Bug 1895053
| Summary: | Allow builds to optionally mount in cluster trust stores | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Adam Kaplan <adam.kaplan> |
| Component: | Build | Assignee: | Adam Kaplan <adam.kaplan> |
| Status: | CLOSED ERRATA | QA Contact: | wewang <wewang> |
| Severity: | high | Docs Contact: | Srivaralakshmi Ramani <srr> |
| Priority: | unspecified | | |
| Version: | 4.7 | CC: | aos-bugs, aygarg, gmontero, jtejal, sjenning, srr, wewang, xiuwang |
| Target Milestone: | --- | | |
| Target Release: | 4.8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-07-27 22:34:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1913325 | | |
| Bug Blocks: | | | |

Doc Text:

[discrete]
[id="ocp-4-8-builds-mount-custom-pki-ca"]
==== Mount custom PKI certificate authorities
Previously, builds could not use the cluster PKI certificate authorities that were sometimes required to access corporate artifact repositories. Now, you can configure the `BuildConfig` object to mount cluster custom PKI certificate authorities by setting `mountTrustedCA` to `true`.
Description
Adam Kaplan
2020-11-05 16:25:30 UTC
*** Bug 1914001 has been marked as a duplicate of this bug. ***

Hello Team,

Is there any workaround currently for this? Currently, the customer can not proceed with the project because the build fails.

Regards,
Ayush Garg

Hello Team,

Another FSI customer is experiencing this which is delaying their adoption/movement to OCP 4.5. Appreciate if anyone can share known workarounds.

Many thanks,
Joseph

(In reply to aygarg from comment #13)
> Hello Team,
>
> Is there any workaround currently for this? Currently, the customer can not
> proceed with the project because the build fails.
>
> Regards,
> Ayush Garg

Can someone please share any possible workarounds?

To work around this issue, users need to do the following:

1. Create an empty ConfigMap in the build's namespace with the label `config.openshift.io/inject-trusted-cabundle="true"` [1]. For this example I'll name it "trusted-cabundle", though it can be named anything as long as it is a valid ConfigMap name:
```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    config.openshift.io/inject-trusted-cabundle: "true"
  name: trusted-cabundle
data: {}
```
2. Add the ConfigMap as a Docker strategy build input [2], and have a Dockerfile copy the `ca-bundle.crt` file to `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
3. In the BuildConfig's Docker strategy options, ensure `SkipLayers` is set for the image optimization policy. This ensures that the layers of the build are squashed and the cluster's trust bundle doesn't leak into the output container image [3].
Below is an example of how to effectively run a Ruby-based s2i build via the Docker strategy, using an in-line Dockerfile.
```yaml
kind: BuildConfig
apiVersion: build.openshift.io/v1
metadata:
  ...
spec:
  source:
    git:
      ... # info to git source
    configMaps:
    - configMap:
        name: trusted-cabundle
      destinationDir: trusted-cabundle # this is relative to the build root directory
    dockerfile: |
      FROM ruby:latest
      COPY . .
      USER root
      # Back up the image trust bundle and override it with the cluster provided bundle
      RUN cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.bak && \
          cp -f trusted-cabundle/ca-bundle.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem && \
          chown root:root /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
      # Change back to the default s2i image user to run the assemble script
      USER 1001
      RUN /usr/libexec/s2i/assemble
      # Change back to the root user to restore the trust bundle
      USER root
      RUN mv -f /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.bak /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
      # Run the default command as user 1001
      USER 1001
      CMD /usr/libexec/s2i/run
  strategy:
    dockerStrategy:
      from:
        kind: ImageStreamTag
        name: ruby:latest
        namespace: openshift
      # SkipLayers ensures that the cluster trust bundle doesn't leak into the resulting container image
      imageOptimizationPolicy: SkipLayers
```
[1] https://docs.openshift.com/container-platform/4.7/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki
[2] https://docs.openshift.com/container-platform/4.7/cicd/builds/creating-build-inputs.html#builds-adding-input-secrets-configmaps_creating-build-inputs
[3] https://docs.openshift.com/container-platform/4.7/cicd/builds/build-strategies.html#builds-strategy-docker-squash-layers_build-strategies
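The same Ruby build once the fix in this bug has shipped (4.8.0 per the Target Release above), as an added example rather than text from the reporter: the `inject-trusted-cabundle` ConfigMap, the build input and the Dockerfile cp/mv dance are replaced by the single `mountTrustedCA` field from the Doc Text. The field sits directly under `spec` of the BuildConfig in the 4.8 build API; the name `ruby-app` and the git URI are assumed placeholders. I keep `imageOptimizationPolicy: SkipLayers` for the reason given in step 3; whether the 4.8 mount can reach the output image at all is not stated on this page, and squashing costs nothing.

```yaml
kind: BuildConfig
apiVersion: build.openshift.io/v1
metadata:
  name: ruby-app                              # assumed name
spec:
  # 4.8+: the build pod gets the cluster trust bundle mounted for it.
  # Replaces the inject-trusted-cabundle ConfigMap, the configMaps build input
  # and the Dockerfile steps that copied and restored tls-ca-bundle.pem.
  mountTrustedCA: true
  source:
    git:
      uri: https://example.com/ruby-app.git   # assumed repository
    dockerfile: |
      FROM ruby:latest
      COPY . .
      RUN /usr/libexec/s2i/assemble
      CMD /usr/libexec/s2i/run
  strategy:
    dockerStrategy:
      from:
        kind: ImageStreamTag
        name: ruby:latest
        namespace: openshift
      # Kept from step 3 above: squash layers so nothing written during the
      # build is committed as a layer of its own.
      imageOptimizationPolicy: SkipLayers
```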
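Two things the workaround above depends on are worth checking rather than assuming: that the injected `ca-bundle.crt` really carries the corporate CA the build needs, and that the output image's `tls-ca-bundle.pem` does not still contain what the cluster bundle added (if it does, the restore step or `SkipLayers` did not do its job and the cluster trust store has been baked into a shipped image). The script below is an added example, not code from this bug or from OpenShift. It compares bundles by the SHA-256 fingerprint of each certificate's DER bytes, so it needs only the standard library; the PEM blocks it ships with are constructed stand-ins for real certificates, and the function names are mine.

```python
"""Compare PEM CA bundles by certificate fingerprint (added example)."""
import base64
import hashlib
import re
from typing import Set, Tuple

# One PEM block. The "# Subject: ..." comment lines that ca-trust writes
# around each block in tls-ca-bundle.pem are skipped because only the
# base64 body between BEGIN/END is captured.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprints(bundle: str) -> Set[str]:
    """SHA-256 (hex) of the DER bytes of every certificate in a PEM bundle."""
    found = set()
    for match in _PEM_BLOCK.finditer(bundle):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        found.add(hashlib.sha256(der).hexdigest())
    return found


def diff_bundles(base: str, other: str) -> Tuple[Set[str], Set[str]]:
    """(added, removed): fingerprints only in `other`, and only in `base`."""
    b, o = fingerprints(base), fingerprints(other)
    return o - b, b - o


def check_build(image_default: str, cluster: str, output_image: str,
                corporate_ca: str) -> dict:
    """Evaluate one build against the bundles it saw and produced.

    image_default: tls-ca-bundle.pem of the builder image, before the build
    cluster:       ca-bundle.crt from the injected ConfigMap
    output_image:  tls-ca-bundle.pem read back from the built image
    corporate_ca:  the CA (PEM) that must be trusted during the build
    """
    added, _ = diff_bundles(image_default, cluster)
    return {
        # the build could trust the corporate repo
        "injected": fingerprints(corporate_ca) <= fingerprints(cluster),
        # anything the cluster added that survived into the output image
        "leaked": sorted(fingerprints(output_image) & added),
    }


# --- constructed sample data: stand-ins for X.509 DER, enough to fingerprint
def _fake_cert(label: bytes) -> str:
    body = base64.b64encode(b"\x30\x82" + label.ljust(32, b"\0")).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


PUBLIC_CA = _fake_cert(b"public-root")
CORPORATE_CA = _fake_cert(b"corp-root")
IMAGE_DEFAULT_BUNDLE = "# builder image bundle (constructed)\n" + PUBLIC_CA
CLUSTER_BUNDLE = PUBLIC_CA + "# Subject: corp (constructed)\n" + CORPORATE_CA
GOOD_OUTPUT_BUNDLE = IMAGE_DEFAULT_BUNDLE   # restore step + SkipLayers worked
LEAKED_OUTPUT_BUNDLE = CLUSTER_BUNDLE       # cluster bundle committed to a layer

if __name__ == "__main__":
    for name, out in (("good", GOOD_OUTPUT_BUNDLE), ("leaked", LEAKED_OUTPUT_BUNDLE)):
        print(name, check_build(IMAGE_DEFAULT_BUNDLE, CLUSTER_BUNDLE, out, CORPORATE_CA))
```

To run it against a real build, feed it the actual files: `oc extract configmap/trusted-cabundle --keys=ca-bundle.crt --to=-` gives the cluster bundle, and `podman run --rm <image> cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` gives the bundle of the builder image and of the output image respectively. A non-empty `leaked` list on the output image means the corporate CA, and everything else in the cluster bundle, is now trusted by every container started from that image, which is exactly what step 3 is there to prevent.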
Thanks Rolfe. Perfect. I have modified the RN text. It looks so much better now. Appreciate the help and suggestion.

Adam and Wewang, please review and approve the updated Doc Text field, above. Thanks.

Approved doc text

@Srivaralakshmi, need I change something in the bug?

Doc text LGTM

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438