Restore compatibility in specifying custom CAs by using Go client #1735
Conversation
kubevirt-bot
added
release-note
|
Needs tests. |
|
Also needs to fix the unit tests and imageio functional tests that are now broken. |
pkg/importer/http-datasource.go
Outdated
| // CURL either supports a hashed-directory of certificates or a single file certificate. | ||
| // Create a single file containing all our certificates. | ||
| func createCAFile(certDir string) error { | ||
| systemCertDir := "/etc/pki/tls/certs/" |
There was a problem hiding this comment.
Why are we hard coding some path that may or may not exist in various variations of linux. That is why we used x509.SystemCertPool, so we don't have to care about the paths of the system certs.
There was a problem hiding this comment.
I mainly want to create a file later to be used by nbdkit curl plugin, I didn't find a way to go from a certpool to a file
pkg/importer/http-datasource.go
Outdated
| // append the user-provided trusted CA certificates bundle when making egress connections using proxy | ||
| if files, err := ioutil.ReadDir(common.ImporterProxyCertDir); err == nil { | ||
| for dir := range certDirs { | ||
| files, err := ioutil.ReadDir(certDir) |
There was a problem hiding this comment.
Why are looping over the different dirs, and then only reading certDir, I am assuming you want
files, err := ioutils.ReadDir(dir)
maya-r
force-pushed
the
nbdkit-compat-custom-ca
branch
from
5875f0e
to
e2a43ed
Compare
|
I went back because I had trouble making the more complex patch work. |
|
oops, a rebase accident... I wanted to test that the test fails before the fix, and accidentally pushed that version :-) |
maya-r
force-pushed
the
nbdkit-compat-custom-ca
branch
from
e2a43ed
to
89d2b85
Compare
|
/test pull-cdi-unit-test |
tests/utils/configmaps.go
Outdated
| for _, value := range srcCm.Data { | ||
| certBytes = value | ||
| } |
There was a problem hiding this comment.
Why the iteration? It gets the last item, so let's just to that.
There was a problem hiding this comment.
I wasn't sure about the idiomatic way to do it, there's usually only going to be one element here, I could add a break for clarity.
kubevirt-bot
added
the
needs-rebase
maya-r
force-pushed
the
nbdkit-compat-custom-ca
branch
from
89d2b85
to
227f5b6
Compare
kubevirt-bot
added
needs-rebase
This restores support for the following scenarios: - Now the system certs are considered as valid when a custom CA is used. - The custom CA will be accepted regardless of the key value used in the configmap. Add a test for the second scenario. Signed-off-by: Maya Rashish <mrashish@redhat.com>
Signed-off-by: Maya Rashish <mrashish@redhat.com>
maya-r
force-pushed
the
nbdkit-compat-custom-ca
branch
from
227f5b6
to
cc2917b
Compare
kubevirt-bot
removed
the
needs-rebase
|
/lgtm |
|
/retest |
|
/test pull-containerized-data-importer-e2e-k8s-1.17-ceph |
maya-r
changed the title
|
/cherry-pick release-v1.34 |
|
@maya-r: once the present PR merges, I will cherry-pick it on top of release-v1.34 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
ping @awels |
|
So basically this is reverting some of the usage of nbdkit because we can't get it to properly read the certs? |
|
It's switching the custom cert case to use the Go client for downloading, so we have the same behaviour as we did before. Had a hard time replicating the cert behaviour with nbdkit (if a cert is specified, global certs are still accepted. if multiple certs are specified, they are all accepted). |
Signed-off-by: Maya Rashish <mrashish@redhat.com>
|
/test pull-containerized-data-importer-e2e-k8s-1.17-ceph |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: awels The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
|
/lgtm |
|
@maya-r: new pull request created: #1787 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This restores support for the following scenarios:
Add a test for the second scenario.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1946100
Special notes for your reviewer:
The scenario of system-wide certs is not tested because it requires using an external server.
Release note: