Skip to content

USHIFT-2455 USHIFT-2456 USHIFT-2457 USHIFT-2458: Introduce adding Custom CA certs for API endpoint #3130

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 11, 2024
Merged

USHIFT-2455 USHIFT-2456 USHIFT-2457 USHIFT-2458: Introduce adding Custom CA certs for API endpoint #3130

merged 4 commits into from
Apr 11, 2024

Conversation

eslutsky
Copy link
Contributor

No description provided.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 10, 2024
@openshift-ci-robot
Copy link

openshift-ci-robot commented Mar 10, 2024
edited by openshift-ci bot
Loading

@eslutsky: This pull request references USHIFT-2458 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.16.0" version, but no target version was set.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 10, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Mar 10, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 10, 2024
@eslutsky eslutsky force-pushed the USHIFT-2458-Certs-RF-Tests branch 2 times, most recently from f93b3fe to 0871763 Compare March 13, 2024 08:55
@eslutsky eslutsky mentioned this pull request Mar 13, 2024
Closed
@eslutsky eslutsky changed the title USHIFT-2458: add custom certificate e2e tests USHIFT-2458: introduce custom certificates Mar 13, 2024
This was referenced Mar 13, 2024
Closed
Closed
@eslutsky eslutsky changed the title USHIFT-2458: introduce custom certificates USHIFT-2101: Introduce adding Custom CA certs for API endpoint Mar 13, 2024
@openshift-ci-robot
Copy link

openshift-ci-robot commented Mar 13, 2024
edited by openshift-ci bot
Loading

@eslutsky: This pull request references USHIFT-2101 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "4.16.0" version, but no target version was set.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@eslutsky eslutsky force-pushed the USHIFT-2458-Certs-RF-Tests branch from 0871763 to 4efac90 Compare March 13, 2024 15:34
@eslutsky
Copy link
Contributor Author

/test all

@eslutsky eslutsky force-pushed the USHIFT-2458-Certs-RF-Tests branch 3 times, most recently from 1dc3727 to d3208bc Compare March 14, 2024 14:06
@eslutsky
Copy link
Contributor Author

/test all

@eslutsky eslutsky force-pushed the USHIFT-2458-Certs-RF-Tests branch from d3208bc to fb4ee76 Compare March 27, 2024 15:35
@eslutsky
Copy link
Contributor Author

/test all

@eslutsky eslutsky force-pushed the USHIFT-2458-Certs-RF-Tests branch from fb4ee76 to 0aa849a Compare March 27, 2024 15:48
@eslutsky
Copy link
Contributor Author

/test all

@eslutsky eslutsky force-pushed the USHIFT-2458-Certs-RF-Tests branch from 0aa849a to c09851e Compare March 28, 2024 10:36
@eslutsky eslutsky marked this pull request as ready for review March 28, 2024 10:37
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 28, 2024
@eslutsky eslutsky changed the title USHIFT-2101: Introduce adding Custom CA certs for API endpoint WIP: USHIFT-2101: Introduce adding Custom CA certs for API endpoint Mar 28, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 28, 2024
@openshift-ci openshift-ci bot requested review from dhellmann and pliurh March 28, 2024 10:38
@eslutsky eslutsky force-pushed the USHIFT-2458-Certs-RF-Tests branch 4 times, most recently from 320ece3 to d20d640 Compare April 2, 2024 11:30
pmtk
pmtk reviewed Apr 2, 2024
View reviewed changes
Copy link
Member

@pmtk pmtk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just couple, rather minor, comments, but maybe someone more knowledgeable about certs could take a look

pkg/controllers/kube-apiserver.go
},
}
// prepend the named certs to the beginning of the slice (so it will take precedence for same SNI)
namedCerts = append(cert, namedCerts...)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, so that works functionally.

Just FYI: This is very inefficient. Go will check capacity of cert and since it's 1, it will allocate new slice. This will happen for all iterations of the loop. We don't expect huge amounts of data in the slice so it's "alright"

pacevedom
pacevedom reviewed Apr 2, 2024
View reviewed changes
@eslutsky eslutsky force-pushed the USHIFT-2458-Certs-RF-Tests branch from d20d640 to b511e24 Compare April 4, 2024 12:39
ggiguash
ggiguash suggested changes Apr 7, 2024
View reviewed changes
@eslutsky eslutsky force-pushed the USHIFT-2458-Certs-RF-Tests branch from b511e24 to a1fc792 Compare April 8, 2024 09:58
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 8, 2024
@eslutsky eslutsky force-pushed the USHIFT-2458-Certs-RF-Tests branch from a1fc792 to fe5539b Compare April 8, 2024 12:39
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 8, 2024
@eslutsky eslutsky force-pushed the USHIFT-2458-Certs-RF-Tests branch from fe5539b to a40e8fb Compare April 8, 2024 13:14
@eslutsky eslutsky requested a review from pacevedom April 9, 2024 07:45
@eslutsky eslutsky changed the title USHIFT-2101: Introduce adding Custom CA certs for API endpoint USHIFT-2455 USHIFT-2456 USHIFT-2457 USHIFT-2458: Introduce adding Custom CA certs for API endpoint Apr 9, 2024
@openshift-ci-robot
Copy link

openshift-ci-robot commented Apr 9, 2024
edited by openshift-ci bot
Loading

@eslutsky: This pull request references USHIFT-2458 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.16.0" version, but no target version was set.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

pmtk
pmtk reviewed Apr 11, 2024
View reviewed changes
pkg/cmd/init.go
@@ -408,6 +408,60 @@ func initKubeconfigs(
klog.Warningf("Unable to remove stale kubeconfigs: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just realized, do we cleanup stale kubeconfigs for NamedCertificates no longer present in the config?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes its taken cared before generating the kubeconfig by running cleanupStaleKubeconfigs, https://github.com/openshift/microshift/blob/main/pkg/cmd/init.go#L407

pmtk
pmtk reviewed Apr 11, 2024
View reviewed changes
pmtk
pmtk reviewed Apr 11, 2024
View reviewed changes
Copy link
Member

@pmtk pmtk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two minor things, otherwise it looks pretty good

@eslutsky eslutsky force-pushed the USHIFT-2458-Certs-RF-Tests branch from a40e8fb to 3acbfc1 Compare April 11, 2024 13:08
@pmtk
Copy link
Member

pmtk commented Apr 11, 2024

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 11, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Apr 11, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: eslutsky, pmtk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Apr 11, 2024

@eslutsky: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit a372f80 into openshift:main Apr 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dhellmann dhellmann Awaiting requested review from dhellmann

@pliurh pliurh Awaiting requested review from pliurh

@pacevedom pacevedom Awaiting requested review from pacevedom

2 more reviewers

@pmtk pmtk pmtk left review comments

@ggiguash ggiguash ggiguash requested changes

Reviewers whose approvals may not affect merge requirements
Assignees

@pmtk pmtk

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@eslutsky @openshift-ci-robot @pmtk @pacevedom @ggiguash @openshift-merge-robot