*: fix cert and env binding for k8s-node-bootstrapper #2757
Conversation
As written in #2460, all tests fail because
ok to test
@@ -24,6 +25,7 @@ ExecStartPre=/usr/bin/docker run --rm \ | |||
-v /etc/coreos:/etc/coreos:ro \ | |||
-v /etc/torcx:/etc/torcx \ | |||
-v /etc/kubernetes:/etc/kubernetes \ | |||
-v /etc/ssl:/etc/ssl:ro \ |
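Review bot: the new -v /etc/ssl:/etc/ssl:ro line mounts all of /etc/ssl when the bootstrapper only needs the CA bundle; mounting /etc/ssl/certs/ca-certificates.crt (or at most /etc/ssl/certs) keeps anything else that may live under /etc/ssl on the host, such as a private/ directory, out of the container. Before relying on either form, check on a node that /etc/ssl/certs/ca-certificates.crt is a regular file or a symlink whose target stays inside the mounted tree: a bind mount does not carry symlink targets with it, so a link that points out of /etc/ssl (for example into /usr/share) is dangling inside the container and the Go binary will still fail to load its roots. The read-only flag is right; /etc/kubernetes and /etc/torcx on the neighbouring lines are mounted read-write, so a one-line comment on why /etc/ssl is :ro would help the next reader.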
Turns out this needs to be /etc/ssl/certs/ca-certificates.crt.
The Go binary can't read all the certs; it needs the cert bundle specifically.
We need /etc/ssl/certs/ca-certificates.crt as opposed to /usr/share/certs/ca-certificates.crt, as we need to be able to trust certificates that are added to the bundle at install time. The /usr/share/cert path, I think, is immutable.
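A check a practitioner would run on a node before trusting the bind mount, added here as an example and not code from this PR or the project: given the bundle path and the host directory that the unit bind-mounts into the container, confirm that the bundle resolves, through any symlinks, to a regular file that lives inside that mounted tree, because a link that points out of the tree (for instance into /usr/share) is dangling inside the container even though it reads fine on the host. The function name, its diagnostics and the directory layout used in the test are assumptions made for this example; it relies on readlink -f as provided by GNU or busybox coreutils.

```shell
#!/bin/sh
# Added example, not code from the PR or the project. Checks whether a
# CA bundle on the host will actually be readable inside a container that
# bind-mounts a host directory, the way the unit does with
#   -v /etc/ssl:/etc/ssl:ro
# Assumptions: the function name and usage are invented for this example;
# readlink -f (GNU or busybox coreutils) is available.

# bundle_visible_in_mount BUNDLE MOUNT_SRC
# Returns 0 when BUNDLE resolves (through any symlinks) to a regular file
# located under MOUNT_SRC, and 1 otherwise, with the reason on stderr.
bundle_visible_in_mount() {
    bundle=$1
    mount_src=$(readlink -f "$2") || return 1

    # Resolve every symlink in the path. This is the file the host kernel
    # serves; it must sit inside the mounted tree to exist in the container.
    target=$(readlink -f "$bundle") || {
        echo "$bundle: cannot resolve" >&2
        return 1
    }
    if [ ! -f "$target" ]; then
        echo "$bundle: not a regular file (resolved to $target)" >&2
        return 1
    fi
    case $target in
        "$mount_src"/*) ;;
        *)
            echo "$bundle: resolves to $target, outside $mount_src;" \
                 "the container would see a dangling symlink" >&2
            return 1 ;;
    esac
    return 0
}

# Usage on a node, with the paths discussed in the review:
#   bundle_visible_in_mount /etc/ssl/certs/ca-certificates.crt /etc/ssl
if [ -n "${1-}" ] && [ -n "${2-}" ]; then
    bundle_visible_in_mount "$1" "$2" && echo "$1 is usable via a bind mount of $2"
fi
```

Run it with the bundle path and the mount source as the two arguments; a non-zero exit with the message on stderr is the case the review comment above is warning about.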
This change was cherry-picked from your PR. Should I make that change for you?
Need to change the cert path.
ping @coresolve
This change adds a bindmount of /etc/ssl. It will also load /etc/profile.env into the env so that we can operate in proxy environments. The /etc/profile.env file is populated by ignition based on: https://tinyurl.com/zme96wx
The change looks good. I think I am still trying to figure out where to get the proxy env vars from. I was using /etc/profile.env because of this guidance: With this doc floating around I think we need to agree on an approach.
ExecStartPre=/usr/bin/docker run --rm \ | ||
--env-file /etc/profile.env \ |
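Review bot: --env-file /etc/profile.env ties the unit to a file that exists for shell consumption, not for docker: docker reads each line literally as KEY=VALUE, so lines that use export, quoting or $expansion come through wrong or abort the run, and a host without the file fails ExecStartPre outright even though a proxy-free node has no reason to carry it. Passing the variables by name, --env HTTP_PROXY --env HTTPS_PROXY --env NO_PROXY, and setting them in a drop-in for this service limits what enters the container to the proxy settings and costs nothing on the default install, since docker omits a bare --env name that is not set in its own environment.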
Would it be better to use --env HTTP_PROXY --env NO_PROXY (and any other proxy-related variables; those are the ones the Go stdlib understands iirc)?
The profile.env file is meant for full shell parsing and for interactive user shells, so it's perfectly possible a user will, for valid reasons, have set it to include more complex statements than docker's --env-file may understand.
Minimizing the set of environment variables getting passed through is also good from a security perspective.
With the --env suggestion above, using a dropin for specifically this service or globally via /etc/systemd/system.conf.d/ should work, and it won't require touching anything in the default case since docker doesn't error if an --env value doesn't exist.
The problem, though, is that the docker container needs the env vars. I am fine with pointing at a different file. In most cases I am blindly expecting the env vars in /etc/profile.env to apply cleanly here.
I think this makes sense. Basically extend the k8s-node-bootstrapper.service with the proxy vars and feed them in with --env. This is probably cleaner because the --env-file doesn't have to exist.
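What the approach suggested in the review (carry the proxy settings in a systemd drop-in and pass them to docker by name with --env) and agreed to just above looks like in practice, added here as an example rather than code from this PR or the project: a POSIX shell script that shell-parses an /etc/profile.env-style file, which is the parsing docker's --env-file does not do, copies only the proxy variables into a [Service] drop-in for k8s-node-bootstrapper.service, and prints the matching --env flags for the ExecStartPre line. The allow-list of variable names, the drop-in path in the usage comment and the sample profile.env behind --demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the PR or the project. Keeps the proxy
# settings in a systemd drop-in and hands them to docker by name with
# --env, instead of --env-file /etc/profile.env.
# Assumptions made here: the allow-list below, the drop-in path in the
# usage comment, and the constructed sample file under --demo.

# Only these names ever enter the container: the proxy variables, in both
# spellings, that Go's net/http proxy support reads.
PROXY_VARS="HTTP_PROXY HTTPS_PROXY NO_PROXY http_proxy https_proxy no_proxy"

# render_proxy_dropin FILE
# Prints a [Service] drop-in with one Environment= line per allow-listed
# variable that FILE sets. FILE is evaluated by a real shell in a throwaway
# subshell, so export, quoting and $expansion behave as they do at login,
# whereas docker --env-file takes each such line literally as KEY=VALUE.
render_proxy_dropin() {
    env_file=$1
    [ -r "$env_file" ] || { echo "cannot read $env_file" >&2; return 1; }
    # A bare name would make '.' search $PATH; force a path lookup.
    case $env_file in */*) ;; *) env_file=./$env_file ;; esac
    (
        # Start from a clean slate so values inherited from this process's
        # own environment cannot leak into the drop-in.
        for name in $PROXY_VARS; do unset "$name"; done
        set -a                                   # every assignment is exported
        . "$env_file" >/dev/null 2>&1 || exit 1  # any output of the file is dropped
        printf '[Service]\n'
        for name in $PROXY_VARS; do
            eval "value=\${$name-}"
            [ -n "$value" ] || continue
            # systemd Environment= quoting: wrap in "..." and escape \ and "
            esc=$(printf '%s' "$value" | sed 's/[\\"]/\\&/g')
            printf 'Environment="%s=%s"\n' "$name" "$esc"
        done
    )
}

# docker_env_flags
# Prints the --env flags for the ExecStartPre line. With a bare name docker
# copies the variable from its own environment only when it is set, so the
# unit works unchanged on hosts with no proxy configured.
docker_env_flags() {
    set --
    for name in $PROXY_VARS; do
        set -- "$@" --env "$name"
    done
    printf '%s' "$*"
}

# Usage on a node (the drop-in path is an assumption of this example):
#   d=/etc/systemd/system/k8s-node-bootstrapper.service.d
#   mkdir -p "$d" && render_proxy_dropin /etc/profile.env > "$d/10-proxy.conf"
#   systemctl daemon-reload
# and in the unit:  ExecStartPre=/usr/bin/docker run --rm $(docker_env_flags) ...
if [ "${1-}" = "--demo" ]; then
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# constructed sample of an /etc/profile.env, not taken from a real node
export HTTP_PROXY="http://proxy.example.internal:3128"
export HTTPS_PROXY=$HTTP_PROXY
NO_PROXY=localhost,127.0.0.1,.example.internal
export NO_PROXY
export PS1='\u@\h \w \$ '
if [ -n "$BASH_VERSION" ]; then shopt -s histappend; fi
EOF
    render_proxy_dropin "$sample"
    echo "ExecStartPre=/usr/bin/docker run --rm $(docker_env_flags) ..."
    rm -f "$sample"
fi
```

Running it with --demo shows that the PS1 assignment and the shopt line, both valid in a profile and both meaningless to --env-file, never reach the drop-in, while HTTPS_PROXY comes out with the expanded value of HTTP_PROXY rather than the literal string $HTTP_PROXY.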
This is planned to be superseded by forthcoming PRs.
Cherry-pick #2460 into track-1
Fixes: https://jira.coreos.com/browse/INST-859
cc @lucab @crawford @coresolve