Load system cert pool for image push to accommodate direct cloud storage access by jkyros · Pull Request #3067 · openshift/machine-config-operator

jkyros · 2022-04-06T16:03:16Z

Something changed in openshift last week to where after about 20 minutes or so of the cluster being up, requests to/for images start getting forwarded directly to the cloud storage endpoint (signed by aws/google/whoever) intead of being proxied by the cluster (endpoint signed by our cluster signer).

This should have been fine, and probably was fine everywhere else, except for our hacky scratch image push, where we weren't loading the SystemCertPool, which meant we couldn't verify those cloud provider certificates.

We only loaded one of our cluster signer certificates because we didn't know we would ever be talking to the clouds directly (and, well, we weren't until other non-MCO changes last week).

This loads the SystemCertPool so we can verify those cloud certificates instead of failing with x509 errors.

There is an issue where after some period of time,(usually around 20 minutes of the cluster being up) the requests to images start getting forwarded directly to the cloud storage buckets wherethey reside. Those endpoints present certificates that are signed by the cloud provider (e.g. amazon,google,microsoft,etc) and not by our cluster certificates. We did not previously load the system cert pool, so those requests would fail. This makes sure we also load our system cert pool so we can verify those certificates and don't fail with x509 errors when we attempt to communicate with the registry.

mkenigs · 2022-04-06T16:14:20Z

/lgtm

cgwalters · 2022-04-06T16:34:48Z

Excellent commit message!

yuqi-zhang · 2022-04-06T16:41:16Z

Just to make sure, this only affects master branch? (Since whatever changed presumably only in 4.11)

yuqi-zhang · 2022-04-06T19:02:40Z

Ah oops this is against layering
/approve

openshift-ci · 2022-04-06T19:03:13Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jkyros, mkenigs, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [yuqi-zhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

jkyros · 2022-04-06T19:25:28Z

/retest-required

openshift-bot · 2022-04-06T20:03:49Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2022-04-06T20:16:46Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

mkenigs · 2022-04-06T21:23:03Z

/retest-required

openshift-bot · 2022-04-07T02:31:52Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2022-04-07T02:43:54Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2022-04-07T05:44:51Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2022-04-07T06:46:55Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2022-04-07T12:38:07Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2022-04-07T13:29:52Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-bot · 2022-04-07T14:22:00Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-ci · 2022-04-07T15:10:51Z

@jkyros: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-gcp-op-single-node	`7d8d6b8`	link	false	`/test e2e-gcp-op-single-node`
ci/prow/e2e-gcp-single-node	`7d8d6b8`	link	false	`/test e2e-gcp-single-node`
ci/prow/e2e-aws-upgrade	`7d8d6b8`	link	false	`/test e2e-aws-upgrade`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-bot · 2022-04-07T15:26:54Z

/retest-required

Please review the full test history for this PR and help us cut down flakes.

openshift-ci Bot requested review from cheesesashimi and yuqi-zhang April 6, 2022 16:03

openshift-ci Bot assigned mkenigs Apr 6, 2022

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Apr 6, 2022

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 6, 2022

openshift-merge-robot merged commit 9602871 into openshift:layering Apr 7, 2022

Conversation

jkyros commented Apr 6, 2022

Uh oh!

mkenigs commented Apr 6, 2022

Uh oh!

cgwalters commented Apr 6, 2022

Uh oh!

yuqi-zhang commented Apr 6, 2022

Uh oh!

yuqi-zhang commented Apr 6, 2022

Uh oh!

openshift-ci Bot commented Apr 6, 2022

Uh oh!

jkyros commented Apr 6, 2022

Uh oh!

openshift-bot commented Apr 6, 2022

Uh oh!

openshift-bot commented Apr 6, 2022

Uh oh!

mkenigs commented Apr 6, 2022

Uh oh!

openshift-bot commented Apr 7, 2022

Uh oh!

openshift-bot commented Apr 7, 2022

Uh oh!

openshift-bot commented Apr 7, 2022

Uh oh!

openshift-bot commented Apr 7, 2022

Uh oh!

openshift-bot commented Apr 7, 2022

Uh oh!

openshift-bot commented Apr 7, 2022

Uh oh!

openshift-bot commented Apr 7, 2022

Uh oh!

openshift-ci Bot commented Apr 7, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-bot commented Apr 7, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

openshift-ci Bot commented Apr 7, 2022 •

edited

Loading