OCPBUGS-44637: Mount proxy certificate to node-joiner pod #1965
Conversation
When a proxy is configured with a self-signed certificate, the certificate needs to be made available to the node-joiner pod to allow it to communicate with the proxy. Previously, the certificate wasn't mounted to the node-joiner pod so that when the pod attempted to pull images through the proxy, it failed. Now the user-ca-bundle config map is copied to the node-joiner pod's namespace and the certificate is mounted and made available as /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
openshift-ci-robot
added
the
jira/valid-reference
|
@rwsu: This pull request references Jira Issue OCPBUGS-44637, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/invalid-bug
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rwsu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/jira refresh |
openshift-ci-robot
added
jira/valid-bug
|
@rwsu: This pull request references Jira Issue OCPBUGS-44637, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
| Name: "user-ca-bundle", | ||
| MountPath: "/etc/pki/ca-trust/extracted/pem", | ||
| }) | ||
|
|
There was a problem hiding this comment.
Given that it seems the reasonable motivation for the issue, there is one point not clear to me: why the oc command must be responsible for extracting a certificate, and injecting it into the node-joiner container?
Couldn't be something directly managed by the node-joiner tool itself?
Personally I'd prefer to avoid having additional logic in the oc wrapper layer - if not the one just required the proper execution of the container (for the rest, the node-joiner must be able to work also on its own)
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
openshift-ci
bot
removed
the
lifecycle/stale
|
@rwsu: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci
bot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
openshift-ci
bot
added
lifecycle/rotten
WalkthroughAdds support for copying cluster-wide user-ca-bundle ConfigMaps to the node-joiner pod for self-signed proxy scenarios. Includes new test coverage and refactors test infrastructure to inject additional runtime objects for testing proxy and ConfigMap handling. Changes
Estimated code review effort🎯 4 (Complex) | ⏱️ ~50 minutes
✨ Finishing touches
🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (2)
pkg/cli/admin/nodeimage/create.go (1)
801-871: CA bundle propagation is correct; consider idempotence and multi‑container robustnessThe new logic to:
- gate on
HTTPProxy/HTTPSProxy,- copy
user-ca-bundlefromopenshift-config,- mount it as
tls-ca-bundle.pemunder/etc/pki/ca-trust/extracted/pem,matches the documented proxy + user CA flow and should address image pulls behind a self-signed proxy.
A couple of robustness tweaks you might consider:
- ConfigMap creation idempotence
Ifuser-ca-bundlealready exists in the node-joiner namespace (e.g., leftover from a previous run),Createwill fail. TreatingIsAlreadyExists(err)as non-fatal would make this code resilient to partial cleanup or concurrent invocations:cmClient := o.Client.CoreV1().ConfigMaps(o.nodeJoinerNamespace.GetName()) _, err = cmClient.Create(ctx, cm, metav1.CreateOptions{}) if err != nil { if kapierrors.IsAlreadyExists(err) { klog.V(2).Infof("user-ca-bundle already present in %s namespace", o.nodeJoinerNamespace.GetName()) // fall through to volume wiring } else { klog.V(2).Infof("Error writing user-ca-bundle to %s namespace: %v", o.nodeJoinerNamespace.GetName(), err) return err } }
- Future sidecars
The volumeMount is added only topod.Spec.Containers[0]. That’s fine with the current single-container pod, but if a sidecar is ever added that also needs proxy access, it will miss the CA bundle. A small helper that appends the volumeMount to all containers would future‑proof this.pkg/cli/admin/nodeimage/create_test.go (1)
233-281: Strengthen the user‑CA bundle test with path/key assertionsThe new test:
"node-joiner pod should mount user-ca-bundle as a volume if it is available and a proxy is configured"correctly verifies that:
- the pod spec includes a
Volumenameduser-ca-bundle, and- container 0 has a
VolumeMountfor that volume.To better guard the regression this PR is fixing, consider tightening the assertions to also check:
- the
Volume’sConfigMapsource hasName == "user-ca-bundle"and anItemsentry mappingKey: "ca-bundle.crt"toPath: "tls-ca-bundle.pem", and- the
VolumeMount’sMountPathequals/etc/pki/ca-trust/extracted/pem.That way, any accidental change to the key, filename, or mount path (which are critical for the CA trust flow) will be caught by this test.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting
📒 Files selected for processing (3)
pkg/cli/admin/nodeimage/create.go(1 hunks)pkg/cli/admin/nodeimage/create_test.go(7 hunks)pkg/cli/admin/nodeimage/monitor_test.go(1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
**
⚙️ CodeRabbit configuration file
-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.
Files:
pkg/cli/admin/nodeimage/create.gopkg/cli/admin/nodeimage/monitor_test.gopkg/cli/admin/nodeimage/create_test.go
🔇 Additional comments (2)
pkg/cli/admin/nodeimage/monitor_test.go (1)
87-87: UpdatedcreateFakescall wiring looks correctPassing
nilfor the newclientObjshook matches the updated helper signature and is appropriate here since the monitor tests don’t require extra cluster objects.pkg/cli/admin/nodeimage/create_test.go (1)
134-148: Refactored test wiring between core client and config client looks consistentThe introduction of:
configObjects func(string, string) []runtime.Objectin the test case struct, and- the updated
createFakes(t, podName, clientObjs)helper that seeds the core client,cleanly separates:
- core client objects (e.g., the
user-ca-bundleConfigMap viatc.objects→ passed intocreateFakes→fake.NewSimpleClientset), from- config client objects (e.g.,
ClusterVersion,Proxyviatc.configObjects→configv1fake.NewSimpleClientset).This mirrors how production code uses the two clients and ensures:
- the “missing cluster connection” case is driven by omitting
ClusterVersioninconfigObjects, and- proxy-related tests see
configv1.Proxyonly through the config client.The updated
createFakesimplementation correctly:
- derives the repo/digest from the fake registry and passes them into
clientObjs, and- seeds the fake core client with those runtime.Objects before attaching the pod-creation reactor.
This restructuring looks sound and keeps tests maintainable as more config-side objects are introduced.
Also applies to: 152-161, 166-187, 193-232, 283-287, 291-305, 592-604
|
/remove-lifecycle stale |
5 participants
When a proxy is configured with a self-signed certificate, the certificate needs to be made available to the node-joiner pod to allow it to communicate with the proxy.
It is assumed that the proxy certificate is configured in the cluster proxy spec as
The certificate is stored in a config map named "user-ca-bundle" in the "openshift-config" namespace in a file named ca-bundle.crt.
If the certificate is included in the additionalTrustBundle field in install-config.yaml prior to cluster installation, the proxy and user-ca-bundle is automatically configured as illustrated
above.
Previously, the certificate wasn't mounted to the node-joiner pod so that when the pod attempted to pull images through the proxy, it failed.
Now the user-ca-bundle config map is copied to the node-joiner pod's namespace and the certificate is mounted and made available as /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.