Merge pull request #4136 from emissary-ingress/ci/repatriate/from-v2.…

…2-to-v2.3 [v2.3] Repatriate from v2.2
emissary-ingress · Apr 27, 2022 · 5b9fc30 · 5b9fc30
2 parents bc77af8 + 883046a
commit 5b9fc30
Show file tree

Hide file tree

Showing 12 changed files with 456 additions and 39 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -88,7 +88,7 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest
 ## RELEASE NOTES
 
 ## [2.3.0] TBD
-[2.3.0]: https://github.com/emissary-ingress/emissary/compare/v2.2.1...v2.3.0
+[2.3.0]: https://github.com/emissary-ingress/emissary/compare/v2.2.2...v2.3.0
 
 ### Emissary-ingress and Ambassador Edge Stack
 
@@ -99,6 +99,20 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest
 
 [#4179]: https://github.com/emissary-ingress/emissary/pull/4179
 
+## [2.2.2] TBD
+[2.2.2]: https://github.com/emissary-ingress/emissary/compare/v2.2.1...v2.2.2
+
+### Emissary-ingress and Ambassador Edge Stack
+
+- Change: You may now choose to enable TLS Secret validation by setting the
+  `AMBASSADOR_FORCE_SECRET_VALIDATION=true` environment variable. The default configuration does not
+  enforce secret validation.
+
+- Bugfix: Kubernetes Secrets that should contain an EC (Elliptic Curve) TLS Private Key are now
+  properly validated. ([4134])
+
+[4134]: https://github.com/emissary-ingress/emissary/issues/4134
+
 ## [2.2.1] February 22, 2022
 [2.2.1]: https://github.com/emissary-ingress/emissary/compare/v2.2.0...v2.2.1
 

diff --git a/cmd/entrypoint/secrets.go b/cmd/entrypoint/secrets.go
@@ -6,6 +6,8 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
+	"os"
+	"strconv"
 	"strings"
 
 	amb "github.com/datawire/ambassador/v2/pkg/api/getambassador.io/v3alpha1"
@@ -25,6 +27,7 @@ func checkSecret(
 	what string,
 	ref snapshotTypes.SecretRef,
 	secret *v1.Secret) {
+	forceSecretValidation, _ := strconv.ParseBool(os.Getenv("AMBASSADOR_FORCE_SECRET_VALIDATION"))
 	// Make it more convenient to consistently refer to this secret.
 	secretName := fmt.Sprintf("%s secret %s.%s", what, ref.Name, ref.Namespace)
 
@@ -59,10 +62,16 @@ func checkSecret(
 				_, err = x509.ParsePKCS8PrivateKey(caKeyBlock.Bytes)
 			}
 
+			if err != nil {
+				// Try EC? (No, = instead of := is not a typo here: we're overwriting the
+				// earlier error.)
+				_, err = x509.ParseECPrivateKey(caKeyBlock.Bytes)
+			}
+
 			// Any issues here?
 			if err != nil {
 				errs = append(errs,
-					fmt.Errorf("%s %s cannot be parsed as PKCS1 or PKCS8: %s", secretName, v1.TLSPrivateKeyKey, err.Error()))
+					fmt.Errorf("%s %s cannot be parsed as PKCS1, PKCS8, or EC: %s", secretName, v1.TLSPrivateKeyKey, err.Error()))
 				isValid = false
 			}
 		} else {
@@ -95,10 +104,11 @@ func checkSecret(
 		}
 	}
 
-	if isValid {
+	if isValid || !forceSecretValidation {
 		dlog.Debugf(ctx, "taking %s", secretName)
 		sh.k8sSnapshot.Secrets = append(sh.k8sSnapshot.Secrets, secret)
-	} else {
+	}
+	if !isValid {
 		// This secret is invalid, but we're not going to log about it -- instead, it'll go into the
 		// list of Invalid resources.
 		dlog.Debugf(ctx, "%s is not valid, skipping: %s", secretName, errs.Error())

diff --git a/cmd/entrypoint/testdata/BrokenSecret.yaml b/cmd/entrypoint/testdata/BrokenSecret.yaml
@@ -0,0 +1,20 @@
+---
+# This is an invalid Secret.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tls-broken-cert
+type: kubernetes.io/tls
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNzRENDQVpnQ0NRRFd2TnRjRzNpelZEQU5CZ2txaGtpRzl3MEJBUXNGQURBYU1SZ3dGZ1lEVlFRRERBOWgKYldKaGMzTmhaRzl5TFdObGNuUXdIaGNOTWpFd056QTRNakF5T0RNd1doY05Nakl3TnpBNE1qQXlPRE13V2pBYQpNUmd3RmdZRFZRUUREQTloYldKaGMzTmhaRzl5TFdObGNuUXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRQ1pVbXhqT1lrTWlKRm0yZSttZDlMelNwd0oxSWlic1lUWHp5a1NiMExZYlNqcG5jMGoKZ2dFQkFKYU41RXFxOWoyL0hWclZaT3BPcG5ZVFJmVTQ5TWk0OW9uQXVmOWZCT21Hd2UwcFZKampNWXJBb2RnUgphZXJQdVZSUERYZHNldzN6MmQyOWJHMExVMlN0SkEwRjRnTm9ZNjRsZVlRM3RGMUNSbGxzN0ppZVZ6U3VFVXJTCktmNmJpYnRpSUtJTjBoR1NXdHZhTThleGpvZjdkZTJ5YUs0RU94TWlCYnJmQU82cnoxeDNzWi84Q0ZOenc5c1EKWEI1allJaE1laGxvbGFHRTlEY3J1R2ttK0VDdkI2NmRqMU1yblRqZUlxZzhCc3hablZiVnhwOVRlMlFnaHJOaQpyRXJKd2NXU1JTeVRnMERld1R6S1hBTHZpbmJFOWJnek10WE1ISGRSZlBhQy9aYUJNR3VBcTF5YlM5RXczYy9aCjV2TTRoV05odTkxL0NKY3lRUkd2UlFZcWJlMD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBbVZKc1l6bUpESWlSWnRudnBuZlM4MHFjQ2RTSW03R0UxODhwRW05QzJHMG82WjNOCkkxaGxkQ1l2Y0hrcWtSMER0TFBPUlpNUXJEcE9mbndWOVNQZXZwRmIxcks4b2RLZlpiOXUzaVJuV2JnbFpTWGMKS1oyNldWME14cTNHRkdjdE9seEZmSlhZVmpTRnk1TytaNVpXV3ZkNVhJK0ZodDBnODdEblByU2xZU2pJYUR5UgpHVkJacktvRHVMNk5ud2Ftek4rY1FEc2hCOFlic2YxVWlza2RaYkxTaHBjSjI2WW0zZStrQlFibjlKYkw1UVVDCkFsMStEMGJOQnB5Q1J3V0IybzV2aHRnMityd1pBQ051MVB2YkZzSDltREZSK3Z6UkFPWjJwVEMzNHBYMGFyS0QKdTIwYUxNTU9PY0RNY3RtanY4cmtxUlVFa3ppM25XSWNZVVVhcUpUbVRvZEtmVGhteGxsbHloODlRUDNQbytoTAphaTRvRUlrQ2dZRUF5Ry9DbFpreDhYcXczQ2tlcmtmVmhObzc4cjFYVUVEUTdTd0xRSWVoejVGL2JFT1ZFLzJSCkl4YVlCTHZqUzBGRHNjSzdOSk95T2RNUGlTVU1wd0xIL2Q2c2taMDZBZFNWWU9tQmk1QUIxQk1leTVvRy9Ka1cKWnNKbjZDeDloQlRlNXNCdEJRZDUrWmFRdThoMGFQVzBwWHdvWHlpbUl6M2lndXF2TUNzemU1TUNnWUVBdzlNZApjZmYrUWFubGoydWlyZzFueWMwVWQ3WHp6QVlFdUxQRE90eW1ybVJJT0E0aXhzcnMzNGZtUThJNzhxekMyeGY1CkR2Uk81M3Mxb1dIc3Ntd3FyaDNDRFVoMXZQRURwdWpHd0t3YThsTXJDamJYOG1iTWJtU3J6UG5zNVZ5WFdoSEUKQ3dUc09XdGV5Rnc5UWRlNHUrTXVIRjNIcHRIcW9mVEVMZklFcFdzQ2dZRUF1UE8zd0VkZWVJOVlSNitCNmh2TApBUTVIcHhQa1Q5K2ZhbHJyL3gyb3lGcGdGRXpBY1hQWHkyTDczOUpvU0hidXVrY1FhOUdsOGdtNkdqa2YxYlNSClNzZUF3ZFV0UTZjZ09BOEFSUUliVGRCZTZFMDNDVHRTR254bFdTNUVtKzZPU0t0amJmS2FNUjhvYXI3ci9EWk4KL1MzMkt1amRkVU9Ua201d1BhaC9seFVDZ1lCaHc3R01wNklCaUYrNlphTlhRQXdUL05YK0doSDRSdnp1ZFppLwpkMCtqK3g3dkZXZVpWZEJDbk9lQjVxUGxPUWtqTnVtNTVKRE1Fb0FvN09tdC9rQ2tvdWl4bHY1bzhPN0EwcS8vCm15enMxRWJGbDdIaUxCNWQ4dGF1eEF2WVNveXBnL3NiQVQ4cVA0ZVhnaTEzQk1zT3lwSEh5YTRXZy9DZklNTWMKcVJwV3R3S0JnSFhGNVJZSjhqWktOcTZscjlNVmFkVFd2SlFnTVVsdHRRaVozdmsyZzRLT0pzU1Z1a0RuMWlnKwpDQ0plRTZVL05LQ3d6MlIxcGNJZURPd3B6T0hjMlY2S3hnRFhlRjJVay8yMzJ2UHdpdGNUTGFLaGxNOUM4Y0tzCnpEaUlxUWRkNEt0WENqNzhLTjROWEdnWEl1V1c4dkREVjhDTnBCbjl5SVRRcVJPc1FIdGsKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0=
+---
+# This Host references our invalid Secret, so it'll get loaded.
+apiVersion: getambassador.io/v3alpha1
+kind: Host
+metadata:
+  name: broken-host
+spec:
+  hostname: "*"
+  tlsSecret:
+    name: tls-broken-cert
diff --git a/cmd/entrypoint/testdata/FakeHello.yaml b/cmd/entrypoint/testdata/FakeHello.yaml
@@ -51,23 +51,3 @@ spec:
   hostname: "*"
   tlsSecret:
     name: tls-cert
----
-# This is an invalid Secret.
-apiVersion: v1
-kind: Secret
-metadata:
-  name: tls-broken-cert
-type: kubernetes.io/tls
-data:
-  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNzRENDQVpnQ0NRRFd2TnRjRzNpelZEQU5CZ2txaGtpRzl3MEJBUXNGQURBYU1SZ3dGZ1lEVlFRRERBOWgKYldKaGMzTmhaRzl5TFdObGNuUXdIaGNOTWpFd056QTRNakF5T0RNd1doY05Nakl3TnpBNE1qQXlPRE13V2pBYQpNUmd3RmdZRFZRUUREQTloYldKaGMzTmhaRzl5TFdObGNuUXdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCkR3QXdnZ0VLQW9JQkFRQ1pVbXhqT1lrTWlKRm0yZSttZDlMelNwd0oxSWlic1lUWHp5a1NiMExZYlNqcG5jMGoKZ2dFQkFKYU41RXFxOWoyL0hWclZaT3BPcG5ZVFJmVTQ5TWk0OW9uQXVmOWZCT21Hd2UwcFZKampNWXJBb2RnUgphZXJQdVZSUERYZHNldzN6MmQyOWJHMExVMlN0SkEwRjRnTm9ZNjRsZVlRM3RGMUNSbGxzN0ppZVZ6U3VFVXJTCktmNmJpYnRpSUtJTjBoR1NXdHZhTThleGpvZjdkZTJ5YUs0RU94TWlCYnJmQU82cnoxeDNzWi84Q0ZOenc5c1EKWEI1allJaE1laGxvbGFHRTlEY3J1R2ttK0VDdkI2NmRqMU1yblRqZUlxZzhCc3hablZiVnhwOVRlMlFnaHJOaQpyRXJKd2NXU1JTeVRnMERld1R6S1hBTHZpbmJFOWJnek10WE1ISGRSZlBhQy9aYUJNR3VBcTF5YlM5RXczYy9aCjV2TTRoV05odTkxL0NKY3lRUkd2UlFZcWJlMD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
-  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBbVZKc1l6bUpESWlSWnRudnBuZlM4MHFjQ2RTSW03R0UxODhwRW05QzJHMG82WjNOCkkxaGxkQ1l2Y0hrcWtSMER0TFBPUlpNUXJEcE9mbndWOVNQZXZwRmIxcks4b2RLZlpiOXUzaVJuV2JnbFpTWGMKS1oyNldWME14cTNHRkdjdE9seEZmSlhZVmpTRnk1TytaNVpXV3ZkNVhJK0ZodDBnODdEblByU2xZU2pJYUR5UgpHVkJacktvRHVMNk5ud2Ftek4rY1FEc2hCOFlic2YxVWlza2RaYkxTaHBjSjI2WW0zZStrQlFibjlKYkw1UVVDCkFsMStEMGJOQnB5Q1J3V0IybzV2aHRnMityd1pBQ051MVB2YkZzSDltREZSK3Z6UkFPWjJwVEMzNHBYMGFyS0QKdTIwYUxNTU9PY0RNY3RtanY4cmtxUlVFa3ppM25XSWNZVVVhcUpUbVRvZEtmVGhteGxsbHloODlRUDNQbytoTAphaTRvRUlrQ2dZRUF5Ry9DbFpreDhYcXczQ2tlcmtmVmhObzc4cjFYVUVEUTdTd0xRSWVoejVGL2JFT1ZFLzJSCkl4YVlCTHZqUzBGRHNjSzdOSk95T2RNUGlTVU1wd0xIL2Q2c2taMDZBZFNWWU9tQmk1QUIxQk1leTVvRy9Ka1cKWnNKbjZDeDloQlRlNXNCdEJRZDUrWmFRdThoMGFQVzBwWHdvWHlpbUl6M2lndXF2TUNzemU1TUNnWUVBdzlNZApjZmYrUWFubGoydWlyZzFueWMwVWQ3WHp6QVlFdUxQRE90eW1ybVJJT0E0aXhzcnMzNGZtUThJNzhxekMyeGY1CkR2Uk81M3Mxb1dIc3Ntd3FyaDNDRFVoMXZQRURwdWpHd0t3YThsTXJDamJYOG1iTWJtU3J6UG5zNVZ5WFdoSEUKQ3dUc09XdGV5Rnc5UWRlNHUrTXVIRjNIcHRIcW9mVEVMZklFcFdzQ2dZRUF1UE8zd0VkZWVJOVlSNitCNmh2TApBUTVIcHhQa1Q5K2ZhbHJyL3gyb3lGcGdGRXpBY1hQWHkyTDczOUpvU0hidXVrY1FhOUdsOGdtNkdqa2YxYlNSClNzZUF3ZFV0UTZjZ09BOEFSUUliVGRCZTZFMDNDVHRTR254bFdTNUVtKzZPU0t0amJmS2FNUjhvYXI3ci9EWk4KL1MzMkt1amRkVU9Ua201d1BhaC9seFVDZ1lCaHc3R01wNklCaUYrNlphTlhRQXdUL05YK0doSDRSdnp1ZFppLwpkMCtqK3g3dkZXZVpWZEJDbk9lQjVxUGxPUWtqTnVtNTVKRE1Fb0FvN09tdC9rQ2tvdWl4bHY1bzhPN0EwcS8vCm15enMxRWJGbDdIaUxCNWQ4dGF1eEF2WVNveXBnL3NiQVQ4cVA0ZVhnaTEzQk1zT3lwSEh5YTRXZy9DZklNTWMKcVJwV3R3S0JnSFhGNVJZSjhqWktOcTZscjlNVmFkVFd2SlFnTVVsdHRRaVozdmsyZzRLT0pzU1Z1a0RuMWlnKwpDQ0plRTZVL05LQ3d6MlIxcGNJZURPd3B6T0hjMlY2S3hnRFhlRjJVay8yMzJ2UHdpdGNUTGFLaGxNOUM4Y0tzCnpEaUlxUWRkNEt0WENqNzhLTjROWEdnWEl1V1c4dkREVjhDTnBCbjl5SVRRcVJPc1FIdGsKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0=
----
-# This Host references our invalid Secret, so it'll get loaded.
-apiVersion: getambassador.io/v3alpha1
-kind: Host
-metadata:
-  name: broken-host
-spec:
-  hostname: "*"
-  tlsSecret:
-    name: tls-broken-cert