-
Notifications
You must be signed in to change notification settings - Fork 205
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enable ssl/tls for tekton results db connections #3109
base: main
Are you sure you want to change the base?
Conversation
Skipping CI for Draft Pull Request. |
1d20dcb
to
07def20
Compare
Shouldn't you update the deploy.yaml files? This should only update the staging clusters right? |
How this PR relates to #3436 ? Are they related? Is there an order to be merged? |
Ah I missed it, I will update.
Yes
Ideally they should be merged together so that there is no dependency on each other. Let us discuss this in daily. |
yeah you need to pull the commit from #3436 into this PR we also need to discuss how the cert is injected here |
components/pipeline-service/base/certificates/tekton-results/tekton-results-db-ssl.yaml
Show resolved
Hide resolved
07def20
to
3cea633
Compare
3cea633
to
259f289
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
@@ -2,4 +2,4 @@ | |||
apiVersion: kustomize.config.k8s.io/v1beta1 | |||
kind: Kustomization | |||
resources: | |||
- https://github.com/openshift-pipelines/pipeline-service/operator/gitops/argocd/grafana/?ref=542db3fcc168c426d39dbed231a4230b101f8a2a | |||
- https://github.com/openshift-pipelines/pipeline-service/operator/gitops/argocd/grafana/?ref=5e38cd44d8455e77def659ea116a684c5cfa4320 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- https://github.com/openshift-pipelines/pipeline-service.git/developer/openshift/gitops/argocd/pipeline-service?ref=542db3fcc168c426d39dbed231a4230b101f8a2a | ||
- https://github.com/openshift-pipelines/pipeline-service.git/developer/openshift/gitops/argocd/pipeline-service-storage?ref=542db3fcc168c426d39dbed231a4230b101f8a2a | ||
- https://github.com/openshift-pipelines/pipeline-service.git/developer/openshift/gitops/argocd/pipeline-service?ref=5e38cd44d8455e77def659ea116a684c5cfa4320 | ||
- https://github.com/openshift-pipelines/pipeline-service.git/developer/openshift/gitops/argocd/pipeline-service-storage?ref=5e38cd44d8455e77def659ea116a684c5cfa4320 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -8,11 +8,12 @@ commonAnnotations: | |||
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true | |||
|
|||
resources: | |||
- https://github.com/openshift-pipelines/pipeline-service.git/operator/gitops/argocd/pipeline-service?ref=542db3fcc168c426d39dbed231a4230b101f8a2a | |||
- https://github.com/openshift-pipelines/pipeline-service.git/operator/gitops/argocd/pipeline-service?ref=5e38cd44d8455e77def659ea116a684c5cfa4320 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
259f289
to
5acc723
Compare
was about to ask @avinal if you ran https://github.com/redhat-appstudio/infra-deployments/blob/main/hack/generate-deploy-config.sh ... see you force-pushed something .. |
/lgtm |
Yes I ran the deploy.sh, you can see the changes in the respective deploy.yaml files. The kube lint was failing so I fixed that and pushed. |
/lgtm |
@avinal pipeline service is out of sync and degraded in the latest e2e run https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/redhat-appstudio_infra-deployments/3109/pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests/1774797750232158208 the api server deployment is not happy if you look at https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/redhat-appstudio_infra-deployments/3109/pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests/1774797750232158208/artifacts/appstudio-e2e-tests/gather-extra/artifacts/deployments.json :
for whatever reason I cannot find a watcher deployment. nor do I see watcher pods listed at https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/redhat-appstudio_infra-deployments/3109/pull-ci-redhat-appstudio-infra-deployments-main-appstudio-e2e-tests/1774797750232158208/artifacts/appstudio-e2e-tests/gather-extra/artifacts/pods/ I suspect you will need to run an |
5acc723
to
97b5194
Compare
New changes are detected. LGTM label has been removed. |
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: avinal, gabemontero The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@gabemontero I figured out the issue. The certs generation was not added in infra-deployments, I was not aware of the test flow, so I missed it. Xin helped me understand it. Now I have added the cert generation, it is mostly copy-paste from the pipeline-service, but a quick look would be great. |
1ffe89f
to
7e502d7
Compare
- Adds required YAML config for enabling db ssl connections - Uses public certificates for RDS available here: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.RegionCertificates - Enables dbssl for staging environment - Adds cert generation for development setup - Includes openshift-pipelines/pipeline-service#984 Signed-off-by: Avinal Kumar <avinal@redhat.com> rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED
7e502d7
to
0e3bab7
Compare
@avinal: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
@@ -5,6 +5,7 @@ main() { | |||
create_namespace | |||
create_db_secret | |||
create_s3_secret | |||
create_db_cert_secret_and_configmap |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok so the analogous items here like the db and s3 secrets are pulled from vault and external secrets for stage and prod @avinal , which is why it is OK that this script creates them for the developer overlay
but there is no analogous vault / external secret item for this public cert
so even though things are not right as I type, even if we got them right, this would only work for the developer overlay and not stage/prod
I think the solution @scoheb outlined in the email you sent, where it adds the public cert to the system root CA when building the image, is the way to go, at least short term, since we have a Dockerfile we can update in the results downstream fork.
Now, when we move to the openshift pipelines operator version of results, we'll have to see if that same approach works ...i.e. is there a Dockerfile somewhere in the CPaaS pipeline that would could do the analogous thing for.
From @scoheb email:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/hold
while this script ^^ has progressed us along, I don't think that can be the final solution.
@enarha FYI
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I realized that such a script could be moved to a Job
like what @Roming22 did for the chains secret over in https://github.com/openshift-pipelines/pipeline-service/blob/main/operator/gitops/argocd/pipeline-service/openshift-pipelines/chains-secrets-config.yaml#L46-L111
Now, I also know @enarha is hoping to rework how we do the chains secret (though I don't remember for sure if that rework included removing this Job)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am going through the mails and the threads. To summarize:
- The RDS public cert can be added to the Dockerfile itself, this is how we are already doing
- For development, we may want to use a Job, as we are doing in chains.
If that is all, we can proceed with the discussion.
the watcher and api server now come up with these changes, but the postgresql gitops application stays out of sync because of the cert related changes I'll attach a screen shot per discussion in email and slack, and with this solution not working for stage/prod, a pivot to changing the api server image to add the amazon cert to the root SA per pointer from @scoheb appears the be the path we need to take for the time being /hold |
Signed-off-by: Avinal Kumar avinal@redhat.com