From 345b0c055622b943fbc6218ad86a054c9a985574 Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Tue, 5 Nov 2024 14:11:48 -0500
Subject: [PATCH] fix(tls): use fixed-length cert CommonNames

---
 .../cryostat-operator.clusterserviceversion.yaml | 2 +-
 .../common/resource_definitions/certificates.go | 11 ++++++-----
 internal/controllers/constants/constants.go | 6 ++++++
 internal/test/resources.go | 10 +++++-----
 4 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
index 9aa26834..297b8298 100644
--- a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
@@ -30,7 +30,7 @@ metadata:
  capabilities: Seamless Upgrades
  categories: Monitoring, Developer Tools
  containerImage: quay.io/cryostat/cryostat-operator:4.0.0-dev
- createdAt: "2024-10-10T18:16:26Z"
+ createdAt: "2024-11-05T19:02:47Z"
  description: JVM monitoring and profiling tool
  operatorframework.io/initialization-resource: |-
  {
diff --git a/internal/controllers/common/resource_definitions/certificates.go b/internal/controllers/common/resource_definitions/certificates.go
index be757c74..55bf7645 100644
--- a/internal/controllers/common/resource_definitions/certificates.go
+++ b/internal/controllers/common/resource_definitions/certificates.go
@@ -20,6 +20,7 @@ import (
  certv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
  certMeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
  "github.com/cryostatio/cryostat-operator/internal/controllers/common"
+ "github.com/cryostatio/cryostat-operator/internal/controllers/constants"
  "github.com/cryostatio/cryostat-operator/internal/controllers/model"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  "k8s.io/apimachinery/pkg/runtime/schema"
@@ -62,7 +63,7 @@ func NewCryostatCACert(gvk *schema.GroupVersionKind, cr *model.CryostatInstance)
  Namespace: cr.InstallNamespace,
  },
  Spec: certv1.CertificateSpec{
- CommonName: fmt.Sprintf("ca.%s.cert-manager", cr.Name),
+ CommonName: constants.CryostatCATLSCommonName,
  SecretName: common.ClusterUniqueNameWithPrefix(gvk, "ca", cr.Name, cr.InstallNamespace),
  IssuerRef: certMeta.ObjectReference{
  Name: cr.Name + "-self-signed",
@@ -79,7 +80,7 @@ func NewCryostatCert(cr *model.CryostatInstance, keystoreSecretName string) *cer
  Namespace: cr.InstallNamespace,
  },
  Spec: certv1.CertificateSpec{
- CommonName: fmt.Sprintf("%s.%s.svc", cr.Name, cr.InstallNamespace),
+ CommonName: constants.CryostatTLSCommonName,
  DNSNames: []string{
  cr.Name,
  fmt.Sprintf("%s.%s.svc", cr.Name, cr.InstallNamespace),
@@ -115,7 +116,7 @@ func NewReportsCert(cr *model.CryostatInstance) *certv1.Certificate {
  Namespace: cr.InstallNamespace,
  },
  Spec: certv1.CertificateSpec{
- CommonName: fmt.Sprintf("%s-reports.%s.svc", cr.Name, cr.InstallNamespace),
+ CommonName: constants.ReportsTLSCommonName,
  DNSNames: []string{
  cr.Name + "-reports",
  fmt.Sprintf("%s-reports.%s.svc", cr.Name, cr.InstallNamespace),
@@ -140,7 +141,7 @@ func NewAgentCert(cr *model.CryostatInstance, namespace string, gvk *schema.Grou
  Namespace: cr.InstallNamespace,
  },
  Spec: certv1.CertificateSpec{
- CommonName: fmt.Sprintf("*.%s.pod", namespace),
+ CommonName: constants.AgentsTLSCommonName,
  DNSNames: []string{
  fmt.Sprintf("*.%s.pod", namespace),
  },
@@ -163,7 +164,7 @@ func NewAgentProxyCert(cr *model.CryostatInstance) *certv1.Certificate {
  Namespace: cr.InstallNamespace,
  },
  Spec: certv1.CertificateSpec{
- CommonName: fmt.Sprintf("%s-agent.%s.svc", cr.Name, cr.InstallNamespace),
+ CommonName: constants.AgentAuthProxyTLSCommonName,
  DNSNames: []string{
  cr.Name + "-agent",
  fmt.Sprintf("%s-agent.%s.svc", cr.Name, cr.InstallNamespace),
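Review bot: With `CommonName: constants.CryostatCATLSCommonName` every Cryostat CR in a cluster now gets a self-signed CA whose subject and issuer DN is the identical `cryostat-ca-cert-manager`, whereas the old `ca.<name>.cert-manager` told them apart; the keys still differ, so two such CAs loaded into one trust store share a name but not a key. Path builders that select an issuer by subject name normally recover through the key-identifier extensions, but a consumer that merges several Cryostat CAs into one store, or that keys a store by subject, could pair a leaf with the wrong CA; whether any such consumer exists is not visible from this hunk. If per-instance distinctness is wanted without reintroducing the length problem, the namespace (bounded to 63 characters by Kubernetes) can be carried in a separate subject attribute, e.g. `Subject: &certv1.X509Subject{OrganizationalUnits: []string{cr.InstallNamespace}}`, and a comment next to the CN should state that it is intentionally shared across instances. NewCryostatCACert starts before and ends after the hunk.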
diff --git a/internal/controllers/constants/constants.go b/internal/controllers/constants/constants.go
index 59b7bd9b..5b3b26ec 100644
--- a/internal/controllers/constants/constants.go
+++ b/internal/controllers/constants/constants.go
@@ -50,4 +50,10 @@ const (
  targetNamespaceCRLabelPrefix = "operator.cryostat.io/"
  TargetNamespaceCRNameLabel = targetNamespaceCRLabelPrefix + "name"
  TargetNamespaceCRNamespaceLabel = targetNamespaceCRLabelPrefix + "namespace"
+
+ CryostatCATLSCommonName = "cryostat-ca-cert-manager"
+ CryostatTLSCommonName = "cryostat"
+ ReportsTLSCommonName = "cryostat-reports"
+ AgentsTLSCommonName = "cryostat-agent"
+ AgentAuthProxyTLSCommonName = "cryostat-agent-proxy"
  )
diff --git a/internal/test/resources.go b/internal/test/resources.go
index 0e804e80..bcad9166 100644
--- a/internal/test/resources.go
+++ b/internal/test/resources.go
@@ -1027,7 +1027,7 @@ func (r *TestResources) NewCryostatCert() *certv1.Certificate {
  Namespace: r.Namespace,
  },
  Spec: certv1.CertificateSpec{
- CommonName: fmt.Sprintf(r.Name+".%s.svc", r.Namespace),
+ CommonName: "cryostat",
  DNSNames: []string{
  r.Name,
  fmt.Sprintf(r.Name+".%s.svc", r.Namespace),
@@ -1065,7 +1065,7 @@ func (r *TestResources) NewReportsCert() *certv1.Certificate {
  Namespace: r.Namespace,
  },
  Spec: certv1.CertificateSpec{
- CommonName: fmt.Sprintf(r.Name+"-reports.%s.svc", r.Namespace),
+ CommonName: "cryostat-reports",
  DNSNames: []string{
  r.Name + "-reports",
  fmt.Sprintf(r.Name+"-reports.%s.svc", r.Namespace),
@@ -1091,7 +1091,7 @@ func (r *TestResources) NewAgentProxyCert() *certv1.Certificate {
  Namespace: r.Namespace,
  },
  Spec: certv1.CertificateSpec{
- CommonName: fmt.Sprintf(r.Name+"-agent.%s.svc", r.Namespace),
+ CommonName: "cryostat-agent-proxy",
  DNSNames: []string{
  r.Name + "-agent",
  fmt.Sprintf(r.Name+"-agent.%s.svc", r.Namespace),
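Review bot: The five new `*TLSCommonName` constants carry no comment recording why the CommonNames stopped embedding the CR name and namespace, so nothing in the source stops a later change from reintroducing a derived CN; the title's "fixed-length" presumably refers to the 64-character `ub-common-name` bound of RFC 5280 that X.509 tooling commonly enforces, and that reasoning belongs next to the values. Suggested comment above `CryostatCATLSCommonName`: `// X.509 subject CommonName is capped at 64 characters (RFC 5280), so these are fixed strings that never embed CR names or namespaces; the per-instance hostnames live in each certificate's DNSNames (SANs), which is what modern TLS hostname verification checks.` `AgentsTLSCommonName` is also the only plural in the group; `AgentTLSCommonName` would match its siblings.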
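Review bot: In the NewCryostatCert fixture the expected CommonName is the literal `"cryostat"` while the production code in this commit emits `constants.CryostatTLSCommonName`; if the literal is deliberate, so that a silent edit to the constant fails the test, a one-line comment saying so keeps the next maintainer from "simplifying" it back to the constant, e.g. `// literal on purpose: pins the exact CN the operator must emit`. The same applies to the `"cryostat-reports"` and `"cryostat-agent-proxy"` literals in the two hunks that follow. NewCryostatCert starts before and ends after the hunk.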
@@ -1117,7 +1117,7 @@ func (r *TestResources) NewCACert() *certv1.Certificate {
  Namespace: r.Namespace,
  },
  Spec: certv1.CertificateSpec{
- CommonName: fmt.Sprintf("ca.%s.cert-manager", r.Name),
+ CommonName: "cryostat-ca-cert-manager",
  SecretName: r.getClusterUniqueNameForCA(),
  IssuerRef: certMeta.ObjectReference{
  Name: r.Name + "-self-signed",
@@ -1135,7 +1135,7 @@ func (r *TestResources) NewAgentCert(namespace string) *certv1.Certificate {
  Namespace: r.Namespace,
  },
  Spec: certv1.CertificateSpec{
- CommonName: fmt.Sprintf("*.%s.pod", namespace),
+ CommonName: "cryostat-agent",
  DNSNames: []string{
  fmt.Sprintf("*.%s.pod", namespace),
  },
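Review bot: None of the updated fixtures exercise the condition the commit fixes: the old CNs grew with `r.Name` and `r.Namespace` and presumably exceeded the 64-character subject CN limit for long values (the commit message does not say), and nothing now pins that bound. A test that builds the CA, Cryostat, reports, agent and agent-proxy certificates with a 63-character namespace and a long CR name and asserts `len(cert.Spec.CommonName) <= 64` for each would stop the limit from regressing, and the same test can assert that the long `*.<namespace>.pod` and `<name>.<namespace>.svc` entries still appear in `DNSNames`, since those SANs are what hostname verification relies on after this change. NewCACert starts before and ends after the hunk.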