Skip to content

Adds Trust Bundle Publishing to Proxy Controller#271

Merged
openshift-merge-robot merged 1 commit intoopenshift:masterfrom
danehans:ca_bundle_controller
Aug 16, 2019
Merged

Adds Trust Bundle Publishing to Proxy Controller#271
openshift-merge-robot merged 1 commit intoopenshift:masterfrom
danehans:ca_bundle_controller

Conversation

@danehans
Copy link
Copy Markdown
Contributor

@danehans danehans commented Aug 2, 2019
edited
Loading

Depends on #245

  • Reconcile "openshift-config-managed/trusted-ca-bundle" ConfigMap object.
  • Validate Data of "openshift-config-managed/user-ca-bundle" ConfigMap object.
  • Validate cluster-network-operator's system trust bundle as valid certificate(s).
  • Merge user/system trust bundles.
  • Create/update "openshift-config-managed/trusted-ca-bundle" ConfigMap object.
  • Godocs

Jira: SDN-501

PTAL @squeed @danwinship @dcbw @bparees @JacobTanenbaum

@openshift-ci-robot openshift-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 2, 2019
@danehans danehans force-pushed the ca_bundle_controller branch 2 times, most recently from 1cddc5c to d333e71 Compare August 2, 2019 17:23
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 2, 2019
@danehans danehans force-pushed the ca_bundle_controller branch from d333e71 to d5f3e80 Compare August 2, 2019 20:01
@danehans danehans changed the title WIP: Adds Trust Bundle Publisher Controller Adds Trust Bundle Publisher Controller Aug 2, 2019
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 2, 2019
bparees
bparees reviewed Aug 2, 2019
View reviewed changes
Comment thread pkg/controller/trustbundle-publisher/controller.go Outdated
squeed
squeed reviewed Aug 5, 2019
View reviewed changes
Comment thread pkg/controller/trustbundle-publisher/controller.go Outdated
// encoded certificates, embeds the merged byte slice into a configmap
// named "proxy-ca-bundle" in namespace "openshift-config-managed" and
// returns the configmap.
func (r *ConfigMapReconciler) ensureMergedConfigMap(additionalData, systemData []byte) (*corev1.ConfigMap, error) {
Copy link
Copy Markdown
Contributor

@squeed squeed Aug 5, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it a problem if the additional CA is already present in the system trust? Will that break expectations?

Copy link
Copy Markdown

@bparees bparees Aug 5, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's just going to result in 2 copies of that cert in the bundle, right?

Copy link
Copy Markdown
Contributor

@squeed squeed Aug 6, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup. The question is: does that break anything? Does the bundle need to be unique? (I have no idea)

Copy link
Copy Markdown

@bparees bparees Aug 6, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'd be surprised but it would definitely be a good thing to test.

@danehans danehans force-pushed the ca_bundle_controller branch from d5f3e80 to 59f1bcc Compare August 5, 2019 23:15
@openshift-ci-robot openshift-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 5, 2019
@danehans danehans force-pushed the ca_bundle_controller branch from 59f1bcc to 2590627 Compare August 5, 2019 23:20
@danehans danehans mentioned this pull request Aug 6, 2019
Merged
3 tasks
@danehans danehans force-pushed the ca_bundle_controller branch from 2590627 to 9cf327d Compare August 6, 2019 19:45
JacobTanenbaum added a commit to JacobTanenbaum/cluster-network-operator that referenced this pull request Aug 6, 2019
@JacobTanenbaum
added names from openshift#271
4597336
JacobTanenbaum added a commit to JacobTanenbaum/cluster-network-operator that referenced this pull request Aug 6, 2019
@JacobTanenbaum
added validation from openshift#271
1780b39
@danehans danehans mentioned this pull request Aug 7, 2019
Merged
3 tasks
JacobTanenbaum added a commit to JacobTanenbaum/cluster-network-operator that referenced this pull request Aug 8, 2019
@JacobTanenbaum
added names from openshift#271
0a0947c
JacobTanenbaum added a commit to JacobTanenbaum/cluster-network-operator that referenced this pull request Aug 8, 2019
@JacobTanenbaum
added validation from openshift#271
fcadcdc
@openshift-ci-robot openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 8, 2019
bparees
bparees reviewed Aug 8, 2019
View reviewed changes
Comment thread pkg/controller/proxyconfig/controller.go
bparees
bparees reviewed Aug 8, 2019
View reviewed changes
Comment thread pkg/controller/proxyconfig/controller.go Outdated

// Reconcile expects request to refer to a proxy object named "cluster"
// in the default namespace or to a configmap object named
// "user-ca-bundle" in namespace "openshift-config-managed", and will
Copy link
Copy Markdown

@bparees bparees Aug 8, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this comment is wrong... i'd expect this controller to be watching 3 things:

  1. the trust-bundle configmap in openshift-config-managed (this CM has a fixed name), because you need to stomp it back to the correct value if it gets updated by something else
  2. the additional CA bundle configmap in the openshift-config namespace (this configmap name can change, so you need to detect if it changes, by watching the proxy config resource), because if the bundle changes, you need to re-merge the values w/ the system values and publish it to the CM in (1).
  3. the proxyconfig resource (so you can determine the name of the configmap in (2) and perform the merge action on it)

Copy link
Copy Markdown
Contributor Author

@danehans danehans Aug 14, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bparees see #271 (comment)

@danehans danehans force-pushed the ca_bundle_controller branch from 9cf327d to 5a0adf0 Compare August 8, 2019 19:55
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 8, 2019
@danehans danehans force-pushed the ca_bundle_controller branch from 5a0adf0 to d68c724 Compare August 8, 2019 20:06
@danehans danehans force-pushed the ca_bundle_controller branch 2 times, most recently from 2960d45 to 2a0c159 Compare August 14, 2019 17:24
bparees
bparees requested changes Aug 14, 2019
View reviewed changes
Comment thread pkg/controller/proxyconfig/controller.go
Comment thread pkg/names/names.go Outdated
Comment thread pkg/names/names.go Outdated
@danehans danehans force-pushed the ca_bundle_controller branch from 2a0c159 to b0e2c1c Compare August 14, 2019 19:03
@bparees
Copy link
Copy Markdown

bparees commented Aug 14, 2019

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 14, 2019
@danehans
Copy link
Copy Markdown
Contributor Author

danehans commented Aug 14, 2019

/test e2e-aws-upgrade

@danehans danehans mentioned this pull request Aug 14, 2019
Merged
@danehans
Copy link
Copy Markdown
Contributor Author

danehans commented Aug 15, 2019

/test e2e-aws-upgrade

@awgreene awgreene mentioned this pull request Aug 15, 2019
Merged
@jmrodri jmrodri mentioned this pull request Aug 15, 2019
Merged
@danehans danehans force-pushed the ca_bundle_controller branch from b0e2c1c to 46e0ac1 Compare August 15, 2019 19:08
@openshift-ci-robot openshift-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed lgtm Indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 15, 2019
@bparees
Copy link
Copy Markdown

bparees commented Aug 15, 2019

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 15, 2019
@knobunc
Copy link
Copy Markdown
Contributor

knobunc commented Aug 15, 2019

/approve

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 15, 2019
@danehans
Copy link
Copy Markdown
Contributor Author

danehans commented Aug 15, 2019
edited
Loading

aws-e2e-upgrade job failure due to:
Aug 15 20:45:11.316 E clusterversion/version changed Failing to True: ClusterOperatorDegraded: Cluster operator network is reporting a failure: failed to generate system trust bundle configmap ’openshift-config-managed/trusted-ca-bundle (failed to validate trust bundle /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem: certificate is not a CA certificate: <nil>).

I found that /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem contains a certificate with serial # 9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57 that does not contain CA: True. This is because the CA field was introduced in v3 of x509 and the offending cert is v1.

I am removing the following from CertificateData in validation/trustbundle.go:

if !cert.IsCA {
    return nil, nil, fmt.Errorf("certificate is not a CA certificate: %v", err)
}

@danehans danehans force-pushed the ca_bundle_controller branch from 46e0ac1 to 6de48c6 Compare August 15, 2019 23:46
@openshift-ci-robot openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Aug 15, 2019
@danehans danehans mentioned this pull request Aug 16, 2019
Merged
@bparees
Copy link
Copy Markdown

bparees commented Aug 16, 2019

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 16, 2019
@openshift-ci-robot
Copy link
Copy Markdown
Contributor

openshift-ci-robot commented Aug 16, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees, danehans, knobunc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 273dbd7 into openshift:master Aug 16, 2019
@danehans danehans mentioned this pull request Aug 16, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bparees bparees bparees requested changes

@JacobTanenbaum JacobTanenbaum Awaiting requested review from JacobTanenbaum

+2 more reviewers

@wking wking wking left review comments

@squeed squeed squeed left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@bparees bparees

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@danehans @bparees @knobunc @openshift-ci-robot @wking @squeed @openshift-merge-robot