Add certificate option to cincinnati client #226
Conversation
pkg/cvo/availableupdates.go
Outdated
if err != nil {
return err
}
tlsConfig, err := optr.getTLSConfig(cmNameRef)
The trustedCA for proxies is optional, so we should keep that in mind.
pkg/cvo/availableupdates.go
Outdated
return nil, configv1.ConfigMapNameReference{}, nil
}

func (optr *Operator) getTLSConfig(cmNameRef configv1.ConfigMapNameReference) (*tls.Config, error) {
This function should assume that the reference is required.
pkg/cvo/availableupdates.go
Outdated
}

func (optr *Operator) getTLSConfig(cmNameRef configv1.ConfigMapNameReference) (*tls.Config, error) {
cm, err := optr.kubeClient.CoreV1().ConfigMaps("openshift-config-managed").Get(cmNameRef.Name, metav1.GetOptions{})
Added an informer/lister for configmaps for the openshift-config namespace.. could we do something like that so that we are calling the API and using the cache if possible..
@abhinavdahiya
Nevermind.
pkg/start/start.go
Outdated
opts.FieldSelector = fmt.Sprintf("metadata.name=%s", internal.InstallerConfigMap)
})
cmManagedInformer := informers.NewFilteredSharedInformerFactory(kubeClient, resyncPeriod(o.ResyncInterval)(), internal.ConfigManagedNamespace, func(opts *metav1.ListOptions) {
opts.FieldSelector = fmt.Sprintf("metadata.name=%s", internal.InstallerConfigMap)
This makes it so that the informer will be restricted to only one object (named internal.InstallerConfigMap) in the managed namespace. This will not cache the proxy-ca.
ack
pkg/start/start.go
Outdated
sharedInformers := externalversions.NewSharedInformerFactory(client, resyncPeriod(o.ResyncInterval)())

ctx := &Context{
CVInformerFactory: cvInformer,
CMInformerFactory: cmInformer,
CMInformerFactory: cmConfigInformer,
If you don't add the informer here, then the informer cannot be started here:
cluster-version-operator/pkg/start/start.go, lines 366 to 368 in f443b93
c.CVInformerFactory.Start(ch)
c.CMInformerFactory.Start(ch)
c.InformerFactory.Start(ch)
/retest
pkg/cvo/availableupdates.go
Outdated
func (optr *Operator) getTLSConfig(cmNameRef string) (*tls.Config, error) {
cm, err := optr.cmManagedLister.Get(cmNameRef)

if errors.IsNotFound(err) {
Can we make this function fail on not found?
What are the effects of doing that?
I see your point. Since we are checking if cmNameRef is not empty, if the ConfigMap isn't found that is probably not a good thing. The latest commit would return err:
https://github.com/openshift/cluster-version-operator/pull/226/files#diff-78f2af341fa49292dd6930f378018867R49
pkg/start/start.go
Outdated
opts.FieldSelector = fmt.Sprintf("metadata.name=%s", internal.InstallerConfigMap)
})
cmManagedInformer := informers.NewFilteredSharedInformerFactory(kubeClient, resyncPeriod(o.ResyncInterval)(), internal.ConfigManagedNamespace, func(opts *metav1.ListOptions) {
opts.FieldSelector = fmt.Sprintf("metadata.name=%s", internal.UserCAConfigMap)
I don't think we can force ourselves to only objects with name UserCAConfigMap.. I think we can create a list for, maybe, the entire namespace to begin with.
ack...will fix this tomorrow.
pkg/internal/constants.go
Outdated
ConfigNamespace = "openshift-config"
ConfigManagedNamespace = "openshift-config-managed"
InstallerConfigMap = "openshift-install"
UserCAConfigMap = "user-ca-bundle"
This is no longer used.
Adds support to use a ConfigMap that contains a certificate bundle if a MITM proxy is used with the cincinnati http client.
Modify cincinnati client struct to include tlsConfig
Modify cincinnati NewClient for tls change
Modify getHTTPSProxyURL to return string of ConfigMapNameReference
Add new method getTLSConfig that uses ConfigMap to extract the CA bundle and creates a tlsConfig
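The shape of the change being reviewed above, as an added example that is not code from the PR or from cluster-version-operator: build a *tls.Config whose roots come from a CA bundle stored in a ConfigMap, then hand it to an HTTP client that is routed through the MITM proxy. The semantics follow the review thread (an empty reference means no proxy CA and falls back to system roots; a non-empty reference whose ConfigMap is missing or holds no parseable certificate is an error rather than a silent fallback). The ConfigMap data key `ca-bundle.crt`, the function names, the proxy URL and the way the ConfigMap data is passed in as a plain map (instead of through the lister) are assumptions made for this example; the CA certificate is generated at run time as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/url"
	"time"
)

// caBundleKey is the ConfigMap data key assumed to carry the PEM bundle.
// The key name is an assumption for this example, not taken from the PR.
const caBundleKey = "ca-bundle.crt"

var (
	// errConfigMapNotFound: a non-empty reference pointed at a ConfigMap that does not exist.
	errConfigMapNotFound = errors.New("referenced ConfigMap not found")
	// errCABundleMissing: the ConfigMap exists but carries no parseable certificate.
	errCABundleMissing = errors.New("no PEM certificates in CA bundle")
)

// tlsConfigFromConfigMap builds a *tls.Config that trusts only the CAs found in
// the ConfigMap data. cmName is the ConfigMapNameReference; data == nil stands
// in for "the lister returned NotFound".
func tlsConfigFromConfigMap(cmName string, data map[string]string) (*tls.Config, error) {
	if cmName == "" {
		// No proxy CA configured: nil config lets the client use system roots.
		return nil, nil
	}
	if data == nil {
		// A reference that cannot be resolved is a configuration error, not
		// a reason to fall back to system roots behind a MITM proxy.
		return nil, fmt.Errorf("configmap %q: %w", cmName, errConfigMapNotFound)
	}
	pool := x509.NewCertPool()
	// AppendCertsFromPEM reports false when the data has no valid certificate
	// (empty string, wrong key, or garbage), so all three cases fail the same way.
	if !pool.AppendCertsFromPEM([]byte(data[caBundleKey])) {
		return nil, fmt.Errorf("configmap %q: %w", cmName, errCABundleMissing)
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// newProxiedClient returns an HTTP client that sends requests through proxyURL
// (when non-empty) and verifies the upstream certificate against tlsConfig.
// A nil tlsConfig keeps Go's default (system root) verification.
func newProxiedClient(proxyURL string, tlsConfig *tls.Config) (*http.Client, error) {
	transport := &http.Transport{TLSClientConfig: tlsConfig}
	if proxyURL != "" {
		u, err := url.Parse(proxyURL)
		if err != nil {
			return nil, fmt.Errorf("invalid proxy URL %q: %w", proxyURL, err)
		}
		transport.Proxy = http.ProxyURL(u)
	}
	return &http.Client{Transport: transport, Timeout: 30 * time.Second}, nil
}

// selfSignedCAPEM mints a throwaway CA certificate so the example has a valid
// PEM bundle to load. Constructed test data, not a real proxy CA.
func selfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-mitm-proxy-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	caPEM, err := selfSignedCAPEM()
	if err != nil {
		panic(err)
	}
	// Stand-in for the ConfigMap the lister would return for "user-ca-bundle".
	data := map[string]string{caBundleKey: string(caPEM)}
	cfg, err := tlsConfigFromConfigMap("user-ca-bundle", data)
	if err != nil {
		panic(err)
	}
	client, err := newProxiedClient("https://proxy.example.invalid:3128", cfg)
	if err != nil {
		panic(err)
	}
	fmt.Println("client configured; proxy set:", client.Transport.(*http.Transport).Proxy != nil)
}
```

The point the reviewers raise about the lister is the reason the not-found case is an error: once the ConfigMap is served from an informer cache that is filtered to a single object name, a lookup for a different name returns NotFound even though the object exists in the cluster, and silently falling back to system roots there would turn a caching mistake into a failed (or, worse, unverified) connection to the update server.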
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: abhinavdahiya, jcpowermac.