MCO-552: implement the ability for the MCO to handle image registry certificates #3770
I have tested this locally, so I am not making this a draft PR as it works well in its current state!
@cdoern: This pull request references MCO-552 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/jira-refresh
Generally makes sense! some questions:
/hold
040e7c3 to 9a16cf6
Some additional comments/nits below, mostly makes sense functionality-wise (pending conversation with IR team)
/retest-required
Signed-off-by: Charlie Doern <cdoern@redhat.com>
/retest-required
/payload-job periodic-ci-openshift-hypershift-release-4.14-periodics-e2e-aws-ovn-conformance
@cdoern: trigger 1 job(s) for the /payload-(job|aggregate) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/65544ba0-2fea-11ee-80f1-4de9f10a5544-0
/hold
verification for bundle delete

```
$ openssl x509 -in mco_test_ca.pem -noout -subject -issuer -dates
subject=C = US, ST = CA, O = Redhat, CN = MCO, emailAddress = mco-qe@redhat.com
issuer=C = US, ST = CA, O = Redhat, CN = MCO, emailAddress = mco-qe@redhat.com
notBefore=Aug 1 02:29:47 2023 GMT
notAfter=Jun 9 02:29:47 2033 GMT

$ oc create cm mco-crt-test -n openshift-config --from-file=mco_test_ca.pem
configmap/mco-crt-test created

$ oc patch image.config.openshift.io/cluster --type merge -p '{"spec": {"additionalTrustedCA": {"name": "mco-crt-test"}}}'
image.config.openshift.io/cluster patched

$ oc get controllerconfig -o jsonpath='{.items[*].status.controllerCertificates[?(@.bundleFile=="mco_test_ca.pem")]}' | jq
{
  "bundleFile": "mco_test_ca.pem",
  "notAfter": "2033-06-09 02:29:47 +0000 UTC",
  "notBefore": "2023-08-01 02:29:47 +0000 UTC",
  "signer": "CN=MCO,O=Redhat,ST=CA,C=US,1.2.840.113549.1.9.1=#0c116d636f2d7165407265646861742e636f6d",
  "subject": "CN=MCO,O=Redhat,ST=CA,C=US,1.2.840.113549.1.9.1=#0c116d636f2d7165407265646861742e636f6d"
}

$ oc debug node/ci-ln-mfzgvs2-72292-s5vrz-worker-a-5vcfz -- chroot /host stat /etc/docker/certs.d/mco_test_ca.pem/ca.crt
  File: /etc/docker/certs.d/mco_test_ca.pem/ca.crt
  Size: 2000      Blocks: 8          IO Block: 4096   regular file
Device: 804h/2052d      Inode: 72169537    Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:etc_t:s0
Access: 2023-08-01 02:44:36.473825173 +0000
Modify: 2023-08-01 02:44:30.297836938 +0000
Change: 2023-08-01 02:44:30.299836934 +0000
 Birth: 2023-08-01 02:44:30.297836938 +0000

$ oc delete cm/mco-crt-test -n openshift-config
configmap "mco-crt-test" deleted

$ oc patch image.config.openshift.io/cluster --type merge -p '{"spec": {"additionalTrustedCA": {"name": ""}}}'
image.config.openshift.io/cluster patched

$ oc get controllerconfig -o jsonpath='{.items[*].status.controllerCertificates[?(@.bundleFile=="mco_test_ca.pem")]}' | jq
>> empty

$ oc get image.config.openshift.io/cluster -o jsonpath='{.spec}'
{"additionalTrustedCA":{"name":""}}

$ for node in $(oc get node -o name); do echo; echo $node; oc debug $node -- chroot /host stat /etc/docker/certs.d/mco_test_ca.pem; done

node/ci-ln-mfzgvs2-72292-s5vrz-master-0
stat: cannot statx '/etc/docker/certs.d/mco_test_ca.pem': No such file or directory
error: non-zero exit code from debug container

node/ci-ln-mfzgvs2-72292-s5vrz-master-1
stat: cannot statx '/etc/docker/certs.d/mco_test_ca.pem': No such file or directory
error: non-zero exit code from debug container

node/ci-ln-mfzgvs2-72292-s5vrz-master-2
stat: cannot statx '/etc/docker/certs.d/mco_test_ca.pem': No such file or directory
error: non-zero exit code from debug container

node/ci-ln-mfzgvs2-72292-s5vrz-worker-a-5vcfz
stat: cannot statx '/etc/docker/certs.d/mco_test_ca.pem': No such file or directory
error: non-zero exit code from debug container

node/ci-ln-mfzgvs2-72292-s5vrz-worker-b-zln7h
stat: cannot statx '/etc/docker/certs.d/mco_test_ca.pem': No such file or directory
error: non-zero exit code from debug container

node/ci-ln-mfzgvs2-72292-s5vrz-worker-c-dgxgd
stat: cannot statx '/etc/docker/certs.d/mco_test_ca.pem': No such file or directory
error: non-zero exit code from debug container
```

@cdoern please confirm, thanks
@rioliu-rh looks good! Thank you
/unhold
/retest-required
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cdoern, yuqi-zhang.
/test e2e-hypershift
@cdoern: The following test failed, say
/override ci/prow/e2e-hypershift Overriding the hypershift test since:
@yuqi-zhang: Overrode contexts on behalf of yuqi-zhang: ci/prow/e2e-hypershift In response to this:
/test e2e-aws-ovn-upgrade
a341b03 into openshift:master
These had snuck in back in 80e7b4d (keep track of certs in ControllerConfigStatus, 2023-06-20, openshift#3756), 81136ed (implement the ability for the MCO to handle image registry certificates, 2023-06-27, openshift#3770), and similar. Having the same package imported under multiple names doesn't have any functional impact, but it's less confusing to read if the package is referred to with a consistent prefix. This commit addresses all the duplicates turned up with:
$ git grep -c '"github.com/openshift/api/machineconfiguration/v1"' | grep '[.]go:' | grep -v 'vendor/\|:1$'
- What I did
The MCO can now manage image registry certs
the MCO reads from image.config.openshift.io/cluster and looks for additionalTrustedCA, which is a user-specified additional registry CA bundle
the MCO reads from openshift-config-managed/image-registry-ca configmap which is to be created and managed by the image registry operator
the MCO creates and writes to an additional openshift-config-managed/merged-trusted-image-registry-cas configmap with the combined data
we write this all to disk in the daemon as we now do with other certificates. These paths follow the /etc/docker/certs.d/<CONFIGMAP_KEY>/ca.crt format
- How to verify it
oc describe controllerconfig to see the data from the CMs
ssh into the node and check out /etc/docker/certs.d to see if the files propagate.
- Description for the changelog
The MCO now supports managing image registry certificates and writes them to disk.
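As an added example, not code from this PR or from the machine-config-operator repository, the Go program below models the three steps the description above lays out, and produces the fields the verification comment reads back from controllerconfig.status.controllerCertificates: it merges the user bundle (additionalTrustedCA) with the operator-managed bundle (image-registry-ca), derives the /etc/docker/certs.d/<CONFIGMAP_KEY>/ca.crt path for each key, and extracts subject, signer, notBefore and notAfter from every certificate in a PEM bundle. The names MergeRegistryCAs, RegistryCertPath, ParseBundle and CertInfo are this example's own; the rule for a key present in both ConfigMaps with different contents is an assumption (the page does not say how the MCO resolves that case); and SelfSignedCAPEM generates a constructed CA in place of mco_test_ca.pem so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"path/filepath"
	"regexp"
	"time"
)

// CertInfo holds the per-bundle fields reported under
// controllerconfig.status.controllerCertificates ("signer" is the issuer DN).
type CertInfo struct {
	BundleFile string
	Subject    string
	Signer     string
	NotBefore  time.Time
	NotAfter   time.Time
}

// Kubernetes restricts ConfigMap data keys to this character set; re-checking it
// here is what makes a key safe to use verbatim as a directory name under certs.d.
var configMapKey = regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)

// MergeRegistryCAs combines the user bundle (additionalTrustedCA) with the
// operator-managed bundle (image-registry-ca). The conflict rule is this
// example's assumption, not the MCO's: the same key with different contents is
// an error, because silently overriding it would swap a trust anchor.
func MergeRegistryCAs(user, managed map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(user)+len(managed))
	for _, src := range []map[string]string{user, managed} {
		for k, v := range src {
			if prev, ok := out[k]; ok && prev != v {
				return nil, fmt.Errorf("conflicting CA data for key %q", k)
			}
			out[k] = v
		}
	}
	return out, nil
}

// RegistryCertPath is where one merged key lands on the node:
// /etc/docker/certs.d/<CONFIGMAP_KEY>/ca.crt. Keys that could escape certs.d
// (slashes, "..") fail the character-set check.
func RegistryCertPath(key string) (string, error) {
	if !configMapKey.MatchString(key) {
		return "", fmt.Errorf("invalid ConfigMap key %q", key)
	}
	return filepath.Join("/etc/docker/certs.d", key, "ca.crt"), nil
}

// ParseBundle extracts the status fields for every CERTIFICATE block in a PEM
// bundle; a bundle with no parseable certificate is an error, not an empty list.
func ParseBundle(bundleFile string, pemData []byte) ([]CertInfo, error) {
	var infos []CertInfo
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", bundleFile, err)
		}
		infos = append(infos, CertInfo{bundleFile, cert.Subject.String(), cert.Issuer.String(),
			cert.NotBefore.UTC(), cert.NotAfter.UTC()})
	}
	if len(infos) == 0 {
		return nil, fmt.Errorf("%s: no CERTIFICATE blocks", bundleFile)
	}
	return infos, nil
}

// SelfSignedCAPEM builds a constructed test CA standing in for mco_test_ca.pem.
func SelfSignedCAPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Redhat"}},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Two caveats worth keeping in mind when reading the verification above. First, the key is used verbatim as the directory name, which is why stat finds /etc/docker/certs.d/mco_test_ca.pem/ca.crt; container tooling only consults a certs.d directory named after the registry host, so a key like mco_test_ca.pem exercises the write and delete paths without affecting any pull, and a key meant for a real registry must be that host (OpenShift documents writing a port as host..port in the key; whether that is mapped back to host:port for the runtime is not shown on this page). Second, because the bundle comes from two ConfigMaps, the merge is where a stale or unexpected trust anchor would slip in, so checking controllerCertificates after every change to either source, as the commenter did, is the right habit.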