MGMT-20207: avoid adding system CA bundle to AdditionalTrustBundle #7448
Conversation
openshift-ci-robot
added
the
jira/valid-reference
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
@danielerez: This pull request references MGMT-20207 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
Skipping CI for Draft Pull Request. |
openshift-ci
bot
added
size/M
|
/test all |
danielerez
force-pushed
the
user-registry-ca-bundle
branch
from
488e114 to
3228d83
Compare
|
@danielerez: This pull request references MGMT-20207 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/test all |
|
/cc @carbonin |
|
/retest |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #7448 +/- ##
==========================================
+ Coverage 67.26% 67.29% +0.02%
==========================================
Files 334 334
Lines 42265 42309 +44
==========================================
+ Hits 28431 28470 +39
- Misses 11261 11265 +4
- Partials 2573 2574 +1
🚀 New features to boost your workflow:
|
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
/retest |
| @@ -129,6 +130,19 @@ var _ = Describe("Generator tests", func() { | |||
| res := m.IsMirrorRegistriesConfigured() | |||
| Expect(res).Should(Equal(true)) | |||
| }) | |||
|
|
|||
| It("returns true when only the system CA exists (and registry.conf has mirrors)", func() { | |||
There was a problem hiding this comment.
I don't understand this test. Why is there a conditional and why does IsMirrorRegistriesConfigured have anything to do with the system CA, shouldn't it be based on the user one?
There was a problem hiding this comment.
Oh, that's just for testing the fallback: https://github.com/openshift/assisted-service/pull/7448/files#diff-7cc7e8a2e1a64d1393f8dfcf02e682c3286f987e2391b11f9a2b05919912be54R65
I.e. to ensure we use common.SystemCertificateBundlePath when m.MirrorRegistriesCertificatePath doesn't exist. I can check the GetMirrorCA func directly if it's clearer.
(Added it here just since IsMirrorRegistriesConfigured is calling GetMirrorCA first)
The condition is only to avoid writing to the local common.SystemCertificateBundlePath.
There was a problem hiding this comment.
Okay, but for this test we should know if the file is going to exist or not and expect a result accordingly. I'm just saying that there shouldn't be a conditional in the test around the Expect lines.
There was a problem hiding this comment.
Yeah, fair enough. So added a new set of tests for GetMirrorCA.
danielerez
force-pushed
the
user-registry-ca-bundle
branch
from
3228d83 to
d2837d1
Compare
openshift-ci
bot
added
size/L
pkg/mirrorregistries/generator.go
Outdated
| bytes, err := m.fileReader(m.MirrorRegistriesCertificatePath) | ||
| if err != nil { | ||
| // fallback to tls-ca-bundle.pem (used by ABI) | ||
| return m.fileReader(common.SystemCertificateBundlePath) |
There was a problem hiding this comment.
Instead of injecting the reader function, can we set this path on the struct?
It will be less likely to confuse folks in the future that don't know why this fileReader exists
There was a problem hiding this comment.
Sure, good idea.
When generating the install config, it should not include the entire system CA bundle. I.e. when setting the AdditionalTrustBundle[1]. However, when using a mirror regsitry (e.g. with MirrorRegistryRef[2] in ASC), the installConfigBuilder is adding the content of tls-ca-bundle.pem[3]. This pem file is created[4] by ASC controller, and includes the full system CA bundle since the bundle[5] is injected into 'cluster-trusted-ca-bundle'. Therefore, the suggestion solution is to create a separate pem file just for the certificates specified in MirrorRegistryRef. I.e. generate a new 'user-registry-ca-bundle.pem' file, that will be included as part of AdditionalTrustBundle. These certificates will propagate into the 'user-ca-bundle' CM during cluster installation. This will ensure that 'user-ca-bundle' CM indeed includes only custom certificates mandatory for the user, instead of the system CA bundle. Note: as backwards compatibility, for flows as ABI, we keep a fallback to the current behaviour (i.e. include 'tls-ca-bundle.pem' only when 'user-registry-ca-bundle.pem' doesn't exist). [1] https://github.com/openshift/assisted-service/blob/40ab10db5e872e519ab0a97e82fc318423feeaba/internal/installcfg/builder/builder.go#L275 [2] https://github.com/openshift/assisted-service/blob/cb169a2d2c97bb3dccd06ad4b75f2937e01f78f4/vendor/github.com/openshift/assisted-service/api/v1beta1/agentserviceconfig_types.go#L82 [3] https://github.com/openshift/assisted-service/blob/a1c3229afee1f0f774b286283fb0d0098b9eac03/internal/common/common.go#L35 [4] https://github.com/openshift/assisted-service/blob/341f9860c455cccc42741f350024d05aa72755f8/internal/controller/controllers/agentserviceconfig_controller.go#L1848 [5] https://github.com/openshift/assisted-service/blob/341f9860c455cccc42741f350024d05aa72755f8/internal/controller/controllers/agentserviceconfig_controller.go#L1059
danielerez
force-pushed
the
user-registry-ca-bundle
branch
from
d2837d1 to
c99b438
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: carbonin, danielerez The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/cherry-pick release-ocm-2.12 |
|
@danielerez: once the present PR merges, I will cherry-pick it on top of In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/cherry-pick release-ocm-2.13 |
|
@danielerez: once the present PR merges, I will cherry-pick it on top of In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
1 similar comment
|
/retest |
1 similar comment
|
/retest |
|
@giladravid16 @pastequo Do you have an idea why these 2 konflux jobs are not triggering for a long time ? |
|
@danielerez: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
When generating the install config, it should not include the entire system CA bundle. I.e. when setting the AdditionalTrustBundle[1]. However, when using a mirror regsitry (e.g. with MirrorRegistryRef[2] in ASC), the installConfigBuilder is adding the content of tls-ca-bundle.pem[3]. This pem file is created[4] by ASC controller, and includes the full system CA bundle since the bundle[5] is injected into 'cluster-trusted-ca-bundle'.
Therefore, the suggestion solution is to create a separate pem file just for the certificates specified in MirrorRegistryRef. I.e. generate a new 'user-registry-ca-bundle.pem' file, that will be included as part of AdditionalTrustBundle. These certificates will propagate into the 'user-ca-bundle' CM during cluster installation.
This will ensure that 'user-ca-bundle' CM indeed includes only custom certificates mandatory for the user, instead of the system CA bundle.
Note: as backwards compatibility, for flows like ABI, we keep a fallback to the current behaviour (i.e. include 'tls-ca-bundle.pem' only when 'user-registry-ca-bundle.pem' doesn't exist).
[1]
assisted-service/internal/installcfg/builder/builder.go
Line 275 in 40ab10d
[2]
assisted-service/vendor/github.com/openshift/assisted-service/api/v1beta1/agentserviceconfig_types.go
Line 82 in cb169a2
[3] https://github.com/openshift/assisted-service/blob/a1c3229afee1f0f774b286283fb0d0098b9eac03/internal/common/common.go#L35
[4]
assisted-service/internal/controller/controllers/agentserviceconfig_controller.go
Line 1848 in 341f986
[5]
assisted-service/internal/controller/controllers/agentserviceconfig_controller.go
Line 1059 in 341f986
List all the issues related to this PR
What environments does this code impact?
How was this code tested?
Checklist
docs, README, etc)Reviewers Checklist