add temporary hack to copy service ca to cluster nodes #72

Merged
merged 1 commit into from
Nov 22, 2018

bparees (Contributor) commented Nov 20, 2018

This is a temporary hack to ensure the service-ca (which signs the registry service) gets copied to the host nodes.

In the future this needs to be replaced/enhanced in such a way that

  1. it needs fewer privileges (probably)
  2. should use the base image from the release, not centos
  3. the image-registry operator reports on the state of the daemonset as part of the registry operator status
  4. we also copy down additional CAs that are configured in the cluster that represent other registries the nodes may need to pull from (i.e. image.config.openshift.io's additionalCA configmap).

@openshift-ci-robot openshift-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 20, 2018
bparees (Contributor Author) commented Nov 20, 2018

@derekwaynecarr @mrunalp ptal

bparees (Contributor Author) commented Nov 20, 2018

@dmage @legionus fyi

bparees (Contributor Author) commented Nov 20, 2018

/retest

- "/bin/sh"
args:
- "-c"
- "mkdir /etc/docker/certs.d/image-registry.openshift-image-registry.svc.cluster.local:5000; cp /tmp/serviceca/service-ca.crt /etc/docker/certs.d/image-registry.openshift-image-registry.svc.cluster.local:5000; sleep 60"
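
Review bot: the three commands in the `-c` string are joined with `;`, so a failed `mkdir` or `cp` is ignored and the container still sleeps 60 seconds and exits 0 without the CA having been copied. Because the container is re-run every minute, `mkdir` without `-p` will also report an error on every run where the directory already exists (assuming /etc/docker/certs.d is a host mount that persists across restarts). Suggest `mkdir -p` and chaining with `&&` (`mkdir -p ... && cp ... && sleep 60`) so that a copy failure surfaces as a non-zero exit.
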
Member

what is the sleep for?

Contributor Author

so the pod dies every minute and restarts, which will cause it to pick up any change to the CA in the configmap and re-copy it.

@bparees bparees added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 21, 2018
@openshift-ci-robot openshift-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 21, 2018
bparees (Contributor Author) commented Nov 21, 2018

@ironcladlou fyi this (temporarily) fixes the CA trust issue for the registry.

@smarterclayton not sure who's around who can review this, maybe you can?

@bparees bparees removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 21, 2018
smarterclayton (Contributor)

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 21, 2018
openshift-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees, smarterclayton

Needs approval from an approver in each of these files:
  • OWNERS [bparees,smarterclayton]


openshift-bot (Contributor)

/retest

Please review the full test history for this PR and help us cut down flakes.

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
6 participants