Add Trusted CA Bundle to Build Controller

[adambkaplan]

Read CA bundle from disk so it can be mounted into build pods.

[adambkaplan]

/hold

Waiting on api and client-go to settle down.

[adambkaplan]

@bparees ptal

[adambkaplan]

Main challenge is that if we mount the CAs by their ConfigMap key, we need to know which CAs we have prior to creating the build pod. My approach is to generate the CA data first, then pass the keys of the CA files into the build pod.

[adambkaplan]

UPDATE: If a ConfigMap is mounted with Items, it will only mount the keys referenced in the Items list. We will be mounting the service-signing-cert by referencing it's key, since we are relying on the kubelet to hold off creating the container until the cert is injected. Therefore, we must also reference the additional trusted CA by key name.

[adambkaplan]

Failing with a warning here if the CA bundle can't be found.

TODOs:

1. Don't log if the error is a NotFound error?
2. Validate the data is PEM-encoded?

[bparees]

this seems like a lot of extra logic when in the end we only have a single key and bundle we care about.

ultimately (when all the pieces are in place) i expect the configmap to have at most two keys:

1. additionalCAs (optional)
2. serviceCA

and we know that if (1) is going to be present, it will be populated when we create the configmap, so you don't have to do anything special in terms of specifically referencing mounting the key for (1) when you setup the configmap volume. You only need to do that for (2).

[bparees]

we should not have to read this data on every build. If the data changes we should expect the operator to restart the controller, so we can read it once during controller startup.

[smarterclayton]

/refresh

[adambkaplan]

UPDATE: If a ConfigMap is mounted with Items, it will only mount the keys referenced in the Items list. We will be mounting the service-signing-cert by referencing it's key, since we are relying on the kubelet to hold off creating the container until the cert is injected. Therefore, we must also reference the additional trusted CA by key name.

[adambkaplan]

/hold cancel

@bparees one question re: failure modes reading the CA bundle.

[adambkaplan]

/retest

[adambkaplan]

bump @bparees

[bparees]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan, bparees

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/build/OWNERS [bparees]
• pkg/cmd/OWNERS [bparees]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@adambkaplan: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/extended_builds	e09dfaa	link	/test extended_builds
ci/openshift-jenkins/extended_image_ecosystem	e09dfaa	link	/test extended_image_ecosystem
ci/prow/e2e-gcp-crio	b4a6cad	link	/test e2e-gcp-crio

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.