fix(certs): update checkAndRotate to use current durations (#4800)

Updates the checkAndRotate method to update certs with the current
validity duration specified in the MeshConfig for their respective
cert type. Adds a certType to the certificate struct that is used
to lookup validity duration when calling IssuingCertificates.
Updates shouldRotate to check if the cert needs to be rotated due
to an in-progress root certificate rotation. 

Signed-off-by: jaellio <[email protected]>

Author: jaellio

cmd/osm-controller/osm-controller.go

@@ -242,7 +242,7 @@ func main() {
 	proxyRegistry := registry.NewProxyRegistry(proxyMapper, msgBroker)
 	go proxyRegistry.ReleaseCertificateHandler(certManager, stop)
 
-	adsCert, err := certManager.IssueCertificate(xdsServerCertificateCommonName, certificate.WithValidityPeriod(constants.XDSCertificateValidityPeriod))
+	adsCert, err := certManager.IssueCertificate(xdsServerCertificateCommonName, certificate.Internal)
 	if err != nil {
 		events.GenericEventRecorder().FatalEvent(err, events.CertificateIssuanceFailure, "Error issuing XDS certificate to ADS server")
 	}

go.mod

@@ -75,6 +75,7 @@ require (
 	github.com/moby/sys/mountinfo v0.6.2 // indirect
 	github.com/stretchr/objx v0.3.0 // indirect
 	golang.org/x/net v0.0.0-20220607020251-c690dde0001d // indirect
+	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d // indirect
 	google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac // indirect
 	honnef.co/go/tools v0.1.1 // indirect
@@ -356,7 +357,6 @@ require (
 	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd // indirect
 	golang.org/x/mod v0.4.2 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect

go.sum

@@ -2341,9 +2341,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f h1:Ax0t5p6N38Ga0dThY21weqDEyz2oklo4IvDkpigvkD8=
-golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180117170059-2c42eef0765b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=

pkg/certificate/certificate.go

@@ -1,7 +1,6 @@
 package certificate
 
 import (
-	"math/rand"
 	time "time"
 
 	"github.com/rs/zerolog/log"
@@ -69,18 +68,6 @@ func (c *Certificate) GetTrustedCAs() pem.RootCertificate {
 	return c.TrustedCAs
 }
 
-// ShouldRotate determines whether a certificate should be rotated.
-func (c *Certificate) ShouldRotate() bool {
-	// The certificate is going to expire at a timestamp T
-	// We want to renew earlier. How much earlier is defined in renewBeforeCertExpires.
-	// We add a few seconds noise to the early renew period so that certificates that may have been
-	// created at the same time are not renewed at the exact same time.
-
-	intNoise := rand.Intn(noiseSeconds) // #nosec G404
-	secondsNoise := time.Duration(intNoise) * time.Second
-	return time.Until(c.GetExpiration()) <= (RenewBeforeCertExpires + secondsNoise)
-}
-
 // NewFromPEM is a helper returning a *certificate.Certificate from the PEM components given.
 func NewFromPEM(pemCert pem.Certificate, pemKey pem.PrivateKey) (*Certificate, error) {
 	x509Cert, err := DecodePEMCertificate(pemCert)

pkg/certificate/certificate_test.go

@@ -14,19 +14,6 @@ import (
 	"github.com/openservicemesh/osm/pkg/certificate/pem"
 )
 
-func TestShouldRotate(t *testing.T) {
-	assert := tassert.New(t)
-	cert := &Certificate{
-		Expiration: time.Now().Add(-1 * time.Hour),
-	}
-	assert.True(cert.ShouldRotate())
-
-	cert = &Certificate{
-		Expiration: time.Now().Add(time.Hour),
-	}
-	assert.False(cert.ShouldRotate())
-}
-
 func TestNewFromPEM(t *testing.T) {
 	assert := tassert.New(t)
 	cn := CommonName("Test CA")

pkg/certificate/fake_manager.go

@@ -92,10 +92,12 @@ func (i *fakeIssuer) IssueCertificate(cn CommonName, validityPeriod time.Duratio
 
 // FakeCertManager is a testing helper that returns a *certificate.Manager
 func FakeCertManager() (*Manager, error) {
+	getCertValidityDuration := func() time.Duration { return validity }
 	cm, err := NewManager(
 		context.Background(),
 		&fakeMRCClient{},
-		validity,
+		getCertValidityDuration,
+		getCertValidityDuration,
 		nil,
 		1*time.Hour,
 	)

pkg/certificate/manager.go

@@ -3,6 +3,7 @@ package certificate
 import (
 	"context"
 	"errors"
+	"math/rand"
 	"sync"
 	"time"
 
@@ -16,9 +17,10 @@ import (
 )
 
 // NewManager creates a new CertificateManager with the passed MRCClient and options
-func NewManager(ctx context.Context, mrcClient MRCClient, serviceCertValidityDuration time.Duration, msgBroker *messaging.Broker, checkInterval time.Duration) (*Manager, error) {
+func NewManager(ctx context.Context, mrcClient MRCClient, getServiceCertValidityPeriod func() time.Duration, getIngressCertValidityDuration func() time.Duration, msgBroker *messaging.Broker, checkInterval time.Duration) (*Manager, error) {
 	m := &Manager{
-		serviceCertValidityDuration: serviceCertValidityDuration,
+		serviceCertValidityDuration: getServiceCertValidityPeriod,
+		ingressCertValidityDuration: getIngressCertValidityDuration,
 		msgBroker:                   msgBroker,
 	}
 
@@ -152,75 +154,119 @@ func (m *Manager) GetTrustDomain() string {
 	return m.signingIssuer.TrustDomain
 }
 
+// shouldRotate determines whether a certificate should be rotated.
+func (m *Manager) shouldRotate(c *Certificate) bool {
+	// The certificate is going to expire at a timestamp T
+	// We want to renew earlier. How much earlier is defined in renewBeforeCertExpires.
+	// We add a few seconds noise to the early renew period so that certificates that may have been
+	// created at the same time are not renewed at the exact same time.
+	intNoise := rand.Intn(noiseSeconds) // #nosec G404
+	secondsNoise := time.Duration(intNoise) * time.Second
+	renewBefore := RenewBeforeCertExpires + secondsNoise
+	if time.Until(c.GetExpiration()) <= renewBefore {
+		log.Info().Msgf("Cert %s should be rotated; expires in %+v; renewBefore is %+v",
+			c.GetCommonName(),
+			time.Until(c.GetExpiration()),
+			renewBefore)
+		return true
+	}
+
+	m.mu.Lock()
+	validatingIssuer := m.validatingIssuer
+	signingIssuer := m.signingIssuer
+	m.mu.Unlock()
+
+	// During root certificate rotation the Issuers will change. If the Manager's Issuers are
+	// different than the validating Issuer and signing Issuer IDs in the certificate, the
+	// certificate must be reissued with the correct Issuers for the current rotation stage and
+	// state. If there is no root certificate rotation in progress, the cert and Manager Issuers
+	// will match.
+	if c.signingIssuerID != signingIssuer.ID || c.validatingIssuerID != validatingIssuer.ID {
+		log.Info().Msgf("Cert %s should be rotated; in progress root certificate rotation",
+			c.GetCommonName())
+		return true
+	}
+	return false
+}
+
 func (m *Manager) checkAndRotate() {
 	// NOTE: checkAndRotate can reintroduce a certificate that has been released, thereby creating an unbounded cache.
 	// A certificate can also have been rotated already, leaving the list of issued certs stale, and we re-rotate.
 	// the latter is not a bug, but a source of inefficiency.
-
 	certs := map[string]*Certificate{}
 	m.cache.Range(func(keyIface interface{}, certInterface interface{}) bool {
 		key := keyIface.(string)
 		certs[key] = certInterface.(*Certificate)
 		return true // continue the iteration
 	})
-	for key, cert := range certs {
-		shouldRotate := cert.ShouldRotate()
-
-		word := map[bool]string{true: "will", false: "will not"}[shouldRotate]
-		log.Trace().Msgf("Cert %s %s be rotated; expires in %+v; renewBeforeCertExpires is %+v",
-			cert.GetCommonName(),
-			word,
-			time.Until(cert.GetExpiration()),
-			RenewBeforeCertExpires)
-
-		if shouldRotate {
-			opts := []IssueOption{WithValidityPeriod(m.serviceCertValidityDuration)}
-			// if the key is equal to the common name, then it was issued with FullCNProvided(). This will prevent
-			// an additional trust domain from being appended. We don't do this in every case, in case the trust domain
-			// has changed since the last issue.
-			if key == cert.CommonName.String() {
-				opts = append(opts, FullCNProvided())
-			}
-			newCert, err := m.IssueCertificate(key, opts...)
-			if err != nil {
-				// TODO(#3962): metric might not be scraped before process restart resulting from this error
-				log.Error().Err(err).Str(errcode.Kind, errcode.GetErrCodeWithMetric(errcode.ErrRotatingCert)).
-					Msgf("Error rotating cert SerialNumber=%s", cert.GetSerialNumber())
-				continue
-			}
 
-			m.msgBroker.GetCertPubSub().Pub(events.PubSubMessage{
-				Kind:   announcements.CertificateRotated,
-				NewObj: newCert,
-				OldObj: cert,
-			}, announcements.CertificateRotated.String())
+	for key, cert := range certs {
+		opts := []IssueOption{}
+		if key == cert.CommonName.String() {
+			opts = append(opts, FullCNProvided())
+		}
 
-			log.Debug().Msgf("Rotated certificate (old SerialNumber=%s) with new SerialNumber=%s", cert.SerialNumber, newCert.SerialNumber)
+		_, err := m.IssueCertificate(key, cert.certType, opts...)
+		if err != nil {
+			log.Error().Err(err).Str(errcode.Kind, errcode.GetErrCodeWithMetric(errcode.ErrRotatingCert)).
+				Msgf("Error rotating cert SerialNumber=%s", cert.GetSerialNumber())
 		}
 	}
 }
 
+func (m *Manager) getValidityDurationForCertType(ct CertType) time.Duration {
+	switch ct {
+	case Internal:
+		return constants.OSMCertificateValidityPeriod
+	case IngressGateway:
+		return m.ingressCertValidityDuration()
+	case Service:
+		return m.serviceCertValidityDuration()
+	default:
+		log.Debug().Msgf("Unknown certificate type %s provided when getting validity duration", ct)
+		return constants.OSMCertificateValidityPeriod
+	}
+}
+
+// getFromCache returns the certificate with the specified cn from cache if it exists.
+// Note: getFromCache might return an expired or invalid certificate.
 func (m *Manager) getFromCache(key string) *Certificate {
 	certInterface, exists := m.cache.Load(key)
 	if !exists {
 		return nil
 	}
 	cert := certInterface.(*Certificate)
 	log.Trace().Msgf("Certificate found in cache SerialNumber=%s", cert.GetSerialNumber())
-	if cert.ShouldRotate() {
-		log.Trace().Msgf("Certificate found in cache but has expired SerialNumber=%s", cert.GetSerialNumber())
-		return nil
-	}
 	return cert
 }
 
-// IssueCertificate implements Manager and returns a newly issued certificate from the given client.
-func (m *Manager) IssueCertificate(prefix string, opts ...IssueOption) (*Certificate, error) {
-	var err error
-	cert := m.getFromCache(prefix) // Don't call this while holding the lock
+// IssueCertificate returns a newly issued certificate from the given client
+// or an existing valid certificate from the local cache.
+func (m *Manager) IssueCertificate(prefix string, ct CertType, opts ...IssueOption) (*Certificate, error) {
+	// a singleflight group is used here to ensure that only one issueCertificate is in
+	// flight at a time for a given certificate prefix. Helps avoid a race condition if
+	// issueCertificate is called multiple times in a row for the same certificate prefix.
+	cert, err, _ := m.group.Do(prefix, func() (interface{}, error) {
+		return m.issueCertificate(prefix, ct, opts...)
+	})
+	if err != nil {
+		return nil, err
+	}
+	return cert.(*Certificate), nil
+}
 
-	options := defaultOptions(m.serviceCertValidityDuration)
+func (m *Manager) issueCertificate(prefix string, ct CertType, opts ...IssueOption) (*Certificate, error) {
+	var rotate bool
+	cert := m.getFromCache(prefix) // Don't call this while holding the lock
+	if cert != nil {
+		// check if cert needs to be rotated
+		rotate = m.shouldRotate(cert)
+		if !rotate {
+			return cert, nil
+		}
+	}
 
+	options := &issueOptions{}
 	for _, o := range opts {
 		o(options)
 	}
@@ -231,27 +277,40 @@ func (m *Manager) IssueCertificate(prefix string, opts ...IssueOption) (*Certifi
 	m.mu.Unlock()
 
 	start := time.Now()
-	if cert == nil || cert.signingIssuerID != signingIssuer.ID || cert.validatingIssuerID != validatingIssuer.ID {
-		cert, err = signingIssuer.IssueCertificate(options.formatCN(prefix, signingIssuer.TrustDomain), options.validityPeriod)
-		if err != nil {
-			return nil, err
-		}
 
-		// if we have different signing and validating issuers,
-		// create the cert's trust context
-		if validatingIssuer.ID != signingIssuer.ID {
-			cert = cert.newMergedWithRoot(validatingIssuer.CertificateAuthority)
-		}
+	validityDuration := m.getValidityDurationForCertType(ct)
+	newCert, err := signingIssuer.IssueCertificate(options.formatCN(prefix, signingIssuer.TrustDomain), validityDuration)
+	if err != nil {
+		return nil, err
+	}
 
-		cert.signingIssuerID = signingIssuer.ID
-		cert.validatingIssuerID = validatingIssuer.ID
+	// if we have different signing and validating issuers,
+	// create the cert's trust context
+	if validatingIssuer.ID != signingIssuer.ID {
+		newCert = newCert.newMergedWithRoot(validatingIssuer.CertificateAuthority)
 	}
 
-	m.cache.Store(prefix, cert)
+	newCert.signingIssuerID = signingIssuer.ID
+	newCert.validatingIssuerID = validatingIssuer.ID
 
-	log.Trace().Msgf("It took %s to issue certificate with SerialNumber=%s", time.Since(start), cert.GetSerialNumber())
+	newCert.certType = ct
+
+	m.cache.Store(prefix, newCert)
+
+	log.Trace().Msgf("It took %s to issue certificate with SerialNumber=%s", time.Since(start), newCert.GetSerialNumber())
+
+	if rotate {
+		// Certificate was rotated
+		m.msgBroker.GetCertPubSub().Pub(events.PubSubMessage{
+			Kind:   announcements.CertificateRotated,
+			NewObj: newCert,
+			OldObj: cert,
+		}, announcements.CertificateRotated.String())
+
+		log.Debug().Msgf("Rotated certificate (old SerialNumber=%s) with new SerialNumber=%s", cert.SerialNumber, newCert.SerialNumber)
+	}
 
-	return cert, nil
+	return newCert, nil
 }
 
 // ReleaseCertificate is called when a cert will no longer be needed and should be removed from the system.