Add AdditionalTrustBundle to InstallConfig #2055
Is there a case where a user might have one cert for proxy and a different one for registry, so they need 2 bundles?
Should be able to combine the certificate files together and use that string in the install-config.yaml.
maybe this systemd service is not needed if coreos/fedora-coreos-config#120 merges?
@patrickdillon nope you're right I don't think we would need it. Maybe it will be a timing issue when it makes it into RHCOS?
@jcpowermac curious, MITM stands for?
@DanyC97 MITM = Man in the Middle.
@abhinavdahiya when you have a chance can you PTAL, thanks!
you can add newline.
this needs to be ca-bundle.crt
should rename to something like user-ca-bundle
name is something like user-ca-bundle
@abhinavdahiya that was the name based on the google doc.
namespace is required to be openshift-config-managed
the key should be ca-bundle.crt
so restriction on name, and since we use this for more than proxy, user-ca-bundle like is more appropriate.
pkg/validate/validate.go (outdated)
this should probably be CABundle as that's what it's validating, i.e. that the string is a CA bundle.
pkg/validate/validate.go (outdated)
this error is most appropriate in pkg/types/validate where we are validating the field.
invalid block should be enough here.
pkg/validate/validate.go (outdated)
extra line
@danehans do we want all the certificates in the ConfigMap or just the CA certificates?
nit: extra line
nit: extra line.
To support MITM (ssl) proxy and registries add an optional AdditionalTrustBundle string to InstallConfig.
Modified InstallConfig to include AdditionalTrustBundle
Add validation of certificate that is provided via InstallConfig
Modify BootstrapTemplateData to include AdditionalTrustBundle
Add a template for ca.crt in /etc/pki/ca-trust/source/anchors
Add update-trust.sh script to update-ca-trust if ca.crt file exists in /etc/pki/ca-trust/source/anchors
Add machineconfig ForAdditionalTrustBundle function
Modified master and worker asset machines for AdditionalTrustBundle
Add Tests for validate AdditionalTrustBundle
Add additionaltrustbundleconfig that creates a ConfigMap that contains the Proxy CA files.
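The pieces discussed in the review above (combining the proxy and registry CA files into one bundle string, validating that the string is really a CA bundle and rejecting anything else with a plain "invalid block" error, and writing the bundle into a ConfigMap named user-ca-bundle under the key ca-bundle.crt), worked through as an added example in Go. This is not the installer's own code: ValidateCABundle, CombineBundles, UserCABundleManifest and selfSignedPEM are names chosen here, the manifest is rendered as YAML text rather than with the client-go types the installer uses, and the namespace is left as a parameter because the thread does not settle whether it should be openshift-config or openshift-config-managed. The certificates are generated at runtime so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ValidateCABundle accepts v only if it is PEM text made of CERTIFICATE blocks
// that parse and carry the CA basic constraint; anything else is reported as
// the short "invalid block" error the reviewer asked for. (Assumed name.)
func ValidateCABundle(v string) error {
	rest := []byte(v)
	n := 0
	for {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return errors.New("invalid block")
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return errors.New("invalid block")
		}
		if !cert.IsCA {
			return fmt.Errorf("invalid block: %q is not a CA certificate", cert.Subject.CommonName)
		}
		n++
	}
	// No blocks at all, or text left over after the last block, is also invalid.
	if n == 0 || strings.TrimSpace(string(rest)) != "" {
		return errors.New("invalid block")
	}
	return nil
}

// CombineBundles joins several PEM files (proxy CA, registry CA, ...) into one
// bundle string, ensuring a newline after each so the blocks do not run together.
func CombineBundles(files ...string) string {
	var b strings.Builder
	for _, f := range files {
		if f = strings.TrimSpace(f); f != "" {
			b.WriteString(f + "\n")
		}
	}
	return b.String()
}

// UserCABundleManifest renders the ConfigMap YAML with the name and key the
// review settled on (user-ca-bundle, ca-bundle.crt). The namespace is a
// parameter because the thread disagrees on which one is correct.
func UserCABundleManifest(namespace, bundle string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: user-ca-bundle\n  namespace: %s\n", namespace)
	b.WriteString("data:\n  ca-bundle.crt: |\n")
	for _, line := range strings.Split(strings.TrimRight(bundle, "\n"), "\n") {
		b.WriteString("    " + line + "\n")
	}
	return b.String()
}

// selfSignedPEM generates a throwaway self-signed certificate so the example
// runs offline; isCA sets the basic-constraints flag the validator checks.
func selfSignedPEM(cn string, isCA bool) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	bundle := CombineBundles(selfSignedPEM("proxy-ca", true), selfSignedPEM("registry-ca", true))
	fmt.Println("two CA certs:", ValidateCABundle(bundle), "| leaf cert:", ValidateCABundle(selfSignedPEM("leaf", false)))
	fmt.Print(UserCABundleManifest("openshift-config-managed", bundle))
}
```

The validator deliberately rejects a leaf (non-CA) certificate, which is the distinction raised in the question about whether all certificates or only the CA certificates belong in the ConfigMap: a leaf placed in the trust anchors would not help clients validate the proxy or registry chain anyway. Text after the last PEM block is also rejected so that a truncated or mis-pasted install-config.yaml value fails early instead of silently installing a partial bundle.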
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: abhinavdahiya, jcpowermac
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest
Please review the full test history for this PR and help us cut down flakes.
@jcpowermac: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
        Kind: "ConfigMap",
    },
    ObjectMeta: metav1.ObjectMeta{
        Namespace: "openshift-config-managed",
@abhinavdahiya @jcpowermac according to the proxy workflow doc and after talking with @bparees, it appears the installer is creating the configmap in the wrong namespace. The namespace should be openshift-config instead of openshift-config-managed.
No i think it's supposed to be openshift-config-managed https://github.com/openshift/api/blob/9ef0612c775d8571388e16d1bc68c4b3df83e7fb/config/v1/types_proxy.go#L49
To support MITM (ssl) proxy and registries add an optional
AdditionalTrustBundle string to InstallConfig.
Modified InstallConfig to include AdditionalTrustBundle
Add validation of certificate that is provided via InstallConfig
Modify BootstrapTemplateData to include AdditionalTrustBundle
Add a template for ca.crt in /etc/pki/ca-trust/source/anchors
Add update-trust.sh script to update-ca-trust if ca.crt file exists in /etc/pki/ca-trust/source/anchors
Add systemd unit to run update-trust.sh script