Add support for AdditionalTrustBundle

[hardys]

This adds initial support for a new HostedCluster API additionalTrustBundle which allows user provided CA certs to be provided, similar to the standalone installer

This is useful when you want to use a local container registry that uses a self-signed cert - this is a common scenario for developing on-prem scenarios, particularly disconnected and ipv6 where access to an upstream registry is not possible.

The expected usage is to reference a local object reference, e.g ConfigMap in the clusters namespace:

spec:
  additionalTrustBundle:
    name: user-ca-bundle

If the management cluster already contains such a ConfigMap, it may be copied from the openshift-config namespace, e.g:

oc patch cm user-ca-bundle -p '{"metadata":{ "namespace":"clusters"}}' -n openshift-config --dry-run=client -o yaml | oc apply -f -

Partially-Fixes https://issues.redhat.com/browse/HOSTEDCP-291

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[netlify]

✔️ Deploy Preview for hypershift-docs ready!

🔨 Explore the source changes: cbd329c

🔍 Inspect the deploy log: https://app.netlify.com/sites/hypershift-docs/deploys/62349e17297c970009572250

😎 Browse the preview: https://deploy-preview-972--hypershift-docs.netlify.app/reference/api

[hardys]

/cc @csrwng @enxebre

This implements the changes described in HOSTEDCP-291 - I went with the local object reference option, since it seems more convenient (particularly in the case where you want to copy the ConfigMap from the management cluster) than inlining the cert contents.

Left as WIP because:

• I've not yet tested the MCS part, or e2e with a local registry
• I need to add some unit tests
• It doesn't yet handle the delete path (when AdditionalTrustBundle is removed from HostedCluster/HostedControlPlane, although this seems a fairly unlikely corner-case)
• I suspect we need to wire the user CA into some hosted controlplane pods

I'm also not sure if we need to replicate any of the CNO ConfigMapInjector logic - since we do see several CMs with that label in the guest cluster:

$ oc get cm --selector=config.openshift.io/inject-trusted-cabundle=true -A
NAMESPACE                                NAME                DATA   AGE
openshift-apiserver-operator             trusted-ca-bundle   0      5h39m
openshift-authentication-operator        trusted-ca-bundle   0      5h39m
openshift-cloud-credential-operator      cco-trusted-ca      0      5h39m
openshift-cluster-node-tuning-operator   trusted-ca          0      5h39m
openshift-image-registry                 trusted-ca          0      5h39m
openshift-ingress-operator               trusted-ca          0      5h39m
openshift-insights                       trusted-ca-bundle   0      5h39m
openshift-machine-api                    cbo-trusted-ca      0      5h40m
openshift-machine-api                    mao-trusted-ca      0      5h40m

Any thoughts on that, and review of the changes so far would be welcome, thanks!

[sjenning]

untracked files detected: M hack/app-sre/saas_template.yaml

API changes require make verify to update generated files. This isn't the best. I opened a PR for an update make target #976.

[hardys]

This is closer, the hypershift operator can now start consuming a release image from a local self-signed mirror, but I need to also wire in the trusted-ca-bundle to the CPO

[hardys]

This is now working - tested with this dev-scripts branch (None platform)

Hypershift was installed using a local release image, now that the user CA is wired into the pods that use the registryclient all pods start up OK

hypershift install --hypershift-image virthost.ostest.test.metalkube.org:5000/hypershift:latest --additional-trust-bundle user-ca-bundle

The cluster was then deployed like:

hypershift create cluster none --etcd-storage-class local-storage --ssh-key /home/shardy/.ssh/id_rsa.pub --name shtest --node-pool-replicas 2 --render --additional-trust-bundle user-ca-bundle --control-plane-operator-image virthost.ostest.test.metalkube.org:5000/hypershift:latest --release-image virthost.ostest.test.metalkube.org:5000/localimages/local-release-image:latest --pull-secret /home/shardy/dev-scripts/ocp/ostest/hypershift/pull_secret.json

Note --render was used to enable addition of the ICSP config as follows (in future adding a CLI option for this would be nice):

  imageContentSources:
  - mirrors:
    - virthost.ostest.test.metalkube.org:5000/localimages/local-release-image
    source: registry.ci.openshift.org/ocp/release
  - mirrors:
    - virthost.ostest.test.metalkube.org:5000/localimages/local-release-image
    source: registry.ci.openshift.org/ocp/4.11-2022-03-04-042425

This results in a working cluster, with the expected ICSP and two nodes were joined and pulled their images correctly from the mirror:

$ oc get imageContentSourcePolicy -o yaml
apiVersion: v1
items:
- apiVersion: operator.openshift.io/v1alpha1
  kind: ImageContentSourcePolicy
  metadata:
    creationTimestamp: "2022-03-14T16:26:07Z"
    generation: 1
    labels:
      hypershift.io/managed: "true"
      machineconfiguration.openshift.io/role: worker
    name: cluster
    resourceVersion: "1037"
    uid: c12eeccd-0d07-4686-bcfb-c0254d563632
  spec:
    repositoryDigestMirrors:
    - mirrors:
      - virthost.ostest.test.metalkube.org:5000/localimages/local-release-image
      source: registry.ci.openshift.org/ocp/release
    - mirrors:
      - virthost.ostest.test.metalkube.org:5000/localimages/local-release-image
      source: registry.ci.openshift.org/ocp/4.11-2022-03-04-042425
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

$ oc version
Client Version: 4.11.0-0.ci-2022-03-04-042425
Server Version: 4.11.0-0.ci-2022-03-04-042425
Kubernetes Version: v1.23.3-2001+7478cf2c86c567-dirty

$ oc get nodes
NAME                 STATUS   ROLES    AGE     VERSION
hypershiftworker-0   Ready    worker   9m18s   v1.23.3+7478cf2
hypershiftworker-1   Ready    worker   9m18s   v1.23.3+7478cf2

This still needs some tests/docs but otherwise ready for review :)

[hardys]

/retitle Add support for AdditionalTrustBundle

[csrwng]

@hardys thank you so much for working on this. It looks good to me. Just a couple of nits.

[hardys]

/hold the CI failures are real

{"level":"error","ts":"2022-03-15T16:54:22Z","logger":"controller.hostedcluster","msg":"Reconciler error","reconciler group":"hypershift.openshift.io","reconciler kind":"HostedCluster","name":"example-lswql","namespace":"e2e-clusters-jqm87","error":"failed to get hostedcluster AdditionalTrustBundle ConfigMap : ConfigMap \"\" not found","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/hypershift/vendor/sigs.k8s.io

[hardys]

/hold cancel

[hardys]

@csrwng this is ready for another review pass when you get some time, thanks!

[csrwng]

@hardys looks like the verify is complaining about:

cmd/install/assets/hypershift_operator.go:418:40: k8s.io/api/core/v1.LocalObjectReference composite literal uses unkeyed fields

Other than that lgtm

[hardys]

@hardys looks like the verify is complaining about:

cmd/install/assets/hypershift_operator.go:418:40: k8s.io/api/core/v1.LocalObjectReference composite literal uses unkeyed fields

Other than that lgtm

Thanks I thought I fixed that in my latest push (previously I missed the Name in the LocalObjectReference) but will try to figure out why it's still failing as it's working fine locally now

[hardys]

/retest

[36mINFO�[0m[2022-03-25T11:37:25Z] Resolved source https://github.com/openshift/hypershift to main@339bea98, merging: #972 5b3d5162 @hardys 

Looks like it may be from before the push as the head of the branch is now 8fd5d43

[csrwng]

/lgtm

[csrwng]

/approve

[csrwng]

/retest-required

[openshift-ci]

@hardys: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-nested	8fd5d43	link	false	/test e2e-aws-nested

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[hardys]

/test capi-provider-agent-sanity

[csrwng]

/approve
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csrwng, hardys

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [csrwng]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment