Add support for AdditionalTrustBundle #972
This implements the changes described in HOSTEDCP-291 - I went with the local object reference option, since it seems more convenient (particularly in the case where you want to copy the ConfigMap from the management cluster) than inlining the cert contents. Left as WIP because:
I'm also not sure if we need to replicate any of the CNO ConfigMapInjector logic - since we do see several CMs with that label in the guest cluster:
Any thoughts on that, and review of the changes so far would be welcome, thanks!
This is closer: the hypershift operator can now start consuming a release image from a local self-signed mirror, but I need to also wire in the trusted-ca-bundle to the CPO.
This is now working - tested with this dev-scripts branch (None platform). Hypershift was installed using a local release image; now that the user CA is wired into the pods that use the registryclient, all pods start up OK.
The cluster was then deployed like:
Note --render was used to enable addition of the ICSP config as follows (in future, adding a CLI option for this would be nice):
This results in a working cluster with the expected ICSP, and two nodes were joined and pulled their images correctly from the mirror:
This still needs some tests/docs but otherwise is ready for review :)
/retitle Add support for AdditionalTrustBundle
@hardys thank you so much for working on this. It looks good to me. Just a couple of nits.
/hold the CI failures are real
/hold cancel
@csrwng this is ready for another review pass when you get some time, thanks!
HostedCluster can optionally reference a configmap, in which case we copy the configmap to the HostedControlPlane namespace (similar to SSHKey and other fields).
When AdditionalTrustBundle is defined we create this ConfigMap to align with the behavior of regular OCP clusters and enable consumption of user-defined CA certs by the guest cluster.
When AdditionalTrustBundle is specified, we serialize the configmap and pass it to the MCO bootstrap command via the default user-ca-bundle-config.yaml location. This means the MCO bootstrap will read the file when it is included (the code already ignores the case where the file doesn't exist, since openshift/installer only conditionally creates the manifest).
This can be used to reference a ConfigMap that contains a user CA bundle.
The CPO and ignition server need the user CA so the registryclient can access a local registry with a self-signed cert.
Adds a CLI option and corresponding volume to the operator pod; this is needed so the operator can look up release image metadata when the release image specified is locally mirrored. Note the mount path/filename were chosen to align with the expected defaults, ref https://go.dev/src/crypto/x509/root_linux.go (and also current OCP docs for cert injection using operators).
@hardys looks like the verify is complaining about:
Other than that lgtm
Thanks, I thought I fixed that in my latest push (previously I missed the
/retest
Looks like it may be from before the push, as the head of the branch is now 8fd5d43
/lgtm
/approve
/retest-required
@hardys: The following test failed, say
/test capi-provider-agent-sanity
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: csrwng, hardys The full list of commands accepted by this bot can be found here. The pull request process is described here
In openshift#972 I relied on the fact that MCSIgnitionProvider mounts the MCO ConfigMap under /assets/manifests - this means that the user-ca-bundle-config.yaml file path matches the default location from the MCO bootstrap code, thus no explicit --additional-trust-bundle-config-file argument was required. In openshift#1214 we introduced a new LocalIgnitionProvider, which unpacks the MCO config to a different path, e.g. /payloads/get-payload123/config, hence we need to explicitly pass --additional-trust-bundle-config-file or the additionalTrustBundle data is ignored.
This adds initial support for a new HostedCluster API additionalTrustBundle which allows user provided CA certs to be provided, similar to the standalone installer. This is useful when you want to use a local container registry that uses a self-signed cert - this is a common scenario for developing on-prem scenarios, particularly disconnected and ipv6 where access to an upstream registry is not possible.
The expected usage is to reference a local object reference, e.g. a ConfigMap in the clusters namespace:
If the management cluster already contains such a ConfigMap, it may be copied from the openshift-config namespace, e.g.:
Partially-Fixes https://issues.redhat.com/browse/HOSTEDCP-291