgAwIBAgIIcWKm03L8WR8wCgYIKoZIzj0EAwIwRzEnMCUGA1UEAxMeU3RhY2tSb3ggQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRwwGgYDVQQFExM0Mjc3MTY2NjM4MTI2ODYwNDk0MB4XDTIxMTExNzA4MTIwMFoXDTIyMTExNzA5MTIwMFowWzEYMBYGA1UECwwPQ0VOVFJBTF9TRVJWSUNFMSEwHwYDVQQDDBhDRU5UUkFMX1NFUlZJQ0U6IENlbnRyYWwxHDAaBgNVBAUTEzgxNzAyNzYxMDExMDA5NTE4MzkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQn0TP1n5TjGmM9QW58s11ItYoEtXj5AuwyDIle631XDb0vjiGrRXl6xEM0+zDlHjMDnU33AO9tPXzavXDZUpGto4GzMIGwMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUrFDnL+iViftHNoUUXKXgKRNBxrYwHwYDVR0jBBgwFoAUWKYQUqODajdf1pFwZ1DT1g3zy4IwMQYDVR0RBCowKIIQY2VudHJhbC5zdGFja3JveIIUY2VudHJhbC5zdGFja3JveC5zdmMwCgYIKoZIzj0EAwIDRwAwRAIgdTpOZ5ce2czlCm2XRbY9r0dJomao6qDYEongF1rxxasCIBnzIoTglBPvKVC25gVaYS2+X0EwpOG4QdgMH7DtHXbWCtYDMIIB0jCCAXigAwIBAgIUam1M7xL4Y1lEA/RYgFgui45ngTkwCgYIKoZIzj0EAwIwRzEnMCUGA1UEAxMeU3RhY2tSb3ggQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRwwGgYDVQQFExM0Mjc3MTY2NjM4MTI2ODYwNDk0MB4XDTIxMTExNzA5MDcwMFoXDTI2MTExNjA5MDcwMFowRzEnMCUGA1UEAxMeU3RhY2tSb3ggQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRwwGgYDVQQFExM0Mjc3MTY2NjM4MTI2ODYwNDk0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyQhd8jO5weSBK8GvQ7bh7WVeCZeVlgamtjzA+V8vYUrmK1XI6uGe4x0tvEirXbh35OcXZG4ZH34t/AtDmv31FKNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFimEFKjg2o3X9aRcGdQ09YN88uCMAoGCCqGSM49BAMCA0gAMEUCIEDbVs1oUErS7dSRZi97MKKVpYXPf593h/EEP53Xn5VkAiEA5iNduwdhb5Scb1RPsn61ACp1PmsBXKZNmI/bg6pRcVoSLGg4M19QR2hTcVM4T0F2cGxiOGFzWU1mUEh5MUpoVlZNS2Nhall5S21ySVU9GixTXy1vX0lrNk1yb0FvbE9jZWVHdDdtNW1zZ2hhNm9pSzNFTlhjWnJUa09FPSL+BTCCAvowggHioAMCAQICCQDFOhT28TGN2jANBgkqhkiG9w0BAQsFADAyMTAwLgYDVQQDDCdSb290IExvYWRCYWxhbmNlciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjExMTI0MTUzOTQ2WhcNMjExMjI0MTUzOTQ2WjAyMTAwLgYDVQQDDCdSb290IExvYWRCYWxhbmNlciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmmCImXD+JBhT8V+Xuqrg9jgZnp7dGbpwE+RRrLiygzmNZvvMbv8izWK4hct4lHAEe8n+q1iYipZsznEQkAYJ++q8Lwr4y4vLFj2/wu+/ldTuycfGSb6wYmc4EgBN28hD/vNaD8GF+VHeslQFUuN0p5zTS
3LyhjBXskZ4xAHXUvpBbQ0nqS7IgNQ2g0en+JVrZOju46HVp6nul3bOoP+uGY0SbOhcxa+Ue31s/GeFyAtzBwgBw8NvH2ZGwB9NpK1DaOupTzsFt5f7XVBJ+txB9XKMEmLE3l+u3Sb/b3ubCpq4IhtWImP5lV1FLCdCk64ChjmB/ZAY46lD+bHwFwjZBAgMBAAGjEzARMA8GA1UdEwQIMAYBAf8CAQEwDQYJKoZIhvcNAQELBQADggEBABxmjsk9KtVe1y5r5VA37vmlw0nszk1lAx4hU+WF83DzXiO4xWhr//Jqv1bvIR1fRU3xKj/YskArflQwRHFe5oN8LuBVsYFsv/p4hVZ7IDrtYXxZIUMT+GIIanXAYFWZASK3fJvIN/rLD2V2TYQP555PuVNs3VXXcTiwLtAAlRrQlbiIuBn8JYb8Xbo/izj97NKY8E3MsDFRrdXK+tjiup6qqh2vlKd8iCBwAhb0DyP2MWzwMHOr+pEFEls2+b2/Ni40885UKhOCGJ+G+3XohA1K3CMRhAw3TayU6AMicpX+97uV1xkXgnk4SIOcE/OyhUo+dbq0JAfhFYdsx6i8OLY="
signatureExample = "MEYCIQDaJRmuxWGArjO4us5XVjukNZqQz78zAWydzBZISxXKfQIhAN47i+VSmyGVpI5WlzR5Tq4GN74l9vml0VWxyopsGtl4"
//
// 4. Update certificates central cert in ./testdata/central-ca.pem
// $ kubectl -n stackrox get secrets central-tls -o json | jq '.data["ca.pem"]' -r | base64 --decode > ./testdata/central-ca.pem
//
// TODO(ROX-8661): Make these tests not fail after cert expiration.
trustInfoExample = "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"
signatureExample = "MEUCIQCZKFQR1lgX99ZwP0LesThASckZWtxzPuuhf1oG+XelGwIgA4N3p0Rza3ZfZ3Za6Ub6loSRV8z1TWH8gszEKRxHGrA="
// invalidSignature signature signed by a different private key
invalidSignature = "MEUCIQDTYU+baqRR2RPy9Y50u5xc+ZrwrxCbqgHsgyf+QrjZQQIgJgqMmvRRvtgLU9O6WfzNifA1X8vwaBZ98CCniRH2pGs="

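Review bot: The rewritten comment drops the concrete expiry date the old text carried ("November 2022"), so the next time trustInfoExample or signatureExample expires the failure will again be undiagnosable without decoding the blobs; record the NotAfter dates next to the TODO, e.g. `// Embedded material expires: Central leaf in trustInfoExample <date>, CA in testdata/central-ca.pem <date> (check with openssl x509 -noout -dates before debugging signature failures).` The CA in testdata/central-ca.pem appears from its encoded validity to run to 2027-11-16, but the leaf inside trustInfoExample is truncated here, so its date must be filled in from the real file. The regeneration recipe in step 2 uses `openssl genrsa -des3`, which encrypts a throwaway test key with an interactive passphrase that the later `-nodes` on `req` does not remove; dropping `-des3` keeps the recipe non-interactive. Step 4's heading should read `4. Update the Central CA certificate in ./testdata/central-ca.pem`. The const block continues outside the hunk.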
26 changes: 26 additions & 0 deletions sensor/common/centralclient/testdata/additional-ca.yaml
@@ -0,0 +1,26 @@
apiVersion: v1
kind: Secret
metadata:
name: additional-ca
namespace: stackrox
type: Opaque
stringData:
"lb_ca.crt": |
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
18 changes: 9 additions & 9 deletions sensor/common/centralclient/testdata/central-ca.pem
@@ -1,12 +1,12 @@
-----BEGIN CERTIFICATE-----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VQQFExM1MjYzNzUyODEzMDg3ODI4ODAyMB4XDTIyMTExNzEzNDgwMFoXDTI3MTEx
NjEzNDgwMFowRzEnMCUGA1UEAxMeU3RhY2tSb3ggQ2VydGlmaWNhdGUgQXV0aG9y
aXR5MRwwGgYDVQQFExM1MjYzNzUyODEzMDg3ODI4ODAyMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAEwRtxkSVip+vSSnmyyRKqTsizk2UZ1cagzjgjh6Uzmy6ljWfg
e830HKF/ZDNy+DjK86gUQKbpRmFAn4r/C05x6KNCMEAwDgYDVR0PAQH/BAQDAgEG
MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFDzo2mqAjRy1qWSwDf7h+yDqebCW
MAoGCCqGSM49BAMCA0cAMEQCIB9gpvJvcW0JjlllSKu+C4j9FbdX7yBdgJwYVL8K
lykUAiAfO+glF1DxwY7gC3wkfqnsrycJsrB086zZD57ZK/aJoA==
-----END CERTIFICATE-----