Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OSASINFRA-3747: Prefer CA cert from credentials secret #1190

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

OSASINFRA-3747: Prefer CA cert from credentials secret #1190

wants to merge 1 commit into from

Conversation

stephenfin
Copy link

@stephenfin stephenfin commented Mar 12, 2025
edited
Loading

In openshift/cloud-credential-operator/pull/780, we have added the ability for cloud-credential-operator to consume a CA cert from the root credentials secret and to include in the credentials secrets it provisions.
In openshift/installer/pull/9194, we have modified the Installer to start setting this field where necessary.

Adapt cluster-image-registry-operator to allow it to start consuming the CA cert from this place. We maintain fallbacks for the previous locations of the cert for now, but these can be removed in the next release.

Dependencies:

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 12, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Mar 12, 2025
edited by openshift-ci bot
Loading

@stephenfin: This pull request references OSASINFRA-3747 which is a valid jira issue.

In response to this:

In openshift/cloud-credential-operator/pull/780, we have added the ability for cloud-credential-operator to consume a CA cert from the root credentials secret and to include in the credentials secrets it provisions.
In openshift/installer/pull/9194, we have modified the Installer to start setting this field where necessary.

Adapt cluster-image-registry-operator to allow it to start consuming the CA cert from this place. We maintain fallbacks for the previous locations of the cert for now, but these can be removed in the next release.

This needs wait for the CCO change to be approved before we merge this.

/hold

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 12, 2025
@EmilienM
Copy link
Member

/retest

@EmilienM
Copy link
Member

/test unit

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Mar 17, 2025

@EmilienM: No presubmit jobs available for openshift/cluster-image-registry-operator@main

In response to this:

/test unit

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Mar 27, 2025
edited by openshift-ci bot
Loading

@stephenfin: This pull request references OSASINFRA-3747 which is a valid jira issue.

In response to this:

In openshift/cloud-credential-operator/pull/780, we have added the ability for cloud-credential-operator to consume a CA cert from the root credentials secret and to include in the credentials secrets it provisions.
In openshift/installer/pull/9194, we have modified the Installer to start setting this field where necessary.

Adapt cluster-image-registry-operator to allow it to start consuming the CA cert from this place. We maintain fallbacks for the previous locations of the cert for now, but these can be removed in the next release.

Dependencies:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Mar 27, 2025
edited by openshift-ci bot
Loading

@stephenfin: This pull request references OSASINFRA-3747 which is a valid jira issue.

In response to this:

In openshift/cloud-credential-operator/pull/780, we have added the ability for cloud-credential-operator to consume a CA cert from the root credentials secret and to include in the credentials secrets it provisions.
In openshift/installer/pull/9194, we have modified the Installer to start setting this field where necessary.

Adapt cluster-image-registry-operator to allow it to start consuming the CA cert from this place. We maintain fallbacks for the previous locations of the cert for now, but these can be removed in the next release.

Dependencies:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sorry, something went wrong.

@stephenfin
OSASINFRA-3747: Prefer CA cert from credentials secret

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
Loading
Loading status checks…
32c6df7 
Signed-off-by: Stephen Finucane <[email protected]>
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Mar 27, 2025

@stephenfin: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/okd-scos-e2e-aws-ovn 32c6df7 link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-hypershift 32c6df7 link true /test e2e-hypershift

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

mandre
mandre reviewed Mar 31, 2025
View reviewed changes
Copy link
Member

@mandre mandre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps add a log message when it falls back to the old method? Actually, might not be super important if we plan on removing the fallback in next version. I'm fine either way.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 31, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Mar 31, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mandre, stephenfin
Once this PR has been reviewed and has the lgtm label, please assign flavianmissi for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mandre mandre

@flavianmissi flavianmissi

@ricardomaraschini ricardomaraschini

Assignees

@mandre mandre

Labels
do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@stephenfin @openshift-ci-robot @EmilienM @mandre