OCP4: Optimize ingress trusted ca remediation #12268
Conversation
|
Start a new ephemeral environment with changes proposed in this pull request: Fedora Environment Oracle Linux 8 Environment |
|
/test e2e-aws-ocp4-pci-dss |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
|
/test 4.15-e2e-aws-ocp4-moderate |
Let's optimize how we run test remediation for ingress cert, we will fetech default self sign CA used by ingress operator, and then makes it as trusted CA, and then in ingress cert remediation we will make a copy of self generated ingress wildcard cert, and then use it as the default cert. It seems like the router-certs-default is being removed when custom cert is configured.
|
/test 4.15-e2e-aws-ocp4-moderate |
|
@Vincent056: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Code Climate has analyzed commit 04482c9 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
|
Looks like both CI rehearsals failed resolving images. Likely unrelated to this change. |
| oc create secret tls router-certs-default-duplicate --cert=/tmp/ingress-tls.crt --key=/tmp/ingress-tls.key -n openshift-ingress | ||
|
|
||
| # Update the defaultCertificate to point to the new secret. This is effectively the remediation we're checking for. | ||
| # Note: we are using an existing default secret name for testing, so it won't cause any subsequent failures on testing routes. |
There was a problem hiding this comment.
nit: I don't think this note is accurate anymore since we're not using router-certs-default, is it?
I'm ok updating this in a separate PR if we don't have a reason to respin this patch.
There was a problem hiding this comment.
Thanks for finding a better solution here.
To summarize, we're using a different config map, but it contains the same certificate as the trusted-ca-bundle, then updating the trustedCA to use the new config map, which should be enough for the check to pass on subsequent scans.
|
Kicking this through since we go at least one clean CI run that has been failing in the past with this issue. |
Let's optimize how we test remediation for ingress cert, we will fetch the default self-sign CA used by the ingress operator and then make it as trusted CA, and then in ingress cert remediation we will make a copy of self-generated ingress wildcard cert, and then use it as the default cert. It looks like the router-certs-default is removed when a custom cert is configured.
https://docs.openshift.com/container-platform/4.16/security/certificate_types_descriptions/ingress-certificates.html#location