Add support for custom proxy ca #1293
Skipping CI for Draft Pull Request.
/test test-unit
I don't understand why we need isCustomCA if we already have a ToUploadCA field that is being passed to the MTLSTransport function.
Particularly what confuses me is that the logic is almost the same, only differing that if using a custom CA for proxy purposes we're getting it from an environment variable instead of file.
Could we standardise on one of the approaches to simplify the code and configuration? In both cases, a custom CA cert is passed.
I would say we can always read it from a file, as it is how it already works.
On a side note: SonarCloud complains that only about 50% of new code is being tested and the quality gate wants at least 70% of test coverage. Can you have a look at this, please?
@douglascamata From the diff in the PR in the open-cluster-management/api here, the CABundle is provided as []byte and not as a file path/name, and metricsclient in MCO reads from the file; that's why I added the flag to check for CustomCA -> multicluster-observability-operator/collectors/metrics/pkg/metricsclient/metricsclient.go Line 376 in d56f8c4
Yep, I understood this. I believe this adds extra complications, because both are custom CAs: the custom CA is needed to properly verify a server's certificate. The only difference between the two scenarios is that:
So I believe we should reuse the same mechanism for these two scenarios. Also, the filesystem approach has a big advantage: it's a file, which can be mounted from a secret/configmap. This means it can be managed by an operator and automatically reloaded without a restart of the collector if it ever changes. In fact, for the no-proxy scenario we already managed the certificate ourselves. For the proxy scenario, an operator like
Me and @coleenquadros had a chat and agreed that the idea I proposed seems difficult to introduce in the current codebase, even though it might seem like the right way to do it. So we will follow with the approach that she started and only change the logic inside the metrics collectors to always prefer the CA bundle in the
It looks good to me. But let's allow some time for QA to confirm this.
Ideally I would love the proxy scenario to be part of the tests in the repository itself to ensure a tight feedback loop while working on the proxy features, but I understand that it's not easy to replicate the scenario.
/retest-required
Signed-off-by: Coleen Iona Quadros <[email protected]>
Quality Gate failed. Failed conditions: 66.7% Coverage on New Code (required ≥ 70%). See analysis details on SonarCloud.
@coleenquadros: The following test failed, say
metrics pushed successfully from managed cluster with custom-ca bundle on QE test set up - logs
/lgtm
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: coleenquadros, douglascamata, subbarao-meduri.
* add support for proxy ca Signed-off-by: Coleen Iona Quadros <[email protected]> * refactor proxy ca parsing Signed-off-by: Coleen Iona Quadros <[email protected]> --------- Signed-off-by: Coleen Iona Quadros <[email protected]>
https://issues.redhat.com/browse/RHOBS-950
This PR contains - observability-managed-cluster-certs and pick up the env variable containing cert when setting up MTLS transport and add it to the cert pool.
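An added example, not code from this PR or from the multicluster-observability-operator project, of the single-pool approach the review discussion and the PR description converge on: the mounted CA file is always loaded, and a proxy CA taken from an env variable, if one is set, is appended to the same root pool that the mTLS transport verifies against. The env var name PROXY_CA_BUNDLE, the function names and the self-signed sample CA are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"os"
	"time"
)

const proxyCAEnv = "PROXY_CA_BUNDLE" // hypothetical name; the page does not give the real env var

// newMTLSTransport always loads caFile (the existing file mechanism) and, if proxyCAEnv is set, appends
// that CA to the same root pool. It returns how many CA sources were loaded alongside the transport.
func newMTLSTransport(caFile string, clientCerts []tls.Certificate) (*http.Transport, int, error) {
	fileCA, err := os.ReadFile(caFile)
	if err != nil {
		return nil, 0, err // the mounted CA file is the always-required mechanism
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(fileCA) { // false when no CERTIFICATE block parsed, e.g. a bad mount
		return nil, 0, fmt.Errorf("%s: no certificates parsed", caFile)
	}
	sources := 1
	// LookupEnv distinguishes "unset" (no proxy CA, fine) from "set but empty" (misconfiguration).
	if envPEM, set := os.LookupEnv(proxyCAEnv); set {
		if !pool.AppendCertsFromPEM([]byte(envPEM)) {
			return nil, 0, fmt.Errorf("%s: no certificates parsed", proxyCAEnv)
		}
		sources++
	}
	cfg := &tls.Config{RootCAs: pool, Certificates: clientCerts, MinVersion: tls.VersionTLS12}
	return &http.Transport{TLSClientConfig: cfg, Proxy: http.ProxyFromEnvironment}, sources, nil
}

// selfSignedCAPEM builds a throwaway CA certificate (constructed sample input, not a real bundle).
func selfSignedCAPEM() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: sample data only
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

A set-but-empty env var and an unreadable or non-PEM CA file both fail at transport construction rather than at the first TLS handshake against the proxy.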