Add DataImportCron CronJobs Proxy support #2455
Conversation
kubevirt-bot
added
release-note
| } | ||
| container.VolumeMounts = append(container.VolumeMounts, vm) | ||
| volumes = append(volumes, createConfigMapVolume(ProxyCertVolName, volName)) | ||
| } else { |
There was a problem hiding this comment.
why? nobody said you must have any of the Proxy params set. Similar logic to to the import controller.
| addEnvVarFromImportProxyConfig := func(varName string) { | ||
| if value, err := GetImportProxyConfig(cdiConfig, varName); err == nil { | ||
| addEnvVar(varName, value) | ||
| } else { |
There was a problem hiding this comment.
okay so we knowingly throw away the err from GetImportProxyConfig, just double checking we're okay with that
There was a problem hiding this comment.
same answer as above.
| digest, err := importer.GetImageDigest(url, accessKey, secretKey, certDir, insecureTLS) | ||
| allCertDir, err := importer.CreateCertificateDir(certDir) | ||
| if err != nil { | ||
| os.Exit(1) |
There was a problem hiding this comment.
maybe log the err so we can debug these (couple more of these down the file)
I see we already use log.Fatalf which prints + os.Exits in here so should be fine?
| @@ -58,6 +64,8 @@ func main() { | |||
| if err != nil { | |||
| log.Fatalf("Failed BuildConfigFromFlags, kubeURL %s configPath %s: %v", kubeURL, configPath, err) | |||
| } | |||
| cfg.TLSClientConfig = rest.TLSClientConfig{Insecure: true} | |||
There was a problem hiding this comment.
hmm which change in your PR now requires this?
this is just about the cdi client that we use to get stuff (not the polling), why do we have to go insecure?
There was a problem hiding this comment.
The CronJob containerized poller app runs in CDI namespace, and it tries to Get/Update() DataImportCron which is in another namespace, so when proxy is configured, Get/Update() fail on certificate issues unless we configure TLS appropriately. Maybe Insecure: true is not the best idea here, but I have no idea how to use the certs dir for setting TLSClientConfig. wdyt?
There was a problem hiding this comment.
AFAIK, under the hood, it should respect proxy env vars so not sure what goes wrong
containerized-data-importer/vendor/k8s.io/client-go/rest/config.go
Lines 137 to 142 in 206c77a
TLSClientConfig instance ourselves?
There was a problem hiding this comment.
ok, but what would you append?
There was a problem hiding this comment.
hmm if it was erroring on x509 I think
https://github.com/kubernetes/apiserver/blob/25ccbfa75c69642e44ac9be141e3bacc7edb3879/pkg/util/webhook/client.go#L136-L140 could work, or something nicer like placing the cert in the golang "respected" path https://go.dev/src/crypto/x509/root_linux.go
There was a problem hiding this comment.
Nice and clean
Just making sure here: the reason we don't care about proxying the k8s API calls is that it's somehow taken care of in another internal k8s layer?
There was a problem hiding this comment.
We have no good reason to proxy the 2 k8s get/update calls here. Do we?
There was a problem hiding this comment.
No the assumption is that the proxy is on the edge of the cluster (aka stuff that tries to go outside of the cluster). I see no use case where it makes sense to proxy traffic inside the cluster.
There was a problem hiding this comment.
Yeah reading the openshift proxy docs they back that statement by calling it the cluster-wide egress proxy
| @@ -1259,7 +1247,7 @@ func makeImporterContainerSpec(image, verbose, pullPolicy string) *corev1.Contai | |||
| } | |||
| } | |||
|
|
|||
| func createProxyConfigMapVolume(certVolName, objRef string) corev1.Volume { | |||
| func createConfigMapVolume(certVolName, objRef string) corev1.Volume { | |||
Signed-off-by: Arnon Gilboa <[email protected]>
arnongilboa
force-pushed
the
dic_cronjob_proxy_support
branch
from
206c77a to
ca4c990
Compare
|
/retest |
| }, | ||
| }, | ||
| TTLSecondsAfterFinished: &ttlSecondsAfterFinished, | ||
| BackoffLimit: &backoffLimit, | ||
| TTLSecondsAfterFinished: pointer.Int32(3), |
There was a problem hiding this comment.
So this was 0 before, it is now 3, any reason it changed?
tests/import_proxy_test.go
Outdated
| dvName := "" | ||
| Eventually(func() string { | ||
| cron, err = f.CdiClient.CdiV1beta1().DataImportCrons(ns).Get(context.TODO(), cronName, metav1.GetOptions{}) | ||
| dvName = cron.Status.CurrentImports[0].DataVolumeName |
There was a problem hiding this comment.
Can cron.Status.CurrentImports ever have length 0? if so this will not work maybe check to ensure the length > 0 before looking up the name
Also does it make sense to combine these two eventually into one? its looking up the same object just different fields.
| @@ -58,6 +64,8 @@ func main() { | |||
| if err != nil { | |||
| log.Fatalf("Failed BuildConfigFromFlags, kubeURL %s configPath %s: %v", kubeURL, configPath, err) | |||
| } | |||
| cfg.TLSClientConfig = rest.TLSClientConfig{Insecure: true} | |||
There was a problem hiding this comment.
Yes leaving this like this is an immediate CVE, so lets not do that. It looks like TLSClientConfig has a CAData []byte field where you should be able to load the appropriate CA data (from the directory), might have to append the standard CA bundle together with the added CA bundle.
tests/import_proxy_test.go
Outdated
| Expect(err).ToNot(HaveOccurred()) | ||
|
|
||
| By("Checking the importer pod information in the proxy log to verify if the requests were proxied") | ||
| verifyImporterPodInfoInProxyLogs(f, url, registryUserAgent, now, BeTrue) |
There was a problem hiding this comment.
You can't use this function the way it is. This functions looks for the importer pod (which we know works already). We are interested in the poller working properly. So you have to either modify this function to pass in the prefix for the pod to look for, or use some other method of finding the poller pod.
Signed-off-by: Arnon Gilboa <[email protected]>
There was a problem hiding this comment.
Three things for the unit test:
- You modified the successful history and failed history counts, can you ensure they are what we expect.
- You verified the env variables are set when the proxy has a value, can you also verify they are NOT set when the proxy does not have a value?
- Also please verify that the extra volume is NOT set when the caProxy value is empty. It is possible to have a proxy but not need a custom CA since the CA of the proxy is signed by a known CA
arnongilboa
force-pushed
the
dic_cronjob_proxy_support
branch
from
d9f78d0 to
76b56ea
Compare
Signed-off-by: Arnon Gilboa <[email protected]>
arnongilboa
force-pushed
the
dic_cronjob_proxy_support
branch
from
76b56ea to
aa983d8
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: awels The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
|
/cherrypick release-v1.55 |
|
@awels: new pull request created: #2459 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@arnongilboa: new pull request could not be created: failed to create pull request against kubevirt/containerized-data-importer#release-v1.55 from head kubevirt-bot:cherry-pick-2455-to-release-v1.55: status code 422 not one of [201], body: {"message":"Validation Failed","errors":[{"resource":"PullRequest","code":"custom","message":"A pull request already exists for kubevirt-bot:cherry-pick-2455-to-release-v1.55."}],"documentation_url":"https://docs.github.com/rest/reference/pulls#create-a-pull-request"} In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherrypick release-v1.49 |
|
@arnongilboa: #2455 failed to apply on top of branch "release-v1.49": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Manual backport of kubevirt#2455 Signed-off-by: Arnon Gilboa <[email protected]>
Manual backport of #2455 Signed-off-by: Arnon Gilboa <[email protected]> Signed-off-by: Arnon Gilboa <[email protected]>
Signed-off-by: Arnon Gilboa [email protected]
What this PR does / why we need it:
Use proxy certificates when creating DataImportCron CronJobs, so the pods won't fail on certificate issues when proxy is configured.
cdi-source-update-pollerwas also fixed to use the proxy certificates.Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Release note: