
@lobziik (Contributor) commented Oct 11, 2021

Separate controller for syncing the user-defined CA bundle (seed doc: https://docs.openshift.com/container-platform/4.8/networking/configuring-a-custom-pki.html#nw-proxy-configure-object_configuring-a-custom-pki) to the CCM namespace, merging it with the FCOS system bundle for use in CCM as the trusted CA.

Implementation logic is mostly taken from the cluster-network-operator one.

Notes:

  • cloud-config-sync-controller binary was renamed to config-sync-controllers
  • If user-ca-bundle is invalid, only the system one will be used.
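The merge-with-fallback behaviour the description and notes above spell out, as an added Go example that is not the PR's own code: validateBundle, mergeTrustBundles and selfSignedPEM are names chosen here, and the certificates are generated in-process as constructed test data rather than read from the system trust store or a config map.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// validateBundle accepts only PEM made entirely of parsable CERTIFICATE blocks; returns the count.
func validateBundle(bundle []byte) (n int, err error) {
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if _, err = x509.ParseCertificate(b.Bytes); b.Type != "CERTIFICATE" || err != nil {
			return 0, fmt.Errorf("bad PEM block %q: %v", b.Type, err)
		}
		n++ // one more good certificate
	}
	if n == 0 {
		err = fmt.Errorf("no certificates found")
	}
	return n, err
}

// mergeTrustBundles emits system+user if the user bundle is valid, else the system bundle alone (as the PR notes say).
func mergeTrustBundles(system, user []byte) ([]byte, bool, error) {
	if _, err := validateBundle(system); err != nil {
		return nil, false, fmt.Errorf("system trust bundle: %w", err)
	}
	if _, err := validateBundle(user); err != nil {
		return system, false, nil // a broken user bundle must not cut off cloud access
	}
	merged := bytes.Join([][]byte{bytes.TrimSpace(system), bytes.TrimSpace(user)}, []byte("\n"))
	return append(merged, '\n'), true, nil
}

// selfSignedPEM makes a throwaway self-signed CA so the example runs offline (constructed data).
func selfSignedPEM(cn string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail on a working host
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

The second return value tells a caller (or a status condition) whether the user CAs actually made it into the published bundle, which is what an operator would want to surface when the fallback path is taken.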

@lobziik (Contributor, Author) commented Oct 12, 2021

/cc @JoelSpeed @elmiko

@openshift-ci openshift-ci bot requested review from JoelSpeed and elmiko October 12, 2021 11:20
@JoelSpeed (Contributor) left a comment

Looks good! I've added some stylistic Go idiom stuff, but otherwise nothing to add. Very nitty review, sorry 😅 Please swap all the Expect(err).To(Succeed()) for Expect(err).NotTo(HaveOccurred())

Client: mgr.GetClient(),
Scheme: mgr.GetScheme(),
Recorder: mgr.GetEventRecorderFor("cloud-controller-manager-operator-config-sync-controller"),
Recorder: mgr.GetEventRecorderFor("cloud-controller-manager-operator-cloud-config-sync-controllers"),
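Review bot: the recorder name on the added line, "cloud-controller-manager-operator-cloud-config-sync-controllers", keeps the old "cloud-config-sync" prefix although the PR notes rename the binary to config-sync-controllers; derive the event recorder name from the new binary name so that events emitted by this binary are attributable to the right component.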
Contributor

"cloud-controller-manager-operator-config-sync-controllers"


return systemTrustBundlePath
}

func (r *TrustedCABundleReconciler) getSystemTrustBundle() ([]byte, error) {
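Review bot: getSystemTrustBundle returns raw bytes, and the PR notes say an invalid user-ca-bundle makes the controller fall back to the system bundle alone; make sure the bytes read here are themselves validated (PEM-decoded and parsed as certificates) and that an empty or unreadable result is returned as an error rather than passed on, otherwise the fallback path could publish an empty trust bundle into the CCM namespace.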
Contributor

I just wonder if we can cache these bytes somewhere. I'm sure that the system trust bundle won't be changed, but decoding that every time is resource-intensive.
Not necessary to do it right now, it's just an idea.

@Fedosin (Contributor) commented Oct 12, 2021

/retest

Comment on lines +58 to +60
- name: trusted-ca
mountPath: /etc/pki/ca-trust/extracted/pem
readOnly: true
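Review bot: mounting the config map at /etc/pki/ca-trust/extracted/pem overlays the container's system trust directory, so what is published there must always be the full merged bundle (system plus user CAs) as the PR description intends; if the config map only ever held the user CAs, the CCM would lose trust in the cloud provider's public endpoints. readOnly: true is the right setting for a trust store the workload must not be able to alter.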
Contributor

Does this need to be marked optional?

Contributor Author

I don't think so, since the system CA will be written to this config map anyway.

@lobziik (Contributor, Author) commented Oct 12, 2021

/retest

@lobziik (Contributor, Author) commented Oct 13, 2021

/test e2e-azure-ccm

@openshift-ci openshift-ci bot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Oct 13, 2021
@lobziik lobziik requested a review from JoelSpeed October 13, 2021 09:53
@lobziik lobziik changed the title User CA bundle sync controller [OCPCLOUD-1306] User CA bundle sync controller Oct 13, 2021
@JoelSpeed (Contributor)

/approve

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 13, 2021
In order to add more similar controllers within this binary,
cloud-config-sync-controller binary renamed to config-sync controller
Introduce separate controller for syncing `user-ca-bundle` from
`openshift-config` namespace to target CCCMO namespace, for using the
user-defined certificate authority during communication with the
cloud provider
openshift-ci bot commented Oct 14, 2021

@lobziik: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                      Commit   Required  Rerun command
ci/prow/e2e-gcp-ccm            d1d1d30  false     /test e2e-gcp-ccm
ci/prow/e2e-openstack-ccm      d1d1d30  false     /test e2e-openstack-ccm
ci/prow/e2e-gcp-ccm-install    d1d1d30  false     /test e2e-gcp-ccm-install
ci/prow/e2e-azure-upgrade      d1d1d30  false     /test e2e-azure-upgrade
ci/prow/e2e-azure-ccm-install  d1d1d30  false     /test e2e-azure-ccm-install
ci/prow/e2e-azure-ccm          d1d1d30  false     /test e2e-azure-ccm


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@lobziik (Contributor, Author) commented Oct 15, 2021

/retest

@Fedosin (Contributor) left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 15, 2021
openshift-ci bot commented Oct 15, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Fedosin, JoelSpeed

The full list of commands accepted by this bot can be found here.

The pull request process is described here


Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 01b73ca into openshift:master Oct 15, 2021
@lobziik lobziik changed the title [OCPCLOUD-1306] User CA bundle sync controller Bug 2015493: [OCPCLOUD-1306] User CA bundle sync controller Oct 19, 2021
openshift-ci bot commented Oct 19, 2021

@lobziik: All pull requests linked via external trackers have merged:

Bugzilla bug 2015493 has been moved to the MODIFIED state.


In response to this:

Bug 2015493: [OCPCLOUD-1306] User CA bundle sync controller


@lobziik (Contributor, Author) commented Oct 19, 2021

/bugzilla-refresh

@lobziik (Contributor, Author) commented Oct 19, 2021

/cherry-pick release-4.9

@openshift-cherrypick-robot

@lobziik: #136 failed to apply on top of branch "release-4.9":

Applying: Rename cloud-config-sync-controller binary to config-sync-controllers
Using index info to reconstruct a base tree...
M	Dockerfile
M	Makefile
M	cmd/cloud-config-sync-controller/main.go
Falling back to patching base and 3-way merge...
Auto-merging cmd/config-sync-controllers/main.go
Auto-merging Makefile
Auto-merging Dockerfile
Applying: Introduce trusted CA sync controller
Using index info to reconstruct a base tree...
M	cmd/config-sync-controllers/main.go
M	pkg/controllers/clusteroperator_controller.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/controllers/clusteroperator_controller.go
CONFLICT (content): Merge conflict in pkg/controllers/clusteroperator_controller.go
Auto-merging cmd/config-sync-controllers/main.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0002 Introduce trusted CA sync controller
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".


In response to this:

/cherry-pick release-4.9

