DEVEXP-403: Mount cluster trusted CA to image registry operator

[adambkaplan]

Injects the cluster proxy CA into /etc/pki/ca-trust/source/ca-bundle.crt

[adambkaplan]

/assign @bparees

/cc @ricardomaraschini @coreydaley

[adambkaplan]

I noticed in https://github.com/openshift/cluster-image-registry-operator/blob/master/manifests/04-ca-config.yaml#L5-L6 that we are not marking the other CA ConfigMap as "create only" via the annotation release.openshift.io/create-only: "true". Is this right?

[bparees]

It seems wrong to me, yet i don't see that CM getting stomped by the CVO. Perhaps the CVO does not stomp configmaps back to empty?

@deads2k @abhinavdahiya ? (tldr: we have a CM being created in the manifest for service CAs. It's not marked create-only, but it seems to be working ok, the service-ca gets injected and the value doesn't seem to be getting stomped back out).

[bparees]

(after looking at a cluster i think it is getting stomped and then re-injected. though i'm a little surprised that isn't causing rollouts of the registry operator so we should probably confirm the registry operator is actually doing the right thing when the service ca changes. In this case the cert doesn't actually change, but it's presumably flapping back and forth between not existing and existing, in the CM)

[adambkaplan]

I was able to dig deeper on this - there are three separate control loops that are modifying the serviceca ConfigMap:

1. The CVO
2. The ca-configmap-injector
3. The image registry operator itself - https://github.com/openshift/cluster-image-registry-operator/blob/master/pkg/resource/serviceca.go#L52-L62

Will fix this in a separate PR

[bparees]

good catch on (3). seems like we should not need that generator at all?

for (1) we should just set the create-only annotation on the CM.

[adambkaplan]

Don't block mounting the specific ca-bundle.crt path.

[bparees]

pretty sure the bundle you're trying to overwrite is this one:
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

but i guess i'm not positive which one golang is actually reading since there is also:
/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt

but it should be one of those two (there are various symlinks that point to those 2 files)

[adambkaplan]

I've called this out in the proxy design doc. Will the operator container need to run update-ca-trust extract before it begins?

[bparees]

i would not expect so, no. pretty sure update-ca-trust extract is what produces those bundles.

[bparees]

the other bit of this should be some logic in the operator itself to watch the mounted file. If it changes, the operator should die (so it gets restarted).

(The file on disk will change if the configmap content changes).

[adambkaplan]

the other bit of this should be some logic in the operator itself to watch the mounted file. If it changes, the operator should die (so it gets restarted).

@ricardomaraschini you and I will work on a follow-up PR to do this.

@bparees this PR will also stage the proxy CA that will be mounted into the registry itself - I assume we can use the same ConfigMap for both as long as the volume mounts are read-only.

[bparees]

@bparees this PR will also stage the proxy CA that will be mounted into the registry itself - I assume we can use the same ConfigMap for both as long as the volume mounts are read-only.

i'm not entirely sure what you mean, but the CM that's being annotated for proxy-ca injection needs to be used only for the proxy-ca, in the same way that CMs annotated for service-ca injection are used only for that. They can't have multiple writers.

[adambkaplan]

i'm not entirely sure what you mean, but the CM that's being annotated for proxy-ca injection needs to be used only for the proxy-ca,

My intent is that we only have one CM for the proxy ca (rename this trusted-ca?). This ConfigMap will be mounted into the registry operator as well as the registry pod - hence read-only mounting.

I assume we don't need to mount this into the nodeca daemonset, and that another operator will be responsible for this.

[bparees]

My intent is that we only have one CM for the proxy ca (rename this trusted-ca?). This ConfigMap will be mounted into the registry operator as well as the registry pod - hence read-only mounting.

yes mounting it in two different pods should be fine.

I assume we don't need to mount this into the nodeca daemonset, and that another operator will be responsible for this.

would be good to confirm with @mrunalp how they are handling it(not on this thread please) but i believe the intent is for the MCO to get the trusted CAs onto the nodes and CRIO should just pick it up from there.

[mrunalp]

would be good to confirm with @mrunalp how they are handling it(not on this thread please) but i believe the intent is for the MCO to get the trusted CAs onto the nodes and CRIO should just pick it up from there.
Yes, that's how it will work for CRI-O 👍

[adambkaplan]

Huzzah! No trust = no AWS storage (though we separately trust the apiserver?):

 {
            "apiVersion": "config.openshift.io/v1",
            "kind": "ClusterOperator",
            "metadata": {
                "creationTimestamp": "2019-08-01T15:58:23Z",
                "generation": 1,
                "name": "image-registry",
                "resourceVersion": "12484",
                "selfLink": "/apis/config.openshift.io/v1/clusteroperators/image-registry",
                "uid": "30c468a5-b475-11e9-a066-0afad4972984"
            },
            "spec": {},
            "status": {
                "conditions": [
                    {
                        "lastTransitionTime": "2019-08-01T15:58:23Z",
                        "message": "The deployment does not exist",
                        "reason": "DeploymentNotFound",
                        "status": "False",
                        "type": "Available"
                    },
                    {
                        "lastTransitionTime": "2019-08-01T15:58:23Z",
                        "message": "Unable to apply resources: unable to sync storage configuration: RequestError: send request failed\ncaused by: Head https://image-registry-us-east-1-ciop5nrpdzv2f0b2b5wzf6-30d741eeb47511.s3.amazonaws.com/: x509: certificate signed by unknown authority",
                        "reason": "Error",
                        "status": "True",
                        "type": "Progressing"
                    },
                    {
                        "lastTransitionTime": "2019-08-01T15:58:23Z",
                        "status": "False",
                        "type": "Degraded"
                    }
                ],
                "extension": null
            }
        },

[danehans]

Should s3.amazonaws.com be added to noProxy for aws installs?

[adambkaplan]

Should s3.amazonaws.com be added to noProxy for aws installs?

If we use VPC endpoints for s3, then yes. Otherwise no - iirc traffic to s3 by default routes over the public internet.

Is our proxy controller smart enough to detect this?

fyi @openshift/openshift-team-network-edge

[adambkaplan]

/hold

Blocked by openshift/cluster-network-operator#274

[adambkaplan]

@bparees this uses the optional mount and overwrites the filename.

[bparees]

does "optional" apply to the keys as well as the configmap itself?

[adambkaplan]

@bparees I can confirm it does. If the key is not present, the pod is still scheduled (and in my testing had lots of unknown CA errors).

[adambkaplan]

/hold cancel

Once openshift/cluster-network-operator#274 this should work!

[danehans]

@adambkaplan openshift/cluster-network-operator#271 is also needed, but should merge tomorrow.

[danehans]

/retest

[danehans]

@adambkaplan openshift/cluster-network-operator#271 has merged.

[danehans]

fail [k8s.io/kubernetes/test/e2e/framework/framework.go:338]: Aug 16 19:37:17.100: Couldn't delete ns: "e2e-test-build-webhooks-9brtm": namespace e2e-test-build-webhooks-9brtm was not deleted with limit: timed out waiting for the condition, namespace is empty but is not yet removed (&errors.errorString{s:"namespace e2e-test-build-webhooks-9brtm was not deleted with limit: timed out waiting for the condition, namespace is empty but is not yet removed"})

/test e2e-aws

[adambkaplan]

/test e2e-aws

/test e2e-aws-image-registry

/test e2e-aws-operator

/test e2e-aws-upgrade

[danehans]

level=error msg="Error: Error creating S3 bucket: TooManyBuckets: You have attempted to create more buckets than allowed"
/test e2e-aws
/test e2e-aws-image-registry
/test e2e-aws-upgrade

[adambkaplan]

/retest

[bparees]

/lgtm

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[ricardomaraschini]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan, bparees, ricardomaraschini

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [adambkaplan,bparees]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment