create self-signed crt if failing to read default

Ingress operator manages and exposes a default certificate for Router.
A default certificate is used if the route does not provide one, or a
request is made for a non matching route.

Current approach uses a hardcoded certificate in the router image, which
should lead to image scanners reporting the storage of its private key.

This implementation removes the hardcoded certificate, as well as the
template code that ensures a default certificate is provided. In the Go
code side, we are ensuring that the default certificate is provided
somehow, either by serving the certificate provided by the operator,
or in the case of a failure, using a self-signed certificate created on
the fly.

https://issues.redhat.com/browse/OCPBUGS-77263

Author: jcmoraisjr

images/router/haproxy/conf/default_pub_keys.pem

@@ -339,7 +339,7 @@ frontend fe_sni
   # terminate ssl on edge
   bind unix@/var/lib/haproxy/run/haproxy-sni.sock ssl
   {{- if isTrue (env "ROUTER_STRICT_SNI") }} strict-sni {{ end }}
-    {{- "" }} crt {{firstMatch ".+" .DefaultCertificate "/var/lib/haproxy/conf/default_pub_keys.pem" }}
+    {{- "" }} crt {{ .DefaultCertificate }}
     {{- "" }} crt-list /var/lib/haproxy/conf/cert_config.map accept-proxy
     {{- with (env "ROUTER_MUTUAL_TLS_AUTH") }}
       {{- "" }} verify {{. }}
@@ -455,7 +455,7 @@ backend be_no_sni
 
 frontend fe_no_sni
   # terminate ssl on edge
-  bind unix@/var/lib/haproxy/run/haproxy-no-sni.sock ssl crt {{ firstMatch ".+" .DefaultCertificate "/var/lib/haproxy/conf/default_pub_keys.pem" }} accept-proxy
+  bind unix@/var/lib/haproxy/run/haproxy-no-sni.sock ssl crt {{ .DefaultCertificate }} accept-proxy
     {{- with (env "ROUTER_MUTUAL_TLS_AUTH") }}
       {{- "" }} verify {{. }}
       {{- if (ne (env "ROUTER_MUTUAL_TLS_AUTH_CRL") "") }}

images/router/haproxy/conf/haproxy-config.template

@@ -166,7 +166,10 @@ func NewTemplatePlugin(cfg TemplatePluginConfig, lookupSvc ServiceLookup) (*Temp
 		httpRequestHeaders:            cfg.HTTPRequestHeaders,
 	}
 	router, err := newTemplateRouter(templateRouterCfg)
-	return newDefaultTemplatePlugin(router, cfg.IncludeUDP, lookupSvc), err
+	if err != nil {
+		return nil, err
+	}
+	return newDefaultTemplatePlugin(router, cfg.IncludeUDP, lookupSvc), nil
 }
 
 // Stop instructs the router plugin to stop invoking the reload method, and waits until no further

pkg/router/template/plugin.go

@@ -415,13 +415,25 @@ func (r *templateRouter) writeDefaultCert() error {
 			// Just use the provided path
 			return nil
 		}
+
+		// Use the custom file name, to be created below, either with a
+		// self signed certificate or one read from the certificate dir.
+		r.defaultCertificatePath = outPath
+
+		// There is no default cert path as well. If cert dir is also missing ...
+		if len(r.defaultCertificateDir) == 0 {
+			// ... use the self signed certificate. Finish here since it won't be updated during the router lifecycle.
+			return generateSelfSignedCert(outPath)
+		}
+
+		// Use certificate from the provided dir, and return (finishes the process) in case of a failure.
+		// This differs from previous versions: previously we were defaulting to the self signed one,
+		// now we enforce that provided certificates should be valid.
 		if err := secretToPem(r.defaultCertificateDir, outPath); err != nil {
-			log.Error(err, "failed to write default cert")
-			// no pem file, no default cert, use cert from container
-			log.V(0).Info("using default cert from router container image")
-		} else {
-			r.defaultCertificatePath = outPath
+			return fmt.Errorf("failed to write default cert: %w", err)
 		}
+
+		// watching for changes
 		reloadFn := func() {
 			log.V(0).Info("updating default certificate", "path", outPath)
 			os.Remove(outPath)

pkg/router/template/router.go

@@ -0,0 +1,59 @@
+package templaterouter
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"math/big"
+	"os"
+	"time"
+)
+
+func generateSelfSignedCert(outputFile string) error {
+	const cn = "openshift-router"
+	san := "localhost"
+	if domain := os.Getenv("ROUTER_DOMAIN"); domain != "" {
+		san = "*." + domain
+	}
+	crt, key, err := createX509Certificate(cn, san)
+	if err != nil {
+		return fmt.Errorf("error creating self-signed certificate: %w", err)
+	}
+	return os.WriteFile(outputFile, append(crt, key...), 0600)
+}
+
+func createX509Certificate(cn string, san ...string) (crtpem, keypem []byte, err error) {
+	serial, err := rand.Int(rand.Reader, big.NewInt(1<<63-1))
+	if err != nil {
+		return nil, nil, err
+	}
+	notBefore := time.Now().Add(-time.Hour)
+	notAfter := notBefore.Add(3652 * 24 * time.Hour) // 10y
+	template := x509.Certificate{
+		SerialNumber: serial,
+		Subject: pkix.Name{
+			CommonName: cn,
+		},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		DNSNames:              san,
+	}
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, nil, err
+	}
+	crtder, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
+	if err != nil {
+		return nil, nil, err
+	}
+	keyder := x509.MarshalPKCS1PrivateKey(priv)
+	crtpem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: crtder})
+	keypem = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: keyder})
+	return crtpem, keypem, nil
+}