NO-ISSUE: Handle service-ca cert availability/rotation #436
Conversation
There is problem when the service-ca certificate is not available at pod start. This is an issue because the SystemCertPool is created from SSL_CERT_DIR, which may include the empty service-ca. The SystemCertPool is never regenerated during the lifetime of the program execution, so it will never get updated when the service-ca is filled. Thus, we need to use --pull-cas-dir to reference the CAs that we want to use. This will also allow OLMv1 to reload the service-ca when it is reloaded (after 2 years, mind you). Removing the SSL_CERT_DIR setting, and adding the --pull-cas-dir flag ought to be equivalent to what we have now (i.e. SSL_CERT_DIR and no --pull-cas-dir), except that rotation will be handled better. Signed-off-by: Todd Short <[email protected]>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: tmshort The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/payload-aggregate openshift-e2e-aws-techpreview 5 |
|
@tmshort: trigger 0 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command |
|
/payload-aggregate ci/prow/openshift-e2e-aws-techpreview 5 |
|
/payload-aggregate periodic-ci-openshift-release-master-ci-4.20-e2e-aws-ovn-techpreview 10 |
|
@tmshort: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/ba047b60-79db-11f0-821b-e294e8e344e7-0 |
tmshort
changed the title
|
@tmshort: This pull request explicitly references no jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
|
@camilamacedo86: This PR was included in a payload test run from #430
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/84478cd0-79f7-11f0-868c-f17f1c5c9461-0 |
|
/test openshift-e2e-aws-techpreview |
|
/test openshift-e2e-aws-techpreview |
|
/test openshift-e2e-aws-techpreview |
|
/test openshift-e2e-aws-techpreview |
|
@tmshort: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/test openshift-e2e-aws-techpreview |
|
Neither of the 6th runs of openshift-e2e-aws openshift-e2e-aws-techpreview had the problem indicator (i.e. empty service-ca), so they need to be run again anyways. |
openshift-merge-bot
bot
merged commit 1a9f810
into
openshift:main
|
[ART PR BUILD NOTIFIER] Distgit: ose-olm-operator-controller |
|
[ART PR BUILD NOTIFIER] Distgit: ose-olm-catalogd |
There is a problem when the service-ca certificate is not available at pod start. This is an issue because the SystemCertPool is created from SSL_CERT_DIR, which may include the empty service-ca. The SystemCertPool is never regenerated during the lifetime of the program execution, so it will never get updated when the service-ca is filled. Thus, we need to use --pull-cas-dir to reference the CAs that we want to use. This will also allow OLMv1 to reload the service-ca when it is reloaded (after 2 years, mind you). Removing the SSL_CERT_DIR setting, and adding the --pull-cas-dir flag ought to be equivalent to what we have now (i.e. SSL_CERT_DIR and no --pull-cas-dir), except that rotation will be handled better.