openziti / helm-charts

various helm charts for openziti-test-kitchen projects
https://openziti.io/helm-charts/
Apache License 2.0

Current trust-bundle (ca-bundle.yaml) produces duplicate root CA entries #119

Open jan94 opened 1 year ago

jan94 commented 1 year ago

Currently, the ca-bundle has duplicate entries for each Root CA.

openssl storeutl -noout -text -certs ctrl-plane-cas.crt
0: Certificate
Certificate:
    Data:
        ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=ziti-controller-ctrl-plane-root
        Validity
            Not Before: Jun 30 12:36:32 2023 GMT
            Not After : Jul  7 12:36:32 2033 GMT
        Subject: CN=ziti-controller-ctrl-plane-root
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
    ...
    Signature Algorithm: ecdsa-with-SHA256
    ...
1: Certificate
Certificate:
    Data:
        ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=ziti-controller-ctrl-plane-root
        Validity
            Not Before: Jun 30 12:36:32 2023 GMT
            Not After : Jul  7 12:36:32 2033 GMT
        Subject: CN=ziti-controller-ctrl-plane-root
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
    ...            
    Signature Algorithm: ecdsa-with-SHA256
    ...
2: Certificate
Certificate:
    Data:
        ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=tds-openziti-base-controller-edge-root
        Validity
            Not Before: Jun 30 12:36:34 2023 GMT
            Not After : Jul  7 12:36:34 2033 GMT
        Subject: CN=tds-openziti-base-controller-edge-root
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
    ...
    Signature Algorithm: ecdsa-with-SHA256
3: Certificate
Certificate:
    Data:
        ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=tds-openziti-base-controller-edge-root
        Validity
            Not Before: Jun 30 12:36:34 2023 GMT
            Not After : Jul  7 12:36:34 2033 GMT
        Subject: CN=tds-openziti-base-controller-edge-root
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
    ...            
    Signature Algorithm: ecdsa-with-SHA256
    ...
4: Certificate
Certificate:
    Data:
        ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=ziti-controller-web-root
        Validity
            Not Before: Jun 30 12:36:32 2023 GMT
            Not After : Jul  7 12:36:32 2033 GMT
        Subject: CN=ziti-controller-web-root
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
    ...
    Signature Algorithm: ecdsa-with-SHA256
    ...
5: Certificate
Certificate:
    Data:
       ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=ziti-controller-web-root
        Validity
            Not Before: Jun 30 12:36:32 2023 GMT
            Not After : Jul  7 12:36:32 2033 GMT
        Subject: CN=ziti-controller-web-root
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
    ...
    Signature Algorithm: ecdsa-with-SHA256
    ...
Total found: 6

Solution: Remove the following secrets from the trust-bundle:

Also it would be good to directly include the root certs and not the intermediate ones. Although this produces the same output, it improves readability and clarity a lot. So the outcome would be that there are just the Root CA certs for ctrl-plane, web-identity and edge-signing.

jan94 commented 1 year ago

Linked to https://github.com/openziti/helm-charts/issues/117

qrkourier commented 1 year ago

Pruning those ca.crt data from the Bundle may be best. I haven't done that yet because someone, maybe me, still needs to analyze whether any predictable scenario would cause those root CAs to be needed. For example, when an alternative issuer is configured in the controller chart's Helm values.

The redundancy is functionally harmless because Ziti de-duplicates root CAs when they're aggregated to compute the well-known trust bundle that's used by clients to verify Ziti's server certs.

I agree the opportunity to optimize here is a more readable and understandable Bundle template and resultant ConfigMap.
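As an added example (not code from this repository or from either commenter), the following standalone Python script does what the `openssl storeutl` listing above and the Ziti de-duplication described by qrkourier do, but against the raw PEM bundle: it splits the bundle into certificate blocks, fingerprints each one by the SHA-256 of its DER bytes (the same value `openssl x509 -noout -fingerprint -sha256` prints), reports which positions carry the same certificate, and emits a bundle with each distinct certificate kept once. The sample bundle is constructed: its "certificates" are placeholder base64 payloads, not real X.509 data, arranged like the issue's output (six entries, three distinct roots, each present twice).

```python
import base64
import hashlib
import re

# Matches one PEM certificate block; DOTALL so the base64 body may span lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_certs(bundle_text):
    """Return the PEM certificate blocks of a bundle in their original order."""
    return [m.group(0) for m in PEM_CERT_RE.finditer(bundle_text)]


def der_fingerprint(pem_block):
    """SHA-256 over the decoded DER bytes.

    Whitespace and line wrapping inside the base64 body are ignored, so two
    copies of the same certificate compare equal even if one was re-wrapped
    when it was pasted into a Helm template.
    """
    body = PEM_CERT_RE.match(pem_block).group(1)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest()


def find_duplicates(bundle_text):
    """Map fingerprint -> list of 0-based positions, only for certs seen more than once.

    Positions use the same numbering as `openssl storeutl` output.
    """
    positions = {}
    for idx, block in enumerate(split_pem_certs(bundle_text)):
        positions.setdefault(der_fingerprint(block), []).append(idx)
    return {fp: pos for fp, pos in positions.items() if len(pos) > 1}


def dedupe_bundle(bundle_text):
    """Return a bundle with each distinct certificate kept once (first occurrence wins)."""
    unique = {}
    for block in split_pem_certs(bundle_text):
        unique.setdefault(der_fingerprint(block), block)
    return "\n".join(unique.values()) + "\n"


def _fake_pem(label, width=64):
    """Constructed placeholder PEM block; the payload is NOT a real certificate."""
    body = base64.b64encode(f"placeholder DER for {label}".encode()).decode()
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


# Constructed sample mirroring the issue: three roots, each listed twice.
# The second copy of each is wrapped at 16 characters to show that layout
# differences do not defeat fingerprint-based de-duplication.
SAMPLE_BUNDLE = "\n".join([
    _fake_pem("ctrl-plane-root"), _fake_pem("ctrl-plane-root", width=16),
    _fake_pem("edge-root"), _fake_pem("edge-root", width=16),
    _fake_pem("web-root"), _fake_pem("web-root", width=16),
]) + "\n"


if __name__ == "__main__":
    print(f"Total found: {len(split_pem_certs(SAMPLE_BUNDLE))}")
    for fp, pos in find_duplicates(SAMPLE_BUNDLE).items():
        print(f"duplicate {fp[:16]}... at positions {pos}")
    cleaned = dedupe_bundle(SAMPLE_BUNDLE)
    print(f"After de-duplication: {len(split_pem_certs(cleaned))}")
```

Run it against a real bundle by reading the file into `find_duplicates` instead of `SAMPLE_BUNDLE`; the fingerprints it prints can be cross-checked with `openssl x509 -noout -fingerprint -sha256` on each block. Fingerprinting the DER rather than comparing the PEM text is the point: re-wrapped or re-indented copies of the same root are still the same trust anchor, which is also why the redundancy is harmless once Ziti aggregates the bundle.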