SDN-5342: Signer username validation

[pperiyasamy]

In CNO we have an approver that signs certs automatically, without checking any identity information, so this PR enhances the signer to check on CSR's user name that is populated by API server upon receiving CSR request from the nodes. So it's sufficient to verify the user name before signing the CSR.

It also adds required unit tests to test signer controller, it needed to change from using kubernetes.Clientset to cnoclient.Client for accessing CSR's UpdateApproval API. This needs to be tested on OCP cluster.

cc @kyrtapz @trozet @jcaamano

[openshift-ci-robot]

@pperiyasamy: This pull request references SDN-5342 which is a valid jira issue.

In response to this:

In CNO we have an approver that signs certs automatically, without checking any identity information, so this PR enhances the signer to check on CSR's user name that is populated by API server upon receiving CSR request from the nodes. So it's sufficient to verify the user name before signing the CSR.

It also adds required unit tests to test signer controller, it needed to change from using kubernetes.Clientset to cnoclient.Client for accessing CSR's UpdateApproval API. This needs to be tested on OCP cluster.

cc @kyrtapz @trozet @jcaamano

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pperiyasamy]

/retest

[pperiyasamy]

/assign @kyrtapz @trozet @jcaamano

[pperiyasamy]

/retest

[martinkennelly]

/assign @martinkennelly

[pperiyasamy]

/testwith openshift/cluster-network-operator/master/e2e-aws-ovn-ipsec-upgrade openshift/machine-config-operator#4854

[huiran0826]

pre-merge tested it, sent CSR manually via kubectl for signing, CNO rejected that CSR which was expected.

% cat  cno-csr.yaml                               
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  generateName: ipsec-csr-ip-test-
  labels:
    k8s.ovn.org/ipsec-csr: test-node
spec:
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2lEQ0NBWEFDQVFBd1F6RUxNQWtHQTFVRUJoTUNWVk14RmpBVUJnTlZCQW9NRFc5MmJtdDFZbVZ5Ym1WMApaWE14RFRBTEJnTlZCQXNNQkd0cGJtUXhEVEFMQmdOVkJBTU1CRlJGVTFRd2dnRWlNQTBHQ1NxR1NJYjNEUUVCCkFRVUFBNElCRHdBd2dnRUtBb0lCQVFERC96ZGhpYWppVlJJQmhMeTIwR1RENWE1QTBuZEVsVXg1ckEyWHVNZ0gKL2g1Yk11SWlvOUhOR1lVdnVwU1ZZNFJhV01CbC9yRFZYQzZPenZzVk53Vk92UVlnTnlhcVJzWnJrY1lSUTAycApsT0NFWTM3VStLQXN3RDF4amxiTGp3YU56Z2hsVVU5U2c0TFY4VkorQ3JLcFZId2laelBoVGpLUVVBZTBJbHRMCmlXRmNwTit2NC9GeGdKcXRKQXZtUjFZenN0ZUVmOEFwZExvNHpyUDJuMEJzUmx5TnlTVUxDWWFFekpkbXE2QWkKckVVdEVFekVNUEtqR1ZJZzljZDlvYVpuUTZDKzlXcUQwcUttWmJXZ2piNXV5OEpmdGxKNGxqbjNRNExPZWNnNgpqUFNXZ3VIV1NMYUFzYmg2bFNMdEkydVNRNnppYlBMdkIwWTR4WnA4ZjV4ckFnTUJBQUdnQURBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFzQW00VDhHK3lUekJnWTBaeE1oeEQ0eFFWSk84Nm1FSmRsaVZMMUVsaTlIcG9Wa1MKNHRmWlpuNXdBUGhKRGtSMjZCUjJseE9hZDJYdWhCWkl0MjFqOS9CWFNtdmJpbmc2R3hva2pGWFN2VFh1eHNIUgpDdUhWZ09DcUpxN1puOCtnT0ZaMG51OGVIcUNSRDFyZjBEdUdmNWphbDN4UVhOY0xMSEo5VEFLVGdnU0lqL21GCk9QS21wMEJEL3l3VkkrWlpNQ3ZFYWNLMUhINTV6Zk1rK2VSRTlIdWVpMWk4SkswYmZqZUI5Z3BFek9ZSEhVZ2oKOTd0NHE2YkZUTnIrbTh3N3FUYzZaU0I2Z20yVUhOYTVIRUtKaXdMdWdvR0V2K0wzamZsUE5idlBReVVRbkFpVAo1TDV3RFYxV2ZBV2FHdk5saXZYWm9sVGloTFpEQWl1S25tRkRmUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo= 
  signerName: network.openshift.io/signer
  usages:
  - ipsec tunnel
  username: system:ovn-node:ip-10-0-10-68

% oc get csr -o yaml
apiVersion: v1
items:
- apiVersion: certificates.k8s.io/v1
  kind: CertificateSigningRequest
  metadata:
    creationTimestamp: "2025-03-05T08:24:45Z"
    generateName: ipsec-csr-ip-test-
    labels:
      k8s.ovn.org/ipsec-csr: test-node
    name: ipsec-csr-ip-test-ndkd8
    resourceVersion: "108541"
    uid: 85838c3f-7d56-44a6-95c3-1a617131eed6
  spec:
    extra:
      authentication.kubernetes.io/credential-id:
      - X509SHA256=daad4da1f04861c673084eb815d3eb5df80b4cc84d7570f4694c15d6f45477da
    groups:
    - system:masters
    - system:authenticated
    request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ2lEQ0NBWEFDQVFBd1F6RUxNQWtHQTFVRUJoTUNWVk14RmpBVUJnTlZCQW9NRFc5MmJtdDFZbVZ5Ym1WMApaWE14RFRBTEJnTlZCQXNNQkd0cGJtUXhEVEFMQmdOVkJBTU1CRlJGVTFRd2dnRWlNQTBHQ1NxR1NJYjNEUUVCCkFRVUFBNElCRHdBd2dnRUtBb0lCQVFERC96ZGhpYWppVlJJQmhMeTIwR1RENWE1QTBuZEVsVXg1ckEyWHVNZ0gKL2g1Yk11SWlvOUhOR1lVdnVwU1ZZNFJhV01CbC9yRFZYQzZPenZzVk53Vk92UVlnTnlhcVJzWnJrY1lSUTAycApsT0NFWTM3VStLQXN3RDF4amxiTGp3YU56Z2hsVVU5U2c0TFY4VkorQ3JLcFZId2laelBoVGpLUVVBZTBJbHRMCmlXRmNwTit2NC9GeGdKcXRKQXZtUjFZenN0ZUVmOEFwZExvNHpyUDJuMEJzUmx5TnlTVUxDWWFFekpkbXE2QWkKckVVdEVFekVNUEtqR1ZJZzljZDlvYVpuUTZDKzlXcUQwcUttWmJXZ2piNXV5OEpmdGxKNGxqbjNRNExPZWNnNgpqUFNXZ3VIV1NMYUFzYmg2bFNMdEkydVNRNnppYlBMdkIwWTR4WnA4ZjV4ckFnTUJBQUdnQURBTkJna3Foa2lHCjl3MEJBUXNGQUFPQ0FRRUFzQW00VDhHK3lUekJnWTBaeE1oeEQ0eFFWSk84Nm1FSmRsaVZMMUVsaTlIcG9Wa1MKNHRmWlpuNXdBUGhKRGtSMjZCUjJseE9hZDJYdWhCWkl0MjFqOS9CWFNtdmJpbmc2R3hva2pGWFN2VFh1eHNIUgpDdUhWZ09DcUpxN1puOCtnT0ZaMG51OGVIcUNSRDFyZjBEdUdmNWphbDN4UVhOY0xMSEo5VEFLVGdnU0lqL21GCk9QS21wMEJEL3l3VkkrWlpNQ3ZFYWNLMUhINTV6Zk1rK2VSRTlIdWVpMWk4SkswYmZqZUI5Z3BFek9ZSEhVZ2oKOTd0NHE2YkZUTnIrbTh3N3FUYzZaU0I2Z20yVUhOYTVIRUtKaXdMdWdvR0V2K0wzamZsUE5idlBReVVRbkFpVAo1TDV3RFYxV2ZBV2FHdk5saXZYWm9sVGloTFpEQWl1S25tRkRmUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo=
    signerName: network.openshift.io/signer
    usages:
    - ipsec tunnel
    username: system:admin
  status:
    conditions:
    - lastTransitionTime: "2025-03-05T08:24:45Z"
      lastUpdateTime: "2025-03-05T08:24:45Z"
      message: Certificate Signing Request is set with invalid user name, can't sign
        it
      reason: CSRInvalidUser
      status: "True"
      type: Failed
kind: List
metadata:
  resourceVersion: ""

[martinkennelly]

is there a e2e test somewhere to validate this code works for ipsec?
Looks good to me - nice PR! I like switching to ocp crypto lib too! Was there a reason you switched in this PR?

[pperiyasamy]

is there a e2e test somewhere to validate this code works for ipsec?

This is being tested in the ipsec install CI lanes while configuring IPsec in the ipsec init container here, so i think we may not need an e2e test specifically for this.

I like switching to ocp crypto lib too! Was there a reason you switched in this PR?

This is just to reuse library-go utility to create CA which aligns with OCP (instead of CNO creating its own self signed cert) for the unit test.

[pperiyasamy]

/retest-required

[martinkennelly]

@pperiyasamy How can i validate this works in the CI? link?

[martinkennelly]

@pperiyasamy can you point me to the jobs that execute it? e2e-ovn-ipsec-step-registry && e2e-metal-ipi-ovn-ipv6-ipsec ? And post install, can you point me to the origin tests ? I want to educate myself.
I looked here but couldnt find ipsec tests. https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-network-operator/2560/pull-ci-openshift-cluster-network-operator-master-e2e-ovn-ipsec-step-registry/1899044072979435520/artifacts/e2e-ovn-ipsec-step-registry/openshift-e2e-test/artifacts/e2e.log

[pperiyasamy]

@pperiyasamy can you point me to the jobs that execute it? e2e-ovn-ipsec-step-registry && e2e-metal-ipi-ovn-ipv6-ipsec ? And post install, can you point me to the origin tests ? I want to educate myself. I looked here but couldnt find ipsec tests. https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-network-operator/2560/pull-ci-openshift-cluster-network-operator-master-e2e-ovn-ipsec-step-registry/1899044072979435520/artifacts/e2e-ovn-ipsec-step-registry/openshift-e2e-test/artifacts/e2e.log

@martinkennelly currently these jobs only verifies the ipsec deployment and runs regular e2e test suite but doesn't run ipsec specific tests. IPsec tests are run with CI lane introduced with this PR openshift/release#61740.

[martinkennelly]

ack - do you think its valuable to at least do a run-with command to the bot in-order to test that PR with this?

[martinkennelly]

Peri, the e2e test suite thats run for the current ip sec jobs would verify this PR is working because intra node traffic wouldnt work if this PR failed right?

[pperiyasamy]

yes @martinkennelly , this particular PR change is already validated in e2e-ovn-ipsec-step-registry job, otherwise ipsec pods would have crashed.

openshift-ovn-kubernetes                           ovn-ipsec-host-2jbff                                              2/2     Running                  0               63m     10.0.125.165   ip-10-0-125-165.ec2.internal   <none>           <none>
openshift-ovn-kubernetes                           ovn-ipsec-host-fzmsx                                              2/2     Running                  0               63m     10.0.120.83    ip-10-0-120-83.ec2.internal    <none>           <none>
openshift-ovn-kubernetes                           ovn-ipsec-host-qc2hv                                              2/2     Running                  0               63m     10.0.101.188   ip-10-0-101-188.ec2.internal   <none>           <none>
openshift-ovn-kubernetes                           ovn-ipsec-host-rm5sl                                              2/2     Running                  0               63m     10.0.14.92     ip-10-0-14-92.ec2.internal     <none>           <none>
openshift-ovn-kubernetes                           ovn-ipsec-host-tbqlt                                              2/2     Running                  0               63m     10.0.112.193   ip-10-0-112-193.ec2.internal   <none>           <none>
openshift-ovn-kubernetes                           ovn-ipsec-host-wc5v2                                              2/2     Running                  0               63m     10.0.29.102    ip-10-0-29-102.ec2.internal    <none>           <none>

[martinkennelly]

/lgtm

[pperiyasamy]

/retest

[pperiyasamy]

/retest-required

[trozet]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: martinkennelly, pperiyasamy, trozet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [trozet]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[trozet]

@pperiyasamy this is a step in the right direction, but I don't think it encompasses everything we need for SDN-5342. In that JIRA it talks about including the kubelet certificate in the CSR so that we can then compare the can confirm the identity, rather than just someone sending us a valid node name.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 2ca824b and 2 for PR HEAD c88f5d8 in total

[pperiyasamy]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 2ca824b and 2 for PR HEAD c88f5d8 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 66f0e13 and 1 for PR HEAD c88f5d8 in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 66f0e13 and 2 for PR HEAD c88f5d8 in total

[pperiyasamy]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 66f0e13 and 2 for PR HEAD c88f5d8 in total

[pperiyasamy]

/retest-required

[openshift-ci]

@pperiyasamy: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	c88f5d8	link	false	/test security
ci/prow/4.19-upgrade-from-stable-4.18-e2e-aws-ovn-upgrade	c88f5d8	link	false	/test 4.19-upgrade-from-stable-4.18-e2e-aws-ovn-upgrade
ci/prow/e2e-vsphere-ovn-dualstack-primaryv6	c88f5d8	link	false	/test e2e-vsphere-ovn-dualstack-primaryv6
ci/prow/4.19-upgrade-from-stable-4.18-e2e-azure-ovn-upgrade	c88f5d8	link	false	/test 4.19-upgrade-from-stable-4.18-e2e-azure-ovn-upgrade
ci/prow/4.19-upgrade-from-stable-4.18-e2e-gcp-ovn-upgrade	c88f5d8	link	false	/test 4.19-upgrade-from-stable-4.18-e2e-gcp-ovn-upgrade
ci/prow/e2e-aws-hypershift-ovn-kubevirt	c88f5d8	link	false	/test e2e-aws-hypershift-ovn-kubevirt

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[pperiyasamy]

/retest-required

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: cluster-network-operator
This PR has been included in build cluster-network-operator-container-v4.20.0-202504101220.p0.ga1283bf.assembly.stream.el9.
All builds following this will include this PR.