Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix custom CA certificates for task/web/migration #1846

Merged
merged 2 commits into from
Jun 6, 2024
Merged

Fix custom CA certificates for task/web/migration #1846

merged 2 commits into from
Jun 6, 2024

Conversation

JoelKle
Copy link
Contributor

@JoelKle JoelKle commented Apr 30, 2024

SUMMARY

This PR fixes the usage of custom CA certificates in the migration job and improves the existing implementation in the task & web deployment.
During the upgrade to awx 24.0.0, a new pod is created for migration. This pod doesnt contain the custom ca certificate and fails when using external postgres with verify enabled.

PR fixes: #1782
Follow up / Improves: #1800

ISSUE TYPE
  • Bug, Docs Fix or other nominal change
ADDITIONAL INFORMATION

This PR is based on the great work of @YassineFadhlaoui in #1782 (comment) and @akkaba23 in #1800 (comment)

The following has changed:

  • Added a new init container init-bundle-ca-trust to the task + web deployment and to the migration job

    • the init container runs the update-ca-trust extract if bundle_ca_crt is set.
    • I've added a new init container for the following reasons:
      • this init container need to run before all other init containers
      • only this init container requires runAsUser: 0

  • Removed the update-ca-trust command from the init container init-receptor because it will run once in the new init container init-bundle-ca-trust

  • Removed the mounting of the volume {{ ansible_operator_meta.name }}-bundle-cacert from containers that really do not need it

  • Added the whole bundle_ca_crt logic to the migration job

I've successfully tested that change during my upgrade from awx-operator v2.12.1 to v2.15.0

This was referenced Apr 30, 2024
Closed
Closed
@akkaba23
Copy link

Thank you for the nice work done on this PR @JoelKle .

@JoelKle
Copy link
Contributor Author

JoelKle commented May 7, 2024

@rooftopcellist @fosterseth Could you have a look on this PR? Thx :)

rooftopcellist
rooftopcellist reviewed May 15, 2024
View reviewed changes
roles/installer/templates/deployments/web.yaml.j2 Outdated
Comment on lines 88 to 90
securityContext:
runAsUser: 0
runAsGroup: 0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JoelKle This will break on Openshift. Can we template this in only if is_k8s=true?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did update-ca-trust extract require more permissions than just update-ca-trust? I am trying to understand why the securityContext bit was added.

Copy link
Contributor Author

@JoelKle JoelKle May 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed the whole securityContext block from this PR. Now the init-container behaves as before.
@rooftopcellist Is this fine for you?

TL;DR
Withouth the runAsUser: 0 parameter the init-container runs the update-ca-trust command as uid=1000(awx) gid=0(root). That means the files in the folder /etc/pki/ca-trust/extracted are owned by awx:root
With the runAsUser: 0 parameter all files are owned by root:root which is more accurate.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The update-ca-trust extract behaves the same as withouth the extract. However with the extract the command may print more warnings, ...
Check the manpage of update-ca-trust extract > "COMMANDS"

@JoelKle JoelKle requested a review from rooftopcellist May 16, 2024 13:34
@JoelKle
Copy link
Contributor Author

JoelKle commented Jun 3, 2024

@rooftopcellist Are there any other blocker for you?

@rooftopcellist
Copy link
Member

rooftopcellist commented Jun 3, 2024
edited
Loading

@JoelKle thanks for following up, and sorry for the delay here. Could you please rebase to resolve the conflicts? We'll see if CI passes on the run kicked off by pushing the rebased branch.

I just checked the CI failure, and it looks like it was flake, so once rebased I think we will be good.

JoelKle added 2 commits June 4, 2024 08:47
@JoelKle
Fix bundle_ca_crt for task/web/migration
9a9a785 
- added a new init container init-bundle-ca-trust
- added volume ca-trust-extracted to the migration job
- added volume ca-trust-extracted to the init container init-database
- removed volume bundle-ca from all follow-up containers
@JoelKle
remove securityContext for init-bundle-ca-trust
6819830
@JoelKle
Copy link
Contributor Author

JoelKle commented Jun 4, 2024

@rooftopcellist Rebase done. Look like the CI run needs your approval?

@rooftopcellist rooftopcellist enabled auto-merge (squash) June 6, 2024 02:56
@rooftopcellist rooftopcellist merged commit c696eda into ansible:devel Jun 6, 2024
7 checks passed
@JoelKle JoelKle deleted the fix/bundle_ca branch June 6, 2024 06:08
@ppmathis ppmathis mentioned this pull request Oct 26, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rooftopcellist rooftopcellist rooftopcellist approved these changes

Assignees
No one assigned
Labels
community
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AWX database migration job fail when using custom CA certificate
3 participants
@JoelKle @akkaba23 @rooftopcellist