New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 2003657: Respect user defined proxy's CA cert #495
Bug 2003657: Respect user defined proxy's CA cert #495
Conversation
@tremes: This pull request references Bugzilla bug 2003657, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/bugzilla refresh |
@tremes: This pull request references Bugzilla bug 2003657, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
No GitHub users were found matching the public email listed for the QA contact in Bugzilla (dmisharo@redhat.com), skipping review request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've checked the code and discussed it a bit, but I didn't have time to test it locally yet, so I'm not giving a definitive approval at the moment. Sorry, but the process is quite complicated and I didn't have enough time today.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have tested the provided image on a testing cluster in combination with the mitmproxy
and I was able to see that IO has successfully detected the proxy cetrificate and that it was correctly uploading archives.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: natiiix, tremes The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
4 similar comments
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
@tremes: All pull requests linked via external trackers have merged: Bugzilla bug 2003657 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This checks if some proxy is defined for the Insights Operator and if so then:
clusterProxy.Spec.TrustedCA.Name
to get the name of the config map with the CA certopenshift-config
namespacesca-bundle.crt
key from the config mapinsightsclient
How to reproduce
It's quite easy to reproduce the actual problem (you can set some proxy in the cluster-wide proxy and observe the IO error), but it's a bit difficult to verify that this fix works. You can check the https://access.redhat.com/articles/4740031. In general you need to do the following:
mitmproxy-ca-cert.pem
from the mitmproxy container (seeoc exec -n mitmproxy mitmproxy cat /root/.mitmproxy/mitmproxy-ca-cert.pem > /tmp/mitmproxy-ca-cert.pem
(It happened that the mitmproxy container was sometimes killed in my case. Note that you have to extract the cert again in such case!)openshift-config
namespace containing the cert (seeoc create cm user-ca-bundle -n openshift-config --from-file=ca-bundle.crt=/tmp/mitmproxy-ca-cert.pem
spec.TrustedCA
to point to the new config map (seeoc patch proxy cluster --type=json -p '[{"op":"add","path":"/spec/trustedCA","value":{"name":"user-ca-bundle"}}]'
)The IO upload should work fine and it should be visible in the mitmproxy log. Image containing this fix is available at quay.io/tremes/respect_proxy_ca
Categories
Sample Archive
No new data
Documentation
No doc update
Unit Tests
No test. We can think of some integration tests, but we would probably need to deploy mitmproxy container.
Privacy
Yes. There are no sensitive data in the newly collected information.
Changelog
Breaking Changes
No
References
https://issues.redhat.com/browse/???
https://bugzilla.redhat.com/show_bug.cgi?id=2003657 (originally reported in https://bugzilla.redhat.com/show_bug.cgi?id=1995937)