Bug 1704874: Create ConfigMap for Registry CA #96
@bparees I think we'll want the operator to create the ConfigMap to hold the CA for the registry.
since it's something consumed by the controllers, that seems reasonable to me.
/retest
/retest
With openshift/cluster-openshift-controller-manager-operator#96, the openshift controller manager will be able to read the internal registry's certificate authority from a central ConfigMap. Updating build controller to copy the registry CA into each build's CA ConfigMap.
ping @bparees
kind: ConfigMap | ||
apiVersion: v1 | ||
metadata: | ||
name: openshift-registry-ca |
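Review bot: the manifest metadata carries only the `name`, but the PR description says the service-ca-operator is expected to populate this ConfigMap via the `service.beta.openshift.io/inject-cabundle` annotation; declaring that annotation here in the manifest (`annotations: {service.beta.openshift.io/inject-cabundle: "true"}`) makes the object self-describing instead of relying solely on the reconcile code to add it. The name `openshift-registry-ca` also suggests a registry-specific CA, whereas what gets injected is the service CA bundle, so a name that says what the content is would avoid confusion for consumers.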
this is the openshift-service-ca, it's not registry specific.
// Otherwise ignore the contents of the ConfigMap | ||
modified := resourcemerge.BoolPtr(false) | ||
existingCopy := existing.DeepCopy() | ||
resourcemerge.EnsureObjectMeta(modified, &existingCopy.ObjectMeta, configMap.ObjectMeta) |
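Review bot: the leading comment says the ConfigMap contents are ignored, but `resourcemerge.EnsureObjectMeta` still reconciles labels and annotations, so the comment should state precisely that only metadata (including the inject-cabundle annotation) is enforced here and that `Data` is intentionally left to the component that injects it. Since `modified` is tracked, make sure any write-back that follows is gated on `*modified` so an unchanged object does not trigger a no-op update on every sync.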
how are you checking whether the service-ca value within the configmap has changed?
in our other configmaps we store a hash of the keys/values so we know if something has changed that needs to force a rollout of the configmap consumer....
you should be able to just add that in manageOpenShiftControllerManagerConfigMap. In fact isn't that already watching a client-ca configmap? (maybe for a different ca)
yes, we are watching the client-ca ConfigMap and the serving-cert secret.
We'll still need this function to create the openshift-service-ca ConfigMap and ensure that it has the inject-cabundle annotation.
oh. you do not need to watch the openshift-service-ca configmap from here because the controller-manager itself does not care if that configmap changes. only the buildcontroller logic inside the controllermanager, which already watches the configmap itself.
@bparees renamed ConfigMap to openshift-service-ca
- ptal
Create a ConfigMap that the openshift-controller-manager can use to hold the registry's CA. Use the service.beta.openshift.io/inject-cabundle annotation to have the service-ca-operator dynamically inject the internal registry's certificate authority.
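The metadata-only reconciliation the thread settles on, written out as an added example that is not the operator's own code: it enforces the inject-cabundle annotation from the description and records a hash of the ConfigMap data, the technique the review comments mention for the operator's other ConfigMaps. The `ConfigMap` struct is a stand-in for corev1.ConfigMap, and the hash annotation key is an assumed name.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// inject-cabundle is the annotation named in the PR; the hash key is an assumed
// name for the rollout-forcing hash described in the review comments.
const (
	InjectCABundleAnnotation = "service.beta.openshift.io/inject-cabundle"
	DataHashAnnotation       = "example.openshift.io/configmap-data-hash" // assumed
)
// ConfigMap is a minimal stand-in for corev1.ConfigMap (no k8s deps needed).
type ConfigMap struct {
	Annotations map[string]string
	Data        map[string]string
}
// DataHash: SHA-256 over Data with sorted, length-prefixed keys and values.
func DataHash(data map[string]string) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		fmt.Fprintf(h, "%d:%s=%d:%s;", len(k), k, len(data[k]), data[k])
	}
	return hex.EncodeToString(h.Sum(nil))
}
// EnsureServiceCAMetadata reconciles metadata only, as the reviewed hunk does: the
// annotation hands ownership of Data to service-ca-operator, and the hash lets a
// consumer notice a rotated CA. Returns true when an update must be written back.
func EnsureServiceCAMetadata(cm *ConfigMap) bool {
	if cm.Annotations == nil {
		cm.Annotations = map[string]string{}
	}
	modified := false
	if cm.Annotations[InjectCABundleAnnotation] != "true" {
		cm.Annotations[InjectCABundleAnnotation] = "true"
		modified = true
	}
	if want := DataHash(cm.Data); cm.Annotations[DataHashAnnotation] != want {
		cm.Annotations[DataHashAnnotation] = want
		modified = true
	}
	return modified
}
```

A second call on an unchanged object returns false, so the caller can skip the API update; a change to the injected `Data` flips the hash and returns true again.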
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: adambkaplan, bparees.
See https://bugzilla.redhat.com/show_bug.cgi?id=1704874