[
https://issues.apache.org/jira/browse/FLINK-39216?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated FLINK-39216:
-----------------------------------
Labels: pull-request-available (was: )
> [Kubernetes Operator] Add PKCS12 profile option for webhook certificate to
> support FIPS environments
> ----------------------------------------------------------------------------------------------------
>
> Key: FLINK-39216
> URL: https://issues.apache.org/jira/browse/FLINK-39216
> Project: Flink
> Issue Type: Improvement
> Components: Kubernetes Operator
> Affects Versions: 1.14.0
> Reporter: Breno Caetano
> Priority: Major
> Labels: pull-request-available
>
> h2. Summary
> Add a new Helm value {{webhook.keystore.pkcs12Profile}} to allow users to
> configure the PKCS12 encryption profile for the webhook certificate. This is
> required for FIPS-compliant environments where the default encryption
> algorithm (3DES) is not supported.
> h2. Problem
> When using cert-manager FIPS images, the Flink Operator webhook Certificate
> fails to renew because the chart creates PKCS12 keystores without specifying
> a {{profile}}, defaulting to {{LegacyDES}} (3DES encryption), which is not
> FIPS-compliant.
> *Error observed:*
> {code}
> E0213 18:03:17.750375 1 controller.go:157] "re-queuing item due to error processing" err="failed to add keystores to Secret: error encoding PKCS12 bundle: pkcs12: error encrypting PKCS#8 shrouded key bag: crypto/cipher: unsupported cipher: DES3" logger="cert-manager.controller"
> {code}
> h2. Root Cause
> In {{helm/flink-kubernetes-operator/templates/webhook.yaml}}, the
> Certificate is created with:
> {code:yaml}
> keystores:
>   pkcs12:
>     create: true
>     passwordSecretRef:
>       name: flink-operator-webhook-secret
>       key: password
> {code}
> No {{profile}} is specified, so cert-manager uses the default {{LegacyDES}}
> profile which uses 3DES encryption. FIPS-compliant cert-manager images block
> this algorithm.
> h2. Proposed Solution
> Add a new optional Helm value that allows users to specify the PKCS12 profile:
> {code:yaml}
> webhook:
>   keystore:
>     pkcs12Profile: "Modern2023" # Options: Modern2023, LegacyDES, LegacyRC2
> {code}
> h3. Available profiles:
> || Profile || Algorithm || FIPS Compliant || Compatibility ||
> | {{Modern2023}} | AES-256-CBC | Yes | Java 8u301+, Java 11+, OpenSSL 3.x |
> | {{LegacyDES}} | 3DES | No | Wide compatibility (default) |
> | {{LegacyRC2}} | RC2-40 | No | Legacy systems |
> h2. Changes Required
> # *helm/flink-kubernetes-operator/values.yaml*: Add {{webhook.keystore.pkcs12Profile}} option
> # *helm/flink-kubernetes-operator/templates/webhook.yaml*: Add conditional profile field in Certificate spec
> # *docs/content/docs/operations/helm.md*: Add documentation for the new parameter
> h2. Workaround
> Until this is fixed, users can patch the Certificate manually:
> {code:bash}
> kubectl patch certificate flink-operator-serving-cert -n flink-operator \
>   --type=merge \
>   -p '{"spec":{"keystores":{"pkcs12":{"profile":"Modern2023"}}}}'
> {code}
> h2. References
> * cert-manager PKCS12 profiles:
> https://cert-manager.io/docs/usage/certificate/
> * go-pkcs12 documentation:
> https://pkg.go.dev/software.sslmate.com/src/go-pkcs12
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
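The conditional {{profile}} field proposed under "Changes Required", written out as an added Helm example rather than the operator chart's own code. It assumes the value name from the issue and the Certificate name {{flink-operator-serving-cert}} from the workaround; the Certificate's {{secretName}}, {{issuerRef}} and {{dnsNames}} are omitted because the issue does not show them.

```yaml
# --- values.yaml (added example; value name as proposed in the issue) ---
webhook:
  keystore:
    # Empty string keeps cert-manager's default profile (LegacyDES, i.e. 3DES),
    # which FIPS-built cert-manager images reject. Set "Modern2023" (AES-256-CBC)
    # on those images; the consumer (Java 8u301+/11+, OpenSSL 3.x) must be able
    # to read an AES-encrypted PKCS#12.
    pkcs12Profile: "Modern2023"

---
# --- templates/webhook.yaml fragment (structure assumed; only keystores shown) ---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: flink-operator-serving-cert
spec:
  # secretName, issuerRef and dnsNames come from the real chart and are omitted here.
  keystores:
    pkcs12:
      create: true
      passwordSecretRef:
        name: flink-operator-webhook-secret
        key: password
      {{- if .Values.webhook.keystore.pkcs12Profile }}
      # Rendered only when the value is set, so installs that do not opt in
      # keep today's behaviour and cert-manager's default profile.
      profile: {{ .Values.webhook.keystore.pkcs12Profile | quote }}
      {{- end }}
```

To confirm the change took effect after the Certificate is re-issued, decode the `keystore.p12` entry of the webhook Secret and run `openssl pkcs12 -info -noout` on it: the shrouded key bag should report PBES2 with AES-256-CBC instead of pbeWithSHA1And3-KeyTripleDES-CBC.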