openshift · openshift-ci · Jul 14, 2022 · Jul 5, 2022 · Jul 8, 2022 · Jul 7, 2022
diff --git a/cmd/openshift-install/agent.go b/cmd/openshift-install/agent.go
@@ -7,6 +7,7 @@ import (
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/agent/image"
 	"github.com/openshift/installer/pkg/asset/agent/manifests"
+	"github.com/openshift/installer/pkg/asset/agent/mirror"
 	"github.com/openshift/installer/pkg/asset/kubeconfig"
 )
 
@@ -34,6 +35,8 @@ var (
 		},
 		assets: []asset.WritableAsset{
 			&manifests.AgentManifests{},
+			&mirror.RegistriesConf{},
+			&mirror.CaBundle{},
 		},
 	}
 

diff --git a/data/data/agent/systemd/units/assisted-service.service.template b/data/data/agent/systemd/units/assisted-service.service.template
@@ -12,7 +12,7 @@ EnvironmentFile=/usr/local/share/assisted-service/agent-images.env
 Restart=on-failure
 TimeoutStopSec=300
 ExecStartPre=/bin/rm -f %t/%n.ctr-id
-ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --rm --pod-id-file=%t/assisted-service-pod.pod-id --sdnotify=conmon --replace -d --name=service -v /opt/agent/tls:/opt/agent/tls:z {{.MirrorRegistriesMount}} {{.CaBundleMount}} --env-file=/usr/local/share/assisted-service/assisted-service.env --env-file=/usr/local/share/assisted-service/images.env --env-file=/etc/assisted-service/node0 --env-file=/usr/local/share/assisted-service/agent-images.env $SERVICE_IMAGE
+ExecStart=/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --log-driver=journald --rm --pod-id-file=%t/assisted-service-pod.pod-id --sdnotify=conmon --replace -d --name=service -v /opt/agent/tls:/opt/agent/tls:z {{ if .HaveMirrorConfig }}-v /etc/containers:/etc/containers{{ end }} -v /etc/pki/ca-trust:/etc/pki/ca-trust --env-file=/usr/local/share/assisted-service/assisted-service.env --env-file=/usr/local/share/assisted-service/images.env --env-file=/etc/assisted-service/node0 --env-file=/usr/local/share/assisted-service/agent-images.env $SERVICE_IMAGE
 ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
 ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
 Type=notify

diff --git a/pkg/asset/agent/image/ignition.go b/pkg/asset/agent/image/ignition.go
@@ -28,7 +28,6 @@ import (
 const manifestPath = "/etc/assisted/manifests"
 const hostnamesPath = "/etc/assisted/hostnames"
 const nmConnectionsPath = "/etc/assisted/network"
-const mirrorPath = "/etc/assisted/mirror"
 
 // Ignition is an asset that generates the agent installer ignition file.
 type Ignition struct {
@@ -43,18 +42,17 @@ type agentTemplateData struct {
 	PullSecret      string
 	// PullSecretToken is token to use for authentication when AUTH_TYPE=rhsso
 	// in assisted-service
-	PullSecretToken       string
-	NodeZeroIP            string
-	AssistedServiceHost   string
-	APIVIP                string
-	ControlPlaneAgents    int
-	WorkerAgents          int
-	ReleaseImages         string
-	ReleaseImage          string
-	ReleaseImageMirror    string
-	MirrorRegistriesMount string
-	CaBundleMount         string
-	InfraEnvID            string
+	PullSecretToken     string
+	NodeZeroIP          string
+	AssistedServiceHost string
+	APIVIP              string
+	ControlPlaneAgents  int
+	WorkerAgents        int
+	ReleaseImages       string
+	ReleaseImage        string
+	ReleaseImageMirror  string
+	HaveMirrorConfig    bool
+	InfraEnvID          string
 }
 
 var (
@@ -89,7 +87,8 @@ func (a *Ignition) Dependencies() []asset.Asset {
 		&tls.AdminKubeConfigSignerCertKey{},
 		&tls.AdminKubeConfigClientCertKey{},
 		&agentconfig.Asset{},
-		&mirror.AgentMirror{},
+		&mirror.RegistriesConf{},
+		&mirror.CaBundle{},
 	}
 }
 
@@ -128,25 +127,14 @@ func (a *Ignition) Generate(dependencies asset.Parents) error {
 		return err
 	}
 
-	agentMirror := &mirror.AgentMirror{}
-	dependencies.Get(agentMirror)
-
-	// Mount files for assisted-service
-	mirrorRegistriesMount := ""
-	caBundleMount := ""
-	for _, file := range agentMirror.FileList {
-		if file.Filename == mirror.RegistriesConfFilename {
-			mirrorRegistriesMount = fmt.Sprintf("-v %s:/etc/containers/registries.conf:z", filepath.Join("/etc/assisted", file.Filename))
-		}
-		if file.Filename == mirror.CaBundleFilename {
-			caBundleMount = fmt.Sprintf("-v %s:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:z", filepath.Join("/etc/assisted", file.Filename))
-		}
-	}
+	registriesConfig := &mirror.RegistriesConf{}
+	registryCABundle := &mirror.CaBundle{}
+	dependencies.Get(registriesConfig, registryCABundle)
 
 	// Get the mirror for release image
 	releaseImageMirror := ""
 	source := strings.Split(agentManifests.ClusterImageSet.Spec.ReleaseImage, ":")
-	for _, config := range agentMirror.MirrorConfig {
+	for _, config := range registriesConfig.MirrorConfig {
 		if config.Location == source[0] {
 			// include the tag with the build release image
 			releaseImageMirror = fmt.Sprintf("%s:%s", config.Mirror, source[1])
@@ -162,8 +150,7 @@ func (a *Ignition) Generate(dependencies asset.Parents) error {
 		releaseImageList,
 		agentManifests.ClusterImageSet.Spec.ReleaseImage,
 		releaseImageMirror,
-		mirrorRegistriesMount,
-		caBundleMount,
+		len(registriesConfig.MirrorConfig) > 0,
 		agentManifests.AgentClusterInstall,
 		infraEnvID)
 
@@ -208,38 +195,39 @@ func (a *Ignition) Generate(dependencies asset.Parents) error {
 
 	addTLSData(&config, dependencies)
 
-	addMirrorData(&config, agentMirror)
+	addMirrorData(&config, registriesConfig, registryCABundle)
 
 	addHostConfig(&config, agentConfigAsset)
 
 	a.Config = &config
 	return nil
 }
 
-func getTemplateData(pullSecret string, nodeZeroIP string, releaseImageList string, releaseImage string,
-	releaseImageMirror string, mirrorRegistriesMount string, caBundleMount string, agentClusterInstall *hiveext.AgentClusterInstall, infraEnvID string) *agentTemplateData {
+func getTemplateData(pullSecret, nodeZeroIP, releaseImageList, releaseImage,
+	releaseImageMirror string, haveMirrorConfig bool,
+	agentClusterInstall *hiveext.AgentClusterInstall,
+	infraEnvID string) *agentTemplateData {
 	serviceBaseURL := url.URL{
 		Scheme: "http",
 		Host:   net.JoinHostPort(nodeZeroIP, "8090"),
 		Path:   "/",
 	}
 
 	return &agentTemplateData{
-		ServiceProtocol:       serviceBaseURL.Scheme,
-		ServiceBaseURL:        serviceBaseURL.String(),
-		PullSecret:            pullSecret,
-		PullSecretToken:       "",
-		NodeZeroIP:            serviceBaseURL.Hostname(),
-		AssistedServiceHost:   serviceBaseURL.Host,
-		APIVIP:                agentClusterInstall.Spec.APIVIP,
-		ControlPlaneAgents:    agentClusterInstall.Spec.ProvisionRequirements.ControlPlaneAgents,
-		WorkerAgents:          agentClusterInstall.Spec.ProvisionRequirements.WorkerAgents,
-		ReleaseImages:         releaseImageList,
-		ReleaseImage:          releaseImage,
-		ReleaseImageMirror:    releaseImageMirror,
-		MirrorRegistriesMount: mirrorRegistriesMount,
-		CaBundleMount:         caBundleMount,
-		InfraEnvID:            infraEnvID,
+		ServiceProtocol:     serviceBaseURL.Scheme,
+		ServiceBaseURL:      serviceBaseURL.String(),
+		PullSecret:          pullSecret,
+		PullSecretToken:     "",
+		NodeZeroIP:          serviceBaseURL.Hostname(),
+		AssistedServiceHost: serviceBaseURL.Host,
+		APIVIP:              agentClusterInstall.Spec.APIVIP,
+		ControlPlaneAgents:  agentClusterInstall.Spec.ProvisionRequirements.ControlPlaneAgents,
+		WorkerAgents:        agentClusterInstall.Spec.ProvisionRequirements.WorkerAgents,
+		ReleaseImages:       releaseImageList,
+		ReleaseImage:        releaseImage,
+		ReleaseImageMirror:  releaseImageMirror,
+		HaveMirrorConfig:    haveMirrorConfig,
+		InfraEnvID:          infraEnvID,
 	}
 }
 
@@ -286,27 +274,20 @@ func addTLSData(config *igntypes.Config, dependencies asset.Parents) {
 	}
 }
 
-func addMirrorData(config *igntypes.Config, agentMirror *mirror.AgentMirror) {
+func addMirrorData(config *igntypes.Config, registriesConfig *mirror.RegistriesConf, registryCABundle *mirror.CaBundle) {
 
-	// add mirror files to ignition
-	for _, file := range agentMirror.FileList {
-		// These are required for assisted-service to build the ICSP for openshift-install
-		mirrorFile := ignition.FileFromBytes(filepath.Join(mirrorPath, filepath.Base(file.Filename)),
-			"root", 0600, file.Data)
-		config.Storage.Files = append(config.Storage.Files, mirrorFile)
-
-		// This is required for the agent to run the podman commands to the mirror
-		if file.Filename == mirror.CaBundleFilename {
-			mirrorFile := ignition.FileFromBytes("/etc/pki/ca-trust/source/anchors/domain.crt",
-				"root", 0600, file.Data)
-			config.Storage.Files = append(config.Storage.Files, mirrorFile)
-		}
-		if file.Filename == mirror.RegistriesConfFilename {
-			registriesFile := ignition.FileFromBytes("/etc/containers/registries.conf",
-				"root", 0600, file.Data)
-			config.Storage.Files = append(config.Storage.Files, registriesFile)
+	// This is required for assisted-service to build the ICSP for openshift-install
+	if registriesConfig.File != nil {
+		registriesFile := ignition.FileFromBytes("/etc/containers/registries.conf",
+			"root", 0600, registriesConfig.File.Data)
+		config.Storage.Files = append(config.Storage.Files, registriesFile)
+	}
 
-		}
+	// This is required for the agent to run the podman commands to the mirror
+	if registryCABundle.File != nil && len(registryCABundle.File.Data) > 0 {
+		caFile := ignition.FileFromBytes("/etc/pki/ca-trust/source/anchors/domain.crt",
+			"root", 0600, registryCABundle.File.Data)
+		config.Storage.Files = append(config.Storage.Files, caFile)
 	}
 }
 

diff --git a/pkg/asset/agent/image/ignition_test.go b/pkg/asset/agent/image/ignition_test.go
@@ -48,13 +48,12 @@ func TestIgnition_getTemplateData(t *testing.T) {
 	}
 	releaseImage := "quay.io:443/openshift-release-dev/ocp-release:4.10.0-rc.1-x86_64"
 	releaseImageMirror := "virthost.ostest.test.metalkube.org:5000/localimages/local-release-image"
-	mirrorRegistriesMount := "-v /etc/assisted/mirror/registries.conf:/etc/containers/registries.conf"
-	caBundleMount := "-v /etc/assisted/mirror/ca-bundle.crt:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
 	infraEnvID := "random-infra-env-id"
+	haveMirrorConfig := true
 
 	releaseImageList, err := releaseImageList(clusterImageSet.Spec.ReleaseImage, "x86_64")
 	assert.NoError(t, err)
-	templateData := getTemplateData(pullSecret, nodeZeroIP, releaseImageList, releaseImage, releaseImageMirror, mirrorRegistriesMount, caBundleMount, agentClusterInstall, infraEnvID)
+	templateData := getTemplateData(pullSecret, nodeZeroIP, releaseImageList, releaseImage, releaseImageMirror, haveMirrorConfig, agentClusterInstall, infraEnvID)
 	assert.Equal(t, "http", templateData.ServiceProtocol)
 	assert.Equal(t, "http://"+nodeZeroIP+":8090/", templateData.ServiceBaseURL)
 	assert.Equal(t, pullSecret, templateData.PullSecret)
@@ -67,8 +66,7 @@ func TestIgnition_getTemplateData(t *testing.T) {
 	assert.Equal(t, releaseImageList, templateData.ReleaseImages)
 	assert.Equal(t, releaseImage, templateData.ReleaseImage)
 	assert.Equal(t, releaseImageMirror, templateData.ReleaseImageMirror)
-	assert.Equal(t, mirrorRegistriesMount, templateData.MirrorRegistriesMount)
-	assert.Equal(t, caBundleMount, templateData.CaBundleMount)
+	assert.Equal(t, haveMirrorConfig, templateData.HaveMirrorConfig)
 	assert.Equal(t, infraEnvID, templateData.InfraEnvID)
 }
 

diff --git a/pkg/asset/agent/mirror/cabundle.go b/pkg/asset/agent/mirror/cabundle.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/openshift/installer/pkg/asset"
 	"github.com/openshift/installer/pkg/asset/agent"
+	"github.com/openshift/installer/pkg/asset/manifests"
 	"github.com/pkg/errors"
 )
 
@@ -37,23 +38,43 @@ func (*CaBundle) Dependencies() []asset.Asset {
 
 // Generate generates the Mirror Registries certificate file from install-config.
 func (i *CaBundle) Generate(dependencies asset.Parents) error {
+	installConfig := &agent.OptionalInstallConfig{}
+	dependencies.Get(installConfig)
+	if !installConfig.Supplied {
+		return nil
+	}
 
-	// installConfig := &agent.OptionalInstallConfig{}
-	// dependencies.Get(installConfig)
+	if installConfig.Config.AdditionalTrustBundle == "" {
+		i.File = &asset.File{
+			Filename: CaBundleFilename,
+			Data:     []byte{},
+		}
+		return nil
+	}
+
+	return i.parseCertificates(installConfig.Config.AdditionalTrustBundle)
+}
 
-	// if installConfig.Config.AdditionalTrustBundle == "" {
-	//        return nil
-	// }
-	// data, err := parseCertificates(installConfig.Config.AdditionalTrustBundle)
+func (i *CaBundle) parseCertificates(certs string) error {
+	if len(certs) == 0 {
+		return nil
+	}
 
-	//if err != nil {
-	//        return err
-	//}
+	data, err := manifests.ParseCertificates(certs)
+	if err != nil {
+		return err
+	}
 
-	// i.File = &asset.File{
-	//      Filename: CaBundleFilename,
-	//      Data:     data,
-	// }
+	for filename, content := range data {
+		if filepath.Base(CaBundleFilename) == filename {
+			i.File = &asset.File{
+				Filename: CaBundleFilename,
+				Data:     []byte(content),
+			}
+		} else {
+			return fmt.Errorf("unexpected CA Bundle filename %s", filename)
+		}
+	}
 
 	return nil
 }
@@ -77,6 +98,5 @@ func (i *CaBundle) Load(f asset.FileFetcher) (bool, error) {
 		return false, errors.Wrap(err, fmt.Sprintf("failed to load %s file", CaBundleFilename))
 	}
 
-	i.File = file
-	return true, nil
+	return true, i.parseCertificates(string(file.Data))
 }