Remove use of createcerts in Fulcio (#1834)

Simplify the Fulcio configuration by removing the createcerts job and
pre-generating the keys for Fulcio from the setup script.

This is a prerequisite to updating ctlog to accept the pre-generated
Fulcio roots as an input value rather than using createctconfig to fetch
the roots from Fulcio's rootCert HTTP endpoint.

Signed-off-by: Colleen Murphy <[email protected]>

Author: cmurphy

.github/workflows/add-remove-new-fulcio.yaml

@@ -179,6 +179,13 @@ jobs:
 
     - name: Spin up a new Fulcio with new keys
       run: |
+        pass=$(uuidgen)
+        tmp=$(mktemp -d)
+        openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -passout "pass:${pass}" -topk8 -out "${tmp}/key.pem"
+        openssl req -x509 -new -key "${tmp}/key.pem" -out "${tmp}/cert.pem" -sha256 -days 10 -subj "/O=test/CN=new.fulcio.test" -passin "pass:${pass}"
+        sed -i -e "s/<private-placeholder>/$(cat "${tmp}/key.pem" | base64 -w0)/" \
+          -e "s/<cert-placeholder>/$(cat "${tmp}/cert.pem" | base64 -w0)/" \
+          -e "s/<password-placeholder>/$(echo -n "$pass" | base64 -w0)/" testdata/config/new-fulcio/fulcio/200-secret.yaml
         ko apply -BRf ./testdata/config/new-fulcio
         kubectl wait --timeout 5m -n fulcio-system --for=condition=Ready ksvc fulcio-new
         NEW_FULCIO_URL=$(kubectl -n fulcio-system get ksvc fulcio-new -ojsonpath='{.status.url}')

README.md

@@ -184,26 +184,27 @@ entry in it called `public` that holds the public key for the Rekor.
 ## Fulcio
 
 For Fulcio we just need to create a Root Certificate that it will use to sign
-incoming Signing Certificate requests. For this we again have a Job
-‘**createcerts**’ that will create a self signed certificate, private/public
-keys as well as password used to encrypt the private key.
-Basically we need to ensure we have all the
+incoming Signing Certificate requests. For this we will need to create a self
+signed certificate, private key as well as password used to encrypt the
+private key.  Basically we need to ensure we have all the
 [necessary pieces](https://github.com/sigstore/fulcio/blob/156bc98ddacda11850d7aad5f37cda94ed160315/cmd/app/serve.go#L91-L93)
 to start up Fulcio.
 
 This ‘**createcerts**’ job just creates the pieces mentioned above and creates
 two Secrets, one called `fulcio-secrets` containing the following keys:
+These pieces can be created using openssl:
 
-* cert - Root Certificate
-* private - Private key
-* password - Password to use for decrypting the private key
-* public - Public key
+```
+pass=$(uuidgen)
+openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -passout "pass:${pass}" -topk8 -out "/pki/key.pem"
+openssl req -x509 -new -key "/pki/key.pem" -out "/pki/cert.pem" -sha256 -days 10 -subj "/O=yourorg/CN=fulcio.your.domain" -passin "pass:${pass}"
+kubectl -n fulcio-system create secret generic --from-file=private=/pki/key.pem --from-file=cert=/pki/cert.pem --from-literal=password=${pass} fulcio-secret
+```
 
 We also create another secret that just holds the public information called
-`pubkeysecret` that has two keys:
+`fulcio-pub-key` that has one key:
 
 * cert - Root Certificate
-* public - Public key
 
 And as seen already above, we modify the Deployment to not start the Pod until
 all the pieces are available, making our Deployment of Fulcio look (simplified

config/fulcio/certs/100-namespace.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: fulcio-secret
+  namespace: fulcio-system
+type: Opaque
+data:
+  password: <password-placeholder>
+  private: <private-placeholder>
+  cert: <cert-placeholder>
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: fulcio-pub-key
+  namespace: fulcio-system
+type: Opaque
+data:
+  cert: <cert-placeholder>

config/fulcio/certs/101-binding.yaml

@@ -91,17 +91,30 @@ echo '::endgroup::'
 
 # Install Fulcio and wait for it to come up
 echo '::group:: Install Fulcio'
+fulcio=$(mktemp --tmpdir fulcioXXX)
+curl -Ls -o "${fulcio}" "${FULCIO}"
 if [[ "${NEED_TO_UPDATE_FULCIO_CONFIG}" == "true" ]]; then
   echo "Fixing Fulcio config for < 1.23.X Kubernetes"
-  curl -Ls "${FULCIO}" | sed 's@https://kubernetes.default.svc.cluster.local@https://kubernetes.default.svc@' | kubectl apply -f -
-else
-  kubectl apply -f "${FULCIO}"
+  sed -i -e 's@https://kubernetes.default.svc.cluster.local@https://kubernetes.default.svc@' "${fulcio}"
 fi
+pass=$(uuidgen)
+tmp=$(mktemp -d)
+openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -passout "pass:${pass}" -topk8 -out "${tmp}/key.pem"
+openssl req -x509 -new -key "${tmp}/key.pem" -out "${tmp}/cert.pem" -sha256 -days 10 -subj "/O=test/CN=fulcio.scaffolding.test" -passin "pass:${pass}"
+cleanup() {
+    rm "${tmp}/cert.pem" "${tmp}/key.pem"
+}
+trap cleanup EXIT
+sed -i -e "s/<private-placeholder>/$(cat "${tmp}/key.pem" | base64 -w0)/" \
+  -e "s/<cert-placeholder>/$(cat "${tmp}/cert.pem" | base64 -w0)/" \
+  -e "s/<password-placeholder>/$(echo -n "$pass" | base64 -w0)/" "${fulcio}"
+kubectl apply -f "${fulcio}"
+rm "${fulcio}"
 
 kubectl get -n fulcio-system cm fulcio-config -o json
 
 echo '::group:: Wait for Fulcio ready'
-kubectl wait --timeout 5m -n fulcio-system --for=condition=Complete jobs --all
+kubectl -n fulcio-system get job 2>&1 | grep 'No resources found' || kubectl wait --timeout 5m -n fulcio-system --for=condition=Complete jobs --all
 kubectl wait --timeout 5m -n fulcio-system --for=condition=Ready ksvc fulcio
 # this checks if the requested version is > 0.4.12 (and therefore has fulcio-grpc in it)
 if [[ "${PATCH}" -gt 12 ]] || [[ "${MINOR}" -ge 5 ]]; then
@@ -132,12 +145,12 @@ kubectl apply -f "${TUF}"
 
 # Then copy the secrets (even though it's all public stuff, certs, public keys)
 # to the tuf-system namespace so that we can construct a tuf root out of it.
-kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
-kubectl -n fulcio-system get secrets fulcio-pub-key -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
-kubectl -n rekor-system get secrets rekor-pub-key -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
+kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed -e '/creationTimestamp:/d' -e '/uid:/d' -e '/resourceVersion:/d' -e 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
+kubectl -n fulcio-system get secrets fulcio-pub-key -oyaml | sed -e '/creationTimestamp:/d' -e '/uid:/d' -e '/resourceVersion:/d' -e 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
+kubectl -n rekor-system get secrets rekor-pub-key -oyaml | sed -e '/creationTimestamp:/d' -e '/uid:/d' -e '/resourceVersion:/d' -e 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
 
 if [[ "${INSTALL_TSA}" == "true" ]]; then
-kubectl -n tsa-system get secrets tsa-cert-chain -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
+kubectl -n tsa-system get secrets tsa-cert-chain -oyaml | sed -e '/creationTimestamp:/d' -e '/uid:/d' -e '/resourceVersion:/d' -e 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
 fi
 echo '::endgroup::'
 

config/fulcio/certs/101-service-account.yaml

@@ -57,15 +57,30 @@ if [[ "${NEED_TO_UPDATE_FULCIO_CONFIG}" == "true" ]]; then
   sed 's@https://kubernetes.default.svc.cluster.local@https://kubernetes.default.svc@' config/fulcio/fulcio/200-configmap.yaml > ./200-configmap-new.yaml
   mv ./200-configmap-new.yaml config/fulcio/fulcio/200-configmap.yaml
 fi
+
+pass=$(uuidgen)
+tmp=$(mktemp -d)
+openssl ecparam -name prime256v1 -genkey | openssl pkcs8 -passout "pass:${pass}" -topk8 -out "${tmp}/key.pem"
+openssl req -x509 -new -key "${tmp}/key.pem" -out "${tmp}/cert.pem" -sha256 -days 10 -subj "/O=test/CN=fulcio.scaffolding.test" -passin "pass:${pass}"
+cleanup() {
+    rm "${tmp}/cert.pem" "${tmp}/key.pem"
+}
+trap cleanup EXIT
+cp config/fulcio/fulcio/200-secret.yaml 200-secret.original.yaml
+sed -i -e "s/<private-placeholder>/$(cat "${tmp}/key.pem" | base64 -w0)/" \
+  -e "s/<cert-placeholder>/$(cat "${tmp}/cert.pem" | base64 -w0)/" \
+  -e "s/<password-placeholder>/$(echo -n "$pass" | base64 -w0)/" config/fulcio/fulcio/200-secret.yaml
+
 make ko-apply-fulcio
 echo '::endgroup::'
 
+echo "Restoring Fulcio secret placeholder"
+mv ./200-secret.original.yaml config/fulcio/fulcio/200-secret.yaml
 if [[ "${NEED_TO_UPDATE_FULCIO_CONFIG}" == "true" ]]; then
   echo "Restoring Fulcio config"
   mv ./200-configmap.yaml config/fulcio/fulcio/200-configmap.yaml
 fi
 echo '::group:: Wait for Fulcio ready'
-kubectl wait --timeout 5m -n fulcio-system --for=condition=Complete jobs --all
 kubectl wait --timeout 5m -n fulcio-system --for=condition=Ready ksvc fulcio
 kubectl wait --timeout 5m -n fulcio-system --for=condition=Ready ksvc fulcio-grpc
 echo '::endgroup::'
@@ -96,10 +111,10 @@ make ko-apply-tuf
 
 # Then copy the secrets (even though it's all public stuff, certs, public keys)
 # to the tuf-system namespace so that we can construct a tuf root out of it.
-kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
-kubectl -n fulcio-system get secrets fulcio-pub-key -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
-kubectl -n rekor-system get secrets rekor-pub-key -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
-kubectl -n tsa-system get secrets tsa-cert-chain -oyaml | sed 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
+kubectl -n ctlog-system get secrets ctlog-public-key -oyaml | sed -e '/creationTimestamp:/d' -e '/uid:/d' -e '/resourceVersion:/d' -e 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
+kubectl -n fulcio-system get secrets fulcio-pub-key -oyaml | sed -e '/creationTimestamp:/d' -e '/uid:/d' -e '/resourceVersion:/d' -e 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
+kubectl -n rekor-system get secrets rekor-pub-key -oyaml | sed -e '/creationTimestamp:/d' -e '/uid:/d' -e '/resourceVersion:/d' -e 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
+kubectl -n tsa-system get secrets tsa-cert-chain -oyaml | sed -e '/creationTimestamp:/d' -e '/uid:/d' -e '/resourceVersion:/d' -e 's/namespace: .*/namespace: tuf-system/' | kubectl apply -f -
 echo '::endgroup::'
 
 # Make sure the tuf jobs complete