Add Additional Trusted CAs and Registry CA to Build Pods #21614
Conversation
openshift-ci-robot
added
the
size/XL
adambkaplan
left a comment
adambkaplan
left a comment
There was a problem hiding this comment.
/assign @bparees
May also need input from @openshift/sig-auth wrt. updating the trust store in the build pod.
| AddFunc: c.configMapAdded, | ||
| UpdateFunc: c.configMapUpdated, | ||
| DeleteFunc: c.configMapDeleted, | ||
| }) |
There was a problem hiding this comment.
Watch Build.config.openshift.io and openshift-config ConfigMap resources.
| } | ||
| bc.additionalTrustedCAData = caData | ||
| } | ||
| defer bc.controllerConfigQueue.ShutDown() |
There was a problem hiding this comment.
Instead of mounting the additional trusted CA bundle, we populate the additional CAs map from a separate control loop.
adambkaplan
force-pushed
the
ca-mounting
branch
from
9ca9714 to
58a71b8
Compare
|
/retest |
|
/hold Need to fix mounting in the build pod |
openshift-ci-robot
added
the
do-not-merge/hold
openshift-ci-robot
added
size/XXL
adambkaplan
force-pushed
the
ca-mounting
branch
2 times, most recently
from
23ef169 to
e75386f
Compare
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
@bparees @smarterclayton with openshift/builder#29, builds will be able to pull from/push to image streams. I think this is the last blocker to moving the extended build tests to 4.0 clusters. |
adambkaplan
changed the title
|
/test e2e-aws |
|
/hold e2e-aws will fail until openshift/builder#31 lands |
openshift-ci-robot
added
the
do-not-merge/hold
adambkaplan
force-pushed
the
ca-mounting
branch
2 times, most recently
from
d06eb84 to
2bac879
Compare
|
/hold cancel @bparees as soon as the builder image updates, this should pass tests 😃 |
openshift-ci-robot
removed
the
do-not-merge/hold
| }, | ||
| }, | ||
| KubernetesInformers: kexternalinformers.NewSharedInformerFactory(kubeClient, defaultInformerResyncPeriod), | ||
| OpenshiftConfigInformers: kexternalinformers.NewSharedInformerFactoryWithOptions(kubeClient, defaultInformerResyncPeriod, kexternalinformers.WithNamespace("openshift-config")), |
There was a problem hiding this comment.
OpenShiftConfigKubernetesInformers (NamespaceClientTypeInformer)
| } | ||
|
|
||
| func (bc *BuildController) configMapAdded(obj interface{}) { | ||
| configMap, ok := obj.(*corev1.ConfigMap) |
There was a problem hiding this comment.
all these functions should be checking if event is for the configmap name we care about (whatever build config currently points to)
There was a problem hiding this comment.
@bparees updated by caching the ConfigMap name on the build controller. Better off pulling that data directly from the lister?
There was a problem hiding this comment.
caching it on the controller seems fine because the controller is going to get restarted if it ever changes, right?
There was a problem hiding this comment.
I don't think it will restart - the controller manager's operator doesn't watch this ConfigMap.
well the configmap is moot, this is about the configmap reference field in the build config cluster resource, but you're right, i keep forgetting we redesigned this.
But basically the build controller needs to be watching the build config resource so that when things like the AdditionalCAConfigMapNameRef field is changed, the controller sees the name change. The build controller can store that value whenever it sees it change, it doesn't need to get it from anywhere.
It's possible i'm confused about what you were originally asking.
adambkaplan
force-pushed
the
ca-mounting
branch
from
34d9ffb to
af5d985
Compare
|
@bparees fixed conflicts. |
|
/lgtm |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
8 similar comments
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/hold
|
openshift-ci-robot
added
the
do-not-merge/hold
|
/retest |
|
/hold cancel i think we've cleaned up the build failures, 🤞 |
openshift-ci-robot
removed
the
do-not-merge/hold
|
Looks like there was a change in openshift/api/config/v1/types.go from ConfigMapReference to ConfigMapNameReference |
adambkaplan
force-pushed
the
ca-mounting
branch
from
af5d985 to
a92eec2
Compare
* Enhance the build controller to watch and update the map of additional trusted certificate authorities copied into build pods. * Mount all trusted CAs in the map to new build pods for buildah under /etc/docker/certs.d * Mount service cert signing CA with the internal registry's domain JIRA-ID: [DEVEXP-154](https://jira.coreos.com/browse/DEVEXP-154)
|
@coreydaley @bparees rebased & fixed the test that used |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan, bparees The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@adambkaplan: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest level=fatal msg="waiting for openshift-console URL: context deadline exceeded" |
9 participants
map of additional trusted certificate authorities copied
into build pods.
under /etc/docker/certs.d