OCPBUGS-17811: add certificate input to bootstrap mcs by cdoern · Pull Request #3876 · openshift/machine-config-operator

cdoern · 2023-08-17T15:23:50Z

if someone needs image registry (or any) certificates, they can provide it via --bootstrap-certs key=value,key=value and they will be added as files in /etc/docker/certs.d to the ignition spec.

This flag is not used in the bootstrap pod yaml as it is mainly intended for manual usage by components like hypershift. Components aiming to use this will need to wire up the key providing on their end.

The MCS will check for a cert (ex: image-registry=registry.crt) by checking the server's base dir for registry.crt. If the MCS finds registry.crt, we will read the cert, and place it into ignition at /etc/docker/certs.d/image-registry/ca.crt

openshift-ci-robot · 2023-08-17T15:23:54Z

@cdoern: This pull request references Jira Issue OCPBUGS-17811, which is invalid:

expected the bug to target the "4.14.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

if someone needs image registry (or any) certificates, they can provide it via --bootstrap-certs key=value,key=value and they will be added as files in /etc/docker/certs.d to the ignition spec.

This flag is not used in the bootstrap pod yaml as it is mainly intended for manual usage by components like hypershift. Components aiming to use this will need to wire up the key providing on their end.

The MCS will check for a cert (ex: image-registry=registry.crt) by checking the server's base dir for registry.crt. If it finds it, we will read the cert, and place it into ignition at /etc/docker/certs.d/image-registry/ca.crt

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci · 2023-08-17T15:24:49Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

cdoern · 2023-08-17T15:40:29Z

/jira refresh

openshift-ci-robot · 2023-08-17T15:40:36Z

@cdoern: This pull request references Jira Issue OCPBUGS-17811, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.14.0) matches configured target version for branch (4.14.0)
bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

cdoern · 2023-08-17T15:40:44Z

/test all

cdoern · 2023-08-17T19:32:06Z

/retest-required

cdoern · 2023-08-17T20:03:38Z

/test all

sergiordlr · 2023-08-21T14:33:57Z

Verified using IPI on AWS

The new --bootstrap-certs flag is available in the machine-config-server binary

$ oc -n openshift-machine-config-operator rsh ds/machine-config-server /usr/bin/machine-config-server bootstrap --help
Run the machine config server in the bootstrap mode

Usage:
  machine-config-server bootstrap [flags]

Flags:
      --bootstrap-certs stringArray   a certificate bundle formatted in a string array with the format key=value,key=value
      --bootstrap-kubeconfig string   path to bootstrap kubeconfig served by the bootstrap server. (default "/etc/kubernetes/kubeconfig")
  -h, --help                          help for bootstrap
      --server-basedir string         base directory on the host, relative to which machine-configs and pools can be found. (default "/etc/mcs/bootstrap")

The cluster was deployed without problems and MCO doesn't seem to have any problem either. We have run these test cases:

"[sig-mco] MCO scale Author:sregidor-NonHyperShiftHOST-NonPreRelease-Longduration-LongDuration-High-63894-Scaleup using 4.1 cloud image[Disruptive] [Serial]"
"[sig-mco] MCO Author:sregidor-NonHyperShiftHOST-NonPreRelease-Longduration-Medium-63477-Deploy files using all available ignition configs. Default 3.4.0[Disruptive] [Serial]"
"[sig-mco] MCO Layering Author:sregidor-ConnectedOnly-VMonly-Longduration-NonPreRelease-Critical-54085-Update osImage changing /etc /usr and rpm [Disruptive] [Serial]"

We can add the qe-approved label.

/label qe-approved

openshift-ci-robot · 2023-08-23T13:27:58Z

@cdoern: This pull request references Jira Issue OCPBUGS-17811, which is valid.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.14.0) matches configured target version for branch (4.14.0)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sergiordlr

Details

In response to this:

if someone needs image registry (or any) certificates, they can provide it via --bootstrap-certs key=value,key=value and they will be added as files in /etc/docker/certs.d to the ignition spec.

This flag is not used in the bootstrap pod yaml as it is mainly intended for manual usage by components like hypershift. Components aiming to use this will need to wire up the key providing on their end.

The MCS will check for a cert (ex: image-registry=registry.crt) by checking the server's base dir for registry.crt. If the MCS finds registry.crt, we will read the cert, and place it into ignition at /etc/docker/certs.d/image-registry/ca.crt

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

cdoern · 2023-08-23T13:44:20Z

/test unit

yuqi-zhang

Functionally seems fine, will let Hypershift team take a look

if someone needs image registry (or any) certificates, they can provide it via --bootstrap-certs key=value,key=value and they will be added as files in /etc/docker/certs.d to the ignition spec Signed-off-by: Charlie Doern <cdoern@redhat.com>

yuqi-zhang · 2023-09-25T15:02:41Z

/lgtm

This should be not doing anything outside of explicit usage so it should be safe to merge

openshift-ci · 2023-09-25T15:03:58Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cdoern, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [cdoern,yuqi-zhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci · 2023-09-25T17:50:31Z

@cdoern: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci-robot · 2023-09-25T17:54:22Z

@cdoern: Jira Issue OCPBUGS-17811: All pull requests linked via external trackers have merged:

openshift/machine-config-operator#3876

Jira Issue OCPBUGS-17811 has been moved to the MODIFIED state.

Details

In response to this:

if someone needs image registry (or any) certificates, they can provide it via --bootstrap-certs key=value,key=value and they will be added as files in /etc/docker/certs.d to the ignition spec.

This flag is not used in the bootstrap pod yaml as it is mainly intended for manual usage by components like hypershift. Components aiming to use this will need to wire up the key providing on their end.

The MCS will check for a cert (ex: image-registry=registry.crt) by checking the server's base dir for registry.crt. If the MCS finds registry.crt, we will read the cert, and place it into ignition at /etc/docker/certs.d/image-registry/ca.crt

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-merge-robot · 2023-09-27T15:47:50Z

Fix included in accepted release 4.15.0-0.nightly-2023-09-27-073353

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Aug 17, 2023

openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Aug 17, 2023

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 17, 2023

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 17, 2023

openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Aug 17, 2023

openshift-ci bot requested a review from sergiordlr August 17, 2023 15:40

openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Aug 21, 2023

cdoern marked this pull request as ready for review August 21, 2023 17:07

openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 21, 2023

openshift-ci bot requested review from dkhater-redhat and yuqi-zhang August 21, 2023 17:07

cdoern force-pushed the bootstrapCerts branch 3 times, most recently from 245e877 to 889f068 Compare August 22, 2023 17:46

This was referenced Aug 22, 2023

Revert "CNF-9385: add ImageRegistry capability" openshift/cluster-version-operator#956

Closed

OCPBUGS-17806: Remove ImageRegistry capability openshift/cluster-version-operator#957

Closed

cdoern force-pushed the bootstrapCerts branch from 889f068 to fc646cf Compare August 23, 2023 13:24

yuqi-zhang approved these changes Aug 24, 2023

View reviewed changes

add certificate input to bootstrap mcs

e6167b2

if someone needs image registry (or any) certificates, they can provide it via --bootstrap-certs key=value,key=value and they will be added as files in /etc/docker/certs.d to the ignition spec Signed-off-by: Charlie Doern <cdoern@redhat.com>

cdoern force-pushed the bootstrapCerts branch from fc646cf to e6167b2 Compare September 25, 2023 14:45

openshift-ci bot assigned yuqi-zhang Sep 25, 2023

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Sep 25, 2023

openshift-merge-robot merged commit 49bf9f6 into openshift:master Sep 25, 2023

Conversation

cdoern commented Aug 17, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented Aug 17, 2023

Uh oh!

openshift-ci bot commented Aug 17, 2023

Uh oh!

cdoern commented Aug 17, 2023

Uh oh!

openshift-ci-robot commented Aug 17, 2023

Uh oh!

cdoern commented Aug 17, 2023

Uh oh!

cdoern commented Aug 17, 2023

Uh oh!

cdoern commented Aug 17, 2023

Uh oh!

sergiordlr commented Aug 21, 2023

Uh oh!

openshift-ci-robot commented Aug 23, 2023

Uh oh!

cdoern commented Aug 23, 2023

Uh oh!

yuqi-zhang left a comment

Choose a reason for hiding this comment

Uh oh!

yuqi-zhang commented Sep 25, 2023

Uh oh!

openshift-ci bot commented Sep 25, 2023

Uh oh!

openshift-ci bot commented Sep 25, 2023

Uh oh!

openshift-ci-robot commented Sep 25, 2023

Uh oh!

openshift-merge-robot commented Sep 27, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

cdoern commented Aug 17, 2023 •

edited

Loading