MGMT-16508: Add API to AgentServiceConfig CRD to allow pass of CA certificates for image pull. #5884
Conversation
|
@paul-maidment: This pull request references MGMT-16508 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
openshift-ci
bot
added
the
size/XL
openshift-ci
bot
added
api-review
paul-maidment
force-pushed
the
MGMT-16508
branch
2 times, most recently
from
692ceb3
to
2adc972
Compare
openshift-ci
bot
added
size/L
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #5884 +/- ##
==========================================
+ Coverage 68.18% 68.21% +0.02%
==========================================
Files 236 236
Lines 34788 34836 +48
==========================================
+ Hits 23721 23763 +42
- Misses 8999 9002 +3
- Partials 2068 2071 +3
|
paul-maidment
force-pushed
the
MGMT-16508
branch
from
2adc972
to
84082e5
Compare
|
/retest |
paul-maidment
force-pushed
the
MGMT-16508
branch
5 times, most recently
from
2fe86ed
to
0a38c5a
Compare
|
/retest |
|
@paul-maidment: This pull request references MGMT-16508 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
1 similar comment
|
@paul-maidment: This pull request references MGMT-16508 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
| // this certificate will be used by the assisted-image-service when pulling OS images. | ||
| //+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Image pull CA config map reference" | ||
| // +optional | ||
| ImagePullCAConfigMapRef *corev1.LocalObjectReference `json:"imagePullCAConfigMapRef,omitempty"` |
There was a problem hiding this comment.
I think this should reference OSImages in some way to make sure it's not confused with pulling container images.
Maybe OSImageCACertRef?
| @@ -109,6 +109,12 @@ type AgentServiceConfigSpec struct { | |||
| //+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="List of container registries without authentication" | |||
| // +optional | |||
| UnauthenticatedRegistries []string `json:"unauthenticatedRegistries,omitempty"` | |||
| // ImagePullCAConfigMapRef is a reference to a config map containing a certificate authority certificate | |||
There was a problem hiding this comment.
Can you just add a blank line between all the fields and the next field comment?
I see it's inconsistent in this struct, but we can fix that now.
| @@ -109,6 +109,12 @@ type AgentServiceConfigSpec struct { | |||
| //+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="List of container registries without authentication" | |||
| // +optional | |||
| UnauthenticatedRegistries []string `json:"unauthenticatedRegistries,omitempty"` | |||
| // ImagePullCAConfigMapRef is a reference to a config map containing a certificate authority certificate | |||
| // this is an optional certificate to allow a customer to add a certificate authority for a HTTPS source of images | |||
| // Read the referenced ConfigMap to ensure that it contains a single file "extra-ca.crt" | ||
| additionalCABundleCM := &corev1.ConfigMap{} | ||
| if err := asc.Client.Get(ctx, types.NamespacedName{Name: asc.spec.ImagePullCAConfigMapRef.Name, Namespace: asc.namespace}, additionalCABundleCM); err != nil { | ||
| log.WithError(err).Errorf("Failed to get additional CA Bundle config map %s", asc.spec.ImagePullCAConfigMapRef.Name) | ||
| return err | ||
| } | ||
| var err error | ||
| _, ok := additionalCABundleCM.Data["extra-ca.pem"] | ||
| if !ok { | ||
| err = multierror.Append(err, fmt.Errorf("expected to find single file `extra-ca.pem` in the ConfigMap %s but it was not found", asc.spec.ImagePullCAConfigMapRef.Name)) | ||
| } | ||
| if len(additionalCABundleCM.Data) != 1 { | ||
| err = multierror.Append(err, fmt.Errorf("found multiple files in ConfigMap %s, a single file was expected but %d files were found", asc.spec.ImagePullCAConfigMapRef.Name, len(additionalCABundleCM.Data))) | ||
| } | ||
| if err != nil { | ||
| return err | ||
| } |
There was a problem hiding this comment.
I feel like all this validation doesn't belong in the StatefulSet mutate function.
I'd say this should be in the validate function and we should set a condition if any of the references are invalid.
| volumes = ensureVolume(volumes, corev1.Volume{ | ||
| Name: "additional-ca-bundle", | ||
| VolumeSource: corev1.VolumeSource{ | ||
| EmptyDir: &corev1.EmptyDirVolumeSource{}, |
There was a problem hiding this comment.
We're not putting anything here in this case so the volume and volume mount should be added only if we have certs to add.
| volumeSource := &corev1.ConfigMapVolumeSource{ | ||
| LocalObjectReference: corev1.LocalObjectReference{ | ||
| Name: asc.spec.ImagePullCAConfigMapRef.Name, | ||
| }, | ||
| } | ||
| volumes = ensureVolume(volumes, corev1.Volume{ | ||
| Name: "additional-ca-bundle", | ||
| VolumeSource: corev1.VolumeSource{ | ||
| ConfigMap: volumeSource, | ||
| }, | ||
| }) |
There was a problem hiding this comment.
I don't think you need the volumeSource intermediate variable here I'd just put it all in one struct.
| @@ -1177,6 +1178,7 @@ func newImageServiceStatefulSet(ctx context.Context, log logrus.FieldLogger, asc | |||
| {Name: "tls-certs", MountPath: "/etc/image-service/certs"}, | |||
| {Name: "service-cabundle", MountPath: "/etc/image-service/ca-bundle"}, | |||
| {Name: "image-service-data", MountPath: "/data"}, | |||
| {Name: "additional-ca-bundle", MountPath: "/additional-ca-bundle"}, | |||
There was a problem hiding this comment.
Maybe put this in /etc/image-service like the others. How about /etc/image-service/os-images-ca-bundle?
paul-maidment
force-pushed
the
MGMT-16508
branch
from
0a38c5a
to
c4fe712
Compare
|
/retest |
2 similar comments
|
/retest |
|
/retest |
paul-maidment
force-pushed
the
MGMT-16508
branch
from
c4fe712
to
048de5a
Compare
paul-maidment
force-pushed
the
MGMT-16508
branch
2 times, most recently
from
1093ca5
to
0a28772
Compare
|
/hold Just thought of this. Are we doing anything to ensure we update the image service when the contents of this config map change? |
openshift-ci
bot
added
the
do-not-merge/hold
When you make a change to the content of the ConfigMap these are kept in sync automatically, I actually believe this is core functionality in Kubernetes. There doesn't appear to be a redeployment but the volume is simply kept in sync, if you shell into the image service then you can see the files being updated within 30 seconds of any change to the ConfigMap As we can see in this excerpt of the statefulset, there is a reference to the ConfigMap in the volume, I think Kubernetes must be watching these ConfigMaps. I would assume this is similar for EnvFrom. |
paul-maidment
force-pushed
the
MGMT-16508
branch
from
0a28772
to
1d6ce11
Compare
|
/retest |
| @@ -1712,6 +1743,7 @@ func newAssistedServiceDeployment(ctx context.Context, log logrus.FieldLogger, a | |||
| setAnnotation(meta, assistedConfigHashAnnotation, assistedConfigHash) | |||
| setAnnotation(meta, mirrorConfigHashAnnotation, mirrorConfigHash) | |||
| setAnnotation(meta, userConfigHashAnnotation, userConfigHash) | |||
| setAnnotation(meta, osImagesCAConfigHashAnnotation, osImagesCAConfigHash) | |||
There was a problem hiding this comment.
This should be being set on the image service, not assisted.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: paul-maidment The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
paul-maidment
force-pushed
the
MGMT-16508
branch
2 times, most recently
from
3f1da87
to
746d282
Compare
| @@ -168,6 +171,7 @@ func initASC(r *AgentServiceConfigReconciler, instance *aiv1beta1.AgentServiceCo | |||
| return asc | |||
| } | |||
|
|
|||
| type NewStatefulSetFn func(context.Context, logrus.FieldLogger, ASC) (*appsv1.StatefulSet, controllerutil.MutateFn) | |||
There was a problem hiding this comment.
I don't think this should be defined here if it's only used in tests.
There was a problem hiding this comment.
You are also only using AssertReconcileSuccessStatefulSetFn in one place. Maybe just don't define that function and then you wouldn't need this type.
…tificates for image pull. This PR introduces a new field to the AgentServiceConfig CRD `imagePullCAConfigMap` which is a LocalObjectReference to a config map containing CA certificates These certificates are to be used by the image service for the purpose of verifying the CA of HTTPS connections used for pulling images. `imagePullConfigMap` is expected to reference a ConfigMap containing a single file `extra-ca.pem` which contains the CA certificate. If multiple CA certificates are to be used, the user is expected to append these into the same PEM. This code also passes the path `ADDITIONAL_CA_FILE` to the image service if the additional CA file is present. This code sets up the Volume for this and maps to either an empty directory or maps the content of the ConfigMap. This will ensure that the CA's will be available for use by the image service.
paul-maidment
force-pushed
the
MGMT-16508
branch
from
746d282
to
c4f131d
Compare
|
/unhold |
1 similar comment
|
/unhold |
|
/lgtm |
openshift-ci
bot
added
lgtm
|
/retest |
openshift-merge-bot
bot
merged commit 268d4ed
into
openshift:master
|
[ART PR BUILD NOTIFIER] This PR has been included in build ose-agent-installer-api-server-container-v4.16.0-202401302041.p0.g268d4ed.assembly.stream for distgit ose-agent-installer-api-server. |
MGMT-16508: Add API to AgentServiceConfig CRD to allow pass of CA certificates for image pull.
This PR introduces a new field to the AgentServiceConfig CRD
imagePullCAConfigMapwhich is a LocalObjectReference to a config map containing CA certificatesThese certificates are to be used by the image service for the purpose of verifying the CA of HTTPS connections used for pulling images.
imagePullConfigMapis expected to reference a ConfigMap containing a single fileextra-ca.pemwhich contains the CA certificate.If multiple CA certificates are to be used, the user is expected to append these into the same PEM.
This code also passes the path
ADDITIONAL_CA_FILEto the image service if the additional CA file is present.This code sets up the Volume for this and maps to either an empty directory or maps the content of the ConfigMap.
This will ensure that the CA's will be available for use by the image service.
What environments does this code impact?
How was this code tested?
Checklist
docs, README, etc)Docstrings have been updated to describe the purpose of this change.
There is also a ticket in the Epic to support more general documentation.
Reviewers Checklist