MCO-552: implement the ability for the MCO to handle image registry certificates

[cdoern]

- What I did

The MCO can now manage image registry certs

1. the MCO reads from image.config.openshift.io/cluster and looks for additionalTrustedCA, which is a user specified additional registry

2. the MCO reads from openshift-config-managed/image-registry-ca configmap which is to be created and managed by the image registry operator

3. the MCO creates and writes to an additional openshift-config-managed/merged-trusted-image-registry-cas configmap with the combined data

4. we write this all to disk in the daemon as we now do with other certificates. These paths follow: /etc/docker/certs.d/<CONFIGMAP_KEY>/ca.crt format

- How to verify it

oc describe controllerconfig to see the data from the CMs

ssh into the node and check out /etc/docker/certs.d to see if the files propagate.

- Description for the changelog

The MCO now supports managing image registry certificates and writes them to disk.

[cdoern]

I have tested this locally, so I am not making this as a draft PR as it works well in its current state!

[openshift-ci-robot]

@cdoern: This pull request references MCO-552 which is a valid jira issue.

In response to this:

- What I did

The MCO can now manage image registry certs

1. the MCO reads from image.config.openshift.io/cluster and looks for additionalTrustedCA, which is a user specified additional registry

2. the MCO reads from openshift-config-managed/image-registry-ca configmap which is to be created and managed by the image registry operator

3. the MCO creates and writes to an additional openshift-config-managed/merged-trusted-image-registry-cas configmap with the combined data

4. we write this all to disk in the daemon as we now do with other certificates. These paths follow: /etc/docker/certs.d/<CONFIGMAP_KEY>/ca.crt format

- How to verify it

oc describe controllerconfig to see the data from the CMs

ssh into the node and check out /etc/docker/certs.d to see if the files propagate.

- Description for the changelog

The MCO now supports managing image registry certificates and writes them to disk.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[cdoern]

/jira-refresh

[yuqi-zhang]

Generally makes sense! some questions:

[cdoern]

/hold

[yuqi-zhang]

Some additional comments/nits below, mostly makes sense functionality wise (pending conversation with IR team)

[cdoern]

/retest-required

[qJkee]

/retest-required

[cdoern]

/retest-required

[cdoern]

/retest-required

[cdoern]

/retest-required

[cdoern]

/retest-required

[cdoern]

/retest-required

[cdoern]

/payload-job periodic-ci-openshift-hypershift-release-4.14-periodics-e2e-aws-ovn-conformance

[openshift-ci]

@cdoern: trigger 1 job(s) for the /payload-(job|aggregate) command

• periodic-ci-openshift-hypershift-release-4.14-periodics-e2e-aws-ovn-conformance

See details on https://pr-payload-tests.ci.openshift.org/runs/ci/65544ba0-2fea-11ee-80f1-4de9f10a5544-0

[rioliu-rh]

/hold

[rioliu-rh]

verification for bundle delete

• create new user bundle

openssl x509 -in mco_test_ca.pem -noout -subject -issuer -dates
subject=C = US, ST = CA, O = Redhat, CN = MCO, emailAddress = mco-qe@redhat.com
issuer=C = US, ST = CA, O = Redhat, CN = MCO, emailAddress = mco-qe@redhat.com
notBefore=Aug  1 02:29:47 2023 GMT
notAfter=Jun  9 02:29:47 2033 GMT

oc create cm mco-crt-test -n openshift-config --from-file=mco_test_ca.pem
configmap/mco-crt-test created

oc patch image.config.openshift.io/cluster --type merge -p '{"spec": {"additionalTrustedCA": {"name": "mco-crt-test"}}}'
image.config.openshift.io/cluster patched

oc get controllerconfig -o jsonpath='{.items[*].status.controllerCertificates[?(@.bundleFile=="mco_test_ca.pem")]}' | jq
{
  "bundleFile": "mco_test_ca.pem",
  "notAfter": "2033-06-09 02:29:47 +0000 UTC",
  "notBefore": "2023-08-01 02:29:47 +0000 UTC",
  "signer": "CN=MCO,O=Redhat,ST=CA,C=US,1.2.840.113549.1.9.1=#0c116d636f2d7165407265646861742e636f6d",
  "subject": "CN=MCO,O=Redhat,ST=CA,C=US,1.2.840.113549.1.9.1=#0c116d636f2d7165407265646861742e636f6d"
}

debug node/ci-ln-mfzgvs2-72292-s5vrz-worker-a-5vcfz -- chroot /host stat /etc/docker/certs.d/mco_test_ca.pem/ca.crt
  File: /etc/docker/certs.d/mco_test_ca.pem/ca.crt
  Size: 2000      	Blocks: 8          IO Block: 4096   regular file
Device: 804h/2052d	Inode: 72169537    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2023-08-01 02:44:36.473825173 +0000
Modify: 2023-08-01 02:44:30.297836938 +0000
Change: 2023-08-01 02:44:30.299836934 +0000
 Birth: 2023-08-01 02:44:30.297836938 +0000

• delete this user bundle

oc delete cm/mco-crt-test -n openshift-config
configmap "mco-crt-test" deleted

oc patch image.config.openshift.io/cluster --type merge -p '{"spec": {"additionalTrustedCA": {"name": ""}}}'
image.config.openshift.io/cluster patched

oc get controllerconfig -o jsonpath='{.items[*].status.controllerCertificates[?(@.bundleFile=="mco_test_ca.pem")]}' | jq
>> empty

oc get image.config.openshift.io/cluster -o jsonpath='{.spec}'
{"additionalTrustedCA":{"name":""}}%

• check bundle file exists on cluster node

for node in $(node -o name);do echo;echo $node;debug $node -- chroot /host stat /etc/docker/certs.d/mco_test_ca.pem;done

node/ci-ln-mfzgvs2-72292-s5vrz-master-0
stat: cannot statx '/etc/docker/certs.d/mco_test_ca.pem': No such file or directory
error: non-zero exit code from debug container

node/ci-ln-mfzgvs2-72292-s5vrz-master-1
stat: cannot statx '/etc/docker/certs.d/mco_test_ca.pem': No such file or directory
error: non-zero exit code from debug container

node/ci-ln-mfzgvs2-72292-s5vrz-master-2
stat: cannot statx '/etc/docker/certs.d/mco_test_ca.pem': No such file or directory
error: non-zero exit code from debug container

node/ci-ln-mfzgvs2-72292-s5vrz-worker-a-5vcfz
stat: cannot statx '/etc/docker/certs.d/mco_test_ca.pem': No such file or directory
error: non-zero exit code from debug container

node/ci-ln-mfzgvs2-72292-s5vrz-worker-b-zln7h
stat: cannot statx '/etc/docker/certs.d/mco_test_ca.pem': No such file or directory
error: non-zero exit code from debug container

node/ci-ln-mfzgvs2-72292-s5vrz-worker-c-dgxgd
stat: cannot statx '/etc/docker/certs.d/mco_test_ca.pem': No such file or directory
error: non-zero exit code from debug container

@cdoern please confirm thanks

[cdoern]

@rioliu-rh looks good! Thank you

[rioliu-rh]

/unhold
/label qe-approved

[rioliu-rh]

/retest-required

[yuqi-zhang]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cdoern, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [cdoern,yuqi-zhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 9c50df6 and 2 for PR HEAD 81136ed in total

[cdoern]

/test e2e-hypershift

[openshift-ci]

@cdoern: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	81136ed	link	false	/test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[yuqi-zhang]

/override ci/prow/e2e-hypershift

Overriding the hypershift test since:

1. it has passed on the current PR
2. it has been failing consistently today
3. this PR is important for the IR team as well for 4.14

[openshift-ci]

@yuqi-zhang: Overrode contexts on behalf of yuqi-zhang: ci/prow/e2e-hypershift

In response to this:

/override ci/prow/e2e-hypershift

Overriding the hypershift test since:

1. it has passed on the current PR
2. it has been failing consistently today
3. this PR is important for the IR team as well for 4.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[yuqi-zhang]

/test e2e-aws-ovn-upgrade