[ca][api]: Root rotation object in cluster

[cyli]

Add a field in the API types for the new root certificate, root key, and cross-signed root certificate for use during root rotation. Also add a field to ExternalCA types to specify the root certificate that should be expected from the external CA URL.

Also, when updating the security config on cluster change, take into account whether or not this root rotation object exists.

This is stacked on top of #2038. This was merged.

[aaronlehmann]

CI is failing:

/tmp/go-build507923640/github.com/docker/swarmkit/integration/_test/_obj_test/node.go:65: rootCA.Cert undefined (type *ca.RootCA has no field or method Cert)
integration/integration_test.go:520: rootCA.Cert undefined (type ca.RootCA has no field or method Cert)

Not sure if this is expected, as the PR is marked WIP.

[cyli]

@aaronlehmann Ah sorry, I had failed to rebase this one while I was trying to track down the possible test failure in #2038. Fixing, but this one is still lacking tests for changes.

[codecov]

Codecov Report

Merging #2037 into master will decrease coverage by 0.06%.
The diff coverage is 87.8%.

@@            Coverage Diff             @@
##           master    #2037      +/-   ##
==========================================
- Coverage   54.22%   54.15%   -0.07%     
==========================================
  Files         111      111              
  Lines       19289    19332      +43     
==========================================
+ Hits        10460    10470      +10     
- Misses       7571     7612      +41     
+ Partials     1258     1250       -8

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5ae0a39...563cb1d. Read the comment docs.

[diogomonica]

typo on external

[diogomonica]

extra new line?

[cyli]

Removed

[diogomonica]

why do we call the current CACert externalCACert?

[cyli]

I added a field to api.ExternalCA specifying which root certificate should be associated with the external URL so we can make sure that only the right external URLs are being added. So during root rotation, only the external URLs with the right root certificate get added to the external URL.

This is the URL to filter for. Although I guess if we are explicitly not supporting external->external rotation, this change is probably not necessary.

[cyli]

I've renamed this variable and added a comment about why it's here

[diogomonica]

what's the difference between rCA.CACert and externalCACert?

[cyli]

rCA.CACert is the root of trust we're generally using to validate TLS certificates. externalCACert specifies which cert this external CA will use to sign - we want to match the external CA cert to the signing cert, which may be the new root cert if a root rotation is in progress. I've renamed this variable and added a comment about why it's here.

[diogomonica]

Same thing here rCA is only set one right? externalCACert always == rCA.CACert

[cyli]

It's either the new root rotation cert, which is not set to rCA.CACert yet, or it's the rCA.CACert if there is no outstanding root rotation.

[cyli]

I've renamed this variable and added a comment about why it's here

[diogomonica]

LGTM

[cyli]

This is ready for another look, whenever you have time @aaronlehmann

[aaronlehmann]

if len(certForExtCA) == 0

[aaronlehmann]

logger.Debug

[aaronlehmann]

Should we log when we skip external CAs that don't match the current cert? I think it might be difficult to understand why an external CA isn't being used. Or would that be too noisy?

[cyli]

It may be noisy, just because we update every time the cluster object is changed, as opposed to specifically when the RootCA object or external CAs are changed. I wonder if we should copy the RootCA object and externalCA objects to the server so that we can skip doing any changes if the objects themselves haven't changed...

[diogomonica]

That's a good idea.

[cyli]

Have added this functionality in e870413.

[cyli]

After a discussion with @aaronlehmann, going to explore putting the desired signing cert and key in the cluster spec instead of this root rotation object.

[diogomonica]

@cyli do we also keep the old cert/keypair for rollbacks?

[cyli]

@diogomonica I think I still need to keep the current root CA object in the api.Cluster.RootCA, and the current being rotated to object in api.Cluster.RootCA.RootRotation, but there will just be extra stuff in the spec, so rolling back could use the data in that. I may need to copy external CAs over, because currently there isn't a good way to roll those back if they're changed.

[aaronlehmann]

This is super nitpicky, but as a former C programmer I find this confusing. How about:

if a == nil && b == nil {
        return true
}
if a == nil || b == nil {
        return false
}

[cyli]

Sure. :)

[aaronlehmann]

Wondering if any harm can come from holding the lock for the whole function. I'm not sure whether we weren't before as an optimization, or because there's a long-lived operation here, or one that might deadlock.

[cyli]

It doesn't seem super long-lived, as we're not generating any new creds, so this seems relatively short. I can create a separate lock, though if we like, just for updating the security config maybe.

[aaronlehmann]

Curious why straight up reflect.DeepEqual doesn't work for this.

[cyli]

We don't actually necessarily want a reflect.DeepEqual of the whole struct - reflect.DeepEqual doesn't treat nil and empty values the same: https://play.golang.org/p/VGgZq6MVik

I figure an empty list of external CA should be the same, for our purposes, as a nil list. It also won't treat an empty map the same as a nil map (and the api.ExternalCA object has a map of options).

[aaronlehmann]

Yeah, but can this situation ever come up? I believe we are always assigning s.externalCA from the protobuf object, so I don't see how an empty map could change to a nil or vice versa.

Is the concern about the first call, before we've initialized anything in the Server struct, where nil may actually be equivalent to what we would update it to (if the protobuf object contains an empty list)?

In this case, could the function be shortened to:

if len(a) == 0 && len(b) == 0 {
        return true
}
return reflect.DeepEqual(a, b)

[cyli]

That's true - the map is created from the same object. I was writing this from the perspective of this function can be used no matter who creates the external CAs, but happy to make a change and a comment stating the assumption.

[aaronlehmann]

I think it would be easier to maintain that way. I can't see any scenario where we care about nil maps vs empty maps.

The same goes for RootCAEqualStable, except in that case you're using subtle.ConstantTimeCompare, so arguably there's a security reason to avoid using reflect.DeepEqual directly (though it's a weak one, and I'm not really sure it's worth the maintenance burden).

[cyli]

I could specifically pull those out to do subtle.ConstantTimeCompare, and reflect.DeepEqual the rest.

[aaronlehmann]

SGTM. I guess once the keys are confirmed to be equal, comparing them with reflect.DeepEqual would not yield any side channel information.

[cyli]

Done

[aaronlehmann]

Let's make this cluster.RootCA.Copy() to avoid storing a pointer into the object living in the store. Just in case we were to write into it for some reason...

[aaronlehmann]

cluster.Spec.CAConfig.ExternalCAs.Copy()

[aaronlehmann]

Wondering if we should name these something different to avoid confusing them with actual RootCA and ExternalCA objects. Not sure what to suggest, though.

[cyli]

lastSeenClusterRoot and lastSeenExternalCAs maybe?

[aaronlehmann]

SGTM

[cyli]

Done

[aaronlehmann]

extra blank line

[aaronlehmann]

LGTM

[diogomonica]

Are we ready to merge this?

[cyli]

I think so, I was just waiting for ci after removing the extra newline.