MGMT-16508: Add API to AgentServiceConfig CRD to allow pass of CA certificates for image pull. #5884
Conversation
@paul-maidment: This pull request references MGMT-16508 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Codecov Report
Attention:
Additional details and impacted files

Coverage Diff (master vs. #5884):

                master     #5884      +/-
  Coverage      68.18%    68.21%   +0.02%
  Files            236       236
  Lines          34788     34836      +48
  Hits           23721     23763      +42
  Misses          8999      9002       +3
  Partials        2068      2071       +3
/retest
/retest
// this certificate will be used by the assisted-image-service when pulling OS images. | ||
//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Image pull CA config map reference" | ||
// +optional | ||
ImagePullCAConfigMapRef *corev1.LocalObjectReference `json:"imagePullCAConfigMapRef,omitempty"` |
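Review bot: the doc comment on ImagePullCAConfigMapRef should state where the ConfigMap must live and which key it must carry. A LocalObjectReference has no namespace, the lookup in the StatefulSet code resolves it in the AgentServiceConfig's own namespace, and the image service expects a single `extra-ca.pem` key, so a user who creates the ConfigMap elsewhere or under another key only learns this from a reconcile error. Suggested wording: `// ImagePullCAConfigMapRef references a ConfigMap in the AgentServiceConfig namespace whose single key extra-ca.pem holds a PEM bundle of CA certificates the image service uses to verify HTTPS OS image sources.`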
I think this should reference OSImages in some way to make sure it's not confused with pulling container images. Maybe `OSImageCACertRef`?
@@ -109,6 +109,12 @@ type AgentServiceConfigSpec struct { | |||
//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="List of container registries without authentication" | |||
// +optional | |||
UnauthenticatedRegistries []string `json:"unauthenticatedRegistries,omitempty"` | |||
// ImagePullCAConfigMapRef is a reference to a config map containing a certificate authority certificate |
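Review bot: the new field comment says "a certificate authority certificate" (singular) while the PR description says several CAs may be concatenated into the same PEM; say "a PEM bundle of one or more CA certificates" so users know concatenation is supported. Also separate this comment from `UnauthenticatedRegistries` with a blank line, otherwise the comment reads as attached to the previous field.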
Can you just add a blank line between all the fields and the next field comment?
I see it's inconsistent in this struct, but we can fix that now.
@@ -109,6 +109,12 @@ type AgentServiceConfigSpec struct { | |||
//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="List of container registries without authentication" | |||
// +optional | |||
UnauthenticatedRegistries []string `json:"unauthenticatedRegistries,omitempty"` | |||
// ImagePullCAConfigMapRef is a reference to a config map containing a certificate authority certificate | |||
// this is an optional certificate to allow a customer to add a certificate authority for a HTTPS source of images |
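Review bot: the second comment line is a sentence fragment: "a HTTPS" should be "an HTTPS", "customer" reads better as "user", and the two lines should form one sentence that ends with a period, e.g. `// ImagePullCAConfigMapRef is an optional reference to a ConfigMap holding a CA certificate bundle that lets a user trust an HTTPS source of OS images.`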
s/customer/user/
// Read the referenced ConfigMap to ensure that it contains a single file "extra-ca.crt" | ||
additionalCABundleCM := &corev1.ConfigMap{} | ||
if err := asc.Client.Get(ctx, types.NamespacedName{Name: asc.spec.ImagePullCAConfigMapRef.Name, Namespace: asc.namespace}, additionalCABundleCM); err != nil { | ||
log.WithError(err).Errorf("Failed to get additional CA Bundle config map %s", asc.spec.ImagePullCAConfigMapRef.Name) | ||
return err | ||
} | ||
var err error | ||
_, ok := additionalCABundleCM.Data["extra-ca.pem"] | ||
if !ok { | ||
err = multierror.Append(err, fmt.Errorf("expected to find single file `extra-ca.pem` in the ConfigMap %s but it was not found", asc.spec.ImagePullCAConfigMapRef.Name)) | ||
} | ||
if len(additionalCABundleCM.Data) != 1 { | ||
err = multierror.Append(err, fmt.Errorf("found multiple files in ConfigMap %s, a single file was expected but %d files were found", asc.spec.ImagePullCAConfigMapRef.Name, len(additionalCABundleCM.Data))) | ||
} | ||
if err != nil { | ||
return err | ||
} |
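Review bot: the leading comment names `extra-ca.crt` but the code checks `extra-ca.pem`; pick one (the PR description says `extra-ca.pem`). The length check also reports "found multiple files" when Data is empty, which would print "0 files were found"; say "expected exactly one file, found %d". Beyond the presence of the key, nothing checks that the value parses as PEM certificates, so a damaged bundle only shows up as TLS failures inside the image service; decoding the blocks with encoding/pem and x509.ParseCertificate in the validate function, and setting a condition on failure as the comment above suggests, fails fast with an actionable message.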
I feel like all this validation doesn't belong in the StatefulSet mutate function. I'd say this should be in the `validate` function and we should set a condition if any of the references are invalid.
volumes = ensureVolume(volumes, corev1.Volume{ | ||
Name: "additional-ca-bundle", | ||
VolumeSource: corev1.VolumeSource{ | ||
EmptyDir: &corev1.EmptyDirVolumeSource{}, |
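Review bot: with the reference unset this still creates and mounts an empty volume named `additional-ca-bundle`, the same name the ConfigMap-backed branch uses. Besides being unnecessary (as noted above), correctness when a user later removes the reference depends on ensureVolume replacing an existing entry by name rather than leaving the old ConfigMap source in place. Suggest adding the volume and mount only when a reference is set, plus a unit test that sets and then clears the reference and asserts the StatefulSet no longer mounts the ConfigMap.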
We're not putting anything here in this case so the volume and volume mount should be added only if we have certs to add.
volumeSource := &corev1.ConfigMapVolumeSource{ | ||
LocalObjectReference: corev1.LocalObjectReference{ | ||
Name: asc.spec.ImagePullCAConfigMapRef.Name, | ||
}, | ||
} | ||
volumes = ensureVolume(volumes, corev1.Volume{ | ||
Name: "additional-ca-bundle", | ||
VolumeSource: corev1.VolumeSource{ | ||
ConfigMap: volumeSource, | ||
}, | ||
}) |
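Review bot: the ConfigMapVolumeSource has no Items, so every key in the ConfigMap is projected into the mount; setting `Items: []corev1.KeyToPath{{Key: "extra-ca.pem", Path: "extra-ca.pem"}}` pins the file the image service reads and decouples the mount from the single-key validation. The intermediate volumeSource variable can be inlined, as the comment below says.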
I don't think you need the `volumeSource` intermediate variable here; I'd just put it all in one struct.
@@ -1177,6 +1178,7 @@ func newImageServiceStatefulSet(ctx context.Context, log logrus.FieldLogger, asc | |||
{Name: "tls-certs", MountPath: "/etc/image-service/certs"}, | |||
{Name: "service-cabundle", MountPath: "/etc/image-service/ca-bundle"}, | |||
{Name: "image-service-data", MountPath: "/data"}, | |||
{Name: "additional-ca-bundle", MountPath: "/additional-ca-bundle"}, |
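Review bot: the new VolumeMount should be read-only (`ReadOnly: true`); the image service only reads the bundle, and the other certificate mounts make the intent clearer when this one cannot be written to either. If the path moves under /etc/image-service as suggested below, the `ADDITIONAL_CA_FILE` value mentioned in the PR description must be updated in step with it.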
Maybe put this in `/etc/image-service` like the others. How about `/etc/image-service/os-images-ca-bundle`?
/retest
/hold Just thought of this. Are we doing anything to ensure we update the image service when the contents of this config map change?
When you make a change to the content of the ConfigMap, these are kept in sync automatically; I actually believe this is core functionality in Kubernetes. There doesn't appear to be a redeployment, but the volume is simply kept in sync: if you shell into the image service, you can see the files being updated within 30 seconds of any change to the ConfigMap. As we can see in this excerpt of the statefulset, there is a reference to the ConfigMap in the volume; I think Kubernetes must be watching these ConfigMaps.
I would assume this is similar for EnvFrom.
/retest
@@ -1712,6 +1743,7 @@ func newAssistedServiceDeployment(ctx context.Context, log logrus.FieldLogger, a | |||
setAnnotation(meta, assistedConfigHashAnnotation, assistedConfigHash) | |||
setAnnotation(meta, mirrorConfigHashAnnotation, mirrorConfigHash) | |||
setAnnotation(meta, userConfigHashAnnotation, userConfigHash) | |||
setAnnotation(meta, osImagesCAConfigHashAnnotation, osImagesCAConfigHash) |
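Review bot: osImagesCAConfigHashAnnotation is set on the assisted-service deployment, but the bundle is mounted into the image service StatefulSet, so a ConfigMap change would roll the wrong workload; move this into newImageServiceStatefulSet. This is also the real answer to the /hold question above: the kubelet does refresh mounted ConfigMap files, but unless the image service re-reads the bundle on every request the CA pool it loaded at startup stays stale, and the hash-annotation rollout is what guarantees the new CA is actually used.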
This should be being set on the image service, not assisted.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: paul-maidment. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Last nit. Otherwise looks good.
@@ -168,6 +171,7 @@ func initASC(r *AgentServiceConfigReconciler, instance *aiv1beta1.AgentServiceCo | |||
return asc | |||
} | |||
|
|||
type NewStatefulSetFn func(context.Context, logrus.FieldLogger, ASC) (*appsv1.StatefulSet, controllerutil.MutateFn) |
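Review bot: NewStatefulSetFn is an exported type with no doc comment, and per the comments below it is referenced only from tests; either move it into the test file or, if it stays here, document it (`// NewStatefulSetFn builds the image service StatefulSet and its mutate function for an ASC.`).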
I don't think this should be defined here if it's only used in tests.
You are also only using `AssertReconcileSuccessStatefulSetFn` in one place. Maybe just don't define that function and then you wouldn't need this type.
…tificates for image pull. This PR introduces a new field to the AgentServiceConfig CRD `imagePullCAConfigMap` which is a LocalObjectReference to a config map containing CA certificates. These certificates are to be used by the image service for the purpose of verifying the CA of HTTPS connections used for pulling images. `imagePullConfigMap` is expected to reference a ConfigMap containing a single file `extra-ca.pem` which contains the CA certificate. If multiple CA certificates are to be used, the user is expected to append these into the same PEM. This code also passes the path `ADDITIONAL_CA_FILE` to the image service if the additional CA file is present. This code sets up the Volume for this and maps to either an empty directory or maps the content of the ConfigMap. This will ensure that the CAs will be available for use by the image service.
/unhold
/lgtm
/retest
268d4ed into openshift:master
[ART PR BUILD NOTIFIER] This PR has been included in build ose-agent-installer-api-server-container-v4.16.0-202401302041.p0.g268d4ed.assembly.stream for distgit ose-agent-installer-api-server.
This PR introduces a new field to the AgentServiceConfig CRD `imagePullCAConfigMap` which is a LocalObjectReference to a config map containing CA certificates. These certificates are to be used by the image service for the purpose of verifying the CA of HTTPS connections used for pulling images.
`imagePullConfigMap` is expected to reference a ConfigMap containing a single file `extra-ca.pem` which contains the CA certificate. If multiple CA certificates are to be used, the user is expected to append these into the same PEM.
This code also passes the path `ADDITIONAL_CA_FILE` to the image service if the additional CA file is present. This code sets up the Volume for this and maps to either an empty directory or maps the content of the ConfigMap.
This will ensure that the CAs will be available for use by the image service.
What environments does this code impact?
How was this code tested?
Checklist
(docs, README, etc): Docstrings have been updated to describe the purpose of this change. There is also a ticket in the Epic to support more general documentation.
Reviewers Checklist
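The PR description fixes the ConfigMap contract (exactly one key, `extra-ca.pem`, possibly several CAs appended into one PEM) and a reviewer asked for that check to live in the validate function. The following is an added example, not code from this PR or from assisted-service, of what such a validate step could look like when it also parses the bundle; it assumes a plain `map[string]string` standing in for `corev1.ConfigMap.Data`, and the `ValidateOSImagesCABundle` and `NewTestCAPEM` names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)
const osImagesCAKey = "extra-ca.pem" // key the image service reads, as in the PR
// ValidateOSImagesCABundle applies the PR's ConfigMap rules (exactly one key,
// named extra-ca.pem) and additionally parses the body as a PEM bundle of CA
// certificates, so a bad bundle fails in validate() with a clear error instead
// of inside the image service. data stands in for corev1.ConfigMap.Data.
func ValidateOSImagesCABundle(name string, data map[string]string) (int, error) {
	body, ok := data[osImagesCAKey]
	if len(data) != 1 || !ok {
		return 0, fmt.Errorf("ConfigMap %s: expected the single key %q, found %d keys", name, osImagesCAKey, len(data))
	}
	var block *pem.Block
	rest, n := []byte(body), 0
	for block, rest = pem.Decode(rest); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if block.Type != "CERTIFICATE" || err != nil || !cert.IsCA {
			return 0, fmt.Errorf("ConfigMap %s: PEM block %d is not a CA certificate: %v", name, n+1, err)
		}
		n++
	}
	// An empty bundle or trailing non-PEM text is rejected rather than silently ignored.
	if n == 0 || strings.TrimSpace(string(rest)) != "" {
		return 0, fmt.Errorf("ConfigMap %s: %s is not a clean PEM certificate bundle", name, osImagesCAKey)
	}
	return n, nil
}

// NewTestCAPEM makes a throwaway self-signed certificate (constructed sample
// input, not a real CA); isCA=false yields a leaf that the validator rejects.
func NewTestCAPEM(cn string, isCA bool) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

In the operator this would run from the validate function and set a condition on the AgentServiceConfig when it returns an error, so the StatefulSet mutate function only ever mounts a bundle that is known to be usable.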