Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Certificate revocation from CAS Console #28

Open
prateeknayak opened this issue Mar 7, 2021 · 2 comments
Open

Certificate revocation from CAS Console #28

prateeknayak opened this issue Mar 7, 2021 · 2 comments
Labels
triage/support Indicates an issue that is a support question.

Comments

@prateeknayak
Copy link

Hey Folks, Firstly thanks for the google-cas-issuer this really simplifies our integration with Google CAS.

While trialing this we observed the following behavior while revoking certificates

  1. if I revoke the certificate that was issued by CAS to cert-manager from the CAS console the issuer doesn't know about it. I am guessing there is no event stream or check to ascertain if the cert is still valid? Just wanted to check if it was on the roadmap or any high level plan for revocation to be handled. A workaround for me would be to set the TTL of the cert to super low ( which will start hitting api aggressively ) but it will minimize the risk with revocation.

  2. After revocation when I delete the certificate object google-cas-issuer starts spitting out errors like below

google-cas-issuer-d866f5f58-45bdm google-cas-issuer 
{
  "level": "error",
  "ts": 1615083602.4735746,
  "logger": "controller-runtime.manager.controller.certificaterequest",
  "msg": "Reconciler error",
  "reconciler group": "cert-manager.io",
  "reconciler kind": "CertificateRequest",
  "name": "demo-certificate-m27js",
  "namespace": "default",
  "error": "CertificateRequest.cert-manager.io \"demo-certificate-m27js\" not found",
  "stacktrace": "github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:132\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:297\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:248\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1.1\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext.func1\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.JitterUntilWithContext\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:185\nk8s.io/apimachinery/pkg/util/wait.UntilWithContext\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:99"
}

thing to note is if i just delete the secret, cert-manager gets a new certificate from CAS. so maybe just delete the secret to rotate / revoke the cert?

  1. When I delete the secret cert-manager gets a new cert issued via CAS but leaves the old certificate as is in the CAS issued-certificates list. I have to manually revoke it.

Overall would like to understand what is the best way to handle revocation gracefully via cert-manager.

Thanks

@jakexks
Copy link
Member

jakexks commented Mar 9, 2021

Hi @prateeknayak

  1. This is more of a question for upstream cert-manager. Currently there's no support for revocation, although the feature request has been floated before. The current recommendation is to set certificate lifetimes to a short duration. It would be interesting to learn about your use case for revocation to add some weight to the issue, come chat with us in the #cert-manager channel on Kubernetes slack or our community meetings!
    In a future release, the issuer should be able to detect the revocation of the root or intermediate CA. We're just waiting for the Google CAS API to be finalised before implementing this.
  2. That's looks like a bug, a deleted certificate has got stuck in the reconcile loop. I'll double check that. To force a renwal of an existing certificate you can use our kubectl plugin (or delete the secret): https://cert-manager.io/docs/usage/kubectl-plugin/
  3. This feature has been requested before, and is still open. Handling 'unregistering' certificates from Venafi TPP cert-manager#2178. I don't believe anything is currently on the roadmap but we can prioritise features if they have commercial interest!

@jakexks jakexks added the triage/support Indicates an issue that is a support question. label Mar 11, 2021
@jakexks
Copy link
Member

jakexks commented Mar 11, 2021

The error loop should have been fixed in v0.2.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
triage/support Indicates an issue that is a support question.
Projects
None yet
Development

No branches or pull requests

2 participants