[release-v1.11] Trust manager integration #493

pierDipi
Member

No description provided.

openshift-ci bot commented Jan 17, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@pierDipi
Member Author

/test 411-test-encryp-9732689-aws-ocp-411

@pierDipi
Member Author

/test 414-test-encryp-9732689-aws-ocp-414

@pierDipi
Member Author

/test 414-test-encryp-9732689-aws-ocp-414

@pierDipi
Member Author

/test 411-test-encryp-9732689-aws-ocp-411

@pierDipi
Member Author

pierDipi commented Jan 22, 2024


/go/src/github.com/openshift-knative/serverless-operator/go.mod:5: unknown directive: toolchain

This needs openshift-knative/serverless-operator#2451

@pierDipi pierDipi force-pushed the trust-manager-integration-v1.11 branch from c32163c to 4af988a Compare January 22, 2024 15:46
@pierDipi
Member Author

/test 414-test-encryp-9732689-aws-ocp-414
/test 411-test-encryp-9732689-aws-ocp-411

@pierDipi
Member Author

/test 414-test-encryp-9732689-aws-ocp-414
/test 411-test-encryp-9732689-aws-ocp-411

@pierDipi pierDipi force-pushed the trust-manager-integration-v1.11 branch from efa1aca to c6c1ee7 Compare January 23, 2024 14:00
@pierDipi
Member Author

/test 414-test-encryp-9732689-aws-ocp-414
/test 411-test-encryp-9732689-aws-ocp-411

@pierDipi
Member Author

/test 414-test-encryp-9732689-aws-ocp-414

@pierDipi
Member Author

/test 411-test-encryp-9732689-aws-ocp-411

@pierDipi
Member Author

/test ?

openshift-ci bot commented Jan 23, 2024

@pierDipi: The following commands are available to trigger required jobs:

  • /test 411-images
  • /test 411-test-conformance-aws-ocp-411
  • /test 411-test-e2e-aws-ocp-411
  • /test 411-test-encryp-9732689-aws-ocp-411
  • /test 411-test-reconciler-aws-ocp-411
  • /test 414-images
  • /test 414-test-conformance-aws-ocp-414
  • /test 414-test-e2e-aws-ocp-414
  • /test 414-test-encryp-9732689-aws-ocp-414
  • /test 414-test-reconciler-aws-ocp-414

Use /test all to run all jobs.

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@pierDipi
Member Author

/test 414-test-encryp-9732689-aws-ocp-414

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
* Trust-manager integration

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Add E2E tests

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Fix linter and format Go code

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Upgrade rekt

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Reference Eventing CA issuer in E2E tests

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Force GVK in sources when propagating trust bundle

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Format Go code

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* SinkBinding reconciler needs to create/update/delete trust bundle configmaps

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Upgrade rekt deps

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Add Deployment volumes for SinkBinding tests

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Fix CA certs bundle and https endpoint assertions

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Pass TrustBundleConfigMapLister in PingSource runner

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Fix adapter create informer logic for trust bundle ConfigMaps

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Remove propagate configmaps in ContainerSource reconciler as is done in SB reconciler

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Inject trust bundles as volumes in sinkbinding reconciler

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Inject trust-bundle to SinkBinding subjects

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

* Fix lister ctx injection

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

---------

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
This allows administrators to dynamically add trust-bundles that
are picked by clients when connecting to new hosts.

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
@pierDipi pierDipi force-pushed the trust-manager-integration-v1.11 branch from fc4872a to da5b6ae Compare January 23, 2024 16:51
@pierDipi
Member Author

/test 414-test-encryp-9732689-aws-ocp-414
/test 411-test-encryp-9732689-aws-ocp-411

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
@pierDipi pierDipi force-pushed the trust-manager-integration-v1.11 branch from fbd86d0 to f2c792a Compare January 25, 2024 10:19
@pierDipi
Member Author

/test 414-test-encryp-9732689-aws-ocp-414
/test 411-test-encryp-9732689-aws-ocp-411

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
@pierDipi
Member Author

/test 414-test-encryp-9732689-aws-ocp-414
/test 411-test-encryp-9732689-aws-ocp-411

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
@pierDipi
Member Author

/test 414-test-encryp-9732689-aws-ocp-414
/test 411-test-encryp-9732689-aws-ocp-411

@pierDipi pierDipi changed the title [WIP] [release-v1.11] Trust manager integration [release-v1.11] Trust manager integration Jan 25, 2024
@pierDipi pierDipi marked this pull request as ready for review January 25, 2024 15:49
@openshift-ci openshift-ci bot requested review from aliok and lberk January 25, 2024 15:49
@Cali0707
Member

/cc @Cali0707

@openshift-ci openshift-ci bot requested a review from Cali0707 January 25, 2024 15:52
@Cali0707
Member

/retest-required

@@ -21,3 +21,4 @@ metadata:
app.kubernetes.io/version: devel
app.kubernetes.io/name: knative-eventing
config.openshift.io/inject-trusted-cabundle: "true"
networking.knative.dev/trust-bundle: "true"
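
Review bot: the labels at the end of this hunk now put both config.openshift.io/inject-trusted-cabundle: "true" and networking.knative.dev/trust-bundle: "true" on the same object, with no comment saying why both are needed or which component consumes each. Consider adding a YAML comment above the trust-bundle label stating that the injected CA bundle is intended to be used as a Knative trust bundle, because with both labels set, whatever is injected into this object also becomes part of what consumers of the trust-bundle label will trust.
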
Member

Is this just an extra label, so that Knative can use the injected bits in addition?

Member Author

@pierDipi pierDipi Jan 26, 2024

Yes, so that we can move away from custom patches eventually

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
@pierDipi
Member Author

/retest

@pierDipi pierDipi requested a review from matzew January 26, 2024 08:29
@pierDipi
Member Author

INFO[2024-01-26T08:34:00Z] Setting the cluster to Cincinnati instance: https://api.integration.openshift.com/api/upgrades_info/graph
{"component":"entrypoint","file":"k8s.io/test-infra/prow/entrypoint/run.go:169","func":"k8s.io/test-infra/prow/entrypoint.Options.ExecuteProcess","level":"error","msg":"Process did not finish before 2m0s timeout","severity":"error","time":"2024-01-26T08:29:04Z"}

/retest

@pierDipi
Member Author

@matzew @Cali0707 all tests are passing now. I had to create the bundle on installation, as TLS bundle tests are running in regular jobs as it's not behind a feature flag.

Member

@matzew matzew left a comment

/lgtm
/approve

openshift-ci bot commented Jan 26, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: matzew, pierDipi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 8c8de08 into openshift-knative:release-v1.11 Jan 26, 2024
11 checks passed
@pierDipi pierDipi deleted the trust-manager-integration-v1.11 branch January 26, 2024 10:05