Restore "copy build certificates to /etc/docker/certs.d" #31
Restores functionality in openshift#29 Reverts openshift#30
|
/assign @bparees |
|
/hold Not merging until |
|
/hold cancel |
|
/hold
Ben Parees | OpenShift
…On Fri, Dec 7, 2018, 16:45 Adam Kaplan ***@***.*** wrote:
/hold cancel
|
|
/test e2e-aws |
| clusterCASrc := fmt.Sprintf("%s/ca.crt", builder.SecretCertsMountPath) | ||
| clusterCADst := fmt.Sprintf("%s/cluster.crt", tlsCertRoot) | ||
| err := CopyIfExists(clusterCASrc, clusterCADst) | ||
| err := CopyFileIfExists(clusterCASrc, clusterCADst) |
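Review bot: clusterCASrc points at a file that, on a mounted secret volume, is a symlink (for example ca.crt -> ..data/ca.crt), so the existence check inside CopyFileIfExists needs to resolve the link (os.Stat, not os.Lstat) and copy the target's contents rather than recreate the link at clusterCADst. Worth confirming in the helper and covering with a unit test that uses a symlinked source, since a dangling or unresolved link here would leave the CA out of tlsCertRoot without an error.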
looking at a cluster today, this location exists:
ls -l /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
lrwxrwxrwx. 1 root root 13 Dec 12 20:58 /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -> ..data/ca.crt
perhaps that is not the service-ca though? i'm not sure what it is....
I guess we want this for cases where the registry is signed by the cluster ca, which was the case in 3.11.
| oldServiceCASrc := fmt.Sprintf("%s/service-ca.crt", builder.SecretCertsMountPath) | ||
| oldServiceCADst := fmt.Sprintf("%s/service.crt", tlsCertRoot) | ||
| err = CopyIfExists(oldServiceCASrc, oldServiceCADst) | ||
| err = CopyFileIfExists(oldServiceCASrc, oldServiceCADst) |
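Review bot: missing documentation on oldServiceCASrc: nothing at this call says when a service-ca.crt under builder.SecretCertsMountPath is expected to be present. A short comment above the assignment naming the cluster versions or install methods that still provide the file would keep this copy from reading as dead code and make it clear when it can be removed.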
this location does not exist:
ls -l /var/run/secrets/kubernetes.io/serviceaccount
total 0
lrwxrwxrwx. 1 root root 13 Dec 12 20:58 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root 16 Dec 12 20:58 namespace -> ..data/namespace
lrwxrwxrwx. 1 root root 12 Dec 12 20:58 token -> ..data/token
so this no longer serves any purpose except confusion i guess.
(and i guess gets used on ansible installs?)
| newServiceCASrc := fmt.Sprintf("%s/service-ca.crt", builder.ConfigMapCertsMountPath) | ||
| newServiceCADst := fmt.Sprintf("%s/openshift-service.crt", tlsCertRoot) | ||
| err = CopyIfExists(newServiceCASrc, newServiceCADst) | ||
| err = CopyFileIfExists(newServiceCASrc, newServiceCADst) |
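Review bot: at "err = CopyFileIfExists(newServiceCASrc, newServiceCADst)" a missing source is, going by the helper's name, treated as success, so a build that starts before the file under builder.ConfigMapCertsMountPath is present continues without this CA and only fails later at TLS verification. Suggest logging at this call site when the source is absent, including the path, so a missing trust anchor can be diagnosed from the build log.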
and this, presumably, "might" exist depending on the raciness of the creation/population of the configmap that was created by the build controller.
and this is only working for us because the configmap is getting populated fast enough
| additionalCADst := fmt.Sprintf("%s/additional-ca.crt", tlsCertRoot) | ||
| err = CopyIfExists(additionalCASrc, additionalCADst) | ||
| runtimeCASrc := fmt.Sprintf("%s/certs.d", builder.ConfigMapCertsMountPath) | ||
| err = CopyDirIfExists(runtimeCASrc, runtimeCertRoot) |
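Review bot: style point on runtimeCASrc and additionalCADst: the paths are assembled with fmt.Sprintf("%s/certs.d", ...) and fmt.Sprintf("%s/additional-ca.crt", ...), where filepath.Join(builder.ConfigMapCertsMountPath, "certs.d") would be idiomatic and would normalize a trailing separator in the mount path. The same applies to the other Sprintf-built paths in this change.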
similarly "might" exist depending on raciness and the level of code in the origin build controller that dictates where this gets mounted i guess.
|
/hold cancel |
|
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: adambkaplan, bparees
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/skip e2e-aws-builds |
|
passed everything that matters, manually merging. |
|
@adambkaplan: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |