Hello!

I hope you are doing well!

We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security research to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.

Can you enable it, so that we can report it?

Thanks in advance!

PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

Watch for non standard error handling e.g. if err == nil should be if err != nil

Follow Go idioms wherever possible.

https://github.com/giantswarm/cert-operator/blob/setup-pki/service/create/service.go#L116

I think this change #63 breaks kvm install for me

I can be wrong, but let me describe what i'm getting.

I have cert-operator configured with token that we're generating here

And cert-oprator and I getting permission denied for /v1/sys/mounts path, but with token i can issue new cert (see below)?

[rs@tpad tmp]$ export VAULT_TOKEN=XXXXXXXXX
[rs@tpad tmp]$ export VAULT_ADDR=http://172.16.238.2:8200
[rs@tpad tmp]$ curl -H "X-Vault-Token: $VAULT_TOKEN" http://172.16.238.2:8200/v1/sys/mounts
{"errors":["permission denied"]}
[rs@tpad tmp]$ echo '{"ttl": "3460h", "common_name": "foobarcert.g8s.local"}' | vault write pki-g8s/issue/role-g8s -
Key                     Value
---                     -----
certificate             -----BEGIN CERTIFICATE-----
MIIDVTCCAj2gAwIBAgIUPhOQo21jqD12mbKVZs0/NndIXt8wDQYJKoZIhvcNAQEL

We reverted this value in #48, but having a timeout actually makes sense.

The CoreOS people say they usually set it to 10 minutes, FWIW.

The change to certctl to set CN and O for RBAC introduced a bug where the allowed domains were cleared for guest cluster Vault roles.

A temp fix was made to correct the allowed domains. Now certctl only sets the allowed domains if the vault role doesn't exist. This is the correct behavior and the temp fix can now be removed.

I'd like to be able to do:

kubectl get certificates -l=cluster=foobar

to grab all the certificates belonging to one cluster (grepping makes me sad)

Ideally should use exponential backoff retry logic from microkit.

Currently there is a just a single create service that both sets up the CA and issues certs. Splitting this into CA and Cert services is be a cleaner design. It also makes it easier to move the CA service to a separate CA operator in future.

Currently the cert-operator handles CA setup and issuing certs. This should be split out to a CA operator with its own TPR. The TPR should contain the default TTL for the CA which is currently a constant.

Dependabot couldn't parse the go.mod found at /go.mod.

The error Dependabot encountered was:

go: github.com/giantswarm/[email protected] requires
	gopkg.in/[email protected] requires
	gopkg.in/[email protected]: invalid version: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /opt/go/gopath/pkg/mod/cache/vcs/9241c28341fcedca6a799ab7a465dd6924dc5d94044cbfabb75778817250adfc: exit status 128:
	fatal: The remote end hung up unexpectedly

View the update logs.

Towards #giantswarm/giantswarm/1030

PKI flags should follow the naming convention

• Vault.PKI.CATTL should be Vault.PKI.CA.TTL
• Vault.PKI.CommonNameFormat should be Vault.PKI.CommonName.Format

Code of github.com/giantswarm/certctl is checked in to the vendor directory, but it's unavailable in a separate github repo (https://github.com/giantswarm/certctl responds with 404).

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update Giant Swarm Go modules (github.com/giantswarm/apiextensions/v6, github.com/giantswarm/exporterkit, github.com/giantswarm/k8sclient/v7, github.com/giantswarm/microendpoint, github.com/giantswarm/microerror, github.com/giantswarm/micrologger, github.com/giantswarm/operatorkit/v7)
• Update actions/checkout action to v3.6.0
• Update alpine Docker tag to v3.19.1
• Update architect orb to v4.38.0
• Update module github.com/hashicorp/vault/api to v1.12.1
• Update module github.com/prometheus/client_golang to v1.19.0
• Update module github.com/spf13/viper to v1.18.2
• Update module github.com/stretchr/testify to v1.9.0
• Update actions/checkout action to v4
• Update architect orb to v5
• Click on this checkbox to rebase all open PRs at once

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

• Update module github.com/giantswarm/operatorkit/v7 to v8

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

• AWS integration testing has found a problem with secrets not being deleting.
• With a large number of secrets aws-operator has problems reading them.

Need to investigate and fix as the delete watch should do this.

Hello!

I hope you are doing well!

We are a security research team. Our tool automatically detected a vulnerability in this repository. We want to disclose it responsibly. GitHub has a feature called Private vulnerability reporting, which enables security research to privately disclose a vulnerability. Unfortunately, it is not enabled for this repository.

Can you enable it, so that we can report it?

Thanks in advance!

PS: you can read about how to enable private vulnerability reporting here: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-a-repository

Currently all secrets created in default namespace. I want to be able to control this behaviour.

Current behaviour. I created TPO in namespace, but secrets created in default namespace.

apiVersion: giantswarm.io/v1
kind: Certificate
metadata:
  labels:
    clusterComponent: node-controller
    clusterID: efk16
  name: efk16-node-controller
  namespace: efk16
spec:
  allowBareDomains: true
  clusterComponent: node-controller
  clusterID: efk16
  commonName: node-controller.efk16.g8s.fra-1.giantswarm.io
  ttl: 4320h

~|⇒ kubectl get certificate -n efk16                          
NAME                    KIND
efk16-node-controller   Certificate.v1.giantswarm.io
~|⇒ kubectl get secrets -n default | grep efk16-node-controller
efk16-node-controller   Opaque                                3         11s

Expected behaviour:
If spec ->namespace is set create resulted secrets in specified namespace.

Error below can happen if the watch starts before the TPR has been created.

{"caller":"github.com/giantswarm/cert-operator/service/crt/service.go:131","info":"starting watch","time":"17-05-16 08:16:03.222"}
E0516 08:16:03.224005       1 reflector.go:199] github.com/giantswarm/cert-operator/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *certificatetpr.CustomObject: the server could not find the requested resource

We should check the TPR exists and this should be fixed in operatorkit as it applies to all operators.