Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add certificate option to cincinnati client #226

Merged
merged 2 commits into from Jul 31, 2019
Merged

Add certificate option to cincinnati client #226

merged 2 commits into from Jul 31, 2019

Conversation

jcpowermac
Copy link
Contributor

Adds support to use a ConfigMap that contains a certificate bundle if a MITM proxy is used with cincinnati http client.

  • Modify cincinnati client struct to included tlsConfig
  • Modify cincinnati NewClient for tls change
  • Modify getHTTPSProxyURL to return ConfigMapNameReference
  • Add new method getTLSConfig that uses ConfigMap to extract the CA bundle and creates a tlsConfig

@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 25, 2019
@openshift-ci-robot openshift-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 25, 2019
abhinavdahiya
abhinavdahiya reviewed Jul 25, 2019
View reviewed changes
pkg/cvo/availableupdates.go Outdated
if err != nil {
return err
}
tlsConfig, err := optr.getTLSConfig(cmNameRef)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the trustedCA for proxies is optional.. so we should keep that in mind.

abhinavdahiya
abhinavdahiya reviewed Jul 25, 2019
View reviewed changes
pkg/cvo/availableupdates.go Outdated
return nil, configv1.ConfigMapNameReference{}, nil
}

func (optr *Operator) getTLSConfig(cmNameRef configv1.ConfigMapNameReference) (*tls.Config, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this function should assume that the reference is required.

abhinavdahiya
abhinavdahiya reviewed Jul 25, 2019
View reviewed changes
pkg/cvo/availableupdates.go Outdated
}

func (optr *Operator) getTLSConfig(cmNameRef configv1.ConfigMapNameReference) (*tls.Config, error) {
cm, err := optr.kubeClient.CoreV1().ConfigMaps("openshift-config-managed").Get(cmNameRef.Name, metav1.GetOptions{})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

c147732

added an informer/lister for configmaps for openshif-config namespaces.. could we do somethings like that do that we are calling the api and using the cache if possible..

@jcpowermac
Copy link
Contributor Author

I think we should fix the name of previous informer and create a new one based on namespace rather the name for proxy ca

@abhinavdahiya
Could we create a shared informer for both? Or do we want to limit the namespaces?

@openshift-ci-robot openshift-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 29, 2019
@jcpowermac
Copy link
Contributor Author

I think we should fix the name of previous informer and create a new one based on namespace rather the name for proxy ca

@abhinavdahiya
Could we create a shared informer for both? Or do we want to limit the namespaces?

Nevermind.

abhinavdahiya
abhinavdahiya reviewed Jul 29, 2019
View reviewed changes
pkg/start/start.go Outdated
opts.FieldSelector = fmt.Sprintf("metadata.name=%s", internal.InstallerConfigMap)
})
cmManagedInformer := informers.NewFilteredSharedInformerFactory(kubeClient, resyncPeriod(o.ResyncInterval)(), internal.ConfigManagedNamespace, func(opts *metav1.ListOptions) {
opts.FieldSelector = fmt.Sprintf("metadata.name=%s", internal.InstallerConfigMap)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is make it so that the informer will be restricted to only one object (named internal.InstallerConfigMap) in managed namespace. this will not cache the proxy-ca.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ack

abhinavdahiya
abhinavdahiya reviewed Jul 29, 2019
View reviewed changes
pkg/start/start.go Outdated
sharedInformers := externalversions.NewSharedInformerFactory(client, resyncPeriod(o.ResyncInterval)())

ctx := &Context{
CVInformerFactory: cvInformer,
CMInformerFactory: cmInformer,
CMInformerFactory: cmConfigInformer,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if you don't add the informer here, then the informer cannot be started here

cluster-version-operator/pkg/start/start.go

Lines 366 to 368 in f443b93

c.CVInformerFactory.Start(ch)
c.CMInformerFactory.Start(ch)
c.InformerFactory.Start(ch)

@jcpowermac jcpowermac changed the title [WIP] Add certificate option to cincinnati client Add certificate option to cincinnati client Jul 29, 2019
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 29, 2019
@jcpowermac
Copy link
Contributor Author

/retest

abhinavdahiya
abhinavdahiya reviewed Jul 30, 2019
View reviewed changes
pkg/cvo/availableupdates.go Outdated
func (optr *Operator) getTLSConfig(cmNameRef string) (*tls.Config, error) {
cm, err := optr.cmManagedLister.Get(cmNameRef)

if errors.IsNotFound(err) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can make this function fail on not found.... ?
what the effects of doing that..?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see your point. Since we are checking if cmNameRef is not empty if the ConfigMap isn't found that is probably not a good thing.

The latest commit would return err:
https://github.com/openshift/cluster-version-operator/pull/226/files#diff-78f2af341fa49292dd6930f378018867R49

abhinavdahiya
abhinavdahiya reviewed Jul 30, 2019
View reviewed changes
pkg/start/start.go Outdated
opts.FieldSelector = fmt.Sprintf("metadata.name=%s", internal.InstallerConfigMap)
})
cmManagedInformer := informers.NewFilteredSharedInformerFactory(kubeClient, resyncPeriod(o.ResyncInterval)(), internal.ConfigManagedNamespace, func(opts *metav1.ListOptions) {
opts.FieldSelector = fmt.Sprintf("metadata.name=%s", internal.UserCAConfigMap)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we can force ourselves to only objects with name UserCAConfigMap.. I think we can create a list for maybe keep it for entire namespace to begin with.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ack...will fix this tomorrow.

abhinavdahiya
abhinavdahiya reviewed Jul 31, 2019
View reviewed changes
pkg/internal/constants.go Outdated
ConfigNamespace = "openshift-config"
ConfigManagedNamespace = "openshift-config-managed"
InstallerConfigMap = "openshift-install"
UserCAConfigMap = "user-ca-bundle"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is no longer use.

@jcpowermac
Add certificate option to cincinnati client
3875a44 
Adds support to use a ConfigMap that contains a certificate bundle
if a MITM proxy is used with cincinnati http client.

Modify cincinnati client struct to included tlsConfig
Modify cincinnati NewClient for tls change
Modify getHTTPSProxyURL to return string of ConfigMapNameReference
Add new method getTLSConfig that uses ConfigMap to extract
the CA bundle and creates a tlsConfig
@abhinavdahiya
Copy link
Contributor

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 31, 2019
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, jcpowermac

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 31, 2019
@openshift-merge-robot openshift-merge-robot merged commit b57ee63 into openshift:master Jul 31, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@abhinavdahiya abhinavdahiya abhinavdahiya left review comments

@smarterclayton smarterclayton Awaiting requested review from smarterclayton

@wking wking Awaiting requested review from wking

Assignees

@abhinavdahiya abhinavdahiya

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@jcpowermac @abhinavdahiya @openshift-ci-robot @openshift-merge-robot