Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds Trust Bundle Publishing to Proxy Controller #271

Merged
merged 1 commit into from
Aug 16, 2019
Merged

Adds Trust Bundle Publishing to Proxy Controller #271

merged 1 commit into from
Aug 16, 2019

Conversation

danehans
Copy link
Contributor

@danehans danehans commented Aug 2, 2019
edited

Depends on #245

  • Reconcile "openshift-config-managed/trusted-ca-bundle" ConfigMap object.
  • Validate Data of "openshift-config-managed/user-ca-bundle" ConfigMap object.
  • Validate cluster-network-operator's system trust bundle as valid certificate(s).
  • Merge user/system trust bundles.
  • Create/update "openshift-config-managed/trusted-ca-bundle" ConfigMap object.
  • Godocs

Jira: SDN-501

PTAL @squeed @danwinship @dcbw @bparees @JacobTanenbaum

@openshift-ci-robot openshift-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 2, 2019
@danehans danehans force-pushed the ca_bundle_controller branch 2 times, most recently from 1cddc5c to d333e71 Compare August 2, 2019 17:23
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 2, 2019
@danehans danehans changed the title WIP: Adds Trust Bundle Publisher Controller Adds Trust Bundle Publisher Controller Aug 2, 2019
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 2, 2019
squeed
squeed reviewed Aug 5, 2019
View reviewed changes
pkg/controller/trustbundle-publisher/controller.go Outdated
// encoded certificates, embeds the merged byte slice into a configmap
// named "proxy-ca-bundle" in namespace "openshift-config-managed" and
// returns the configmap.
func (r *ConfigMapReconciler) ensureMergedConfigMap(additionalData, systemData []byte) (*corev1.ConfigMap, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it a problem if the additional CA is already present in the system trust? Will that break expectations?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's just going to result in 2 copies of that cert in the bundle, right?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup. The question is: does that break anything? Does the bundle need to be unique? (I have no idea)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'd be surprised but it would definitely be a good thing to test.

@openshift-ci-robot openshift-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 5, 2019
@danehans danehans mentioned this pull request Aug 6, 2019
Merged
3 tasks
JacobTanenbaum added a commit to JacobTanenbaum/cluster-network-operator that referenced this pull request Aug 6, 2019
@JacobTanenbaum
added names from openshift#271
4597336
JacobTanenbaum added a commit to JacobTanenbaum/cluster-network-operator that referenced this pull request Aug 6, 2019
@JacobTanenbaum
added validation from openshift#271
1780b39
@danehans danehans mentioned this pull request Aug 7, 2019
Merged
3 tasks
JacobTanenbaum added a commit to JacobTanenbaum/cluster-network-operator that referenced this pull request Aug 8, 2019
@JacobTanenbaum
added names from openshift#271
0a0947c
JacobTanenbaum added a commit to JacobTanenbaum/cluster-network-operator that referenced this pull request Aug 8, 2019
@JacobTanenbaum
added validation from openshift#271
fcadcdc
@openshift-ci-robot openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 8, 2019
bparees
bparees reviewed Aug 8, 2019
View reviewed changes
pkg/controller/proxyconfig/controller.go Outdated

// Reconcile expects request to refer to a proxy object named "cluster"
// in the default namespace or to a configmap object named
// "user-ca-bundle" in namespace "openshift-config-managed", and will
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this comment is wrong... i'd expect this controller to be watching 3 things:

  1. the trust-bundle configmap in openshift-config-managed (this CM has a fixed name), because you need to stomp it back to the correct value if it gets updated by something else
  2. the additional CA bundle configmap in the openshift-config namespace (this configmap name can change, so you need to detect if it changes, by watching the proxy config resource), because if the bundle changes, you need to re-merge the values w/ the system values and publish it to the CM in (1).
  3. the proxyconfig resource (so you can determine the name of the configmap in (2) and perform the merge action on it)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bparees see #271 (comment)

@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 8, 2019
@danehans danehans force-pushed the ca_bundle_controller branch 2 times, most recently from 2960d45 to 2a0c159 Compare August 14, 2019 17:24
bparees
bparees requested changes Aug 14, 2019
View reviewed changes
pkg/controller/proxyconfig/controller.go Show resolved Hide resolved
pkg/names/names.go Outdated Show resolved Hide resolved
pkg/names/names.go Outdated Show resolved Hide resolved
@bparees
Copy link

bparees commented Aug 14, 2019

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 14, 2019
@danehans
Copy link
Contributor Author

/test e2e-aws-upgrade

@danehans danehans mentioned this pull request Aug 14, 2019
Merged
@danehans
Copy link
Contributor Author

/test e2e-aws-upgrade

@awgreene awgreene mentioned this pull request Aug 15, 2019
Merged
@jmrodri jmrodri mentioned this pull request Aug 15, 2019
Merged
@openshift-ci-robot openshift-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed lgtm Indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 15, 2019
@bparees
Copy link

bparees commented Aug 15, 2019

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 15, 2019
@knobunc
Copy link
Contributor

knobunc commented Aug 15, 2019

/approve

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 15, 2019
@danehans
Copy link
Contributor Author

danehans commented Aug 15, 2019
edited

aws-e2e-upgrade job failure due to:
Aug 15 20:45:11.316 E clusterversion/version changed Failing to True: ClusterOperatorDegraded: Cluster operator network is reporting a failure: failed to generate system trust bundle configmap ’openshift-config-managed/trusted-ca-bundle (failed to validate trust bundle /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem: certificate is not a CA certificate: <nil>).

I found that /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem contains a certificate with serial # 9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57 that does not contain CA: True. This is because the CA field was introduced in v3 of x509 and the offending cert is v1.

I am removing the following from CertificateData in validation/trustbundle.go:

if !cert.IsCA {
    return nil, nil, fmt.Errorf("certificate is not a CA certificate: %v", err)
}

@openshift-ci-robot openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Aug 15, 2019
@danehans danehans mentioned this pull request Aug 16, 2019
Merged
@bparees
Copy link

bparees commented Aug 16, 2019

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 16, 2019
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees, danehans, knobunc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 273dbd7 into openshift:master Aug 16, 2019
@danehans danehans mentioned this pull request Aug 16, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wking wking wking left review comments

@squeed squeed squeed left review comments

@bparees bparees bparees requested changes

@JacobTanenbaum JacobTanenbaum Awaiting requested review from JacobTanenbaum

Assignees

@bparees bparees

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@danehans @bparees @knobunc @openshift-ci-robot @wking @squeed @openshift-merge-robot