Page MenuHomePhabricator
Create Task
Maniphest T365681

toolforge: kubernetes can't revoke certificates
Closed, ResolvedPublic
Actions

Description

Toolforge kubernetes uses x509 certificates as the main authentication mechanism. But as of today, it cannot revoke such certs, or check a CRL, as documented in various places upstream, and in the internet:

We should keep this in mind when dealing with stuff like T363983: [toolforge] Investigate authentication.

Some options we could explore to mitigate the consequences of this limitation include:

  • issue x509 certs with a very short lifetime, like 1 day -- this will put some additional pressure on maintain-kubeusers
  • maybe we can instrument a poor-man CRL-like mechanism via Custom Admission controllers, or Kyverno -- this is unknown as of today

Details

Related Changes in GitLab:
TitleReferenceAuthorSource BranchDest Branch
maintain-kubeusers: bump to 0.0.173-20250513143459-bcd0852brepos/cloud/toolforge/toolforge-deploy!779group_203_bot_f4d95069bb2675e4ce1fff090c1c1620bump_maintain-kubeusersmain
kubecerts: stop renewing certs on a random basisrepos/cloud/toolforge/maintain-kubeusers!69aborreroarturo-248-kubecerts-stop-renemain
maintain-kubeusers: bump to 0.0.164-20240710151051-a518392erepos/cloud/toolforge/toolforge-deploy!405ghostbump_maintain-kubeusersmain
kubecerts: only randomly select certs for renew in case they are oldrepos/cloud/toolforge/maintain-kubeusers!57aborreroarturo-156-kubecerts-only-randmain
maintain-kubeusers: bump to 0.0.163-20240710124028-b9245afdrepos/cloud/toolforge/toolforge-deploy!402ghostbump_maintain-kubeusersmain
kubecerts: have certificates lifetime to be max 10 days, renew them oftenrepos/cloud/toolforge/maintain-kubeusers!55aborreroarturo-306-kubecerts-have-certmain
Customize query in GitLab

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedLucasWerkmeisterT320140 Migrate wd-shex-infer from Toolforge GridEngine to Toolforge Kubernetes
 ResolvedmatmarexT319707 Migrate dtcheck from Toolforge GridEngine to Toolforge Kubernetes
 ResolvedLegoktmT320062 Migrate steve-adder from Toolforge GridEngine to Toolforge Kubernetes
 ResolvedLegoktmT320011 Migrate rfa-voting-history from Toolforge GridEngine to Toolforge Kubernetes
 In ProgressdcaroT194332 [builds-api,components-api,webservice,jobs-api] Make Toolforge a proper platform as a service with push-to-deploy and build packs
 ResolveddcaroT393564 [Hypothesis] WE6.3.10 start a beta for the push-to-deploy features
 In ProgresskomlaT368600 [KR] WE6.3 Introduce a sustainability scoring system for the Toolforge platform
 ResolveddcaroT375199 [Hypothesis] WE6.3.4 If we enable the automatic deployment of a minimal tool, we will be able to evaluate the end to end flow and set the groundwork for adding support for more complex tools and deployment flows.
 ResolveddcaroT362051 [components-api] First iteration of the component API
 ResolveddcaroT362066 [components-api] Develop the webhook mechanism to trigger a deployment
 OpendcaroT362071 [components-api] Add source polling build trigger
 ResolveddcaroT362076 [components-api] Add support for pre-built images (ex. python3.11, to refine)
 OpendcaroT362075 [components-api] add order to the components deployment
 OpendcaroT362077 [components-api] Add webservice support
 ResolveddcaroT362082 [components-api] Add minimal cli with build-only features
 ResolvedSlst2020T362069 [components-api] Get a skeleton of API webservice and implement `/tool/<toolname>/deploy` with single continuous job deployment only
 OpenNoneT363983 [toolforge] Investigate authentication
 Resolved aborreroT365681 toolforge: kubernetes can't revoke certificates

Event Timeline

aborrero created this task.May 23 2024, 8:59 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 23 2024, 8:59 AM
aborrero mentioned this in T365644: Remote Code Execution on svgtranslate.May 23 2024, 9:08 AM
aborrero updated the task description. (Show Details)May 23 2024, 9:16 AM
aborrero added a parent task: T363983: [toolforge] Investigate authentication.
aborrero mentioned this in T365724: [infra] Allow users to self-rotate the all the credentials.May 23 2024, 3:22 PM
komla subscribed.May 23 2024, 3:39 PM
aborrero moved this task from Backlog to Next on the User-aborrero board.Jun 3 2024, 9:22 AM
aborrero edited projects, added Toolforge (Toolforge iteration 11); removed Toolforge.Jul 2 2024, 1:14 PM
fnegri assigned this task to aborrero.Jul 2 2024, 1:18 PM
dcaro triaged this task as High priority.Jul 2 2024, 1:23 PM
dcaro edited projects, added Toolforge (Toolforge iteration 12); removed Toolforge (Toolforge iteration 11).Jul 2 2024, 1:59 PM
aborrero moved this task from Next to Doing on the User-aborrero board.Jul 8 2024, 9:35 AM
CodeReviewBot added a project: Patch-For-Review.Jul 8 2024, 1:09 PM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/55

kubecerts: have certificates lifetime to be max 10 days, renew them often

CodeReviewBot added a comment.Jul 10 2024, 12:40 PM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/55

kubecerts: have certificates lifetime to be max 10 days, renew them often

CodeReviewBot added a comment.Jul 10 2024, 12:42 PM

project_1317_bot_df3177307bed93c3f34e421e26c86e38 opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/402

maintain-kubeusers: bump to 0.0.163-20240710124028-b9245afd

CodeReviewBot added a comment.Jul 10 2024, 12:53 PM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/402

maintain-kubeusers: bump to 0.0.163-20240710124028-b9245afd

Maintenance_bot removed a project: Patch-For-Review.Jul 10 2024, 1:30 PM
CodeReviewBot added a project: Patch-For-Review.Jul 10 2024, 2:37 PM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/57

kubecerts: only randomly select certs for renew in case they are old

CodeReviewBot added a comment.Jul 10 2024, 3:10 PM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/57

kubecerts: only randomly select certs for renew in case they are old

CodeReviewBot added a comment.Jul 10 2024, 3:13 PM

project_1317_bot_df3177307bed93c3f34e421e26c86e38 opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/405

maintain-kubeusers: bump to 0.0.164-20240710151051-a518392e

CodeReviewBot added a comment.Jul 10 2024, 3:18 PM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/405

maintain-kubeusers: bump to 0.0.164-20240710151051-a518392e

Maintenance_bot removed a project: Patch-For-Review.Jul 10 2024, 3:30 PM
aborrero added a comment.Jul 11 2024, 10:18 AM

We have taken the following measures:

  • reduced the lifetime of the certificates to 10 days for new certificates
  • certs will get renewed 2 days before they expire
  • on each maintain-kubeusers loop, pick a few random old 1year lifetime certificates, and renew them with 10 days lifetime

So far the system is stable and everything seems working just fine.

The first certificates with 10 days lifetime were generated on 2024-07-10, so on 2024-07-18 we should check to see if the 2 days before expiration renewal is working as expected.

Leaving the ticket open until then.

aborrero added a comment.Jul 11 2024, 10:24 AM

there are some risks with lower lifetime values, for example 2 or 5 days:

  • if there is a problem with maintain-kubeusers, or with the k8s certificate renewal process, or some other bug, we will get a lot (if not all) certificates expired, meaning users wont be able to run their stuff on Toolforge.
  • lower lifetime values give us little margin to react and fix things. It could be a weekend, or the end of year holiday break.

So, I would rather:

  • keep a slightly higher lifetime value -- will give us some additional margin to react to failures
  • keep some amount of randomization on certificate renewal -- so not all certificates expire on the same day, and not all users are affected by a potential failure, keeping the 'blast radius' a bit smaller
aborrero moved this task from Doing to Blocked/waiting on the User-aborrero board.Jul 11 2024, 11:29 AM
dcaro edited projects, added Toolforge (Toolforge iteration 13); removed Toolforge (Toolforge iteration 12).Jul 17 2024, 11:23 AM
aborrero closed this task as Resolved.Jul 19 2024, 8:21 AM
In T365681#9972877, @aborrero wrote:

The first certificates with 10 days lifetime were generated on 2024-07-10, so on 2024-07-18 we should check to see if the 2 days before expiration renewal is working as expected.

Leaving the ticket open until then.

Working as expected:

image.png (361×1 px, 119 KB)

dcaro moved this task from Next Up to Done on the Toolforge (Toolforge iteration 13) board.Jul 22 2024, 1:49 PM
CodeReviewBot added a project: Patch-For-Review.Apr 30 2025, 10:55 AM

aborrero opened https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/69

kubecerts: stop renewing certs on a random basis

CodeReviewBot added a comment.May 13 2025, 2:34 PM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/69

kubecerts: stop renewing certs on a random basis

CodeReviewBot added a comment.May 13 2025, 2:37 PM

group_203_bot_f4d95069bb2675e4ce1fff090c1c1620 opened https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/779

maintain-kubeusers: bump to 0.0.173-20250513143459-bcd0852b

CodeReviewBot added a comment.May 13 2025, 3:48 PM

aborrero merged https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-deploy/-/merge_requests/779

maintain-kubeusers: bump to 0.0.173-20250513143459-bcd0852b

Maintenance_bot removed a project: Patch-For-Review.May 13 2025, 4:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits