Bug 1826183: Sync proxy CA to openshift-controller-manager #162
Conversation
openshift-ci-robot
added
do-not-merge/work-in-progress
|
@adambkaplan: This pull request references Bugzilla bug 1826183, which is valid. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
approved
adambkaplan
force-pushed
the
sync-user-ca
branch
from
1f56174 to
10f3dc6
Compare
adambkaplan
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
gabemontero
left a comment
gabemontero
left a comment
There was a problem hiding this comment.
I would like to see some additional comments and details around the "whys" of the needed change.
Otherwise, the code certainly uses library-go to the utmost. No additional comments.
|
|
||
| // Bug 1826183: The global CA bundle is not intended to be used with workloads which run `update-ca-trust extract` on their own. | ||
| // In 4.6 we need to create this ConfigMap with the trust bundle injected so that the controller manager does not have an outage during upgrade. | ||
| // In 4.7 and beyond this ConfigMap should be deleted. |
There was a problem hiding this comment.
So to connect some dots:
- builds, either docker or s2i strategy, always call
update-ca-trust extractnow? - if yes, then some clarification here (vs. explanations I assume exist in openshift/builder or openshift/openshift-controller-manager) on how the global CAs are picked up, so things work with the proxy in addition to the direct contact to external repos like nexus, artifactory, etc. would be good
- if no, then don't we still need global CA bundle for the "non update-ca-trust" scenarios
There was a problem hiding this comment.
* builds, either docker or s2i strategy, _always_ call `update-ca-trust extract` now?
Yes - this was added in openshift/builder#158
* if yes, then some clarification here (vs. explanations I assume exist in openshift/builder or openshift/openshift-controller-manager) on how the global CAs are picked up, so things work with the proxy in addition to the direct contact to external repos like nexus, artifactory, etc. would be good
The new flow will be a follows:
- ocm-o copies the user trusted CA to
openshift-controller-manager/openshift-user-ca - For each build, openshift-controller-manager reads
openshift-user-caand copies that into aConfigMapin the build's namespace, mounting it at/var/run/configs/openshift.io/pki/tls-ca-bundle.peminside the build pod containers. - When builds run, it copies this CA to
/etc/pki/ca-trust/source/anchorsand runsupdate-ca-trust extract. This merges the custom CA with the default CAs provided by the builder image.
I will update with additional comments.
| Namespace: util.TargetNamespace, | ||
| Name: "openshift-user-ca", | ||
| } | ||
| err = c.resourceSyncer.SyncConfigMap(destination, source) |
There was a problem hiding this comment.
so either user ca is a singleton like proxy ca, or SyncConfigMap is doing a merge of some sort
come clarification either way would be good
also, some details on why we need to copy ... i.e. the specfics around what breaks down with update-ca-trust if we read the "original" global CA vs. the user CA we've copied to would be good
How does the fact that we copy the proxy's trusted CA reconcile, get us out of jail, play nice, etc. with what I read in https://github.com/openshift/api/blob/master/config/v1/types_proxy.go#L44-L69
There was a problem hiding this comment.
I updated the comment above to clarify what is going on overall, and why we need to copy the user CA to the openshift-controller-manager namespace. We get out of jail because build pods run update-ca-trust extract themselves.
My updated commit message indicates why we need to do this (namely, the issue with keytool formatted trust bundles).
Previously, builds mounted the global CA trust bundle as the PEM-encoded TLS trust bundle. This trust bundle is generated by the Network Operator, which validates any user-provided CA trust bundle and merges it with the default trus bundle provided by RHCOS. Using the global CA is problematic because maven and other JVM-based processes establish trust using `keytool` formatted trust bundles. To generate trust bundles in the `keytool` format (as well as other formats used by RHEL), builds will run `update-ca-trust extract` on startup. To merge the trust bundle correctly, the build controller needs to mount any user-provided CA in a well-known location. The openshift-builder process is then responsible for copying the CA to /etc/ca-trust/source/anchors prior to running `update-ca-trust extract`. To achieve this, the operator is being enhanced with the following: * Added a separate controller for observing the user CA config. * Added a ResourceSync controller to copy the user CA to the openshift-controller-manager namespace. * Updated starter to launch the new controllers. The operator will continue to create the `openshift-global-ca` ConfigMap to ensure that the openshift controller manager does not have an outage during upgrades. This can be removed in a subsequent release.
Add fake clientset from openshift/client-go used for unit testing.
adambkaplan
force-pushed
the
sync-user-ca
branch
from
10f3dc6 to
e4b644f
Compare
adambkaplan
left a comment
adambkaplan
left a comment
There was a problem hiding this comment.
/cc @otaviof @coreydaley
I've added additional code comments per Gabe's feedback and tried to clarify the big picture in the commit message. PR description will be updated accordingly.
| Namespace: util.TargetNamespace, | ||
| Name: "openshift-user-ca", | ||
| } | ||
| err = c.resourceSyncer.SyncConfigMap(destination, source) |
There was a problem hiding this comment.
I updated the comment above to clarify what is going on overall, and why we need to copy the user CA to the openshift-controller-manager namespace. We get out of jail because build pods run update-ca-trust extract themselves.
My updated commit message indicates why we need to do this (namely, the issue with keytool formatted trust bundles).
|
@adambkaplan: This pull request references Bugzilla bug 1826183, which is valid. 3 validation(s) were run on this bug
DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/assign @coreydaley /retest |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan, coreydaley The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
5 participants
Previously, builds mounted the global CA trust bundle as the PEM-encoded TLS
trust bundle. This trust bundle is generated by the Network Operator, which
validates any user-provided CA trust bundle and merges it with the default trus
bundle provided by RHCOS. Using the global CA is problematic because maven and
other JVM-based processes establish trust using
keytoolformatted trustbundles.
To generate trust bundles in the
keytoolformat (as well as other formats usedby RHEL), builds will run
update-ca-trust extracton startup. To merge thetrust bundle correctly, the build controller needs to mount any user-provided CA
in a well-known location. The openshift-builder process is then responsible for
copying the CA to /etc/ca-trust/source/anchors prior to running
update-ca-trust extract.To achieve this, the operator is being enhanced with the following:
openshift-controller-manager namespace.
The operator will continue to create the
openshift-global-caConfigMap toensure that the openshift controller manager does not have an outage during
upgrades. This can be removed in a subsequent release.
See also openshift/builder#153, openshift/builder#158, openshift/openshift-controller-manager#119