Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 2017565: [OCPCLOUD-1306] Add user defined trusted CA from cloud-config to ccm-trusted-ca bundle #140

Merged
merged 3 commits into from Nov 4, 2021
Merged

Bug 2017565: [OCPCLOUD-1306] Add user defined trusted CA from cloud-config to ccm-trusted-ca bundle #140

merged 3 commits into from Nov 4, 2021

Conversation

lobziik
Copy link
Contributor

@lobziik lobziik commented Oct 26, 2021

Additional trusted CA from cloud-config should also be counted during
ccm-trusted-ca sync procedure. Due to OCP installer nuances,
'additionalTrustBundle' not always ends up in the proxy object.

For handling such situation this patch introduces support of 'ca-bundle.pem'
key in cloud-config. CA from there will be added to ccm-trusted-ca along with
additional CA bundle which reffered by proxy object.

For additional context see:
openshift/installer#5251 (comment)

@lobziik
Extract 'cloudConfigMapName' constant to common consts file, extend t…
b1632f4 
…ests

Test for cloud-conf sync controller was extended for ensure that
all keys are handled and synced
@openshift-ci openshift-ci bot added the bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. label Oct 26, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 26, 2021

@lobziik: This pull request references Bugzilla bug 2015493, which is invalid:

  • expected the bug to be in one of the following states: NEW, ASSIGNED, ON_DEV, POST, POST, but it is ON_QA instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 2015493: [OCPCLOUD-1306] Add user defined trusted CA from cloud-config to ccm-trusted-ca bundle

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Oct 26, 2021
@lobziik
Copy link
Contributor Author

lobziik commented Oct 26, 2021

/cc @JoelSpeed @Fedosin @elmiko

@lobziik
Copy link
Contributor Author

lobziik commented Oct 26, 2021

/test unit

JoelSpeed
JoelSpeed reviewed Oct 26, 2021
View reviewed changes
Copy link
Contributor

@JoelSpeed JoelSpeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One stylistic nit otherwise I think this looks good

pkg/controllers/trusted_ca_bundle_controller.go Outdated Show resolved Hide resolved
elmiko
elmiko reviewed Oct 26, 2021
View reviewed changes
Copy link
Contributor

@elmiko elmiko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

couple of nits in the documentation, otherwise lgtm

docs/dev/trusted_ca_bundle_sync.md Outdated Show resolved Hide resolved
docs/dev/trusted_ca_bundle_sync.md Outdated Show resolved Hide resolved
docs/dev/trusted_ca_bundle_sync.md Outdated Show resolved Hide resolved
@lobziik
Copy link
Contributor Author

lobziik commented Oct 27, 2021

/test e2e-aws-ccm-install
/test e2e-aws-ccm

elmiko
elmiko reviewed Oct 27, 2021
View reviewed changes
Copy link
Contributor

@elmiko elmiko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks Denis
/approve

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 27, 2021
@elmiko
Copy link
Contributor

elmiko commented Oct 27, 2021

seems like the unit tests broke

@lobziik
Copy link
Contributor Author

lobziik commented Oct 27, 2021

Apparently we need to count on missed cloud config as on expected situation.
Changed code accordingly.

Also unit-tests are not stable, there is some cleanup issues, didn't figure out why exactly this happen.
Wanna hold it, till i will fix up units.
/hold
/remove-approve

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 27, 2021
@lobziik lobziik changed the title Bug 2015493: [OCPCLOUD-1306] Add user defined trusted CA from cloud-config to ccm-trusted-ca bundle Bug 2017565: [OCPCLOUD-1306] Add user defined trusted CA from cloud-config to ccm-trusted-ca bundle Oct 27, 2021
@openshift-ci openshift-ci bot added bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. and removed bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. labels Oct 27, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Oct 27, 2021

@lobziik: This pull request references Bugzilla bug 2017565, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.10.0) matches configured target release for branch (4.10.0)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @sunzhaohua2

In response to this:

Bug 2017565: [OCPCLOUD-1306] Add user defined trusted CA from cloud-config to ccm-trusted-ca bundle

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. and removed bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Oct 27, 2021
@elmiko
Copy link
Contributor

elmiko commented Oct 27, 2021

no worries, thanks for the extra detail @lobziik
/approve cancel

@openshift-ci openshift-ci bot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 27, 2021
@lobziik
Copy link
Contributor Author

lobziik commented Nov 1, 2021
edited

I fixed tests in 494fc0b
/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 1, 2021
@lobziik
Copy link
Contributor Author

lobziik commented Nov 1, 2021

/retest

elmiko
elmiko reviewed Nov 1, 2021
View reviewed changes
Copy link
Contributor

@elmiko elmiko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks Denis
/approve

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 1, 2021
JoelSpeed
JoelSpeed reviewed Nov 2, 2021
View reviewed changes
pkg/controllers/cloud_config_sync_controller_test.go Outdated Show resolved Hide resolved
pkg/controllers/cloud_config_sync_controller_test.go Outdated
Comment on lines 177 to 181
allCMs := &corev1.ConfigMapList{}
Expect(cl.List(ctx, allCMs)).To(Succeed())
for _, cm := range allCMs.Items {
Expect(cl.Delete(ctx, &cm, deleteOptions)).To(Succeed())
Eventually(
apierrors.IsNotFound(cl.Get(ctx, client.ObjectKeyFromObject(managedCloudConfig), &corev1.ConfigMap{})),
).Should(BeTrue())
}

if syncedCloudConfigMap != nil {
Expect(cl.Delete(ctx, syncedCloudConfigMap, deleteOptions)).To(Succeed())
Eventually(
apierrors.IsNotFound(cl.Get(ctx, client.ObjectKeyFromObject(syncedCloudConfigMap), &corev1.Namespace{})),
apierrors.IsNotFound(cl.Get(ctx, client.ObjectKeyFromObject(&cm), &corev1.ConfigMap{})),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned in slack, but for the benefit or future selves. You could also use a DeleteAllOf call here, which will delete all of the configmaps in a particular namespace. For example this could be done:

By("Cleanup resources")
for _, ns := range []string{targetNamespaceName, OpenshiftConfigNamespace, OpenshiftManagedConfigNamespace} {
	Expect(cl.DeleteAllOf(ctx, &corev1.ConfigMap{},
		client.GracePeriodSeconds(0),
		client.InNamespace(ns),
	)).To(Succeed())
	Eventually(func() (bool, error) {
		cmList := &corev1.ConfigMapList{}
		if err := cl.List(ctx, cmList, client.InNamespace(ns)); err != nil {
			return false, err
		}
		return len(cmList.Items) == 0, nil
	},
	).Should(BeTrue())
}

@lobziik
Copy link
Contributor Author

lobziik commented Nov 3, 2021

I squashed commits and cleaned up tests for cloud-conf syncer a bit, IMHO it's ready for final review.
@JoelSpeed @Fedosin @elmiko PTAL

JoelSpeed
JoelSpeed reviewed Nov 3, 2021
View reviewed changes
Copy link
Contributor

@JoelSpeed JoelSpeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One nit, I don't think it makes too much difference here but could cause a bug down the line if you were to create a list from within the loop or something

pkg/controllers/cloud_config_sync_controller_test.go Outdated Show resolved Hide resolved
@lobziik
Copy link
Contributor Author

lobziik commented Nov 3, 2021

/retest

@lobziik
Add user defined trusted CA from cloud-config to ccm-trusted-ca bundle
2852fa4 
Additional trusted CA from cloud-config should also be counted during
ccm-trusted-ca sync procedure. Due to OCP installer nuances,
'additionalTrustBundle' not always ends up in the proxy object.

For handling such situation this patch introduces support of 'ca-bundle.pem'
key in cloud-config. CA from there will be added to ccm-trusted-ca along with
additional CA bundle which reffered by proxy object.

However, cloud-config might not be always presented.
On some platforms (AWS), there might be no cloud-config at all.
So, missed cloud config does not considering as an error.

For additional context see:
openshift/installer#5251 (comment)
@lobziik
Update CA sync related doc part
372db61
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 3, 2021
edited

@lobziik: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-ccm 372db61 link false /test e2e-gcp-ccm
ci/prow/e2e-gcp-ccm-install 372db61 link false /test e2e-gcp-ccm-install
ci/prow/e2e-vsphere-ccm 372db61 link false /test e2e-vsphere-ccm
ci/prow/e2e-vsphere-ccm-install 372db61 link false /test e2e-vsphere-ccm-install
ci/prow/e2e-openstack-ccm 372db61 link false /test e2e-openstack-ccm
ci/prow/e2e-azure-upgrade 372db61 link false /test e2e-azure-upgrade
ci/prow/e2e-azure 372db61 link false /test e2e-azure
ci/prow/e2e-azure-ccm 372db61 link false /test e2e-azure-ccm

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@lobziik
Copy link
Contributor Author

lobziik commented Nov 4, 2021

/test e2e-aws-ccm

Fedosin
Fedosin approved these changes Nov 4, 2021
View reviewed changes
Copy link
Contributor

@Fedosin Fedosin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 4, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 4, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: elmiko, Fedosin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit b87c310 into openshift:master Nov 4, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 4, 2021

@lobziik: All pull requests linked via external trackers have merged:

Bugzilla bug 2017565 has been moved to the MODIFIED state.

In response to this:

Bug 2017565: [OCPCLOUD-1306] Add user defined trusted CA from cloud-config to ccm-trusted-ca bundle

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@lobziik lobziik mentioned this pull request Nov 8, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@elmiko elmiko elmiko left review comments

@Fedosin Fedosin Fedosin approved these changes

@sunzhaohua2 sunzhaohua2 Awaiting requested review from sunzhaohua2

@JoelSpeed JoelSpeed Awaiting requested review from JoelSpeed

Assignees

@Fedosin Fedosin

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-medium Referenced Bugzilla bug's severity is medium for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@lobziik @elmiko @JoelSpeed @Fedosin @openshift-merge-robot