AGENT-1389: create InternalReleaseImage registry TLS certificate#10147
openshift-merge-bot[bot] merged 1 commit into openshift:main from
@andfasano: This pull request references AGENT-1389 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
7ffe266 to 87c2c7e
    }
    }

    if installConfig.Config.EnabledFeatureGates().Enabled(features.FeatureGateNoRegistryClusterInstall) {
Is this feature only enabled/disabled by the feature gate? It does not require opt in through the install config or anything?
That's a good point that I've missed, thanks!
In general, to opt in to the feature, it is expected that the InternalReleaseImage resource will be provided as an extra manifest (i.e., if not present, during the bootstrap the related MCO controller will simply ignore it).
Anyhow, currently the only way to consume such a feature is via the OVE ISO, so the injection point of this extra manifest is done via the Appliance (there's a pending PR for this: openshift/appliance#612), the underlying tool used to build the ISO in konflux.
I've then added a support asset to check for the presence of the InternalReleaseImage manifests (note: due to the import rules, the best location I was able to find was /pkg/asset/template/content/manifests; please let me know if you think there's a more suitable one)
(and included an existence check wherever necessary for the IRI manifest)
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: patrickdillon
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
    cfg := &CertCfg{
        Subject:      pkix.Name{CommonName: "system:internal-release-image"},
        ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
        Validity:     time.Hour * 24 * 182, // 6 months
Just curious, why 6 months? MCSCertKey uses ValidityTenYears().
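As an added worked example (not code from this PR or from the installer), the program below mirrors what the IRICertKey asset does: it issues a serving certificate with CommonName system:internal-release-image, the serverAuth extended key usage and a 182-day validity, signed by a stand-in for the RootCA asset that carries the ten-year lifetime mentioned in the review. It then verifies the leaf the way a TLS client would, once inside the window and once just after it, which is the practical difference behind the "why 6 months" question: a client evaluating the certificate after day 182 rejects it as expired, so something has to rotate it. Assumptions: ECDSA P-256 keys (the installer's key type is not shown here), a hypothetical "root-ca" subject, and no SANs, since the CertCfg snippet shows none.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IRIValidity is the six-month (182-day) validity used by the IRICertKey asset in this PR.
const IRIValidity = 182 * 24 * time.Hour

// issue gives tmpl a random 128-bit serial (serials must be unique per issuer),
// signs it under parent with signer's key, and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRootCA stands in for the installer's RootCA asset: a self-signed CA with the ten-year
// lifetime the review mentions, restricted to issuing leaf certificates (pathlen:0).
func NewRootCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "root-ca"}, // hypothetical CA name
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// NewIRIServerCert issues the registry serving certificate with the subject, EKU and validity from the CertCfg snippet.
func NewIRIServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: "system:internal-release-image"},
		NotBefore:   now,
		NotAfter:    now.Add(validity),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, err := issue(tmpl, ca, &key.PublicKey, caKey)
	return cert, key, err
}

// VerifyServerCert does what a TLS client does: chain to root, require serverAuth, and check the validity window at `at`.
func VerifyServerCert(cert, root *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsExpired reports whether a verification failure is specifically the validity window having passed.
func IsExpired(err error) bool {
	inv, ok := err.(x509.CertificateInvalidError)
	return ok && inv.Reason == x509.Expired
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	root, rootKey, err := NewRootCA(now)
	if err != nil {
		panic(err)
	}
	leaf, _, err := NewIRIServerCert(root, rootKey, now, IRIValidity)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid now:", VerifyServerCert(leaf, root, now.Add(time.Hour)) == nil,
		"expired after 182 days:", IsExpired(VerifyServerCert(leaf, root, now.Add(IRIValidity+time.Hour))))
}
```

VerifyServerCert takes the evaluation time explicitly instead of using the wall clock, which is what lets the expiry case be exercised deterministically; the same VerifyOptions with a DNSName set would additionally require a SAN, which the subject-only certificate above does not carry.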
        continue
    }

    if u.GetKind() == internalReleaseImageKind && u.GetName() == internalReleaseImageInstanceName {
note: a future improvement could be to check an exact match for the current release version
/test golint
@andfasano: The following tests failed, say
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
/payload-job periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-1of3

@patrickdillon: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/db64dd40-d1e2-11f0-9c33-5b02a65e89d7-0

/payload-job periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-2of3

/payload-job periodic-ci-openshift-release-master-ci-4.21-e2e-aws-ovn-techpreview-serial-3of3

@patrickdillon: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/e2c7bbc0-d1e2-11f0-9bc4-efb6b057c087-0

@patrickdillon: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/e52fbb10-d1e2-11f0-9bfd-d3ceb8cbe66a-0

/lgtm

/label acknowledge-critical-fixes-only

@andfasano: This PR has been marked to be verified later by
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
ca7b596 into openshift:main
This patch adds two new assets, respectively IRICertKey and InternalReleaseImageTLSSecret, for generating a new TLS certificate (signed by the RootCA asset) to be used for the InternalReleaseImage registry (introduced in #5452). The code is completely fenced by the NoRegistryClusterInstall feature gate, as it's still in TP.