Restore compatibility in specifying custom CAs by using Go client #1735
Needs tests.
Also needs to fix the unit tests and imageio functional tests that are now broken.
So why not use x509.SystemCertPool to create a cert pool, and then append the certs from the other directories to it. Then pass this cert pool to the http client somehow instead of writing everything to a file somewhere, and re-reading it into a cert pool.
pkg/importer/http-datasource.go (outdated)
// CURL either supports a hashed-directory of certificates or a single file certificate.
// Create a single file containing all our certificates.
func createCAFile(certDir string) error {
	systemCertDir := "/etc/pki/tls/certs/"
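Review bot: systemCertDir hard-codes /etc/pki/tls/certs/, which is the Red Hat family layout and is absent on other base images, and nothing in this snippet checks that the directory exists before it is read. If a single bundle file really is required for the curl plugin, resolve the system directory at runtime (falling back to the pool from x509.SystemCertPool for the Go client path) and create the combined file with owner-only permissions, since it becomes the trust anchor for every download.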
Why are we hard-coding some path that may or may not exist in various variations of Linux? That is why we used x509.SystemCertPool, so we don't have to care about the paths of the system certs.
I mainly want to create a file later to be used by the nbdkit curl plugin; I didn't find a way to go from a certpool to a file.
pkg/importer/http-datasource.go (outdated)
// append the user-provided trusted CA certificates bundle when making egress connections using proxy
if files, err := ioutil.ReadDir(common.ImporterProxyCertDir); err == nil {
	for dir := range certDirs {
		files, err := ioutil.ReadDir(certDir)
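Review bot: in the inner loop `dir` is never used and every iteration reads the same `certDir`, so the loop adds nothing over a single ReadDir; `dir` being unused will also fail compilation. If `certDirs` is a slice, `for dir := range certDirs` yields the index rather than the path, so the loop header needs `for _, dir := range certDirs` together with `ioutil.ReadDir(dir)`. Note too that the outer `files, err :=` is shadowed by the inner declaration, so the outer proxy-dir result is discarded; either merge the proxy dir into `certDirs` or process its `files` before entering the loop.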
Why are we looping over the different dirs, and then only reading certDir? I am assuming you want
files, err := ioutil.ReadDir(dir)
5875f0e to e2a43ed
I went back because I had trouble making the more complex patch work.
Oops, a rebase accident... I wanted to test that the test fails before the fix, and accidentally pushed that version :-)
e2a43ed to 89d2b85
/test pull-cdi-unit-test
tests/utils/configmaps.go (outdated)
for _, value := range srcCm.Data {
	certBytes = value
}
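Review bot: Go does not define an iteration order for maps, so when srcCm.Data holds more than one key this loop leaves certBytes set to an arbitrary entry rather than a predictable "last" one. Since the test expects exactly one certificate in the ConfigMap, make that explicit: check `len(srcCm.Data) == 1` (failing the test otherwise) and take the single value, or, if several entries are legitimate, concatenate all of them into the PEM bundle instead of keeping only one.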
Why the iteration? It gets the last item, so let's just do that.
I wasn't sure about the idiomatic way to do it; there's usually only going to be one element here. I could add a break for clarity.
89d2b85 to 227f5b6
This restores support for the following scenarios:
- Now the system certs are considered as valid when a custom CA is used.
- The custom CA will be accepted regardless of the key value used in the configmap.
Add a test for the second scenario.
Signed-off-by: Maya Rashish <mrashish@redhat.com>
227f5b6 to cc2917b
/lgtm
/retest
/test pull-containerized-data-importer-e2e-k8s-1.17-ceph
/cherry-pick release-v1.34
@maya-r: once the present PR merges, I will cherry-pick it on top of release-v1.34 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
ping @awels
So basically this is reverting some of the usage of nbdkit because we can't get it to properly read the certs?
It's switching the custom cert case to use the Go client for downloading, so we have the same behaviour as we did before. I had a hard time replicating the cert behaviour with nbdkit (if a cert is specified, global certs are still accepted; if multiple certs are specified, they are all accepted).
Signed-off-by: Maya Rashish <mrashish@redhat.com>
/test pull-containerized-data-importer-e2e-k8s-1.17-ceph
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: awels. The full list of commands accepted by this bot can be found here. The pull request process is described here.
/lgtm
@maya-r: new pull request created: #1787 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This restores support for the following scenarios:
- Now the system certs are considered as valid when a custom CA is used.
- The custom CA will be accepted regardless of the key value used in the configmap.
Add a test for the second scenario.
Which issue(s) this PR fixes: Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1946100
Special notes for your reviewer:
The scenario of system-wide certs is not tested because it requires using an external server.
Release note: