
Bug 1895053: Instruct builds to optionally mount trusted CAs #154

Merged
merged 2 commits into from Mar 27, 2021

Conversation

@adambkaplan (Contributor) commented Jan 4, 2021

Set the BUILD_MOUNT_ETC_PKI_CATRUST environment variable in build
containers if a build needs the cluster trust bundle mounted into build
processes. The builder process needs to read this env var and add
/etc/pki/ca-trust as a transient bind mount for buildah.
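To make both halves of the mechanism in the description concrete, here is an added example that is not code from this PR or from the OpenShift build controller or builder: the controller side emits BUILD_MOUNT_ETC_PKI_CATRUST from an optional boolean field, and the builder side decides whether to add the read-only bind mount of /etc/pki/ca-trust. The EnvVar and BindMount types and all function names are constructed for the example (the real controller works with corev1.EnvVar, and the real builder hands the mount to buildah rather than to a struct); the only values taken from the PR are the variable name and the path.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// EnvVar mirrors the Name/Value shape of corev1.EnvVar, constructed here so the
// example runs without the Kubernetes API types.
type EnvVar struct {
	Name  string
	Value string
}

// trustedCAMountEnv is the variable name the PR introduces.
const trustedCAMountEnv = "BUILD_MOUNT_ETC_PKI_CATRUST"

// caTrustDir is the host path the PR description says gets bind-mounted.
const caTrustDir = "/etc/pki/ca-trust"

// addTrustedCAMountEnvVar is the controller side (hypothetical name). A nil
// pointer means the build did not specify the field and emits nothing; an
// explicit true or false is emitted verbatim so the builder sees the decision.
func addTrustedCAMountEnvVar(mountTrustedCA *bool, envVars *[]EnvVar) {
	if mountTrustedCA == nil {
		return
	}
	*envVars = append(*envVars, EnvVar{
		Name:  trustedCAMountEnv,
		Value: strconv.FormatBool(*mountTrustedCA),
	})
}

// BindMount describes a transient bind mount as the builder side would request
// (a constructed struct, not buildah's own mount type).
type BindMount struct {
	Source      string
	Destination string
	ReadOnly    bool
}

// shouldMountTrustedCA is the builder-side check over a process environment of
// KEY=VALUE strings. Only a value strconv.ParseBool accepts as true opts in; a
// missing, empty or malformed value fails closed, so a typo on the controller
// side never silently mounts the host trust store into a build.
func shouldMountTrustedCA(environ []string) bool {
	for _, kv := range environ {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 || parts[0] != trustedCAMountEnv {
			continue
		}
		mount, err := strconv.ParseBool(parts[1])
		return err == nil && mount
	}
	return false
}

// trustedCAMount returns the mount to add when the variable opts in, nil
// otherwise. The bundle is read-only: a build only needs to read certificates,
// and a writable mount would let a build process alter the host's trust anchors.
func trustedCAMount(environ []string) *BindMount {
	if !shouldMountTrustedCA(environ) {
		return nil
	}
	return &BindMount{Source: caTrustDir, Destination: caTrustDir, ReadOnly: true}
}

func main() {
	// Constructed sample: a build that opts in, carried from controller to builder.
	optIn := true
	var envVars []EnvVar
	addTrustedCAMountEnvVar(&optIn, &envVars)

	environ := make([]string, 0, len(envVars))
	for _, ev := range envVars {
		environ = append(environ, ev.Name+"="+ev.Value)
	}
	fmt.Printf("controller emits: %v\n", environ)
	fmt.Printf("builder mounts:   %+v\n", trustedCAMount(environ))
	fmt.Printf("field unset:      %v\n", trustedCAMount(nil))
}
```

The consumer deliberately does not treat "missing" and "false" as different cases: both leave the trust bundle unmounted, which is the behaviour the explicit-false emission relies on.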

@openshift-ci-robot (Contributor):

@adambkaplan: This pull request references Bugzilla bug 1895053, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.7.0) matches configured target release for branch (4.7.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1895053: Generate mounts.conf for every build

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Jan 4, 2021
@adambkaplan adambkaplan changed the title Bug 1895053: Generate mounts.conf for every build WIP - Bug 1895053: Generate mounts.conf for every build Jan 4, 2021
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 4, 2021
@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 4, 2021
- Add MountTrustedCA field to builds
@openshift-ci-robot (Contributor):

@adambkaplan: This pull request references Bugzilla bug 1895053, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.8.0) matches configured target release for branch (4.8.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

WIP - Bug 1895053: Generate mounts.conf for every build


@adambkaplan adambkaplan changed the title WIP - Bug 1895053: Generate mounts.conf for every build Bug 1895053: Instruct builds to optionally mount trusted CAs Feb 23, 2021
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 23, 2021
@adambkaplan (Contributor, Author):

/hold

Needs openshift/openshift-apiserver#185 to merge first

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 24, 2021
@adambkaplan (Contributor, Author):

/retest

1 similar comment
@adambkaplan (Contributor, Author):

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 16, 2021
@adambkaplan (Contributor, Author):

/assign @coreydaley

/cc @otaviof @gabemontero @alicerum

@adambkaplan (Contributor, Author):

/bugzilla cc-qa

@openshift-ci-robot (Contributor):

@adambkaplan: This pull request references Bugzilla bug 1895053, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.8.0) matches configured target release for branch (4.8.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

Requesting review from QA contact:
/cc @wewang58

In response to this:

/bugzilla cc-qa


@coreydaley (Member) left a review:

Just a couple of small things

@@ -289,6 +289,15 @@ func addOutputEnvVars(buildOutput *corev1.ObjectReference, output *[]corev1.EnvV
return nil
}

// addTrustedCAMountEnvVar sets the BUILD_MOUNT_ETC_PKI_CATRUST environment variable if the build
// pod needs the CA trust bundle (`/etc/pki/ca-trust`) mounted into build processes.
func addTrustedCAMountEnvVar(mountTrustedCA *bool, output *[]corev1.EnvVar) {
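Review bot: the doc comment on addTrustedCAMountEnvVar in this hunk says the variable is set "if the build pod needs the CA trust bundle ... mounted", but the parameter is a *bool with three states (nil, true, false), and the comment does not say what happens for an explicit false. Since the builder that reads BUILD_MOUNT_ETC_PKI_CATRUST has to treat an absent variable and the value "false" the same way, state the contract in the comment, for example: `// A nil mountTrustedCA leaves the variable unset; a non-nil value is emitted as "true" or "false".`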
Review comment (Member):

I think that the name output is confusing here, since it is not strictly an output; how about something like envVars?

@@ -289,6 +289,15 @@ func addOutputEnvVars(buildOutput *corev1.ObjectReference, output *[]corev1.EnvV
return nil
}

// addTrustedCAMountEnvVar sets the BUILD_MOUNT_ETC_PKI_CATRUST environment variable if the build
// pod needs the CA trust bundle (`/etc/pki/ca-trust`) mounted into build processes.
func addTrustedCAMountEnvVar(mountTrustedCA *bool, output *[]corev1.EnvVar) {
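Review bot: because mountTrustedCA in this signature is a *bool, nil is a legitimate input (the API field being unset), so the function needs a nil check before any dereference and a small table-driven test covering the nil, true and false cases that pins down which of them emit BUILD_MOUNT_ETC_PKI_CATRUST and with what value; without such a test a later refactor could reintroduce a nil dereference from an unset field.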
Review comment (Member):

Just a nit, I think this is cleaner/easier to read:

if mountTrustedCA != nil {
	*output = append(*output, corev1.EnvVar{Name: "BUILD_MOUNT_ETC_PKI_CATRUST", Value: strconv.FormatBool(*mountTrustedCA)})
}

Set the `BUILD_MOUNT_ETC_PKI_CATRUST` environment variable in build
containers if a build needs the cluster trust bundle mounted into build
processes. The builder process needs to read this env var and add
`/etc/pki/ca-trust` as a transient bind mount for buildah.
@coreydaley (Member):

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 17, 2021
@openshift-ci-robot (Contributor):

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan, coreydaley

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coreydaley (Member):

/retest

@openshift-bot (Contributor):

/retest

Please review the full test history for this PR and help us cut down flakes.

7 similar comments
@openshift-merge-robot openshift-merge-robot merged commit 0158a49 into openshift:master Mar 27, 2021
@openshift-ci-robot (Contributor):

@adambkaplan: Some pull requests linked via external trackers have merged:

The following pull requests linked via external trackers have not merged:

These pull requests must merge or be unlinked from the Bugzilla bug in order for it to move to the next state. Once unlinked, request a bug refresh with /bugzilla refresh.

Bugzilla bug 1895053 has not been moved to the MODIFIED state.

In response to this:

Bug 1895053: Instruct builds to optionally mount trusted CAs

