Bug 1826183: Generate trust bundle for builds #158
@adambkaplan: This pull request references Bugzilla bug 1826183, which is valid. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@adambkaplan: This pull request references Bugzilla bug 1826183, which is valid. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/lgtm
/retest Please review the full test history for this PR and help us cut down flakes.
/hold The client plugin test is broken again via the upstream pipeline example in that repo @adambkaplan @akram @waveywaves. I'm talking about the file https://github.com/openshift/jenkins-client-plugin/blob/master/examples/jenkins-image-sample.groovy. I saw the same thing in recent samples repo PRs. I'll create a PR shortly that will move the build suite off of its use and instead onto a more stable pipeline in openshift/origin, so we still have regression coverage. I am also working on a PR for jenkins-client-plugin that will finally allow e2e's in that repo to test against the version of that test in that repo (and finally avoid the manual missteps that can occur when testing client plugin changes against the master branch vs. the version of the file in a given PR).
/hold Placing a second hold on this based on the demo. The current chain of PRs will merge the trust bundle with the OS defaults. I need to check with the network team if this is acceptable. /cc @danehans
@adambkaplan this is what the Network Operator does when an operator or operand requests proxy trust bundle injection, for example. If you're not requesting trust bundle injection, then yes, you need to combine the OS default bundle with the bundle referenced by
@danehans then it isn't clear if we are doing the right thing. The openshift controller manager operator creates a ConfigMap for the injected CA, which is then read in by the build controller. When a build is started, the build controller creates a new ConfigMap with this CA data, and mounts the contents into the build pod. This was originally mounted into Trust bundle injection is not sufficient because not all processes can use the TLS trust bundle. Java processes need the trust bundle in the keytool format.
Plumbing the trust bundle configmap is up to the operator/operand implementation. For example, ingress operator mounts the trust bundle configmap to
* Create entrypoint script which does the following:
  * Check if the CA trust bundle exists in the new neutral location.
  * Run `update-ca-trust extract` if a custom PKI is present.
* Add mounts.conf to /etc/containers
  * Mount /run/secrets from build pod containers to buildah's containers. In RHEL/Fedora, /run/secrets is mounted in from /usr/share/rhel/secrets, and contains host information needed to access subscription content.
  * Mount /etc/pki/ca-trust from the build pod to buildah's containers. This contains the TLS trust store that the entrypoint script configures via `update-ca-trust extract`.
* Organize image content to simplify the Dockerfile instructions for building `openshift/builder`.
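The entrypoint and mounts.conf behaviour described in the commit message above, as an added example that is not the openshift/builder project's own entrypoint script. It assumes a drop-in anchor directory (`CA_ANCHOR_DIR`, default `/etc/pki/ca-trust/source/anchors`, the standard location `update-ca-trust` scans on RHEL/Fedora), an overridable tool path (`UPDATE_CA_TRUST`), and the `/SRC:/DST` line format of containers-mounts.conf(5); the `ENTRYPOINT_MAIN` gate is a hypothetical switch so the file can be sourced without side effects. The check treats an empty or absent ConfigMap mount as "no custom PKI", so the OS trust store is only regenerated when a real certificate was injected.

```shell
#!/bin/sh
# Added example, not the project's code. Regenerates the system trust store
# only when a custom PKI has been dropped into the anchor directory, and writes
# the /etc/containers/mounts.conf that exposes /run/secrets and /etc/pki/ca-trust
# to buildah's inner containers.
CA_ANCHOR_DIR="${CA_ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"   # assumed path
UPDATE_CA_TRUST="${UPDATE_CA_TRUST:-update-ca-trust}"                 # assumed override

# custom_pki_present DIR: succeed (0) if DIR holds at least one non-empty file
# containing a PEM certificate; fail (1) otherwise. Missing directories, empty
# files and placeholder mounts must not trigger an extract.
custom_pki_present() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -s "$f" ] || continue
        grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null && return 0
    done
    return 1
}

# configure_ca_trust DIR: run `update-ca-trust extract` only when a custom PKI
# is present. Returns 0 when nothing needed doing or the store was regenerated,
# 2 when a custom PKI exists but the tool is unavailable (fail loudly rather
# than silently building against an incomplete trust store).
configure_ca_trust() {
    dir="$1"
    if ! custom_pki_present "$dir"; then
        echo "no custom PKI in $dir; leaving OS trust store untouched"
        return 0
    fi
    if ! command -v "$UPDATE_CA_TRUST" >/dev/null 2>&1; then
        echo "custom PKI found in $dir but $UPDATE_CA_TRUST is not installed" >&2
        return 2
    fi
    "$UPDATE_CA_TRUST" extract || return $?
    echo "trust store regenerated from $dir"
}

# write_mounts_conf DEST: emit the two bind mounts from the commit message in
# containers-mounts.conf(5) format (host-path:container-path, one per line).
write_mounts_conf() {
    dest="$1"
    printf '%s\n' \
        '/run/secrets:/run/secrets' \
        '/etc/pki/ca-trust:/etc/pki/ca-trust' > "$dest"
}

# Act as the real entrypoint only when ENTRYPOINT_MAIN=1 (hypothetical gate),
# then hand off to the build command so the trust store is ready before any
# TLS connection is made by the build.
if [ "${ENTRYPOINT_MAIN:-0}" = "1" ]; then
    configure_ca_trust "$CA_ANCHOR_DIR" || exit $?
    exec "$@"
fi
```

In an image, `write_mounts_conf /etc/containers/mounts.conf` would run at build time and the entrypoint at container start; the exit code 2 path is the one worth alerting on, since a build that proceeds without the injected CA will fail later with a far less obvious TLS error.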
1c3a03e to 32f5b57
/hold cancel This PR can merge because it will run
@gabemontero @coreydaley @otaviof ptal - I had to change the mount point for
Is there any testing that goes along with this or is the existing case covered and will automatically pass if this change is done correctly?
@coreydaley openshift/origin#25156 will verify once everything merges.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan, coreydaley, gabemontero The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@adambkaplan: Some pull requests linked via external trackers have merged: . The following pull requests linked via external trackers have not merged:
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.