Update CA Cert Conditional #12572
Update CA Cert Conditional #12572
Conversation
|
Skipping CI for Draft Pull Request. |
alyssacgoins
force-pushed
the
ca_cert_conditional
branch
2 times, most recently
from
a3ef196 to
930b21b
Compare
|
|
||
| setCABundle := false | ||
| if common.GetCaBundleSecretName() != "" && (c.mlPipelineTLSEnabled || common.GetMetadataTLSEnabled()) { | ||
| if common.GetCaBundleSecretName() != "" || c.mlPipelineTLSEnabled || common.GetMetadataTLSEnabled() { |
There was a problem hiding this comment.
I think we still need to guarantee that the secret name is set.
| if common.GetCaBundleSecretName() != "" || c.mlPipelineTLSEnabled || common.GetMetadataTLSEnabled() { | |
| if common.GetCaBundleSecretName() != "" { |
| } | ||
| // If the apiserver is TLS-enabled, add the custom CA bundle to the executor. | ||
| if common.GetCaBundleSecretName() != "" && (c.mlPipelineTLSEnabled || common.GetMetadataTLSEnabled()) { | ||
| if common.GetCaBundleSecretName() != "" || c.mlPipelineTLSEnabled || common.GetMetadataTLSEnabled() { |
There was a problem hiding this comment.
I think we still need to guarantee that the secret name is set.
| if common.GetCaBundleSecretName() != "" || c.mlPipelineTLSEnabled || common.GetMetadataTLSEnabled() { | |
| if common.GetCaBundleSecretName() != "" { |
hbelmiro
left a comment
hbelmiro
left a comment
There was a problem hiding this comment.
We should do the same in backend/src/v2/compiler/argocompiler/dag.go and backend/src/v2/compiler/argocompiler/importer.go.
alyssacgoins
force-pushed
the
ca_cert_conditional
branch
from
3827a61 to
f17feda
Compare
alyssacgoins
force-pushed
the
ca_cert_conditional
branch
from
f17feda to
1f9e91d
Compare
| volumeSource.Secret = &k8score.SecretVolumeSource{SecretName: caBundleSecretName} | ||
| } else if caBundleConfigMapName != "" { | ||
| caBundleConfigMapKey := common.GetCaBundleConfigMapKey() | ||
| if caBundleConfigMapKey == "" { |
There was a problem hiding this comment.
I think we should align the behavior between Secret and ConfigMap such that:
- Prefer Secret over ConfigMap (like your code)
- We have one configuration option of
CABUNDLE_KEY_NAMEthat applies to both Secret and ConfigMap. - If
CABUNDLE_KEY_NAMEis not set, then don't setSubPathon either the Secret or ConfigMap (matches existing Secret behavior).
alyssacgoins
force-pushed
the
ca_cert_conditional
branch
from
1f9e91d to
0a96f60
Compare
alyssacgoins
force-pushed
the
ca_cert_conditional
branch
3 times, most recently
from
1beaca0 to
90a3f40
Compare
| return GetStringConfigWithDefault(CaBundleSecretName, "") | ||
| } | ||
|
|
||
| func GetCaBundleConfigMapKey() string { |
There was a problem hiding this comment.
| func GetCaBundleConfigMapKey() string { | |
| func GetCABundleKey() string { |
alyssacgoins
force-pushed
the
ca_cert_conditional
branch
from
90a3f40 to
d1f64ae
Compare
| caBundleKeyName := common.GetCABundleKey() | ||
| volumeMount := k8score.VolumeMount{Name: "custom-ca", MountPath: common.CABundleDir} | ||
| if caBundleKeyName != "" { | ||
| volumeMount.SubPath = caBundleKeyName |
There was a problem hiding this comment.
I don't think this logic is quite right. I think we want to do something like this instead where the key can change but the mounted path is always the same. Consider using a constant variable for ca.crt.
diff --git a/backend/src/v2/compiler/argocompiler/common.go b/backend/src/v2/compiler/argocompiler/common.go
index 8e4c8e081..6112679e3 100644
--- a/backend/src/v2/compiler/argocompiler/common.go
+++ b/backend/src/v2/compiler/argocompiler/common.go
@@ -58,12 +58,32 @@ func ConfigureCustomCABundle(tmpl *wfapi.Template) {
caBundleSecretName := common.GetCaBundleSecretName()
caBundleConfigMapName := common.GetCaBundleConfigMapName()
volumeSource := k8score.VolumeSource{}
+ caBundleKeyName := common.GetCABundleKey()
+ if caBundleKeyName == "" {
+ caBundleKeyName = "ca.crt"
+ }
// CABUNDLE_SECRET_NAME is prioritized above CABUNDLE_CONFIGMAP_NAME.
if caBundleSecretName != "" { // nolint:gocritic // ifElseChain is preferred here for clarity over a switch
- volumeSource.Secret = &k8score.SecretVolumeSource{SecretName: caBundleSecretName}
+ volumeSource.Secret = &k8score.SecretVolumeSource{
+ SecretName: caBundleSecretName,
+ Items: []k8score.KeyToPath{
+ {
+ Key: caBundleKeyName,
+ Path: "ca.crt",
+ },
+ },
+ }
} else if caBundleConfigMapName != "" {
- volumeSource.ConfigMap = &k8score.ConfigMapVolumeSource{LocalObjectReference: k8score.LocalObjectReference{Name: caBundleConfigMapName}}
+ volumeSource.ConfigMap = &k8score.ConfigMapVolumeSource{
+ LocalObjectReference: k8score.LocalObjectReference{Name: caBundleConfigMapName},
+ Items: []k8score.KeyToPath{
+ {
+ Key: caBundleKeyName,
+ Path: "ca.crt",
+ },
+ },
+ }
} else {
glog.Error("Neither CABUNDLE_SECRET_NAME nor CABUNDLE_CONFIGMAP_NAME is set. Failed to configure custom CA bundle.")
return
@@ -75,13 +95,8 @@ func ConfigureCustomCABundle(tmpl *wfapi.Template) {
tmpl.Volumes = append(tmpl.Volumes, volume)
// If CABUNDLE_KEY_NAME is set, set its value to the VolumeMount subpath.
- caBundleKeyName := common.GetCABundleKey()
volumeMount := k8score.VolumeMount{Name: "custom-ca", MountPath: common.CABundleDir}
- if caBundleKeyName != "" {
- volumeMount.SubPath = caBundleKeyName
- }
tmpl.Container.VolumeMounts = append(tmpl.Container.VolumeMounts, volumeMount)
-
}
// addExitTask adds an exit lifecycle hook to a task if exitTemplate is not empty.
Signed-off-by: alyssacgoins <agoins@redhat.com>
alyssacgoins
force-pushed
the
ca_cert_conditional
branch
from
d1f64ae to
a5a226e
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mprahl The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| { | ||
| compilerOptions: argocompiler.Options{CacheDisabled: true}, | ||
| envVars: map[string]string{"PIPELINE_RUN_AS_USER": "1001", "PIPELINE_LOG_LEVEL": "3"}, | ||
| pipelineFilePaths: []string{filepath.Join(pipelineFilesRootDir, pipelineDirectory, "run_as_user_cache_disabled.yaml")}, |
There was a problem hiding this comment.
I am confused about this, why do you need a separate yaml? can the existing pipelines not run as a user and with a different log level? if so, we can always set the required values in the expected compiled workflow object
There was a problem hiding this comment.
A separate YAML is necessary because the environment variables update the contents of the YAML - for example, the variable PIPELINE_RUN_AS_USER adds securityContext: runAsUser: 1001 to the compiled workflow. But we can't update the general YAML with this specialized case, because then the test cases with no env variables set will fail.
There was a problem hiding this comment.
in that case, we can check if we need to update or not based on the environment variable
| envVars: map[string]string{"PIPELINE_RUN_AS_USER": "1001", "PIPELINE_LOG_LEVEL": "3"}, | ||
| compilerOptions: argocompiler.Options{CacheDisabled: false}, | ||
| envVars: map[string]string{"PIPELINE_RUN_AS_USER": "1001", "PIPELINE_LOG_LEVEL": "3"}, | ||
| pipelineFilePaths: []string{filepath.Join(pipelineFilesRootDir, pipelineDirectory, "run_as_user_cache_enabled.yaml")}, |
There was a problem hiding this comment.
Addressed above ^
4 participants
Description of your changes:
Update the CA cert logic on driver/launcher so that if
CABUNDLE_SECRET_NAMEis set, even if pod-to-pod TLS is not enabled, the cert will be passed into the launcher.backend/test/compiler/argo_ginkgo_test.gois updated to fix env var testing, in order to validate the change above.Checklist: