-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API-1789: update-tls-artifacts: ondisk metadata updates, techpreview data and required tests #28868
base: master
Are you sure you want to change the base?
Conversation
/payload-job periodic-ci-openshift-release-master-ci-4.17-e2e-aws-ovn periodic-ci-openshift-release-master-ci-4.17-e2e-azure-ovn periodic-ci-openshift-release-master-ci-4.17-e2e-gcp-ovn periodic-ci-openshift-release-master-nightly-4.17-e2e-metal-ipi-ovn-bm periodic-ci-openshift-release-master-nightly-4.17-e2e-vsphere-ovn-serial periodic-ci-openshift-release-master-nightly-4.17-e2e-aws-ovn-single-node |
Skipping CI for Draft Pull Request. |
@vrutkovs: trigger 6 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/4af16a50-275a-11ef-81fb-0bb21a10eda8-0 |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: vrutkovs The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
db67ecf
to
ffd18d4
Compare
/payload-job periodic-ci-openshift-release-master-ci-4.17-e2e-aws-ovn periodic-ci-openshift-release-master-ci-4.17-e2e-azure-ovn periodic-ci-openshift-release-master-ci-4.17-e2e-gcp-ovn periodic-ci-openshift-release-master-nightly-4.17-e2e-metal-ipi-ovn-bm periodic-ci-openshift-release-master-nightly-4.17-e2e-vsphere-ovn-serial periodic-ci-openshift-release-master-nightly-4.17-e2e-aws-ovn-single-node |
@vrutkovs: trigger 6 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/ff288a00-27b7-11ef-992a-c878d15d4ad3-0 |
1d7ad2e
to
c2f208d
Compare
fe80539
to
a61b9db
Compare
@vrutkovs: This pull request explicitly references no jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
a61b9db
to
bebb467
Compare
Job Failure Risk Analysis for sha: bebb467
|
bebb467
to
936d5f6
Compare
Job Failure Risk Analysis for sha: 936d5f6
|
) | ||
} | ||
} | ||
if currCertKeyPair.OnDiskLocation != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know how stable the API is yet, but would it make sense to have a discriminated union for artifact locations? If both or neither location field is nil, the interpretation is ambiguous and probably indicates an error. This looks like if both location fields are nil, the entry is ignored, and if both are non-nil, the presence of an on-disk location is ignored.
The certKeyInfo and certificateAuthorityBundleInfo fields seem to be independent of location, why are they fields of the location types instead of sibling fields to location?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know how stable the API is yet
Feel free to suggest changes - these annotations are not widely used outside of control group, so now is a good time to improve them.
This looks like if both location fields are nil, the entry is ignored
We'll need to throw an error when this happens - TLS artifact is useless if we can't trace it back to an object or file.
and if both are non-nil, the presence of an on-disk location is ignored.
Correct - cluster objects are preferred as they can be annotated. Ondisk only certificates need to have their metadata set in origin repo here
@@ -73,12 +73,12 @@ func (o annotationRequirement) generateInspectionMarkdown(pkiInfo *certs.PKIRegi | |||
|
|||
for i := range pkiInfo.CertKeyPairs { | |||
curr := pkiInfo.CertKeyPairs[i] | |||
if curr.InClusterLocation == nil { | |||
certKeyInfo := GetCertKeyPairInfo(curr) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Similar comment about the API shape here. This looks like it's working around the fact that "info" lives inside "location". Does it need to be that way?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
API can be changed, yes. TLS artifact locations are being backfilled with matching info here to build reports easier but it could as well be the other way around
owner := curr.InClusterLocation.CertKeyInfo.OwningJiraComponent | ||
regenerates, _ := AnnotationValue(curr.InClusterLocation.CertKeyInfo.SelectedCertMetadataAnnotations, o.GetAnnotationName()) | ||
owner := certKeyInfo.OwningJiraComponent | ||
regenerates, _ := AnnotationValue(certKeyInfo.SelectedCertMetadataAnnotations, o.GetAnnotationName()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does the regenerates
identifier here and below pre-date making this check parameterized by o.annotationName
?
Could there ever be a case where the empty string is a valid value for some required annotation? Why is this checking for the empty string value instead of annotation presence?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good idea, in description case we want to check both - mark it as a violation when its either not set or empty (currently we have a mix of both).
Other requirements may want to consider empty string as valid
continue | ||
} | ||
owner := curr.InClusterLocation.CABundleInfo.OwningJiraComponent | ||
regenerates, _ := AnnotationValue(curr.InClusterLocation.CABundleInfo.SelectedCertMetadataAnnotations, o.GetAnnotationName()) | ||
owner := caBundleInfo.OwningJiraComponent |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note to me: Empty owner is validated separately.
- [Unknown (9)](#Unknown-9) | ||
- [Certificates (3)](#Certificates-3) | ||
- [Certificate Authority Bundles (6)](#Certificate-Authority-Bundles-6) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
New generated markdown for file-based certs and CA bundles here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
tls/descriptions/descriptions.md
Outdated
- [Unknown (9)](#Unknown-9) | ||
- [Certificates (3)](#Certificates-3) | ||
- [Certificate Authority Bundles (6)](#Certificate-Authority-Bundles-6) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
9978da3
to
0db71c2
Compare
Job Failure Risk Analysis for sha: 0db71c2
|
@@ -14,17 +14,17 @@ const UnknownOwner = "Unknown" | |||
|
|||
var ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am afraid that I am missing the point.
Isn't /var/lib/kubelet/pki/kubelet-client-current.pem covered as a on-disk cert?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, good catch - we don't scan this directory. So far its limited to this list
0db71c2
to
4f1b3c5
Compare
Job Failure Risk Analysis for sha: 4f1b3c5
|
ccdf266
to
9391486
Compare
Job Failure Risk Analysis for sha: 9391486
|
b60b6bc
to
abdb681
Compare
Job Failure Risk Analysis for sha: abdb681
|
abdb681
to
af1abdc
Compare
Job Failure Risk Analysis for sha: af1abdc
|
0564ca6
to
4b43858
Compare
@vrutkovs: This pull request references API-1789 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
4b43858
to
02d2902
Compare
02d2902
to
11b058c
Compare
@vrutkovs: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Looking at https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/28868/pull-ci-openshift-origin-master-e2e-agnostic-ovn-cmd/1828381245009039360, do we already know why "all tls artifacts must be registered" and "all registered tls artifacts must have no metadata violation regressions" flaked? Presumably something broke during the BeforeAll node. |
OK, seems like this is just what the test report looks like when we make a Ginkgo spec flake directly, and the spec isn't actually being run twice. |
make TLS artifacts tests requiredmoving this to new PR so that it would be easier to revert/reapplyTODO:
/etc/kubernetes/ca.crt
?