Merge pull request #2522 from amazeeio/fix-long-autogen-host-backport

Limit the size of the CN field in certificate requests (backport)
uselagoon · Feb 22, 2021 · d46fa3e · d46fa3e
2 parents fb1bc6e + c4cc8d8
commit d46fa3e
Show file tree

Hide file tree

Showing 21 changed files with 192 additions and 1 deletion.
diff --git a/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh b/images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh
@@ -546,6 +546,7 @@ yq write -i -- /kubectl-build-deploy/values.yaml 'buildType' $BUILD_TYPE
 yq write -i -- /kubectl-build-deploy/values.yaml 'routesAutogenerateInsecure' $ROUTES_AUTOGENERATE_INSECURE
 yq write -i -- /kubectl-build-deploy/values.yaml 'routesAutogenerateEnabled' $ROUTES_AUTOGENERATE_ENABLED
 yq write -i -- /kubectl-build-deploy/values.yaml 'routesAutogenerateSuffix' $ROUTER_URL
+yq write -i -- /kubectl-build-deploy/values.yaml 'routesAutogenerateShortSuffix' $SHORT_ROUTER_URL
 for i in $ROUTES_AUTOGENERATE_PREFIXES; do yq write -i -- /kubectl-build-deploy/values.yaml 'routesAutogeneratePrefixes[+]' $i; done
 yq write -i -- /kubectl-build-deploy/values.yaml 'kubernetes' $KUBERNETES
 yq write -i -- /kubectl-build-deploy/values.yaml 'lagoonVersion' $LAGOON_VERSION

diff --git a/images/kubectl-build-deploy-dind/helmcharts/nginx-php-persistent/templates/_helpers.tpl b/images/kubectl-build-deploy-dind/helmcharts/nginx-php-persistent/templates/_helpers.tpl
@@ -32,6 +32,14 @@ Create full hostname for autogenerated hosts
 {{ end }}
 {{- end -}}
 
+{{/*
+Create short hostname for autogenerated hosts.
+This is used to work around problems with long CN fields in certificates.
+*/}}
+{{- define "nginx-php-persistent.autogeneratedShortHost" -}}
+{{- printf "%s.%s" .root.Release.Name .root.Values.routesAutogenerateShortSuffix }}
+{{- end }}
+
 {{/*
 Generate name of Persistent Storage
 Uses the Release Name (Lagoon Service Name) unless it's overwritten via .Values.persistentStorage.name

diff --git a/images/kubectl-build-deploy-dind/helmcharts/nginx-php-persistent/templates/ingress.yaml b/images/kubectl-build-deploy-dind/helmcharts/nginx-php-persistent/templates/ingress.yaml
@@ -25,6 +25,9 @@ spec:
   tls:
     - hosts:
       {{- $host := include "nginx-php-persistent.autogeneratedHost" (dict "root" $) }}
+      {{- if and .Values.routesAutogenerateShortSuffix (gt ($host | len) 63) }}
+        - {{ include "nginx-php-persistent.autogeneratedShortHost" (dict "root" $) | quote }}
+      {{- end }}
         -   {{ $host | quote }}
       {{- if $.Values.routesAutogeneratePrefixes }}
       {{- range $k, $prefix := $.Values.routesAutogeneratePrefixes }}

diff --git a/images/kubectl-build-deploy-dind/helmcharts/nginx-php/templates/_helpers.tpl b/images/kubectl-build-deploy-dind/helmcharts/nginx-php/templates/_helpers.tpl
@@ -32,6 +32,14 @@ Create full hostname for autogenerated hosts
 {{ end }}
 {{- end -}}
 
+{{/*
+Create short hostname for autogenerated hosts.
+This is used to work around problems with long CN fields in certificates.
+*/}}
+{{- define "nginx-php.autogeneratedShortHost" -}}
+{{- printf "%s.%s" .root.Release.Name .root.Values.routesAutogenerateShortSuffix }}
+{{- end }}
+
 {{/*
 Common labels
 */}}

diff --git a/images/kubectl-build-deploy-dind/helmcharts/nginx-php/templates/ingress.yaml b/images/kubectl-build-deploy-dind/helmcharts/nginx-php/templates/ingress.yaml
@@ -25,6 +25,9 @@ spec:
   tls:
     - hosts:
       {{- $host := include "nginx-php.autogeneratedHost" (dict "root" $) }}
+      {{- if and .Values.routesAutogenerateShortSuffix (gt ($host | len) 63) }}
+        - {{ include "nginx-php.autogeneratedShortHost" (dict "root" $) | quote }}
+      {{- end }}
         -   {{ $host | quote }}
       {{- if $.Values.routesAutogeneratePrefixes }}
       {{- range $k, $prefix := $.Values.routesAutogeneratePrefixes }}

diff --git a/images/kubectl-build-deploy-dind/helmcharts/nginx/templates/_helpers.tpl b/images/kubectl-build-deploy-dind/helmcharts/nginx/templates/_helpers.tpl
@@ -32,6 +32,14 @@ Create full hostname for autogenerated hosts
 {{ end }}
 {{- end -}}
 
+{{/*
+Create short hostname for autogenerated hosts.
+This is used to work around problems with long CN fields in certificates.
+*/}}
+{{- define "nginx.autogeneratedShortHost" -}}
+{{- printf "%s.%s" .root.Release.Name .root.Values.routesAutogenerateShortSuffix }}
+{{- end }}
+
 {{/*
 Common labels
 */}}

diff --git a/images/kubectl-build-deploy-dind/helmcharts/nginx/templates/ingress.yaml b/images/kubectl-build-deploy-dind/helmcharts/nginx/templates/ingress.yaml
@@ -25,6 +25,9 @@ spec:
   tls:
     - hosts:
       {{- $host := include "nginx.autogeneratedHost" (dict "root" $) }}
+      {{- if and .Values.routesAutogenerateShortSuffix (gt ($host | len) 63) }}
+        - {{ include "nginx.autogeneratedShortHost" (dict "root" $) | quote }}
+      {{- end }}
         -   {{ $host | quote }}
       {{- if $.Values.routesAutogeneratePrefixes }}
       {{- range $k, $prefix := $.Values.routesAutogeneratePrefixes }}

diff --git a/images/kubectl-build-deploy-dind/helmcharts/node-persistent/templates/_helpers.tpl b/images/kubectl-build-deploy-dind/helmcharts/node-persistent/templates/_helpers.tpl
@@ -32,6 +32,14 @@ Create full hostname for autogenerated hosts
 {{ end }}
 {{- end -}}
 
+{{/*
+Create short hostname for autogenerated hosts.
+This is used to work around problems with long CN fields in certificates.
+*/}}
+{{- define "node-persistent.autogeneratedShortHost" -}}
+{{- printf "%s.%s" .root.Release.Name .root.Values.routesAutogenerateShortSuffix }}
+{{- end }}
+
 {{/*
 Generate name of Persistent Storage
 Uses the Release Name (Lagoon Service Name) unless it's overwritten via .Values.persistentStorage.name

diff --git a/images/kubectl-build-deploy-dind/helmcharts/node-persistent/templates/ingress.yaml b/images/kubectl-build-deploy-dind/helmcharts/node-persistent/templates/ingress.yaml
@@ -25,6 +25,9 @@ spec:
   tls:
     - hosts:
       {{- $host := include "node-persistent.autogeneratedHost" (dict "root" $) }}
+      {{- if and .Values.routesAutogenerateShortSuffix (gt ($host | len) 63) }}
+        - {{ include "node-persistent.autogeneratedShortHost" (dict "root" $) | quote }}
+      {{- end }}
         -   {{ $host | quote }}
       {{- if $.Values.routesAutogeneratePrefixes }}
       {{- range $k, $prefix := $.Values.routesAutogeneratePrefixes }}

diff --git a/images/kubectl-build-deploy-dind/helmcharts/node/templates/_helpers.tpl b/images/kubectl-build-deploy-dind/helmcharts/node/templates/_helpers.tpl
@@ -32,6 +32,14 @@ Create full hostname for autogenerated hosts
 {{ end }}
 {{- end -}}
 
+{{/*
+Create short hostname for autogenerated hosts.
+This is used to work around problems with long CN fields in certificates.
+*/}}
+{{- define "node.autogeneratedShortHost" -}}
+{{- printf "%s.%s" .root.Release.Name .root.Values.routesAutogenerateShortSuffix }}
+{{- end }}
+
 {{/*
 Common labels
 */}}

diff --git a/images/kubectl-build-deploy-dind/helmcharts/node/templates/ingress.yaml b/images/kubectl-build-deploy-dind/helmcharts/node/templates/ingress.yaml
@@ -25,6 +25,9 @@ spec:
   tls:
     - hosts:
       {{- $host := include "node.autogeneratedHost" (dict "root" $) }}
+      {{- if and .Values.routesAutogenerateShortSuffix (gt ($host | len) 63) }}
+        - {{ include "node.autogeneratedShortHost" (dict "root" $) | quote }}
+      {{- end }}
         -   {{ $host | quote }}
       {{- if $.Values.routesAutogeneratePrefixes }}
       {{- range $k, $prefix := $.Values.routesAutogeneratePrefixes }}

diff --git a/images/kubectl-build-deploy-dind/helmcharts/python/templates/_helpers.tpl b/images/kubectl-build-deploy-dind/helmcharts/python/templates/_helpers.tpl
@@ -32,6 +32,14 @@ Create full hostname for autogenerated hosts
 {{ end }}
 {{- end -}}
 
+{{/*
+Create short hostname for autogenerated hosts.
+This is used to work around problems with long CN fields in certificates.
+*/}}
+{{- define "python.autogeneratedShortHost" -}}
+{{- printf "%s.%s" .root.Release.Name .root.Values.routesAutogenerateShortSuffix }}
+{{- end }}
+
 {{/*
 Common labels
 */}}

diff --git a/images/kubectl-build-deploy-dind/helmcharts/python/templates/ingress.yaml b/images/kubectl-build-deploy-dind/helmcharts/python/templates/ingress.yaml
@@ -25,6 +25,9 @@ spec:
   tls:
     - hosts:
       {{- $host := include "python.autogeneratedHost" (dict "root" $) }}
+      {{- if and .Values.routesAutogenerateShortSuffix (gt ($host | len) 63) }}
+        - {{ include "python.autogeneratedShortHost" (dict "root" $) | quote }}
+      {{- end }}
         -   {{ $host | quote }}
       {{- if $.Values.routesAutogeneratePrefixes }}
       {{- range $k, $prefix := $.Values.routesAutogeneratePrefixes }}

diff --git a/images/kubectl-build-deploy-dind/helmcharts/varnish-persistent/templates/_helpers.tpl b/images/kubectl-build-deploy-dind/helmcharts/varnish-persistent/templates/_helpers.tpl
@@ -32,6 +32,14 @@ Create full hostname for autogenerated hosts
 {{ end }}
 {{- end -}}
 
+{{/*
+Create short hostname for autogenerated hosts.
+This is used to work around problems with long CN fields in certificates.
+*/}}
+{{- define "varnish-persistent.autogeneratedShortHost" -}}
+{{- printf "%s.%s" .root.Release.Name .root.Values.routesAutogenerateShortSuffix }}
+{{- end }}
+
 {{/*
 Generate name of Persistent Storage
 Uses the Release Name (Lagoon Service Name) unless it's overwritten via .Values.persistentStorage.name

diff --git a/images/kubectl-build-deploy-dind/helmcharts/varnish-persistent/templates/ingress.yaml b/images/kubectl-build-deploy-dind/helmcharts/varnish-persistent/templates/ingress.yaml
@@ -25,6 +25,9 @@ spec:
   tls:
     - hosts:
       {{- $host := include "varnish-persistent.autogeneratedHost" (dict "root" $) }}
+      {{- if and .Values.routesAutogenerateShortSuffix (gt ($host | len) 63) }}
+        - {{ include "varnish-persistent.autogeneratedShortHost" (dict "root" $) | quote }}
+      {{- end }}
         -   {{ $host | quote }}
       {{- if $.Values.routesAutogeneratePrefixes }}
       {{- range $k, $prefix := $.Values.routesAutogeneratePrefixes }}

diff --git a/images/kubectl-build-deploy-dind/helmcharts/varnish/templates/_helpers.tpl b/images/kubectl-build-deploy-dind/helmcharts/varnish/templates/_helpers.tpl
@@ -32,6 +32,14 @@ Create full hostname for autogenerated hosts
 {{ end }}
 {{- end -}}
 
+{{/*
+Create short hostname for autogenerated hosts.
+This is used to work around problems with long CN fields in certificates.
+*/}}
+{{- define "varnish.autogeneratedShortHost" -}}
+{{- printf "%s.%s" .root.Release.Name .root.Values.routesAutogenerateShortSuffix }}
+{{- end }}
+
 {{/*
 Common labels
 */}}

diff --git a/images/kubectl-build-deploy-dind/helmcharts/varnish/templates/ingress.yaml b/images/kubectl-build-deploy-dind/helmcharts/varnish/templates/ingress.yaml
@@ -25,6 +25,9 @@ spec:
   tls:
     - hosts:
       {{- $host := include "varnish.autogeneratedHost" (dict "root" $) }}
+      {{- if and .Values.routesAutogenerateShortSuffix (gt ($host | len) 63) }}
+        - {{ include "varnish.autogeneratedShortHost" (dict "root" $) | quote }}
+      {{- end }}
         -   {{ $host | quote }}
       {{- if $.Values.routesAutogeneratePrefixes }}
       {{- range $k, $prefix := $.Values.routesAutogeneratePrefixes }}

diff --git a/node-packages/commons/src/tasks.ts b/node-packages/commons/src/tasks.ts
@@ -302,7 +302,7 @@ const getControllerBuildData = async function(deployData: any) {
   var projectProductionEnvironment = projectOpenShift.productionEnvironment
   var projectStandbyEnvironment = projectOpenShift.standbyProductionEnvironment
   var subfolder = projectOpenShift.subfolder || ""
-  var routerPattern = projectOpenShift.openshift.routerPattern ? projectOpenShift.openshift.routerPattern.replace('${environment}',environmentName).replace('${project}', projectName) : ""
+  var routerPattern = projectOpenShift.openshift.routerPattern
   var prHeadBranch = headBranch || ""
   var prHeadSha = headSha || ""
   var prBaseBranch = baseBranch || ""

diff --git a/tests/checks/check-auto-generated-ingress-short-router-url.yaml b/tests/checks/check-auto-generated-ingress-short-router-url.yaml
@@ -0,0 +1,43 @@
+---
+- name: >
+    {{ testname }} - Check if auto-generated ingress of namespace
+    {{ project }}-{{ lagoon_environment }} has the short-router-url in TLS hosts
+  shell: |
+    set -e
+    set -x
+
+    export KUBECONFIG=$(mktemp)
+    echo "{{ kubeconfig }}" > $KUBECONFIG
+    # replace with the IP of host from within container
+    sed -i "s/localhost/$(ip -4 route list match 0/0 | cut -d' ' -f3)/" $KUBECONFIG
+
+    INGRESS_JSON=$(kubectl -n {{ project }}-{{ lagoon_environment }} get ingress -o json)
+
+    NUM_TLS_HOSTS=$(echo $INGRESS_JSON | jq -er '.items[] | select(.metadata.name == "node") | .spec.tls[0].hosts | length')
+    if [ $NUM_TLS_HOSTS -lt 2 ]; then
+      echo NUM_TLS_HOSTS: $NUM_TLS_HOSTS
+      echo $INGRESS_JSON
+      exit 1
+    fi
+
+    FIRST_HOST_LEN=$(echo $INGRESS_JSON | jq -er '.items[] | select(.metadata.name == "node") | .spec.tls[0].hosts[0] | length')
+    if [ $FIRST_HOST_LEN -gt 63 ]; then
+      echo FIRST_HOST_LEN: $FIRST_HOST_LEN
+      echo $INGRESS_JSON
+      exit 1
+    fi
+
+    SECOND_HOST_LEN=$(echo $INGRESS_JSON | jq -er '.items[] | select(.metadata.name == "node") | .spec.tls[0].hosts[1] | length')
+    if [ $SECOND_HOST_LEN -lt 63 ]; then
+      echo SECOND_HOST_LEN: $SECOND_HOST_LEN
+      echo $INGRESS_JSON
+      exit 1
+    fi
+  register: result
+  retries: 30
+  delay: 10
+  until: result.rc == 0
+- name: >
+    {{ testname }} - Check if {{ ingress }} ingress of namespace
+    {{ project }}-{{ lagoon_environment }} has the short-router-url in TLS hosts
+  debug: msg="Success!!!"
diff --git a/tests/tests/features-kubernetes.yaml b/tests/tests/features-kubernetes.yaml
@@ -26,6 +26,17 @@
     project: ci-features-{{ lookup('env','CLUSTER_TYPE') }}
     branch: ingress-annotations
 
+- include: features/short-router-url.yaml
+  vars:
+    testname: "SHORT ROUTER URL {{ lookup('env','CLUSTER_TYPE')|upper }}"
+    git_repo_name: features.git
+    project: ci-features-{{ lookup('env','CLUSTER_TYPE') }}
+    branch: short-router-url-from-a-very-long-environment-name-like-this
+    # lagoon_environment is truncated for very long branches.
+    # See commons/src/tasks.ts
+    lagoon_environment: short-router-url-from-a-very-l-ebe8
+    check_url: "http://node.{{ project | regex_replace('_', '-') }}.{{ branch | regex_replace('/', '-') }}.{{ lookup('env','ROUTE_SUFFIX_HTTP') }}:{{ lookup('env','ROUTE_SUFFIX_HTTP_PORT') }}"
+
 - include: features/namespace-labels.yaml
   vars:
     testname: "NAMESPACE LABELS {{ lookup('env','CLUSTER_TYPE')|upper }}"

diff --git a/tests/tests/features/short-router-url.yaml b/tests/tests/features/short-router-url.yaml
@@ -0,0 +1,48 @@
+
+- name: "{{ testname }} - init git, add files, commit, git push"
+  hosts: localhost
+  serial: 1
+  vars:
+    git_files: "features/"
+  tasks:
+  - include: ../../tasks/git-init.yaml
+  - include: ../../tasks/git-add-commit-push.yaml
+
+- name: "{{ testname }} - api deployEnvironmentBranch on {{ project }}"
+  hosts: localhost
+  serial: 1
+  vars:
+    branch: "{{ branch }}"
+    project: "{{ project }}"
+  tasks:
+  - include: ../../tasks/api/deploy-no-sha.yaml
+
+- name: >
+    {{ testname }} - check that the auto-generated ingress has the
+    short-router-url
+  hosts: localhost
+  serial: 1
+  vars:
+    branch: "{{ branch }}"
+    project: "{{ project }}"
+    lagoon_environment: "{{ lagoon_environment }}"
+  tasks:
+  - include: ../../checks/check-auto-generated-ingress-short-router-url.yaml
+
+- name: "{{ testname }} - api deleteEnvironment on {{ project }}, which should remove all resources"
+  hosts: localhost
+  serial: 1
+  vars:
+    project: "{{ project }}"
+    branch: "{{ branch }}"
+  tasks:
+  - include: ../../tasks/api/remove.yaml
+
+- name: "{{ testname }} - check if site for {{ project }} does not exist anymore"
+  hosts: localhost
+  serial: 1
+  vars:
+    url: "{{ check_url }}"
+    expected_returncode: "{{ lookup('env','DELETED_STATUS_CODE') }}"
+  tasks:
+  - include: ../../checks/check-url-returncode.yaml