From cb21560b9174ed49d33cf974600bb2b5cf69fc62 Mon Sep 17 00:00:00 2001
From: Dylan Griffith <dyl.griffith@gmail.com>
Date: Tue, 24 Jul 2018 16:34:39 +0100
Subject: [PATCH] Ensure CA + Tiller cert never expire and Helm client cert
 expires quickly

---
 app/models/clusters/applications/helm.rb      |  6 ++---
 lib/gitlab/kubernetes/helm/certificate.rb     |  9 ++++---
 .../kubernetes/helm/certificate_spec.rb       | 27 +++++++++++++++++++
 .../models/clusters/applications/helm_spec.rb |  3 +++
 .../clusters/applications/ingress_spec.rb     |  3 +++
 .../clusters/applications/jupyter_spec.rb     |  3 +++
 .../clusters/applications/prometheus_spec.rb  |  3 +++
 .../clusters/applications/runner_spec.rb      |  3 +++
 8 files changed, 51 insertions(+), 6 deletions(-)
 create mode 100644 spec/lib/gitlab/kubernetes/helm/certificate_spec.rb

diff --git a/app/models/clusters/applications/helm.rb b/app/models/clusters/applications/helm.rb
index f08224e94c2..0004997e1a0 100644
--- a/app/models/clusters/applications/helm.rb
+++ b/app/models/clusters/applications/helm.rb
@@ -31,8 +31,7 @@ module Clusters
       end
 
       def issue_cert
-        ca_cert_obj
-          .issue
+        ca_cert_obj.issue
       end
 
       def set_initial_status
@@ -42,7 +41,8 @@ module Clusters
       end
 
       def install_command
-        tiller_cert = issue_cert
+        tiller_cert = ca_cert_obj.issue(expires_in: Gitlab::Kubernetes::Helm::Certificate::INFINITE_EXPIRY)
+
         Gitlab::Kubernetes::Helm::InitCommand.new(
           name: name,
           files: {
diff --git a/lib/gitlab/kubernetes/helm/certificate.rb b/lib/gitlab/kubernetes/helm/certificate.rb
index dc8f4ca2489..d5afc737654 100644
--- a/lib/gitlab/kubernetes/helm/certificate.rb
+++ b/lib/gitlab/kubernetes/helm/certificate.rb
@@ -2,6 +2,9 @@ module Gitlab
   module Kubernetes
     module Helm
       class Certificate
+        INFINITE_EXPIRY = 1000.years
+        SHORT_EXPIRY = 30.minutes
+
         attr_reader :key, :cert
 
         def key_string
@@ -27,7 +30,7 @@ module Gitlab
           cert = OpenSSL::X509::Certificate.new
           cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
           cert.not_before = Time.now
-          cert.not_after = Time.now + 365 * 24 * 60 * 60
+          cert.not_after = INFINITE_EXPIRY.from_now
           cert.public_key = public_key
           cert.serial = 0x0
           cert.version = 2
@@ -44,7 +47,7 @@ module Gitlab
           new(key, cert)
         end
 
-        def issue
+        def issue(expires_in: SHORT_EXPIRY)
           key = OpenSSL::PKey::RSA.new(4096)
           public_key = key.public_key
 
@@ -54,7 +57,7 @@ module Gitlab
           cert.subject = OpenSSL::X509::Name.parse(subject)
           cert.issuer = self.cert.subject
           cert.not_before = Time.now
-          cert.not_after = Time.now + 365 * 24 * 60 * 60
+          cert.not_after = expires_in.from_now
           cert.public_key = public_key
           cert.serial = 0x0
           cert.version = 2
diff --git a/spec/lib/gitlab/kubernetes/helm/certificate_spec.rb b/spec/lib/gitlab/kubernetes/helm/certificate_spec.rb
new file mode 100644
index 00000000000..f8d00c95a36
--- /dev/null
+++ b/spec/lib/gitlab/kubernetes/helm/certificate_spec.rb
@@ -0,0 +1,27 @@
+require 'spec_helper'
+
+describe Gitlab::Kubernetes::Helm::Certificate do
+  describe '.generate_root' do
+    subject { described_class.generate_root }
+
+    it 'should generate a root CA that expires a long way in the future' do
+      expect(subject.cert.not_after).to be > 999.years.from_now
+    end
+  end
+
+  describe '#issue' do
+    subject { described_class.generate_root.issue }
+
+    it 'should generate a cert that expires soon' do
+      expect(subject.cert.not_after).to be < 60.minutes.from_now
+    end
+
+    context 'passing in INFINITE_EXPIRY' do
+      subject { described_class.generate_root.issue(expires_in: described_class::INFINITE_EXPIRY) }
+
+      it 'should generate a cert that expires a long way in the future' do
+        expect(subject.cert.not_after).to be > 999.years.from_now
+      end
+    end
+  end
+end
diff --git a/spec/models/clusters/applications/helm_spec.rb b/spec/models/clusters/applications/helm_spec.rb
index 535e9f15919..6396048492e 100644
--- a/spec/models/clusters/applications/helm_spec.rb
+++ b/spec/models/clusters/applications/helm_spec.rb
@@ -43,6 +43,9 @@ describe Clusters::Applications::Helm do
 
       expect(subject.files[:'cert.pem']).to be_present
       expect(subject.files[:'key.pem']).to be_present
+
+      cert = OpenSSL::X509::Certificate.new(subject.files[:'cert.pem'])
+      expect(cert.not_after).to be > 999.years.from_now
     end
   end
 end
diff --git a/spec/models/clusters/applications/ingress_spec.rb b/spec/models/clusters/applications/ingress_spec.rb
index 6426818d349..c76aae432f9 100644
--- a/spec/models/clusters/applications/ingress_spec.rb
+++ b/spec/models/clusters/applications/ingress_spec.rb
@@ -108,6 +108,9 @@ describe Clusters::Applications::Ingress do
 
       expect(subject[:'cert.pem']).to be_present
       expect(subject[:'key.pem']).to be_present
+
+      cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+      expect(cert.not_after).to be < 60.minutes.from_now
     end
   end
 end
diff --git a/spec/models/clusters/applications/jupyter_spec.rb b/spec/models/clusters/applications/jupyter_spec.rb
index 4a470bbea74..a8cf44ac8a8 100644
--- a/spec/models/clusters/applications/jupyter_spec.rb
+++ b/spec/models/clusters/applications/jupyter_spec.rb
@@ -53,6 +53,9 @@ describe Clusters::Applications::Jupyter do
 
       expect(subject[:'cert.pem']).to be_present
       expect(subject[:'key.pem']).to be_present
+
+      cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+      expect(cert.not_after).to be < 60.minutes.from_now
     end
 
     context 'when the helm application does not have a ca_cert' do
diff --git a/spec/models/clusters/applications/prometheus_spec.rb b/spec/models/clusters/applications/prometheus_spec.rb
index c506d3a69e2..313bd741f88 100644
--- a/spec/models/clusters/applications/prometheus_spec.rb
+++ b/spec/models/clusters/applications/prometheus_spec.rb
@@ -168,6 +168,9 @@ describe Clusters::Applications::Prometheus do
 
       expect(subject[:'cert.pem']).to be_present
       expect(subject[:'key.pem']).to be_present
+
+      cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+      expect(cert.not_after).to be < 60.minutes.from_now
     end
 
     context 'when the helm application does not have a ca_cert' do
diff --git a/spec/models/clusters/applications/runner_spec.rb b/spec/models/clusters/applications/runner_spec.rb
index ab37603e4ec..65aaa1ee882 100644
--- a/spec/models/clusters/applications/runner_spec.rb
+++ b/spec/models/clusters/applications/runner_spec.rb
@@ -49,6 +49,9 @@ describe Clusters::Applications::Runner do
 
       expect(subject[:'cert.pem']).to be_present
       expect(subject[:'key.pem']).to be_present
+
+      cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+      expect(cert.not_after).to be < 60.minutes.from_now
     end
 
     context 'when the helm application does not have a ca_cert' do