Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mount CA bundles in Tekton components as well #648

Merged
merged 1 commit into from
Mar 4, 2022
Merged

Mount CA bundles in Tekton components as well #648

merged 1 commit into from
Mar 4, 2022

Conversation

concaf
Copy link
Contributor

@concaf concaf commented Mar 3, 2022
edited
Loading

Changes

Prior to this commit, the CA bundles were:

  • mounted inside containers
  • exposed via VolumeMounts and SSL_CERT_DIR
    only in TaskRun pods via pkg/reconciler/proxy/proxy.go but were not
    exposed in Tekton components controllers like pipelines, triggers and
    chains via pkg/reconciler/openshift/common/cabundle.go.

This meant that these Tekton components could not talk to internal
OpenShift services or to hosts for which users added certificates to the
cluster via CA bundles.

One case where this is a problem is when the Chains controller wants to
pull images from the internal OpenShift registry to sign and then push
the signatures, attestations back to it since it does not have access to
the Service CA Bundle.

This commit abstracts away the exposure of certificates via Volumes,
VolumeMounts and SSL_CERT_DIR in pkg/reconciler/common/certificates.go
and makes this behavior the same for both TaskRuns and controllers which
want to mount these certificates.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

See the contribution guide for more details.

NONE

@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Mar 3, 2022
@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Mar 3, 2022
@tekton-robot
Copy link
Contributor

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/common/certificates.go Do not exist 0.0%
pkg/reconciler/openshift/common/cabundle.go 67.5% 77.3% 9.8

@concaf concaf force-pushed the concaf/fix/ssl-certs-components branch from 3640c35 to 76b1431 Compare March 4, 2022 07:46
@tekton-robot
Copy link
Contributor

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/common/certificates.go Do not exist 0.0%
pkg/reconciler/openshift/common/cabundle.go 67.5% 77.3% 9.8

@concaf concaf force-pushed the concaf/fix/ssl-certs-components branch from 76b1431 to 8a95b19 Compare March 4, 2022 08:07
@tekton-robot
Copy link
Contributor

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/common/certificates.go Do not exist 0.0%
pkg/reconciler/openshift/common/cabundle.go 67.5% 77.3% 9.8
pkg/reconciler/proxy/proxy.go 11.2% 3.7% -7.6

@concaf
Copy link
Contributor Author

concaf commented Mar 4, 2022

/retest

@concaf concaf force-pushed the concaf/fix/ssl-certs-components branch from 8a95b19 to be51c09 Compare March 4, 2022 09:16
@tekton-robot
Copy link
Contributor

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/common/certificates.go Do not exist 0.0%
pkg/reconciler/openshift/common/cabundle.go 67.5% 77.3% 9.8
pkg/reconciler/proxy/proxy.go 11.2% 3.7% -7.6

@concaf concaf force-pushed the concaf/fix/ssl-certs-components branch from be51c09 to 0fef2a0 Compare March 4, 2022 11:40
@concaf
Mount CA bundles in Tekton components as well
d538041 
Prior to this commit, the CA bundles were:
- mounted inside containers
- exposed via VolumeMounts and SSL_CERT_DIR
only in TaskRun pods via `pkg/reconciler/proxy/proxy.go` but were not
exposed in Tekton components controllers like pipelines, triggers and
chains via `pkg/reconciler/openshift/common/cabundle.go`.

This meant that these Tekton components could not talk to internal
OpenShift services or to hosts for which users added certificates to the
cluster via CA bundles.

One case where this is a problem is when the Chains controller wants to
pull images from the internal OpenShift registry to sign and then push
the signatures, attestations back to it since it does not have access to
the Service CA Bundle.

This commit abstracts away the exposure of certificates via Volumes,
VolumeMounts and SSL_CERT_DIR in `pkg/reconciler/common/certificates.go`
and makes this behavior the same for both TaskRuns and controllers which
want to mount these certificates.
@concaf concaf force-pushed the concaf/fix/ssl-certs-components branch from 0fef2a0 to d538041 Compare March 4, 2022 11:40
@concaf concaf changed the title Mount certs in component controllers as well Mount CA bundles in Tekton components as well Mar 4, 2022
@tekton-robot tekton-robot added release-note-none Denotes a PR that doesnt merit a release note. and removed release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Mar 4, 2022
@concaf concaf marked this pull request as ready for review March 4, 2022 11:41
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 4, 2022
@tekton-robot
Copy link
Contributor

The following is the coverage report on the affected files.
Say /test pull-tekton-operator-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/common/certificates.go Do not exist 0.0%
pkg/reconciler/openshift/common/cabundle.go 67.5% 77.3% 9.8
pkg/reconciler/proxy/proxy.go 11.2% 3.7% -7.6

@sm43
Copy link
Member

sm43 commented Mar 4, 2022

LGTM :)

@tekton-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 4, 2022
@nikhil-thomas
Copy link
Member

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 4, 2022
@tekton-robot tekton-robot merged commit b1d7404 into tektoncd:main Mar 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vdemeester vdemeester vdemeester approved these changes

@piyush-garg piyush-garg Awaiting requested review from piyush-garg

@pradeepitm12 pradeepitm12 Awaiting requested review from pradeepitm12

Assignees

@nikhil-thomas nikhil-thomas

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesnt merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@concaf @tekton-robot @sm43 @nikhil-thomas @vdemeester