Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Vulnerabilities in Istio Gateway Secret Rotation #2075

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: Vulnerabilities in Istio Gateway Secret Rotation #2075

wants to merge 1 commit into from

Conversation

c-pius
Copy link
Contributor

@c-pius c-pius commented Nov 29, 2024

Description

Changes proposed in this pull request:

  • tries to fix vulnerabilities reported by checkmarx

Related issue(s)

@c-pius c-pius requested a review from a team as a code owner November 29, 2024 09:58
@kyma-bot kyma-bot added cla: yes Indicates the PR's author has signed the CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 29, 2024
c-pius
c-pius commented Nov 29, 2024
View reviewed changes
cmd/main.go
go setupIstioGatewaySecretRotation(config, kcpClient, setupLog)
go gatewaysecret.NewGatewaySecretHandler(kcpClient).
StartRootCertificateWatch(kubernetes.NewForConfigOrDie(config), setupLog)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to reviewer: Checkmarx was complaining about potential race conditions on config and kcpClient. With this change, we keep using config and kcpClient in the current thread, and only then branch of to the go routine.

pkg/gatewaysecret/handler.go
panic(err)
return
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to reviewer: Checkmarx was complaining that the panic is not properly handled. Since this is a go routine, I think the panic would anyway just abort the startup of the watch. Therefore we can also just return here since the error is logged and the go routine will "gracefully" stop.

Copy link
Contributor

@LeelaChacha LeelaChacha Nov 29, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The startup of the watch is vital to the function of the istio gateway secret - the secret that allows TLS for SKR webhook communication. I believe that not being able to set up that secret is an extreme situation (highly unlikely though), and the runtime should stop the execution. If panic is not suitable in this case. I would suggest exiting with a bootstrap error code like so

@c-pius c-pius force-pushed the fix/vulnerability-reports-on-istio-gateway-secret-rotation branch from c68398b to 4d1faa6 Compare November 29, 2024 10:03
@c-pius c-pius mentioned this pull request Nov 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LeelaChacha LeelaChacha LeelaChacha left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
cla: yes Indicates the PR's author has signed the CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@c-pius @LeelaChacha @kyma-bot