OCPBUGS-440: improve CA and certificate generation #361
Conversation
openshift-ci
bot
added
the
approved
|
/hold don't merge before #360 gets merged and qe approves |
openshift-ci
bot
added
the
do-not-merge/hold
perdasilva
changed the title
|
/lgtm |
perdasilva
force-pushed
the
cert_generation_improvement
branch
from
6d26e03 to
8b92082
Compare
|
/retest |
Recently during an audit on a user's cluster, it was discovered that
OLM's certificate generation functionality has a few minor shortcomings.
1) The generated CA and server cert do not include a common name,
which causes some tooling to have trouble tracing the cert chain.
2) The generated CA and server cert include unnecessary key usages,
which means those certificates can be used for more than their
intended purposes.
This commit resolves the above issues by ensuring the certificates
include common names and by using the minimal key usages necessary.
Signed-off-by: Joe Lanford <[email protected]>
Upstream-commit: 13fa7be0e153711a9ef6b8c3d4315ce088ad6274
Upstream-repository: operator-lifecycle-manager
perdasilva
force-pushed
the
cert_generation_improvement
branch
from
8b92082 to
4d356d1
Compare
|
/retest |
1 similar comment
|
/retest |
perdasilva
changed the title
openshift-ci-robot
added
the
jira/valid-bug
|
@perdasilva: This pull request references [Jira Issue OCPBUGS-440](https://issues.redhat.com//browse/OCPBUGS-440), which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
bugzilla/valid-bug
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: perdasilva, timflannagan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@perdasilva: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@perdasilva: All pull requests linked via external trackers have merged: [Jira Issue OCPBUGS-440](https://issues.redhat.com//browse/OCPBUGS-440) has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Recently during an audit on a user's cluster, it was discovered that
OLM's certificate generation functionality has a few minor shortcomings.
which causes some tooling to have trouble tracing the cert chain.
which means those certificates can be used for more than their
intended purposes.
This commit resolves the above issues by ensuring the certificates
include common names and by using the minimal key usages necessary.
Signed-off-by: Joe Lanford [email protected]
Upstream-commit: 13fa7be0e153711a9ef6b8c3d4315ce088ad6274
Upstream-repository: operator-lifecycle-manager