@cdoern cdoern commented Aug 17, 2023

If someone needs image registry (or any) certificates, they can provide them via --bootstrap-certs key=value,key=value and they will be added as files in /etc/docker/certs.d to the ignition spec.

This flag is not used in the bootstrap pod yaml as it is mainly intended for manual usage by components like hypershift. Components aiming to use this will need to wire up the key providing on their end.

The MCS will check for a cert (ex: image-registry=registry.crt) by checking the server's base dir for registry.crt. If the MCS finds registry.crt, we will read the cert, and place it into ignition at /etc/docker/certs.d/image-registry/ca.crt
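
An added example, not the code from this pull request: one way to handle the key=value flow described above with input checks in front of the file read. The function names, the name validation, the PEM type check and the data-URL encoding are assumptions; the flag format, the base-dir lookup and the /etc/docker/certs.d/<key>/ca.crt target come from the description.

```go
package main

import (
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// parseBootstrapCerts turns "key=value,key=value" flag values into key -> file name.
func parseBootstrapCerts(args []string) (map[string]string, error) {
	out := map[string]string{}
	for _, arg := range args {
		for _, pair := range strings.Split(arg, ",") {
			k, v, ok := strings.Cut(pair, "=")
			// Both halves end up in file paths, so each must be a plain name.
			if !ok || !plainName(k) || !plainName(v) {
				return nil, fmt.Errorf("invalid bootstrap cert entry %q", pair)
			}
			out[k] = v
		}
	}
	return out, nil
}

// plainName rejects empty names, "." and "..", and anything with a path separator.
func plainName(s string) bool {
	return s != "" && s != "." && s != ".." && !strings.ContainsAny(s, `/\`)
}

// certToIgnition reads baseDir/name; returns the node path and a data URL (assumed encoding).
func certToIgnition(baseDir, key, name string) (path, source string, err error) {
	data, err := os.ReadFile(filepath.Join(baseDir, name))
	if err != nil {
		return "", "", err
	}
	// Accept only a PEM CERTIFICATE block so a key file in baseDir is never served.
	if blk, _ := pem.Decode(data); blk == nil || blk.Type != "CERTIFICATE" {
		return "", "", fmt.Errorf("%s is not a PEM certificate", name)
	}
	return "/etc/docker/certs.d/" + key + "/ca.crt", "data:;base64," + base64.StdEncoding.EncodeToString(data), nil
}

func main() {
	certs, err := parseBootstrapCerts([]string{"image-registry=registry.crt"})
	fmt.Println(certs, err)
}
```

Because the resulting Ignition config is served to machines, the checks keep a malformed key or value from pulling a file outside the base dir, or a non-certificate file inside it, into the config.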

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Aug 17, 2023
@openshift-ci-robot

@cdoern: This pull request references Jira Issue OCPBUGS-17811, which is invalid:

  • expected the bug to target the "4.14.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.


@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Aug 17, 2023
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 17, 2023

openshift-ci bot commented Aug 17, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 17, 2023

cdoern commented Aug 17, 2023

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Aug 17, 2023
@openshift-ci-robot

@cdoern: This pull request references Jira Issue OCPBUGS-17811, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.14.0) matches configured target version for branch (4.14.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr



cdoern commented Aug 17, 2023

/test all

@openshift-ci openshift-ci bot requested a review from sergiordlr August 17, 2023 15:40

cdoern commented Aug 17, 2023

/retest-required


cdoern commented Aug 17, 2023

/test all

@sergiordlr

Verified using IPI on AWS

  1. The new --bootstrap-certs flag is available in the machine-config-server binary
$ oc -n openshift-machine-config-operator rsh ds/machine-config-server /usr/bin/machine-config-server bootstrap --help
Run the machine config server in the bootstrap mode

Usage:
  machine-config-server bootstrap [flags]

Flags:
      --bootstrap-certs stringArray   a certificate bundle formatted in a string array with the format key=value,key=value
      --bootstrap-kubeconfig string   path to bootstrap kubeconfig served by the bootstrap server. (default "/etc/kubernetes/kubeconfig")
  -h, --help                          help for bootstrap
      --server-basedir string         base directory on the host, relative to which machine-configs and pools can be found. (default "/etc/mcs/bootstrap")

  2. The cluster was deployed without problems and MCO doesn't seem to have any problem either. We have run these test cases:

"[sig-mco] MCO scale Author:sregidor-NonHyperShiftHOST-NonPreRelease-Longduration-LongDuration-High-63894-Scaleup using 4.1 cloud image[Disruptive] [Serial]"
"[sig-mco] MCO Author:sregidor-NonHyperShiftHOST-NonPreRelease-Longduration-Medium-63477-Deploy files using all available ignition configs. Default 3.4.0[Disruptive] [Serial]"
"[sig-mco] MCO Layering Author:sregidor-ConnectedOnly-VMonly-Longduration-NonPreRelease-Critical-54085-Update osImage changing /etc /usr and rpm [Disruptive] [Serial]"

We can add the qe-approved label.

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Aug 21, 2023
@cdoern cdoern marked this pull request as ready for review August 21, 2023 17:07
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 21, 2023
@cdoern cdoern force-pushed the bootstrapCerts branch 3 times, most recently from 245e877 to 889f068 Compare August 22, 2023 17:46
@openshift-ci-robot

@cdoern: This pull request references Jira Issue OCPBUGS-17811, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.14.0) matches configured target version for branch (4.14.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr



cdoern commented Aug 23, 2023

/test unit


@yuqi-zhang yuqi-zhang left a comment


Functionally seems fine, will let Hypershift team take a look

if someone needs image registry (or any) certificates, they can provide it via
--bootstrap-certs key=value,key=value and they will be added as files in /etc/docker/certs.d to the ignition spec

Signed-off-by: Charlie Doern <[email protected]>
@yuqi-zhang

/lgtm

This should not be doing anything outside of explicit usage, so it should be safe to merge.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 25, 2023

openshift-ci bot commented Sep 25, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cdoern, yuqi-zhang



openshift-ci bot commented Sep 25, 2023

@cdoern: all tests passed!


@openshift-merge-robot openshift-merge-robot merged commit 49bf9f6 into openshift:master Sep 25, 2023
@openshift-ci-robot

@cdoern: Jira Issue OCPBUGS-17811: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-17811 has been moved to the MODIFIED state.


@openshift-merge-robot

Fix included in accepted release 4.15.0-0.nightly-2023-09-27-073353
