Ensure CA + Tiller cert never expire and Helm client cert expires quickly

2018-07-24 16:34:39 +01:00 · 2018-07-24 16:34:39 +01:00 · cb21560b91
commit cb21560b91
parent 039a8ebdd4
8 changed files with 51 additions and 6 deletions
--- a/app/models/clusters/applications/helm.rb
+++ b/app/models/clusters/applications/helm.rb
@ -31,8 +31,7 @@ module Clusters
      end

      def issue_cert
-        ca_cert_obj
-          .issue
+        ca_cert_obj.issue
      end

      def set_initial_status
@ -42,7 +41,8 @@ module Clusters
      end

      def install_command
-        tiller_cert = issue_cert
+        tiller_cert = ca_cert_obj.issue(expires_in: Gitlab::Kubernetes::Helm::Certificate::INFINITE_EXPIRY)
+
        Gitlab::Kubernetes::Helm::InitCommand.new(
          name: name,
          files: {
--- a/lib/gitlab/kubernetes/helm/certificate.rb
+++ b/lib/gitlab/kubernetes/helm/certificate.rb
@ -2,6 +2,9 @@ module Gitlab
  module Kubernetes
    module Helm
      class Certificate
+        INFINITE_EXPIRY = 1000.years
+        SHORT_EXPIRY = 30.minutes
+
        attr_reader :key, :cert

        def key_string
@ -27,7 +30,7 @@ module Gitlab
          cert = OpenSSL::X509::Certificate.new
          cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
          cert.not_before = Time.now
-          cert.not_after = Time.now + 365 * 24 * 60 * 60
+          cert.not_after = INFINITE_EXPIRY.from_now
          cert.public_key = public_key
          cert.serial = 0x0
          cert.version = 2
@ -44,7 +47,7 @@ module Gitlab
          new(key, cert)
        end

-        def issue
+        def issue(expires_in: SHORT_EXPIRY)
          key = OpenSSL::PKey::RSA.new(4096)
          public_key = key.public_key

@ -54,7 +57,7 @@ module Gitlab
          cert.subject = OpenSSL::X509::Name.parse(subject)
          cert.issuer = self.cert.subject
          cert.not_before = Time.now
-          cert.not_after = Time.now + 365 * 24 * 60 * 60
+          cert.not_after = expires_in.from_now
          cert.public_key = public_key
          cert.serial = 0x0
          cert.version = 2
--- a/spec/lib/gitlab/kubernetes/helm/certificate_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/certificate_spec.rb
@ -0,0 +1,27 @@
+require 'spec_helper'
+
+describe Gitlab::Kubernetes::Helm::Certificate do
+  describe '.generate_root' do
+    subject { described_class.generate_root }
+
+    it 'should generate a root CA that expires a long way in the future' do
+      expect(subject.cert.not_after).to be > 999.years.from_now
+    end
+  end
+
+  describe '#issue' do
+    subject { described_class.generate_root.issue }
+
+    it 'should generate a cert that expires soon' do
+      expect(subject.cert.not_after).to be < 60.minutes.from_now
+    end
+
+    context 'passing in INFINITE_EXPIRY' do
+      subject { described_class.generate_root.issue(expires_in: described_class::INFINITE_EXPIRY) }
+
+      it 'should generate a cert that expires a long way in the future' do
+        expect(subject.cert.not_after).to be > 999.years.from_now
+      end
+    end
+  end
+end
--- a/spec/models/clusters/applications/helm_spec.rb
+++ b/spec/models/clusters/applications/helm_spec.rb
@ -43,6 +43,9 @@ describe Clusters::Applications::Helm do

      expect(subject.files[:'cert.pem']).to be_present
      expect(subject.files[:'key.pem']).to be_present
+
+      cert = OpenSSL::X509::Certificate.new(subject.files[:'cert.pem'])
+      expect(cert.not_after).to be > 999.years.from_now
    end
  end
 end
--- a/spec/models/clusters/applications/ingress_spec.rb
+++ b/spec/models/clusters/applications/ingress_spec.rb
@ -108,6 +108,9 @@ describe Clusters::Applications::Ingress do

      expect(subject[:'cert.pem']).to be_present
      expect(subject[:'key.pem']).to be_present
+
+      cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+      expect(cert.not_after).to be < 60.minutes.from_now
    end
  end
 end
--- a/spec/models/clusters/applications/jupyter_spec.rb
+++ b/spec/models/clusters/applications/jupyter_spec.rb
@ -53,6 +53,9 @@ describe Clusters::Applications::Jupyter do

      expect(subject[:'cert.pem']).to be_present
      expect(subject[:'key.pem']).to be_present
+
+      cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+      expect(cert.not_after).to be < 60.minutes.from_now
    end

    context 'when the helm application does not have a ca_cert' do
--- a/spec/models/clusters/applications/prometheus_spec.rb
+++ b/spec/models/clusters/applications/prometheus_spec.rb
@ -168,6 +168,9 @@ describe Clusters::Applications::Prometheus do

      expect(subject[:'cert.pem']).to be_present
      expect(subject[:'key.pem']).to be_present
+
+      cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+      expect(cert.not_after).to be < 60.minutes.from_now
    end

    context 'when the helm application does not have a ca_cert' do
--- a/spec/models/clusters/applications/runner_spec.rb
+++ b/spec/models/clusters/applications/runner_spec.rb
@ -49,6 +49,9 @@ describe Clusters::Applications::Runner do

      expect(subject[:'cert.pem']).to be_present
      expect(subject[:'key.pem']).to be_present
+
+      cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+      expect(cert.not_after).to be < 60.minutes.from_now
    end

    context 'when the helm application does not have a ca_cert' do