Skip to content

OCPBUGS-33787: Add cluster wide trusted CA bundle to operator #911

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-bot merged 1 commit into from
Jun 21, 2024
Merged

OCPBUGS-33787: Add cluster wide trusted CA bundle to operator #911

openshift-merge-bot merged 1 commit into from
Jun 21, 2024

Conversation

@alebedev87
Copy link
Contributor

@alebedev87 alebedev87 commented Jun 20, 2024
edited
Loading

The alternative ingress can be provided via the console config API. This PR ensures that health checks to the alternative ingress pass TLS certificate validation even when the TLS certificate has an unknown CA.
Additionally, this PR would help with the proxy support similar to how it was done in the cluster ingress operator.

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 20, 2024
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jun 20, 2024

@alebedev87: This pull request references Jira Issue OCPBUGS-33787, which is invalid:

  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

The alternative ingress can be provided via the console config API. This PR ensures that health checks to the alternative ingress pass TLS certificate validation even when the TLS certificate has an unknown CA.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from jhadvig and spadgett June 20, 2024 17:55
@alebedev87
OCPBUGS-33787: Add cluster wide trusted CA bundle to operator
7053619 
The alternative ingress can be provided via the console config API.
This commit ensures that health checks to the alternative ingress
pass TLS certificate validation even when the TLS certificate has an unknown CA.
@alebedev87 alebedev87 force-pushed the tolerate-ingress-absence-doc-dns branch from 132eddb to 7053619 Compare June 20, 2024 18:28
@alebedev87
Copy link
Contributor Author

alebedev87 commented Jun 20, 2024

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 20, 2024
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jun 20, 2024

@alebedev87: This pull request references Jira Issue OCPBUGS-33787, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.17.0) matches configured target version for branch (4.17.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @melvinjoseph86

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested a review from melvinjoseph86 June 20, 2024 18:31
@alebedev87
Copy link
Contributor Author

alebedev87 commented Jun 20, 2024

/assign @jhadvig

jhadvig
jhadvig reviewed Jun 21, 2024
View reviewed changes
manifests/06-trusted-ca-configmap.yaml
@@ -0,0 +1,16 @@
# The network operator is responsible for injecting
# the trusted ca bundle into this configmap.
Copy link
Member

@jhadvig jhadvig Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the operator already create a trusted-ca-bundle CM, check: https://github.com/openshift/console-operator/blob/master/pkg/console/subresource/configmap/trusted_ca.go#L22
which is then used in sync_400, which is then passed to the console deployment

Copy link
Contributor Author

@alebedev87 alebedev87 Jun 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right. As we discussed in Slack. The two configmaps are from different namespaces as since they are consumed as volume mounts we cannot consume the operator's one in the operand's namespace.

jhadvig
jhadvig approved these changes Jun 21, 2024
View reviewed changes
Copy link
Member

@jhadvig jhadvig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@jhadvig
Copy link
Member

jhadvig commented Jun 21, 2024

/retest

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 21, 2024
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 21, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alebedev87, jhadvig

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 21, 2024
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jun 21, 2024

/retest-required

Remaining retests: 0 against base HEAD c608dec and 2 for PR HEAD 7053619 in total

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 21, 2024

@alebedev87: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit 7f3a07b into openshift:master Jun 21, 2024
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jun 21, 2024

@alebedev87: Jira Issue OCPBUGS-33787: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-33787 has been moved to the MODIFIED state.

Details

In response to this:

The alternative ingress can be provided via the console config API. This PR ensures that health checks to the alternative ingress pass TLS certificate validation even when the TLS certificate has an unknown CA.
Additionally, this PR would help with the proxy support similar to how it was done in the cluster ingress operator.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-bot
Copy link
Contributor

openshift-bot commented Jun 21, 2024

[ART PR BUILD NOTIFIER]

This PR has been included in build openshift-enterprise-console-operator-container-v4.17.0-202406212042.p0.g7f3a07b.assembly.stream.el9 for distgit openshift-enterprise-console-operator.
All builds following this will include this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhadvig jhadvig jhadvig approved these changes

@spadgett spadgett Awaiting requested review from spadgett

@melvinjoseph86 melvinjoseph86 Awaiting requested review from melvinjoseph86

Assignees

@jhadvig jhadvig

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@alebedev87 @openshift-ci-robot @jhadvig @openshift-bot