Allow accessing odcs repos via https #1597
This pull request introduces 2 alerts when merging 7779b0a into ef43ab2 (view on LGTM.com). New alerts:
28cea59 to fab732d (compare)
Choosing Does atomic-reactor already have a dedicated directory to hold such files used during build time?

"I Am Not An Expert", but AFAICT, atomic-reactor uses I imagine that bandit's problem is indeed with hard-coding the string 'tmp'. Here's a canonical example:

```python
import tempfile

# The directory (and everything in it) is removed when the block exits.
with tempfile.TemporaryDirectory() as tmpdirname:
    BUILD_TIME_CA_BUNDLE = f'{tmpdirname}/tls-ca-bundle.pem'
    # etc...
```

EDIT: On further inspection, it seems like all you really want is something like
@ben-alkov Thanks for your explanation. The I chose the

@tkdchen looks good. I think it might be worth documenting this change also in osbs-docs. How about an integration test? Are we going to merge it before testing it?

with other plugins we are using Will be /opt/.. propagated to the final image?
This is about the directory during build: the tempfile can be created locally in the buildroot, but we need to copy it into the build itself.

Yeah, we should just use /tmp in the build, the same as we are doing when hiding the ubi.repo file.
82205db to 5bee237 (compare)
In the latest update, the ca bundle is copied to

The original tests are migrated to the new test
from atomic_reactor.constants import YUM_REPOS_DIR, RELATIVE_REPOS_PATH, INSPECT_CONFIG | ||
from atomic_reactor.plugin import PreBuildPlugin | ||
from atomic_reactor.util import df_parser | ||
from atomic_reactor.utils.yum import YumRepo | ||
|
||
BUILDER_CA_BUNDLE = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem' |
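Review bot: `BUILDER_CA_BUNDLE` is a module-level constant, so the bundle location is fixed at import time and cannot differ between builder environments; whatever path is finally used, the plugin should fail the build with an explicit error when the file is absent or unreadable at that path in the buildroot, rather than proceed with no bundle, because that bundle is what lets the build trust the HTTPS repo endpoints this PR enables.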
Shouldn't this be configurable?
* CLOUDBLD-4345

Signed-off-by: Chenxiong Qi <cqi@redhat.com>
768bb49 to 7ddd370 (compare)
Code looks good to me. Should be tested with autotest from CLOUDBLD-4622 though
atomic_reactor/schemas/config.json (outdated)
"builder_ca_bundle": { | ||
"description": "The path to the ca-bundle certificate inside the buildroot.", | ||
"type": "string", | ||
"default": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" |
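Review bot: the `default` keyword here is only declarative: unless the config loader applies JSON-schema defaults, code that reads `builder_ca_bundle` must fall back to this path itself, otherwise an absent option yields no value at all and the documented default misleads operators. Either apply the default in the reader or drop the `default` key from the schema and document the option as required.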
Where is this default value used? I cannot see it in the code
I see no fallback there, so it will fail (or return None), but it will NOT use /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem as a default path when it's not configured.
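The missing fallback described in this comment, as an added example that is not atomic-reactor's own code: a plain dict lookup (`lookup_without_fallback`) returns None when `builder_ca_bundle` is absent, while `lookup_with_schema_default` applies the default declared in the schema. The schema fragment is the one quoted in this review; the enclosing object schema, the function names and the constructed placeholder PEM file are assumptions. The `ca_bundle_is_usable` check is also an addition, because a bundle that goes missing silently leaves the build without the trust roots it needs to reach repos over HTTPS.

```python
"""Added example, not atomic-reactor's own code: reading builder_ca_bundle
with and without applying the JSON-schema default.

Assumed (hypothetical): the reactor config arrives as a plain dict and the
schema fragment below sits inside a larger object schema.
"""
import os
import tempfile

SCHEMA_DEFAULT_CA_BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

# Schema fragment as quoted in the PR review; the enclosing object is assumed.
CONFIG_SCHEMA = {
    "type": "object",
    "properties": {
        "builder_ca_bundle": {
            "description": "The path to the ca-bundle certificate inside the buildroot.",
            "type": "string",
            "default": SCHEMA_DEFAULT_CA_BUNDLE,
        }
    },
}


def lookup_without_fallback(config, key="builder_ca_bundle"):
    """The pattern the review objected to: a plain dict lookup never consults
    the schema, so an absent option yields None instead of the default."""
    return config.get(key)


def lookup_with_schema_default(config, key="builder_ca_bundle", schema=CONFIG_SCHEMA):
    """Read the option and fall back to the default declared in the schema.

    An explicit empty string is rejected rather than treated as 'unset',
    because an empty path would disable CA-bundle injection by accident.
    """
    if key in config:
        value = config[key]
        if not isinstance(value, str) or not value:
            raise ValueError(f"{key} must be a non-empty string, got {value!r}")
        return value
    return schema["properties"][key].get("default")


def ca_bundle_is_usable(path):
    """Pre-injection check: the file must exist, be readable and contain at
    least one PEM certificate block. Returns False instead of raising so the
    caller decides how to report the failure."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64 * 1024)
    except OSError:
        return False
    return b"-----BEGIN CERTIFICATE-----" in head


def demo_constructed_bundle():
    """Constructed sample: write a placeholder PEM file into a temporary
    directory (tempfile, as suggested in the thread, instead of a hard-coded
    '/tmp') and run the check on it and on a missing file.
    Returns (usable, missing_usable)."""
    with tempfile.TemporaryDirectory() as tmpdirname:
        bundle = os.path.join(tmpdirname, "tls-ca-bundle.pem")
        with open(bundle, "wb") as fh:
            # Placeholder body, not a real certificate.
            fh.write(b"-----BEGIN CERTIFICATE-----\nconstructed placeholder\n"
                     b"-----END CERTIFICATE-----\n")
        usable = ca_bundle_is_usable(bundle)
        missing = ca_bundle_is_usable(os.path.join(tmpdirname, "absent.pem"))
    return usable, missing


if __name__ == "__main__":
    print(lookup_without_fallback({}))      # None
    print(lookup_with_schema_default({}))   # the schema default path
    print(demo_constructed_bundle())        # (True, False)
```

Whether the default belongs in the reader or in a schema-aware loader is a design choice; what matters is that exactly one place applies it, so the documented value and the runtime value cannot drift apart.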
@lkolacek @ssalatsk I'd like to have a flag to disable injecting CA bundles to dockerfile. Edit: Resolved

Please add also documentation about the new config option ^

Please add the issue ID to the commit msg
* CLOUDBLD-4345
* The plugin's run method is refactored in order to avoid passing many arguments to a function, the original function add_yum_repos_to_dockerfile.
* Tests are updated according to the refactor.
* New test case is added for the optional builder_ca_bundle.

Signed-off-by: Chenxiong Qi <cqi@redhat.com>
Updated.
Adding the Therefore, after rethinking, from my point of view, it should make much sense to add a flag (should be the same thing you mentioned yesterday) for ODCS integration specifically. That is, whether to use the ca-bundle for accessing repos via HTTPS is determined by two configure options, one is under the
What do you think?
Setting a feature flag for odcs is not applicable for now, because current solution is to add the So far, the osbs-docs is updated as well and all comments have been addressed already I think. |
I'd go with just one bundle and not complicate things with ODCS vs yum repo url passed by arg.

Yes, please just keep it simple and do it for all repos.
Signed-off-by: Chenxiong Qi cqi@redhat.com