Ensure CA + Tiller cert never expire and Helm client cert expires quickly

cb21560b · Dylan Griffith · 039a8ebd · cb21560b · cb21560b · cb21560b
Commit cb21560b authored Jul 24, 2018 by Dylan Griffith
8 changed files
--- a/app/models/clusters/applications/helm.rb
+++ b/app/models/clusters/applications/helm.rb
@@ -31,8 +31,7 @@ module Clusters
      end
      def issue_cert
-        ca_cert_obj
+        ca_cert_obj.issue
-          .issue
      end
      def set_initial_status
@@ -42,7 +41,8 @@ module Clusters
      end
      def install_command
-        tiller_cert = issue_cert
+        tiller_cert = ca_cert_obj.issue(expires_in: Gitlab::Kubernetes::Helm::Certificate::INFINITE_EXPIRY)
        Gitlab::Kubernetes::Helm::InitCommand.new(
          name: name,
          files: {

--- a/lib/gitlab/kubernetes/helm/certificate.rb
+++ b/lib/gitlab/kubernetes/helm/certificate.rb
@@ -2,6 +2,9 @@ module Gitlab
  module Kubernetes
    module Helm
      class Certificate
+        INFINITE_EXPIRY = 1000.years
+        SHORT_EXPIRY = 30.minutes
        attr_reader :key, :cert
        def key_string
@@ -27,7 +30,7 @@ module Gitlab
          cert = OpenSSL::X509::Certificate.new
          cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
          cert.not_before = Time.now
-          cert.not_after = Time.now + 365 * 24 * 60 * 60
+          cert.not_after = INFINITE_EXPIRY.from_now
          cert.public_key = public_key
          cert.serial = 0x0
          cert.version = 2
@@ -44,7 +47,7 @@ module Gitlab
          new(key, cert)
        end
-        def issue
+        def issue(expires_in: SHORT_EXPIRY)
          key = OpenSSL::PKey::RSA.new(4096)
          public_key = key.public_key
@@ -54,7 +57,7 @@ module Gitlab
          cert.subject = OpenSSL::X509::Name.parse(subject)
          cert.issuer = self.cert.subject
          cert.not_before = Time.now
-          cert.not_after = Time.now + 365 * 24 * 60 * 60
+          cert.not_after = expires_in.from_now
          cert.public_key = public_key
          cert.serial = 0x0
          cert.version = 2

--- a/spec/lib/gitlab/kubernetes/helm/certificate_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/certificate_spec.rb
+require 'spec_helper'
+describe Gitlab::Kubernetes::Helm::Certificate do
+  describe '.generate_root' do
+    subject { described_class.generate_root }
+    it 'should generate a root CA that expires a long way in the future' do
+      expect(subject.cert.not_after).to be > 999.years.from_now
+    end
+  end
+  describe '#issue' do
+    subject { described_class.generate_root.issue }
+    it 'should generate a cert that expires soon' do
+      expect(subject.cert.not_after).to be < 60.minutes.from_now
+    end
+    context 'passing in INFINITE_EXPIRY' do
+      subject { described_class.generate_root.issue(expires_in: described_class::INFINITE_EXPIRY) }
+      it 'should generate a cert that expires a long way in the future' do
+        expect(subject.cert.not_after).to be > 999.years.from_now
+      end
+    end
+  end
+end
--- a/spec/models/clusters/applications/helm_spec.rb
+++ b/spec/models/clusters/applications/helm_spec.rb
@@ -43,6 +43,9 @@ describe Clusters::Applications::Helm do
      expect(subject.files[:'cert.pem']).to be_present
      expect(subject.files[:'key.pem']).to be_present
+      cert = OpenSSL::X509::Certificate.new(subject.files[:'cert.pem'])
+      expect(cert.not_after).to be > 999.years.from_now
    end
  end
 end
--- a/spec/models/clusters/applications/ingress_spec.rb
+++ b/spec/models/clusters/applications/ingress_spec.rb
@@ -108,6 +108,9 @@ describe Clusters::Applications::Ingress do
      expect(subject[:'cert.pem']).to be_present
      expect(subject[:'key.pem']).to be_present
+      cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+      expect(cert.not_after).to be < 60.minutes.from_now
    end
  end
 end
--- a/spec/models/clusters/applications/jupyter_spec.rb
+++ b/spec/models/clusters/applications/jupyter_spec.rb
@@ -53,6 +53,9 @@ describe Clusters::Applications::Jupyter do
      expect(subject[:'cert.pem']).to be_present
      expect(subject[:'key.pem']).to be_present
+      cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+      expect(cert.not_after).to be < 60.minutes.from_now
    end
    context 'when the helm application does not have a ca_cert' do

--- a/spec/models/clusters/applications/prometheus_spec.rb
+++ b/spec/models/clusters/applications/prometheus_spec.rb
@@ -168,6 +168,9 @@ describe Clusters::Applications::Prometheus do
      expect(subject[:'cert.pem']).to be_present
      expect(subject[:'key.pem']).to be_present
+      cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+      expect(cert.not_after).to be < 60.minutes.from_now
    end
    context 'when the helm application does not have a ca_cert' do

--- a/spec/models/clusters/applications/runner_spec.rb
+++ b/spec/models/clusters/applications/runner_spec.rb
@@ -49,6 +49,9 @@ describe Clusters::Applications::Runner do
      expect(subject[:'cert.pem']).to be_present
      expect(subject[:'key.pem']).to be_present
+      cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+      expect(cert.not_after).to be < 60.minutes.from_now
    end
    context 'when the helm application does not have a ca_cert' do