Bug 1755140: do not force skip tls verify to true on image source injection #110
Conversation
@gabemontero: This pull request references Bugzilla bug 1755140, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
a networking metrics flake in e2e-aws
@adambkaplan per our slack exchange yesterday, simply removing the setting of skip tls verify was insufficient. Our image source tests are having tls difficulties:
Looks like we need to explicitly seed the containers client in openshift/builder with the certs provided by OCM.
/test e2e-aws
@nalind shouldn't buildah use the certs in
Technically speaking @adambkaplan the config map certs are stored in However, certs from secrets are copied to In the test failure, we were trying to pull from the image registry; its certs are in the pull secret cert, no? That said, I would have expected Or perhaps we need to explicitly set @nalind ??
Found the answer to my question: https://github.com/openshift/builder/blob/master/vendor/github.com/containers/image/v5/docker/docker_client.go#L50
@gabemontero the errors are
agree on the weirdness @adambkaplan I suspect the extract source from image setup is different enough from builder image pull to cause the weirdness. Certainly the original //TODO comment about getting it from the host implies that (at least it does to me). Oh, and I forgot that
One thing that is interesting is that the Going to see about pulling the
ok let's see what effect this additional commit has
So passing in the context from our containers/image based client didn't help. So doing some more digging @adambkaplan @nalind so far I see:
Still digging, but of course any pointers/clues are appreciated.
I believe I'm zeroing in on it. c/images' There are a few callers into it so I'm having to sort the various permutations. This method is called by the extract img source/buildah mount path, but not I believe in the generic image pull path.
Prior theory debunked .... still trying to uncover what is different in the two buildah/images paths.
Actually I misspoke earlier ... the image registry cert is in the config map. Mounted in locations like /var/run/configs/openshift.io/certs/..2019_11_06_21_45_49.155501101/certs.d/image-registry.openshift-image-registry.svc:5000/ca.crt
OK finally got somewhere ... openshift/builder is not successful in its population of Debug:
Now, why do pulls of the builder image work? .... Still a little fuzzy on details, but so far:
@adambkaplan let's actively pursue @nalind or somebody else on container team on Thursday to confirm/deny that second bullet if he doesn't catch up with these PR comments by then. In the interim, going to see about fixing openshift/builder's copy of the config map data to
@adambkaplan realized what is up in scrum today ... we are doing the image/src stuff in a init container vs. regular one, and the img registry cert cfg map is not getting mounted in the init containers for the build pod. I'm starting on the needed OCM PR.
locally testing with openshift/openshift-controller-manager#46 also shows that commit 641f36b is not needed, so will remove
Branch force-pushed from 641f36b to 5d8b75d (compare)
/retest
CI / acquire lease flake on e2e-aws-builds /retest
/retest
tests are green now @adambkaplan ... bump/ptal
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan, gabemontero The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@gabemontero: All pull requests linked via external trackers have merged. Bugzilla bug 1755140 has been moved to the MODIFIED state. In response to this:
/cherrypick release-4.2
@gabemontero: new pull request created: #111 In response to this:
/cherrypick release-4.1
@gabemontero: new pull request created: #112 In response to this:
/assign @adambkaplan
@openshift/openshift-team-developer-experience FYI
The registry.conf built by the OCM and passed to openshift/builder should have the correct settings based on what has been supplied to the build config for pulling in source from an image, or from any global image config that has been created.
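The thread's fix has two halves: stop forcing skip-TLS-verify to true for image source injection, and make sure the registry CA from the mounted config map (the `certs.d/<registry>/ca.crt` layout quoted earlier in the thread) actually reaches the client. The following is an added, stand-alone Go example and not code from openshift/builder, OCM or containers/image; it uses only the standard library, so `RegistryTLSConfig`, `loadRegistryCA`, `SelfSignedCA` and `WriteRegistryCA` are illustrative names, and the CA it writes is a constructed self-signed certificate standing in for the one the cluster would mount.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// RegistryTLSConfig builds the TLS settings for one registry. skipTLSVerify is
// whatever the build configuration explicitly asked for; it is never forced to
// true, which is the defect the PR title describes.
func RegistryTLSConfig(certsDir, registry string, skipTLSVerify bool) (*tls.Config, error) {
	cfg := &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: skipTLSVerify,
	}
	pool, err := loadRegistryCA(certsDir, registry)
	if err != nil {
		return nil, err
	}
	if pool != nil {
		cfg.RootCAs = pool // seed the client with the mounted registry CA
	}
	return cfg, nil
}

// loadRegistryCA reads <certsDir>/<registry>/ca.crt, the layout the build pod
// sees once the registry CA config map is mounted. A missing file is not an
// error: the system roots are used instead, and verification stays enabled.
func loadRegistryCA(certsDir, registry string) (*x509.CertPool, error) {
	path := filepath.Join(certsDir, registry, "ca.crt")
	pemBytes, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		return nil, nil
	}
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("%s: no valid PEM certificates", path)
	}
	return pool, nil
}

// SelfSignedCA returns a constructed CA certificate in PEM form so the example
// runs offline; on a cluster this content comes from the mounted config map.
func SelfSignedCA() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-registry-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// WriteRegistryCA writes caPEM to <certsDir>/<registry>/ca.crt, mimicking the
// mounted certs.d layout.
func WriteRegistryCA(certsDir, registry string, caPEM []byte) error {
	dir := filepath.Join(certsDir, registry)
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "ca.crt"), caPEM, 0o644)
}

func main() {
	certsDir, err := os.MkdirTemp("", "certs.d")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(certsDir)
	const registry = "image-registry.openshift-image-registry.svc:5000"
	caPEM, err := SelfSignedCA()
	if err != nil {
		panic(err)
	}
	if err := WriteRegistryCA(certsDir, registry, caPEM); err != nil {
		panic(err)
	}
	cfg, err := RegistryTLSConfig(certsDir, registry, false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("skip verify: %v, custom CA loaded: %v\n", cfg.InsecureSkipVerify, cfg.RootCAs != nil)
}
```

The check a reviewer would want here is the negative one: with an unknown registry, `RegistryTLSConfig` returns a config with no custom pool and verification still on, rather than silently flipping to skip-verify because no CA was found.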