Skip to content

Bug 1797107: config/v1/types_proxy: Clarify trustedCA semantics #582

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-robot merged 1 commit into from
Jan 31, 2020
Merged

Bug 1797107: config/v1/types_proxy: Clarify trustedCA semantics #582

openshift-merge-robot merged 1 commit into from
Jan 31, 2020

Conversation

@wking
Copy link
Member

@wking wking commented Jan 31, 2020
edited
Loading

Logic for merging with the "system" trust store is here. We might want to optionally relax that in the future, but it's not clear to me what the API change associated with that relaxation would look like.

To motivate the "may" for the non-proxy case:

@openshift-ci-robot openshift-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jan 31, 2020
@wking wking force-pushed the proxy-trust-details branch from 331b7ac to 0bbb031 Compare January 31, 2020 21:44
@bparees
Copy link
Contributor

bparees commented Jan 31, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jan 31, 2020
@wking wking mentioned this pull request Jan 31, 2020
Merged
@wking wking force-pushed the proxy-trust-details branch from 0bbb031 to 830aa0e Compare January 31, 2020 22:01
@openshift-ci-robot openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Jan 31, 2020
@bparees
Copy link
Contributor

bparees commented Jan 31, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jan 31, 2020
@wking wking force-pushed the proxy-trust-details branch from 830aa0e to 1161fae Compare January 31, 2020 22:09
@openshift-ci-robot openshift-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 31, 2020
@wking wking changed the title config/v1/types_proxy: Clarify trustedCA semantics Bug 1797107: config/v1/types_proxy: Clarify trustedCA semantics Jan 31, 2020
@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Jan 31, 2020
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 31, 2020

@wking: This pull request references Bugzilla bug 1797107, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Bug 1797107: config/v1/types_proxy: Clarify trustedCA semantics

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@wking
config/v1/types_proxy: Clarify trustedCA semantics
60d997e 
Logic for merging with the "system" trust store is [1].  We might want
to optionally relax that in the future [2], but it's not clear to me
what the API change associated with that relaxation would look like.

To motivate the "may" for the non-proxy case:

* Here's the registry calling for the merged CA bundle to get injected
  [3] and dropping it into its system store [4].  That means the
  merged CA bundle will be used for all connections from that registry
  container, regardless of whether they are intended for the proxy or
  not (e.g. via a NO_PROXY environment variable [5,6]).

* The cluster-version operator loads the proxy transport directly from
  the Proxy object [7,8].  This is probably a CVO bug, because as the
  docs I'm touching here say, reading the Proxy's trustedCA directly
  (like [9]) is frowned on.  But regardless, It then appends its own
  system cert pool locally [10], and uses the resulting transport when
  retrieving image signatures [11,12] and Cincinnati graphs [13].  It
  does not use the additional proxy CAs for other HTTPS, e.g. talking
  to the Kubernetes API.

[1]: https://github.com/openshift/cluster-network-operator/blob/4175354bbe5d12273d4f877f64478127e9d2777f/pkg/controller/proxyconfig/validation.go#L95-L109
[2]: https://github.com/openshift/enhancements/blame/14b2d1a262dc8520603eaec1910aabf5f2d0115f/enhancements/proxy/global-cluster-egress-proxy.md#L208-L211
[3]: https://github.com/openshift/cluster-image-registry-operator/blob/75e8e851700add9c847190fb228d2e702b2af2e8/manifests/04-ca-trusted.yaml#L5-L8
[4]: https://github.com/openshift/cluster-image-registry-operator/blob/75e8e851700add9c847190fb228d2e702b2af2e8/manifests/07-operator.yaml#L87-L97
[5]: https://github.com/openshift/cluster-image-registry-operator/blob/75e8e851700add9c847190fb228d2e702b2af2e8/manifests/07-operator.yaml#L8
[6]: https://github.com/openshift/enhancements/blame/14b2d1a262dc8520603eaec1910aabf5f2d0115f/enhancements/proxy/global-cluster-egress-proxy.md#L155-L156
[7]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/cvo/cvo.go#L749-L765
[8]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/cvo/availableupdates.go#L201-L223
[9]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/cvo/availableupdates.go#L219
[10]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/cvo/availableupdates.go#L238
[11]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/cvo/cvo.go#L728-L738
[12]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/verify/verify.go#L277
[13]: https://github.com/openshift/cluster-version-operator/blob/27c4671aa0cbfbbf20324cf06145b44ec2bca45e/pkg/cvo/availableupdates.go#L43-L48
@wking wking force-pushed the proxy-trust-details branch from 1161fae to 60d997e Compare January 31, 2020 22:15
@bparees
Copy link
Contributor

bparees commented Jan 31, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jan 31, 2020
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 31, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees, wking

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit f2a771e into openshift:master Jan 31, 2020
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 31, 2020

@wking: All pull requests linked via external trackers have merged. Bugzilla bug 1797107 has been moved to the MODIFIED state.

Details

In response to this:

Bug 1797107: config/v1/types_proxy: Clarify trustedCA semantics

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@wking wking mentioned this pull request Feb 1, 2020
Closed
@wking wking deleted the proxy-trust-details branch February 5, 2020 01:17
danwinship added a commit to danwinship/cluster-kube-controller-manager-operator that referenced this pull request Mar 2, 2020
@danwinship
bump: openshift/api
aead715 
In particular, to get

openshift/api#585: config: disable IPv6DualStack feature flag

so we don't launch kube-controller-manager with that (still-broken) feature

Also includes:

openshift/api#557: create the IBMCLoudPlatform type for the ingress operator try2
openshift/api#570: Clarify image config doc
openshift/api#569: Enable overriding service account issuer for bound tokens
openshift/api#527: Add kubebuilder annotations to the network types
openshift/api#574: add deprecaction notice for build pipeline strategy
openshift/api#582: config/v1/types_proxy: Clarify trustedCA semantics
openshift/api#583: Clarify FROM behavior in builds
openshift/api#573: Add CRD generator documentation to Readme
openshift/api#576: Remove Description from CLI output to improve its display
openshift/api#589: Add missing enum validations
openshift/api#583: operator/ingress: add dnsrecord type
@danwinship danwinship mentioned this pull request Mar 2, 2020
Closed
soltysh added a commit to soltysh/cluster-kube-controller-manager-operator that referenced this pull request Mar 4, 2020
@soltysh
bump: openshift/api
225eeed 
In particular, to get

openshift/api#585: config: disable IPv6DualStack feature flag

so we don't launch kube-controller-manager with that (still-broken) feature

Also includes:

openshift/api#557: create the IBMCLoudPlatform type for the ingress operator try2
openshift/api#570: Clarify image config doc
openshift/api#569: Enable overriding service account issuer for bound tokens
openshift/api#527: Add kubebuilder annotations to the network types
openshift/api#574: add deprecaction notice for build pipeline strategy
openshift/api#582: config/v1/types_proxy: Clarify trustedCA semantics
openshift/api#583: Clarify FROM behavior in builds
openshift/api#573: Add CRD generator documentation to Readme
openshift/api#576: Remove Description from CLI output to improve its display
openshift/api#589: Add missing enum validations
openshift/api#583: operator/ingress: add dnsrecord type
@soltysh soltysh mentioned this pull request Mar 4, 2020
Merged
soltysh added a commit to soltysh/cluster-kube-controller-manager-operator that referenced this pull request Mar 6, 2020
@soltysh
bump: openshift/api
cc7de31 
In particular, to get

openshift/api#585: config: disable IPv6DualStack feature flag

so we don't launch kube-controller-manager with that (still-broken) feature

Also includes:

openshift/api#557: create the IBMCLoudPlatform type for the ingress operator try2
openshift/api#570: Clarify image config doc
openshift/api#569: Enable overriding service account issuer for bound tokens
openshift/api#527: Add kubebuilder annotations to the network types
openshift/api#574: add deprecaction notice for build pipeline strategy
openshift/api#582: config/v1/types_proxy: Clarify trustedCA semantics
openshift/api#583: Clarify FROM behavior in builds
openshift/api#573: Add CRD generator documentation to Readme
openshift/api#576: Remove Description from CLI output to improve its display
openshift/api#589: Add missing enum validations
openshift/api#583: operator/ingress: add dnsrecord type
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@abhinavdahiya abhinavdahiya Awaiting requested review from abhinavdahiya

@adambkaplan adambkaplan Awaiting requested review from adambkaplan

Assignees

@bparees bparees

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@wking @bparees @openshift-ci-robot @openshift-merge-robot