Change a cluster's trust bundle #110
# Main change

Support changing a cluster's additional trust bundle. Changes all locations where the additional trust bundle is stored.

If an existing trust bundle is not found, this will cause an error, as creating the relevant resources is beyond the scope of this tool.

The trust bundle's validity will not be checked. When using a RECERT_CONFIG file, raw PEMs can be used instead of a path to a trust bundle file.

When using this feature it is recommended to also run the `update-ca-trust` script after running recert to ensure that the trust bundle is properly updated in all locations.

# Other changes

* Created `./hack/` directory to store some certs used during `./run_seed.sh`
* Deprecated `--static-files` and `--static-dirs`, which were used for both recert and rename. Now `--crypto-dir` and `--crypto-file` will be used for recert while `--cluster-customization-dir` and `--cluster-customization-file` will be used for rename (aka cluster customization). This was needed because /etc/pki is full of certs we discover and fail to process during recert, but we do need to process /etc/pki for editing the additional trust bundle cluster customization. Using `--additional-trust-bundle` along with `--static-*` will cause an error. The old behavior for `--static-files` and `--static-dirs` is maintained for backwards compatibility, but they cannot be used along with the new flags.
* Made ConfigPath a less leaky abstraction for ClioPath and moved its relevant code to its own module `path` (under `config`)
* Renamed many `cli_parse` functions to `parse` as those functions were used outside of CLI parsing as well (during config file parsing)
* Refactored config parsing into topical functions because that function was getting a bit too long
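The flag-compatibility rules and the path-or-raw-PEM trust bundle value described in this PR, modelled as an added Rust example. This is not recert's code: `RecertConfig`, `validate`, `trust_bundle_source`, `count_pem_certs` and the sample directories are assumptions, and the PEM block count is an extra sanity check the PR says recert itself does not perform.

```rust
use std::path::PathBuf;

/// Hypothetical model of the CLI/config options the PR describes (not recert's own types).
#[derive(Debug, Default, Clone)]
pub struct RecertConfig {
    /// Deprecated: previously fed both the recert and the rename phases.
    pub static_dirs: Vec<PathBuf>,
    pub static_files: Vec<PathBuf>,
    /// New: crypto material discovered and re-signed during recert.
    pub crypto_dirs: Vec<PathBuf>,
    pub crypto_files: Vec<PathBuf>,
    /// New: locations rewritten during cluster customization (rename).
    pub cluster_customization_dirs: Vec<PathBuf>,
    pub cluster_customization_files: Vec<PathBuf>,
    /// Path to a bundle file, or raw PEM text when read from a RECERT_CONFIG file.
    pub additional_trust_bundle: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    /// --static-* cannot be combined with --crypto-* or --cluster-customization-*.
    StaticAndNewFlagsMixed,
    /// --additional-trust-bundle cannot be combined with --static-*.
    StaticWithAdditionalTrustBundle,
    /// Inline bundle text contains no complete PEM certificate block.
    TrustBundleNotPem,
}

#[derive(Debug, PartialEq)]
pub enum TrustBundleSource {
    Path(PathBuf),
    RawPem(String),
}

const PEM_BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const PEM_END: &str = "-----END CERTIFICATE-----";

/// Classify the --additional-trust-bundle value: raw PEM text or a file path.
pub fn trust_bundle_source(value: &str) -> TrustBundleSource {
    let trimmed = value.trim();
    if trimmed.starts_with(PEM_BEGIN) {
        TrustBundleSource::RawPem(trimmed.to_string())
    } else {
        TrustBundleSource::Path(PathBuf::from(trimmed))
    }
}

/// Count complete BEGIN/END CERTIFICATE pairs. Recert does not validate the
/// bundle, so this is the minimal check a caller can run before /etc/pki is rewritten.
pub fn count_pem_certs(pem: &str) -> Result<usize, ConfigError> {
    let begins = pem.matches(PEM_BEGIN).count();
    let ends = pem.matches(PEM_END).count();
    if begins == 0 || begins != ends {
        return Err(ConfigError::TrustBundleNotPem);
    }
    Ok(begins)
}

impl RecertConfig {
    fn uses_static_flags(&self) -> bool {
        !self.static_dirs.is_empty() || !self.static_files.is_empty()
    }

    fn uses_new_flags(&self) -> bool {
        !self.crypto_dirs.is_empty()
            || !self.crypto_files.is_empty()
            || !self.cluster_customization_dirs.is_empty()
            || !self.cluster_customization_files.is_empty()
    }

    /// Enforce the compatibility rules the PR describes.
    pub fn validate(&self) -> Result<(), ConfigError> {
        if self.uses_static_flags() && self.uses_new_flags() {
            return Err(ConfigError::StaticAndNewFlagsMixed);
        }
        if self.uses_static_flags() && self.additional_trust_bundle.is_some() {
            return Err(ConfigError::StaticWithAdditionalTrustBundle);
        }
        if let Some(bundle) = &self.additional_trust_bundle {
            if let TrustBundleSource::RawPem(pem) = trust_bundle_source(bundle) {
                count_pem_certs(&pem)?;
            }
        }
        Ok(())
    }

    /// Directories the recert phase walks. With the deprecated flags the same
    /// set also feeds the rename phase, which is the overlap the PR removes.
    pub fn crypto_scan_dirs(&self) -> Vec<PathBuf> {
        if self.uses_static_flags() { self.static_dirs.clone() } else { self.crypto_dirs.clone() }
    }

    /// Directories the cluster-customization (rename) phase walks.
    pub fn customization_scan_dirs(&self) -> Vec<PathBuf> {
        if self.uses_static_flags() { self.static_dirs.clone() } else { self.cluster_customization_dirs.clone() }
    }
}

fn main() {
    // Constructed sample: new flags plus an inline PEM bundle, as a RECERT_CONFIG file could supply it.
    let cfg = RecertConfig {
        crypto_dirs: vec![PathBuf::from("/kubernetes"), PathBuf::from("/kubelet")],
        cluster_customization_dirs: vec![PathBuf::from("/etc/pki")],
        additional_trust_bundle: Some(format!("{}\nMIIB...constructed...\n{}\n", PEM_BEGIN, PEM_END)),
        ..Default::default()
    };
    println!("validate: {:?}, customization dirs: {:?}", cfg.validate(), cfg.customization_scan_dirs());
}
```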
/lgtm I tested it with LCA

/approve
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: mresvanis, omertuc
Incomplete, still testing and need to add a bit more code

# Background / Context

Recert recently added ([1], [2]) some options that allow changing the cluster's trust bundle (it's recommended you read the PRs for more background about this).

# Issue / Requirement / Reason for change

The lifecycle-agent doesn't make use of the new options added to recert.

# Solution / Feature Overview

Change the lifecycle-agent to use the new options added to recert.

# Implementation Details

Multiple new fields have been added.

- `AdditionalTrustBundle` in `SeedReconfiguration`. This represents the trust bundle to be used for seed-reconfiguration. This contains the user-ca-bundle contents, the proxy configmap name, and the proxy configmap contents.
- `AdditionalTrustBundle` in `SeedClusterInfo`. This represents the state of the trust bundle in the seed cluster. This is simply booleans indicating the presence or lack thereof of the user-ca-bundle and the proxy configmap name (only if it actually has contents; a configmap with no contents is considered invalid OCP configuration). This is useful for when we want to verify that the seed is compatible with our desired `SeedReconfiguration`.
- `RecertConfig` will now use the new `CryptoDirs` and `CryptoFiles` fields to specify the directories and files that should be considered part of the cluster's crypto material, along with the `ClusterCustomizationDirs` and `ClusterCustomizationFiles` fields that specify the directories and files involved in cluster customization. Since these no longer overlap when it comes to customizing the trust bundle, we must use these new fields instead of the old common `StaticDirs` and `StaticFiles` fields.

[1] rh-ecosystem-edge/recert#110
[2] rh-ecosystem-edge/recert#140