Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inject payload's system store with proxy CA when specified #172

Merged
merged 2 commits into from
Aug 22, 2019
Merged

Inject payload's system store with proxy CA when specified #172

merged 2 commits into from
Aug 22, 2019

Conversation

stlaz
Copy link
Contributor

@stlaz stlaz commented Aug 9, 2019

/cc @enj @sttts

@openshift-ci-robot openshift-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 9, 2019
@enj
Copy link
Contributor

enj commented Aug 10, 2019

/hold

This looks weird to me. Please link me to the requirements for this.

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 10, 2019
@stlaz stlaz changed the title Inject payload's system store with proxy CA when specified WIP: Inject payload's system store with proxy CA when specified Aug 13, 2019
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 13, 2019
@stlaz
Copy link
Contributor Author

stlaz commented Aug 13, 2019
edited

Adding WIP, this is needlessly complicated now, apparently the trusted-ca-bundle config map will always exist and should contain the CA bundle we need (if I get https://docs.google.com/document/d/1y0t0yEOSnKc4abxsjxEQjrFa1AP8iHcGyxlBpqGLO08/edit#heading=h.y6ieif41wmlc right), let's just use the sync logic we already have + getting the CM resourceVersion for deployment as added just lately and always mount the CM to the oauth-server pods

@openshift-ci-robot openshift-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 13, 2019
@stlaz
Copy link
Contributor Author

stlaz commented Aug 13, 2019

This PR will now be failing until something starts creating the trusted-ca-bundle configmap in the openshift-config-managed namespace.

I suspect the main blocker is https://github.com/openshift/cluster-network-operator/pull/274, although the configmap creation may eventually be done elsewhere.

stlaz
stlaz commented Aug 13, 2019
View reviewed changes
pkg/operator2/deployment.go Outdated Show resolved Hide resolved
@stlaz stlaz changed the title WIP: Inject payload's system store with proxy CA when specified Inject payload's system store with proxy CA when specified Aug 14, 2019
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 14, 2019
@stlaz
Copy link
Contributor Author

stlaz commented Aug 14, 2019

Added the injection for the operator as well, similarly to openshift/cluster-image-registry-operator#340 but without the optional mount. If the CM is supposed to be present, then why not fail if it isn't.

enj
enj suggested changes Aug 14, 2019
View reviewed changes
Copy link
Contributor

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/hold

I do not think this will work.

manifests/03_configmap.yaml Outdated Show resolved Hide resolved
pkg/operator2/starter.go Outdated Show resolved Hide resolved
manifests/07_deployment.yaml Outdated Show resolved Hide resolved
manifests/07_deployment.yaml Outdated Show resolved Hide resolved
pkg/operator2/deployment.go Show resolved Hide resolved
pkg/operator2/deployment.go Outdated Show resolved Hide resolved
pkg/operator2/operator.go Outdated Show resolved Hide resolved
@danehans
Copy link

@stlaz now that [1] and [2] have merged, operators/operands requiring proxy support should no longer be blocked from implementing this feature.
 
[1] openshift/cluster-network-operator#271
[2] openshift/cluster-network-operator#274

@danehans
Copy link

Added the injection for the operator as well, similarly to openshift/cluster-image-registry-operator#340 but without the optional mount. If the CM is supposed to be present, then why not fail if it isn't.

@stlaz @bparees has suggested to make the ca bundle mount optional. He doesn't want an operator to fail to schedule, causing a domino effect of failures. Operator's can successfully start without the CA trust bundle and then restart when the bundle is available.

@stlaz stlaz force-pushed the mount_proxy_ca branch 5 times, most recently from af21cb5 to 03ebe5b Compare August 19, 2019 13:55
@stlaz
Copy link
Contributor Author

stlaz commented Aug 19, 2019

@danehans I made the CM optional, then. I don't think we'll need to restart the pod, we're dynamically reloading our transports for given CAs, I just added the reload for the system-default trust store, too.

enj
enj suggested changes Aug 20, 2019
View reviewed changes
Copy link
Contributor

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mount the CA bundle at a standard path and have the operator use it where it needs to (route, OpenID, etc).

pkg/operator2/transport.go Outdated Show resolved Hide resolved
pkg/operator2/deployment.go Outdated Show resolved Hide resolved
manifests/07_deployment.yaml Outdated Show resolved Hide resolved
manifests/07_deployment.yaml Outdated Show resolved Hide resolved
@openshift-ci-robot openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 20, 2019
@openshift-ci-robot openshift-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 20, 2019
@stlaz stlaz force-pushed the mount_proxy_ca branch 2 times, most recently from c2b376d to 4b95ae8 Compare August 20, 2019 12:05
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 20, 2019
@stlaz stlaz force-pushed the mount_proxy_ca branch 2 times, most recently from 86de23b to d37494f Compare August 20, 2019 14:38
enj
enj reviewed Aug 20, 2019
View reviewed changes
Copy link
Contributor

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After these comments are addressed I am going to want to look at this more closely locally.

pkg/operator2/idp.go Outdated Show resolved Hide resolved
pkg/operator2/route.go Outdated Show resolved Hide resolved
pkg/operator2/operator.go Outdated Show resolved Hide resolved
pkg/operator2/operator.go Outdated Show resolved Hide resolved
@openshift-ci-robot openshift-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 21, 2019
@stlaz
Copy link
Contributor Author

stlaz commented Aug 21, 2019

/test e2e-aws

@stlaz
Insert trusted-ca-bundle from managed config NS into oauth-server tru…
dbd3427 
…st store

This uses the CVO to create and watch a CM in openshift-authentication
namespace, the name of the CM is prefixed in a way so that the config map's
resourceVersion is watched by the authn operator and oauth-server is reloaded
upon its change.
@stlaz
Inject operator's trust store with trusted-ca-bundle
df55535
@stlaz
Copy link
Contributor Author

stlaz commented Aug 21, 2019

/test e2e-aws-upgrade
aws problem

@danehans
Copy link

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 21, 2019
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danehans, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@enj
Copy link
Contributor

enj commented Aug 21, 2019

Even with openshift/cluster-network-operator#296 in mind, I think this is fine.

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 21, 2019
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit 546aca0 into openshift:master Aug 22, 2019
sttts
sttts reviewed Aug 28, 2019
View reviewed changes
manifests/03_configmap.yaml
annotations:
release.openshift.io/create-only: "true"
labels:
config.openshift.io/inject-trusted-cabundle: "true"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

won't CVO stomp this configmap after network operator added the CA ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same below of course

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danehans ^^

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

presumably not, because of the create-only annotation...

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nvmd. The create-only label will make sure it is not overwritten.

sttts
sttts reviewed Aug 28, 2019
View reviewed changes
pkg/operator2/idp.go
@@ -343,3 +346,12 @@ func encodeOrDie(obj runtime.Object) []byte {
}
return bytes
}

func trustedCABytes() []byte {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are these additional to the system trust store? The file only includes some CAs, not all. Especially not possibly required intermediate ones.

sttts
sttts reviewed Aug 28, 2019
View reviewed changes
pkg/operator2/operator.go
trustedCABundleName = systemConfigPrefix + "trusted-ca-bundle"
trustedCABundleKey = "ca-bundle.crt"
trustedCABundleMountDir = "/etc/pki/ca-trust/extracted/pem"
trustedCABundleMountFile = "tls-ca-bundle.pem"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a plain yaml text file would me much more readable than 35 constansts.

sttts
sttts reviewed Aug 28, 2019
View reviewed changes
pkg/operator2/operator.go
@@ -525,7 +532,8 @@ func (c *authOperator) checkDeploymentReady(deployment *appsv1.Deployment, opera
func (c *authOperator) checkRouteHealthy(route *routev1.Route, routerSecret *corev1.Secret, ingress *configv1.Ingress) (ready bool, msg, reason string, err error) {
caData := routerSecretToCA(route, routerSecret, ingress)

rt, err := transportFor("", caData, nil, nil)
// merge trustedCA data with router cert in case TLS intercept proxy is in place
rt, err := transportFor("", append(caData, trustedCABytes()...), nil, nil)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this reads the file on every request, not good.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we sure these bytes always append cleanly, i.e. that we have a trailing newline in caData? Looks fragile.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ic, we probably reread to get the latest version (which can change in the background).

@deads2k
Copy link
Contributor

deads2k commented Aug 28, 2019

This appears to miss other usages. We should use the standard construction of proxies and simply get ourselves into the right shape. A fileobserver (not the watchdog, the other one) and the bash glue from OAS ought to get this into shape.

@sttts sttts mentioned this pull request Aug 29, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@squeed squeed squeed left review comments

@sttts sttts sttts left review comments

@danehans danehans danehans left review comments

@enj enj enj requested changes

Assignees

@danehans danehans

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
9 participants
@stlaz @enj @danehans @openshift-ci-robot @openshift-bot @deads2k @squeed @sttts @openshift-merge-robot