OCPBUGS-11958: Add the trusted CA bundle in UWM Prometheus pods #1970

Merged
merged 3 commits into from Jun 19, 2023

rexagod
Member

@rexagod rexagod commented May 22, 2023

Add the trusted CA bundle in UWM Prometheus pods, so users can secure
the remote-write endpoint, in response to OCPBUGS-11958.

  • I added CHANGELOG entry for this change.
  • No user facing changes, so no entry in CHANGELOG was needed.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 22, 2023
@openshift-ci
Contributor

openshift-ci bot commented May 22, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@rexagod rexagod changed the title Add the trusted CA bundle in UWM Prometheus pods OCPBUGS-11958: Add the trusted CA bundle in UWM Prometheus pods May 22, 2023
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 22, 2023
@openshift-ci-robot
Contributor

@rexagod: This pull request references Jira Issue OCPBUGS-11958, which is invalid:

  • expected the bug to target the "4.14.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@rexagod
Member Author

rexagod commented May 22, 2023

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels May 22, 2023
@openshift-ci-robot
Contributor

@rexagod: This pull request references Jira Issue OCPBUGS-11958, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.14.0) matches configured target version for branch (4.14.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

In response to this:

/jira refresh

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label May 22, 2023
@rexagod rexagod marked this pull request as ready for review May 24, 2023 02:20
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 24, 2023
Add the trusted CA bundle in UWM Prometheus pods, so users can secure
the remote-write endpoint, in response to [OCPBUGS-11958](https://issues.redhat.com/browse/OCPBUGS-11958).

Signed-off-by: Pranshu Srivastava <rexagod@gmail.com>
@rexagod
Member Author

rexagod commented May 24, 2023

make versions hangs up for me locally. The e2e tests seem to fail (flake) at the login step.

403 ("\n<!DOCTYPE html>\n<html lang=\"en\" charset=\"utf-8\">\n<head>\n  <title>Log In</title>\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\">\n  <style>\n    @font-face {\n      font-family: \"Open Sans\";\n      src: url(data:application/x-font-woff;charset=utf-8;base64,..."): timed out waiting for the condition

@rexagod
Member Author

rexagod commented May 25, 2023

/retest all

@openshift-ci
Contributor

openshift-ci bot commented May 25, 2023

@rexagod: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

  • /test e2e-agnostic-operator
  • /test e2e-aws-ovn
  • /test e2e-aws-ovn-upgrade
  • /test generate
  • /test go-fmt
  • /test images
  • /test jsonnet-fmt
  • /test rules
  • /test shellcheck
  • /test unit
  • /test vendor
  • /test verify

The following commands are available to trigger optional jobs:

  • /test e2e-aws-ovn-single-node
  • /test versions

Use /test all to run all jobs.

In response to this:

/retest all

@rexagod
Member Author

rexagod commented May 25, 2023

/test all

@simonpasquier
Contributor

/skip

prefix: "prometheus-user-workload",
}

hashedTrustedCA, err := cbs.syncTrustedCABundle(ctx, trustedCA)
Contributor

instead of using caBundleSyncer, it's better to use DeleteHashedConfigMap like here

    trustedCA, err := t.factory.ThanosRulerTrustedCABundle()
    if err != nil {
        return errors.Wrap(err, "initializing Thanos Ruler trusted CA bundle ConfigMap failed")
    }
    err = t.client.DeleteConfigMap(ctx, trustedCA)
    if err != nil {
        return errors.Wrap(err, "deleting Thanos Ruler trusted CA bundle ConfigMap failed")
    }
    err = t.client.DeleteHashedConfigMap(ctx, trustedCA.GetNamespace(), "thanos-ruler", "")
    if err != nil {
        return errors.Wrap(err, "deleting all hashed Thanos Ruler trusted CA bundle ConfigMap failed")
    }

@@ -1731,6 +1737,27 @@ func (f *Factory) PrometheusUserWorkload(grpcTLS *v1.Secret) (*monv1.Prometheus,
p.Spec.Secrets = append(p.Spec.Secrets, getAdditionalAlertmanagerSecrets(alertManagerConfigs)...)
}

if trustedCABundleCM != nil {
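
Review bot: The `if trustedCABundleCM != nil {` guard that closes this hunk has no visible handling for the nil case, so a caller of PrometheusUserWorkload that passes a nil ConfigMap would get a Prometheus object without whatever the guarded block adds, and nothing in these lines reports it. If the trusted CA bundle is always expected here, drop the guard or return an error on nil so that a pod cannot be generated without the bundle unnoticed; if nil is a legitimate input, a one-line comment stating when it occurs would make the intent clear.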
Contributor

is there a real need to check for nil? if not, it might be more readable to inject the configmap along with the configuration of the startup probe (e.g. have only one loop iterating over the containers).

Member Author

ACK, Simon. I've pushed the snippet in the loop above.

@rexagod rexagod force-pushed the OCPBUGS-11958 branch 2 times, most recently from 3dcd4ef to 6ea7a45 Compare May 29, 2023 16:33
@rexagod
Member Author

rexagod commented May 30, 2023

/retest

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 19, 2023
@rexagod rexagod force-pushed the OCPBUGS-11958 branch 2 times, most recently from d1ba20b to b152c8c Compare June 19, 2023 11:04
@rexagod rexagod marked this pull request as ready for review June 19, 2023 11:05
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 19, 2023
@rexagod rexagod marked this pull request as draft June 19, 2023 11:05
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 19, 2023
@openshift-ci openshift-ci bot requested a review from sthaha June 19, 2023 11:05
@rexagod rexagod marked this pull request as ready for review June 19, 2023 11:08
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 19, 2023
Contributor

@simonpasquier simonpasquier left a comment

/lgtm

@simonpasquier
Contributor

/skip

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 19, 2023
@simonpasquier
Contributor

/retest-required

@openshift-ci
Contributor

openshift-ci bot commented Jun 19, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rexagod, simonpasquier

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 19, 2023
@openshift-merge-robot openshift-merge-robot merged commit 6375989 into openshift:master Jun 19, 2023
15 of 16 checks passed
@openshift-ci-robot
Contributor

@rexagod: Jira Issue OCPBUGS-11958: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-11958 has been moved to the MODIFIED state.

@openshift-ci
Contributor

openshift-ci bot commented Jun 19, 2023

@rexagod: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Details | Required | Rerun command
ci/prow/versions | cc650ea | link | false | /test versions

Full PR test history. Your PR dashboard.

@rexagod
Member Author

rexagod commented Jul 11, 2023

/cherry-pick release-4.13

@openshift-cherrypick-robot

@rexagod: new pull request created: #2041

In response to this:

/cherry-pick release-4.13

@rexagod
Member Author

rexagod commented Jul 11, 2023

/cherry-pick release-4.12

@openshift-cherrypick-robot

@rexagod: #1970 failed to apply on top of branch "release-4.12":

Applying: Add the trusted CA bundle in UWM Prometheus pods
Using index info to reconstruct a base tree...
M	jsonnet/components/prometheus-user-workload.libsonnet
M	pkg/manifests/manifests.go
M	pkg/manifests/manifests_test.go
M	pkg/tasks/prometheus_user_workload.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/tasks/prometheus_user_workload.go
Auto-merging pkg/manifests/manifests_test.go
Auto-merging pkg/manifests/manifests.go
CONFLICT (content): Merge conflict in pkg/manifests/manifests.go
Auto-merging jsonnet/components/prometheus-user-workload.libsonnet
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Add the trusted CA bundle in UWM Prometheus pods
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-4.12
