Breno Caetano created FLINK-39216:
-------------------------------------
Summary: [Kubernetes Operator] Add PKCS12 profile option for webhook certificate to support FIPS environments
Key: FLINK-39216
URL: https://issues.apache.org/jira/browse/FLINK-39216
Project: Flink
Issue Type: Improvement
Components: Kubernetes Operator
Affects Versions: 1.14.0
Reporter: Breno Caetano
h2. Summary
Add a new Helm value {{webhook.keystore.pkcs12Profile}} so users can configure the PKCS12 encryption profile for the webhook certificate. This is required in FIPS-compliant environments, where the default encryption algorithm (3DES) is not supported.
h2. Problem
When using cert-manager FIPS images, the Flink Operator webhook Certificate fails to renew because the chart creates PKCS12 keystores without specifying a {{profile}}. cert-manager then defaults to {{LegacyDES}} (3DES encryption), which is not FIPS-compliant.
*Error observed:*
{code}
E0213 18:03:17.750375 1 controller.go:157] "re-queuing item due to error processing" err="failed to add keystores to Secret: error encoding PKCS12 bundle: pkcs12: error encrypting PKCS#8 shrouded key bag: crypto/cipher: unsupported cipher: DES3" logger="cert-manager.controller"
{code}
h2. Root Cause
In {{helm/flink-kubernetes-operator/templates/webhook.yaml}}, the Certificate is created with:
{code:yaml}
keystores:
  pkcs12:
    create: true
    passwordSecretRef:
      name: flink-operator-webhook-secret
      key: password
{code}
No {{profile}} is specified, so cert-manager uses the default {{LegacyDES}} profile, which uses 3DES encryption. FIPS-compliant cert-manager images block this algorithm.
h2. Proposed Solution
Add a new optional Helm value that allows users to specify the PKCS12 profile:
{code:yaml}
webhook:
  keystore:
    pkcs12Profile: "Modern2023"  # Options: Modern2023, LegacyDES, LegacyRC2
{code}
h3. Available profiles
|| Profile || Algorithm || FIPS Compliant || Compatibility ||
| {{Modern2023}} | AES-256-CBC | Yes | Java 8u301+, Java 11+, OpenSSL 3.x |
| {{LegacyDES}} | 3DES | No | Wide compatibility (default) |
| {{LegacyRC2}} | RC2-40 | No | Legacy systems |
h2. Changes Required
# *helm/flink-kubernetes-operator/values.yaml*: Add the {{webhook.keystore.pkcs12Profile}} option
# *helm/flink-kubernetes-operator/templates/webhook.yaml*: Add a conditional {{profile}} field in the Certificate spec
# *docs/content/docs/operations/helm.md*: Add documentation for the new parameter
h2. Workaround
Until this is fixed, users can patch the Certificate manually:
{code:bash}
kubectl patch certificate flink-operator-serving-cert -n flink-operator \
  --type=merge \
  -p '{"spec":{"keystores":{"pkcs12":{"profile":"Modern2023"}}}}'
{code}
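As an added example (not part of this issue or of the operator chart), the following script audits the output of {{kubectl get certificates -A -o json}} for Certificates that request a PKCS12 keystore but would be encoded with a non-FIPS profile, i.e. the root cause above, and prints the merge-patch workaround for each one. The {{keystores_spec}} helper mirrors the conditional template behaviour proposed in this issue (profile key emitted only when configured); the Certificate list it audits is constructed here, not captured from a cluster.

```python
"""Audit cert-manager Certificate objects for PKCS12 keystores that FIPS builds
of cert-manager cannot encode: profile omitted (-> LegacyDES / 3DES) or LegacyRC2.

Input is the JSON printed by `kubectl get certificates -A -o json`. The sample
at the bottom is constructed for this example, not taken from a real cluster.
"""
import json

# Profile names documented by cert-manager; only Modern2023 (AES-256-CBC) is
# usable where 3DES and RC2 are blocked.
FIPS_OK_PROFILES = {"Modern2023"}
# cert-manager falls back to this profile when spec.keystores.pkcs12.profile is unset.
DEFAULT_PROFILE = "LegacyDES"


def keystores_spec(profile=None, secret_name="flink-operator-webhook-secret"):
    """Build the keystores block the way a conditional Helm template would:
    the profile key is present only when a value is configured.
    Assumption: this mirrors the proposed chart change; it is not chart code."""
    pkcs12 = {
        "create": True,
        "passwordSecretRef": {"name": secret_name, "key": "password"},
    }
    if profile:
        pkcs12["profile"] = profile
    return {"pkcs12": pkcs12}


def check_certificate(cert):
    """Return a finding dict for one Certificate object, or None if it is fine."""
    meta = cert.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    pkcs12 = (cert.get("spec", {}).get("keystores") or {}).get("pkcs12") or {}
    if not pkcs12.get("create"):
        return None  # no PKCS12 keystore requested, so nothing is encrypted with 3DES
    profile = pkcs12.get("profile")
    effective = profile or DEFAULT_PROFILE
    if effective in FIPS_OK_PROFILES:
        return None
    return {
        "certificate": name,
        "configured_profile": profile,  # None means the field is absent
        "effective_profile": effective,
        "reason": ("profile omitted, cert-manager defaults to LegacyDES (3DES)"
                   if not profile else f"profile {profile} uses a non-FIPS cipher"),
    }


def audit_certificates(kubectl_json):
    """Audit a single Certificate or a kubectl List of them; return the findings."""
    doc = json.loads(kubectl_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = [check_certificate(c) for c in items if c.get("kind") == "Certificate"]
    return [f for f in findings if f is not None]


def merge_patch(profile="Modern2023"):
    """JSON merge patch that sets the profile, as used by the kubectl workaround."""
    body = {"spec": {"keystores": {"pkcs12": {"profile": profile}}}}
    return json.dumps(body, separators=(",", ":"))


# Constructed sample of what `kubectl get certificates -A -o json` could return.
SAMPLE_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "Certificate",
         "metadata": {"name": "flink-operator-serving-cert", "namespace": "flink-operator"},
         "spec": {"keystores": keystores_spec()}},             # profile absent -> 3DES
        {"kind": "Certificate",
         "metadata": {"name": "ingress-tls", "namespace": "web"},
         "spec": {"keystores": keystores_spec("Modern2023")}},  # AES-256-CBC, fine
        {"kind": "Certificate",
         "metadata": {"name": "legacy-app", "namespace": "apps"},
         "spec": {"keystores": keystores_spec("LegacyRC2")}},   # RC2-40, flagged
        {"kind": "Certificate",
         "metadata": {"name": "plain-tls", "namespace": "apps"},
         "spec": {"secretName": "plain-tls"}},                   # no keystores at all
    ],
})

if __name__ == "__main__":
    for finding in audit_certificates(SAMPLE_LIST):
        ns, name = finding["certificate"].split("/", 1)
        print(f"{finding['certificate']}: {finding['reason']}")
        print(f"  kubectl patch certificate {name} -n {ns} --type=merge -p '{merge_patch()}'")
```

Run against real cluster output with {{kubectl get certificates -A -o json | python3 audit.py}} after replacing {{SAMPLE_LIST}} with {{sys.stdin.read()}}; the emitted patch is exactly the workaround command from this issue, so it can be applied per finding until the chart exposes the profile value.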
h2. References
* cert-manager PKCS12 profiles: https://cert-manager.io/docs/usage/certificate/
* go-pkcs12 documentation: https://pkg.go.dev/software.sslmate.com/src/go-pkcs12
--
This message was sent by Atlassian Jira
(v8.20.10#820010)