use stronger algorithm defaults for certificates #326

Merged
merged 7 commits into from
Oct 12, 2021

@ssoroka ssoroka commented Sep 25, 2021

No description provided.

@jmorganca

Great stuff. Should we also update (OK in a separate PR) how we generate the certs we use to sign JWTs?

key, err := rsa.GenerateKey(rand.Reader, 2048)


@jmorganca jmorganca left a comment


LGTM!

ssoroka commented Sep 27, 2021

hmm. this last change seems to break when I use it with prod,

$ k get nodes
error: You must be logged in to the server (Unauthorized)

so I'm guessing it's not backwards compatible with what's currently in prod, or I missed something. I would really expect that I should be able to change the algorithm without breaking existing deployments.

@jmorganca

I do think this is unrelated, and worth trying now after rebasing :-)

@@ -136,6 +136,8 @@ func extractToken(context context.Context) (*Token, error) {
return nil, errors.New("token not found in context")
}

// todo: should validate token?
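
Review bot: the added `// todo: should validate token?` at the end of this hunk in extractToken is phrased as an open question with no owner or issue reference, so it is likely to go stale. Either resolve it before merge or replace it with a doc comment on extractToken stating whether callers receive a validated token, so nobody reading this function has to guess.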

This happens in line 100 (this function is really just for type casting!). That said, maybe the function naming / structure isn't the greatest if it looks naked without validation

@@ -779,3 +779,15 @@ func containsUser(users []api.User, email string) bool {

return false
}

func TestCredentials(t *testing.T) {

🤩


@jmorganca jmorganca left a comment


A few optional comments and a small lint error to fix 😉 . LGTM!
