Additional trust bundle #1152
Additional trust bundle #1152
Conversation
openshift-ci-robot
added
the
needs-ok-to-test
|
Hi @Avielyo10. Thanks for your PR. I'm waiting for a openshift-metal3 member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
ocp_install_env.sh
Outdated
| if [ ! -z "$ADDITIONAL_TRUST_BUNDLE" ]; then | ||
| cat <<EOF | ||
| additionalTrustBundle: | | ||
| $(echo ${ADDITIONAL_TRUST_BUNDLE} | sed -e ':a;N;$!ba;s/\n/\n /g') |
There was a problem hiding this comment.
This will create a duplicate section when image_mirror_config is called (when MIRROR_IMAGES or ipv6 is specified), we'll need some way to merge the content.
There was a problem hiding this comment.
Why duplicated?does image_mirror_config adds this section?
There was a problem hiding this comment.
Yes exactly, it already adds this section https://github.com/openshift-metal3/dev-scripts/blob/master/utils.sh#L331
|
Thanks for the PR @Avielyo10 - I made a comment since we do already configure this when using a local registry, can you add this additional var in a way that's compatible with that please? Also interested to understand the reason this is needed, can you expand on what you're testing at all? |
|
@hardys We are testing OCP deployment & upgrades with our operators, so instead of deploying the cluster and then Adding the certs and waiting for the MC to finish we can do it in one shot |
When MIRROR_IMAGES is set or when using ipv6 (this is always true for ipv6) additionalTrustBundle section gets created, so give precedence to MIRROR_IMAGES CA
|
@hardys Please review :) |
|
/ok-to-test |
openshift-ci-robot
added
ok-to-test
|
/label tide/merge-method-squash |
openshift-ci-robot
added
the
tide/merge-method-squash
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hardys The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
@hardys @dhellmann @zaneb Can this get /lgtm? |
|
/lgtm |
| # PEM-encoded X.509 certificate bundle that will be added to the nodes' trusted | ||
| # certificate store. This trust bundle may also be used when a proxy has | ||
| # been configured. | ||
| # export ADDITIONAL_TRUST_BUNDLE=$(cat ca) |
There was a problem hiding this comment.
If we're expecting this to start as a file, and we need it as a stream, it seems a little odd to be passing around the contents (rather than just the filename) in an environment variable.
There was a problem hiding this comment.
@zaneb I believe you are right, I'll work to fix this
| cat <<EOF | ||
| $(echo ${ADDITIONAL_TRUST_BUNDLE} | awk '{ print " ", $0 }') | ||
| EOF | ||
| fi |
There was a problem hiding this comment.
A less complicated version of this function:
if [ -n "${ADDITIONAL_TRUST_BUNDLE}" ]; then
if [ -z "${MIRROR_IMAGES}" ]; then
echo "additionalTrustBundle: |"
fi
echo "${ADDITIONAL_TRUST_BUNDLE}" | awk '{ print " ", $0 }'
fi
This reverts commit 1e82cb5.
* Simplify additional_trust_bundle() * Pass ca via path instead of via env vars Improve readability Fix loca-bmo script (openshift-metal3#1144) (openshift-metal3#1084) Co-authored-by: Andrea Fasano <60063538+andfasano@users.noreply.github.com> Fix incorrect group name (openshift-metal3#1155) `whoami` does not always match the group name for the user. Use `id -gn` to set the group name properly. Also create GROUP environment variable and replace USER where appropriate for chown commands. Signed-off-by: Melvin Hillsman <mrhillsman@redhat.com> Additional trust bundle (openshift-metal3#1152) * Adding the option to add certs to install-config.yaml * Add ADDITIONAL_TRUST_BUNDLE to the config_example.sh * Avoid additionalTrustBundle duplication & move from sed to awk When MIRROR_IMAGES is set or when using ipv6 (this is always true for ipv6) additionalTrustBundle section gets created, so give precedence to MIRROR_IMAGES CA * In case MIRROR_IMAGES is set, concat ADDITIONAL_TRUST_BUNDLE Co-authored-by: Aviel Yosef <ayosef@redhat.com> Account for podman version < 2.0.0 (openshift-metal3#1151) The default for CentOS 8 is 1.6.4 which does not support units in `podman wait -i`. Add a version check to support both. Follow-up to commit 42af610. Update version detection and make dnsVIP conditional (openshift-metal3#1146) * Store local copy of release info We retrive this several times, so caching locally will be faster, and also provides a useful reference for debugging * Replace OPENSHIFT_VERSION reference with function This variable isn't always set, in particular in CI, so instead of relying on it, we can use a new openshift_version function which derives the version from the locally cached release info. * Only specify dnsVIP for < 4.5 This was removed in openshift/installer#3304
6 participants
Adding the option to add certificate bundle that will be added to the nodes' trusted certificate store.