Use certs which expire in 3022 for cluster fixtures
What does this MR do and why?
These tests have used certs which expired in 1 year and this has caused two previous master-broken incidents:
This change updates the fixtures to use custom-generated CA certificates which expire in 3022. This should be sufficiently long enough to outlive the cluster integration.
X.509 metadata:
$ openssl x509 -in spec/fixtures/clusters/intermediate_certificate.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c4:d5:d2:27:87:9e:0d:bf
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=San Francisco, L=California, O=GitLab (Test), CN=Test Root CA
Validity
Not Before: Nov 20 23:37:42 2022 GMT
Not After : Mar 23 23:37:42 3022 GMT
Subject: C=US, ST=San Francisco, L=California, O=GitLab (Test), CN=Test Intermediate CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -in spec/fixtures/clusters/leaf_certificate.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b2:38:d1:0c:86:33:3f:80
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=San Francisco, L=California, O=GitLab (Test), CN=Test Intermediate CA
Validity
Not Before: Nov 21 00:03:16 2022 GMT
Not After : Mar 24 00:03:16 3022 GMT
Subject: C=US, ST=San Francisco, L=California, O=GitLab (Test), CN=Test Leaf Cert
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:test.example.com
Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -in spec/fixtures/clusters/root_certificate.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c3:13:59:39:cb:56:36:70
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=San Francisco, L=California, O=GitLab (Test), CN=Test Root CA
Validity
Not Before: Nov 20 23:23:08 2022 GMT
Not After : Mar 23 23:23:08 3022 GMT
Subject: C=US, ST=San Francisco, L=California, O=GitLab (Test), CN=Test Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Brian Williams
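The failure mode this MR addresses can be reproduced in memory. The following is an added example, not code from the merge request or from GitLab: it builds a root, intermediate and leaf chain with the same extensions as the fixtures above, verifies it at a chosen point in time, and lists certificates that expire within a given horizon. The helper names (`issue`, `chain_valid?`, `expiring`), the subject names and the dates are constructed for illustration.

```ruby
require "openssl"

# Hypothetical helper: issue a cert for `cn`, signed by `issuer` (self-signed when nil).
# Subject names and dates are constructed test values, not the fixture's.
def issue(cn, issuer: nil, ca: false, not_after: Time.utc(3022, 3, 23))
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = OpenSSL::X509::Name.parse("/O=Example (Test)/CN=#{cn}")
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.utc(2022, 11, 20)
  cert.not_after  = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[:cert] : cert
  if ca # same extensions the CA fixtures carry
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyCertSign,cRLSign", true))
  else
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:test.example.com"))
  end
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new("SHA256"))
  { cert: cert, key: key }
end

# Verify leaf -> intermediates -> root as of time `at`.
def chain_valid?(leaf, intermediates, root, at: Time.now)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.time = at
  store.verify(leaf, intermediates)
end

# Subjects of certs that expire within `horizon_days` of `now`.
def expiring(certs, horizon_days:, now: Time.now)
  certs.select { |c| c.not_after < now + horizon_days * 86_400 }.map { |c| c.subject.to_s }
end

ROOT  = issue("Test Root CA", ca: true)
INTER = issue("Test Intermediate CA", issuer: ROOT, ca: true)
LEAF  = issue("Test Leaf Cert", issuer: INTER)
# A leaf with the one-year lifetime the old fixtures had.
SHORT = issue("Short Leaf", issuer: INTER, not_after: Time.utc(2023, 11, 20))
```

Running `expiring` over the PEM files in a fixtures directory (loaded with `OpenSSL::X509::Certificate.new(File.read(path))`) gives a CI check that reports a short-lived fixture before it breaks the pipeline.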