-
Notifications
You must be signed in to change notification settings - Fork 118
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DEVEXP-403: Mount cluster trusted CA to image registry operator #340
DEVEXP-403: Mount cluster trusted CA to image registry operator #340
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/assign @bparees
manifests/04-ca-proxy.yaml
Outdated
kind: ConfigMap | ||
metadata: | ||
annotations: | ||
config.openshift.io/inject-proxy-cabundle: "true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I noticed in https://github.com/openshift/cluster-image-registry-operator/blob/master/manifests/04-ca-config.yaml#L5-L6 that we are not marking the other CA ConfigMap as "create only" via the annotation release.openshift.io/create-only: "true"
. Is this right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems wrong to me, yet i don't see that CM getting stomped by the CVO. Perhaps the CVO does not stomp configmaps back to empty?
@deads2k @abhinavdahiya ? (tldr: we have a CM being created in the manifest for service CAs. It's not marked create-only, but it seems to be working ok, the service-ca gets injected and the value doesn't seem to be getting stomped back out).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(after looking at a cluster i think it is getting stomped and then re-injected. though i'm a little surprised that isn't causing rollouts of the registry operator so we should probably confirm the registry operator is actually doing the right thing when the service ca changes. In this case the cert doesn't actually change, but it's presumably flapping back and forth between not existing and existing, in the CM)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was able to dig deeper on this - there are three separate control loops that are modifying the serviceca ConfigMap:
- The CVO
- The ca-configmap-injector
- The image registry operator itself - https://github.com/openshift/cluster-image-registry-operator/blob/master/pkg/resource/serviceca.go#L52-L62
Will fix this in a separate PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good catch on (3). seems like we should not need that generator at all?
for (1) we should just set the create-only annotation on the CM.
manifests/07-operator.yaml
Outdated
volumes: | ||
- name: proxyca | ||
configMap: | ||
name: proxyca |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't block mounting the specific ca-bundle.crt
path.
manifests/07-operator.yaml
Outdated
@@ -53,3 +53,10 @@ spec: | |||
value: "cluster-image-registry-operator" | |||
- name: IMAGE | |||
value: docker.io/openshift/origin-docker-registry:latest | |||
volumeMounts: | |||
- name: proxyca | |||
mountPath: /etc/pki/ca-trust/source/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pretty sure the bundle you're trying to overwrite is this one:
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
but i guess i'm not positive which one golang is actually reading since there is also:
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
but it should be one of those two (there are various symlinks that point to those 2 files)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've called this out in the proxy design doc. Will the operator container need to run update-ca-trust extract
before it begins?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i would not expect so, no. pretty sure update-ca-trust extract is what produces those bundles.
the other bit of this should be some logic in the operator itself to watch the mounted file. If it changes, the operator should die (so it gets restarted). (The file on disk will change if the configmap content changes). |
08e9fa9
to
029e67b
Compare
@ricardomaraschini you and I will work on a follow-up PR to do this. @bparees this PR will also stage the proxy CA that will be mounted into the registry itself - I assume we can use the same ConfigMap for both as long as the volume mounts are read-only. |
i'm not entirely sure what you mean, but the CM that's being annotated for proxy-ca injection needs to be used only for the proxy-ca, in the same way that CMs annotated for service-ca injection are used only for that. They can't have multiple writers. |
My intent is that we only have one CM for the proxy ca (rename this I assume we don't need to mount this into the nodeca daemonset, and that another operator will be responsible for this. |
yes mounting it in two different pods should be fine.
would be good to confirm with @mrunalp how they are handling it(not on this thread please) but i believe the intent is for the MCO to get the trusted CAs onto the nodes and CRIO should just pick it up from there. |
|
Huzzah! No trust = no AWS storage (though we separately trust the apiserver?):
|
Should |
If we use VPC endpoints for s3, then yes. Otherwise no - iirc traffic to s3 by default routes over the public internet. Is our proxy controller smart enough to detect this? fyi @openshift/openshift-team-network-edge |
171bced
to
44ea4a5
Compare
/hold Blocked by openshift/cluster-network-operator#274 |
name: trusted-ca | ||
optional: true | ||
items: | ||
- key: ca-bundle.crt |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bparees this uses the optional mount and overwrites the filename.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does "optional" apply to the keys as well as the configmap itself?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bparees I can confirm it does. If the key is not present, the pod is still scheduled (and in my testing had lots of unknown CA errors).
44ea4a5
to
de4fd43
Compare
* Injects the cluster proxy CA into /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem * Tell the CVO to only create the trusted-ca ConfigMap
de4fd43
to
a505e00
Compare
/hold cancel Once openshift/cluster-network-operator#274 this should work! |
@adambkaplan openshift/cluster-network-operator#271 is also needed, but should merge tomorrow. |
/retest |
@adambkaplan openshift/cluster-network-operator#271 has merged. |
/test e2e-aws |
/test e2e-aws /test e2e-aws-image-registry /test e2e-aws-operator /test e2e-aws-upgrade |
|
/retest |
/lgtm |
/retest Please review the full test history for this PR and help us cut down flakes. |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan, bparees, ricardomaraschini The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Injects the cluster proxy CA into
/etc/pki/ca-trust/source/ca-bundle.crt