MCO-1273: OCB respects proxy configuration in Controller Config #4599
base: master
Conversation
@RishabhSaini: This pull request references MCO-1273 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Skipping CI for Draft Pull Request.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: RishabhSaini The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/test all
and pushing to the image registry
/test all
/test unit
/test e2e-hypershift
While working on this issue I realized Sergio wrote:
Hence the solution I see is to have an Informer/Lister for the Proxy CR as a part of the Build Controller. It will have an
Just to clarify, this is the same If so we can probably just leverage that instead of having to add an additional configmap watcher. I am curious if:
89c7b09 to c3de47b
/test bootstrap-unit
c92f2c5 to 739a3e2
What is the elegant way of adding a CA root certificate to the unprivileged Buildah Container? The problem of respecting the proxy configuration in on-cluster builds here is twofold:
The
The problem is in the first case where the
ed29b52 to 6d130a8
Within the Cluster Network Operator, exists logic within the ProxyConfig Controller to essentially merge the system trust bundles and proxy trust bundles into one ConfigMap with the name The question that now remains is when this config map with the labels should be created so the Cluster Network Operator can help populate it.
Hmm, is there a reason why we just wouldn't always want it (i.e. make it a baked manifest)? We technically don't need it if on-cluster layering isn't in use, but (1) we're moving towards always relying on OCL, and (2) it's harmless if it's not used.
bf34bba to 621f441
@jlebon If the Manifest is baked into the MCO Image, and the Proxy CR is edited to modify the cert, would the manifest need to change as well? Another caveat that I have noticed:
Hence using the ConfigMap CA Injector only allows modifying the tls-ca-bundle.pem and not ca-bundle.trust.crt, both of which might need to contain the proxy root CA certs when establishing an egress connection ( This is a problem that
system wide trust store
buildah-build: Add the mounted additional-trust-bundle to the build context of buildah
build_controller: Stored Additional Trust Bundle as a ConfigMap
image_build_request: Add the Additional Trust Bundle Config Map as a volume to the Buildah pod and mount it
When using a cluster wide Proxy Configuration, the trustedCA needs to be added to the system wide trust store in /etc/pki/ca-trust/source, hence enabling a use case where self-signed certificates are used to download a package from a YUM repo. It will be successfully validated by DNF using the proxy.
@RishabhSaini: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Closes: MCO-1273
- What I did
Added support for proxy configuration specified in the Controller Config to the buildah-build scripts
- How to verify it
Add a network policy to only allow egress through the proxy
Trigger a build by creating a MOSC (the Containerfile can contain `rpm-ostree install cowsay`)
MOSB succeeds
- Description for the changelog
OCB respects proxy configuration in Controller Config
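The two halves of the change described in this PR, a build wrapper that forwards the cluster proxy into the buildah build and installs the additional trust bundle into the system trust *source* directory so that `update-ca-trust` regenerates both tls-ca-bundle.pem and ca-bundle.trust.crt, as an added, stand-alone example. This is not the MCO's buildah-build script or any code from this PR. Assumptions, all hypothetical: the proxy values reach the build pod as HTTP_PROXY/HTTPS_PROXY/NO_PROXY environment variables, the ConfigMap is mounted as a single PEM file whose path is passed on the command line, the installed file is named ocl-additional-trust-bundle.crt, and the destination directory can be overridden so the bundle handling can be exercised without root.

```shell
#!/bin/sh
# Added example, not the MCO's buildah-build script. Forwards the cluster
# proxy to buildah as build args and installs the mounted trust bundle where
# update-ca-trust will merge it into every extracted store (tls-ca-bundle.pem
# and ca-bundle.trust.crt), so curl/buildah and dnf/rpm-ostree all trust the
# proxy CA. Env var names, file name and mount path are assumptions.
set -eu

CA_ANCHORS_DIR=/etc/pki/ca-trust/source/anchors

# Print "--build-arg NAME=value" (one token per line) for one proxy variable,
# in both upper- and lower-case spelling: curl and dnf read the lowercase
# names, much else reads the uppercase ones. Empty values are skipped so an
# unset proxy never becomes an empty, and therefore broken, build arg.
emit_proxy_arg() {
  name=$1; value=$2
  [ -n "$value" ] || return 0
  lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
  printf -- '--build-arg\n%s=%s\n--build-arg\n%s=%s\n' "$name" "$value" "$lower" "$value"
}

proxy_build_args() {
  emit_proxy_arg HTTP_PROXY "${HTTP_PROXY:-}"
  emit_proxy_arg HTTPS_PROXY "${HTTPS_PROXY:-}"
  emit_proxy_arg NO_PROXY "${NO_PROXY:-}"
}

# Number of PEM certificates in a bundle file (0 if none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Install the mounted bundle into the trust source directory and refresh the
# extracted stores. Mounting an injected bundle over tls-ca-bundle.pem alone
# (the CA-injector approach discussed in the thread) leaves ca-bundle.trust.crt
# untouched; going through the source dir plus `update-ca-trust extract`
# regenerates all of them. Refuses an empty bundle rather than silently
# installing a file that trusts nothing. Prints the certificate count.
install_trust_bundle() {
  src=$1; dest_dir=${2:-$CA_ANCHORS_DIR}
  n=$(count_certs "$src")
  if [ "$n" -eq 0 ]; then
    echo "install_trust_bundle: no CERTIFICATE block in $src, refusing to install" >&2
    return 1
  fi
  mkdir -p "$dest_dir"
  cp "$src" "$dest_dir/ocl-additional-trust-bundle.crt"
  chmod 0644 "$dest_dir/ocl-additional-trust-bundle.crt"
  # Only refresh the real system store; a test destination is left alone.
  if [ "$dest_dir" = "$CA_ANCHORS_DIR" ]; then
    update-ca-trust extract
  fi
  echo "$n"
}

# Assemble the buildah invocation, one token per line, so a caller can read it
# back with a while-read loop without word splitting. Nothing is executed here.
build_command() {
  tag=$1; containerfile=$2; context=$3
  printf -- '%s\n' buildah build
  proxy_build_args
  printf -- '%s\n' --tag "$tag" --file "$containerfile" "$context"
}

# Stand-alone use (hypothetical paths):
#   sh ocl-proxy-build.sh /run/additional-trust-bundle/ca-bundle.crt localhost/os:test ./Containerfile .
if [ "$#" -eq 4 ]; then
  install_trust_bundle "$1" >/dev/null
  build_command "$2" "$3" "$4"
fi
```

The NO_PROXY value is passed through as a single token, so the comma-separated list the cluster Proxy CR carries survives intact; the verification step in the PR description (a NetworkPolicy that only allows egress via the proxy, then a MOSC whose Containerfile runs `rpm-ostree install cowsay`) is exactly the case where a missing no_proxy or an unrefreshed ca-bundle.trust.crt makes the build fail.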