Description of problem:

In Bug #1826183, builds were updated to mount the contents of /etc/pki/ca-trust into the build from the build container. The build container, in turn, merged the admin-provided "extra" trust bundle with the default RHEL trust store. This proved problematic because Docker strategy builds could not modify content or directory permissions in `/etc/pki/ca-trust` and have those changes persist into the resulting image. In more than one case this broke the build of OpenShift components.

As a result, the mounting of `/etc/pki/ca-trust` is reverted via Bug #1891759, which will be backported to 4.6.z. Builds need to allow developers to opt into mounting the cluster wide trust bundle.

Version-Release number of selected component (if applicable):
4.7.0

How reproducible:
Always

Steps to Reproduce:
1. Run a build which downloads content through an HTTPS, man-in-the-middle proxy
2. Observe result.

Actual results:
With the changes in Bug #1891759, build should fail because HTTPS content is not trusted.

Expected results:
Builds can succeed if the cluster-wide trust bundle is mounted in via an option in the BuildConfig.

Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=1826183
https://bugzilla.redhat.com/show_bug.cgi?id=1891759
*** Bug 1914001 has been marked as a duplicate of this bug. ***
Hello Team,

Is there any workaround currently for this? Currently, the customer can not proceed with the project because the build fails.

Regards,
Ayush Garg
Hello Team,

Another FSI customer is experiencing this, which is delaying their adoption/movement to OCP 4.5. I'd appreciate it if anyone can share known workarounds.

Many thanks,
Joseph
(In reply to aygarg from comment #13)
> Hello Team,
>
> Is there any workaround currently for this? Currently, the customer can not
> proceed with the project because the build fails.
>
> Regards,
> Ayush Garg

Can someone please share any possible workarounds?
To work around this issue, users need to do the following:

1. Create an empty ConfigMap in the build's namespace with the label `config.openshift.io/inject-trusted-cabundle="true"` [1]. For this example I'll name it "trusted-cabundle", though it can be named anything as long as it is a valid ConfigMap name:

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    config.openshift.io/inject-trusted-cabundle: "true"
  name: trusted-cabundle
data: {}
```

2. Add the ConfigMap as a Docker strategy build input [2], and have a Dockerfile copy the `ca-bundle.crt` file to `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.

3. In the BuildConfig's Docker strategy options, ensure `SkipLayers` is set for the image optimization policy. This ensures that the layers of the build are squashed and the cluster's trust bundle doesn't leak into the output container image [3].

Below is an example of how to effectively run a Ruby-based s2i build via the Docker strategy, using an in-line Dockerfile.

```yaml
kind: BuildConfig
apiVersion: build.openshift.io/v1
metadata:
  ...
spec:
  source:
    git:
      ... # info to git source
    configMaps:
    - configMap:
        name: trusted-cabundle
      destinationDir: trusted-cabundle # this is relative to the build root directory
    dockerfile: |
      FROM ruby:latest
      COPY . .
      USER root
      # Back up the image trust bundle and override it with the cluster provided bundle
      RUN cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.bak && \
          cp -f trusted-cabundle/ca-bundle.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem && \
          chown root:root /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
      # Change back to the default s2i image user to run the assemble script
      USER 1001
      RUN /usr/libexec/s2i/assemble
      # Change back to the root user to restore the trust bundle
      USER root
      RUN mv -f /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.bak /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
      # Run the default command as user 1001
      USER 1001
      CMD /usr/libexec/s2i/run
  strategy:
    dockerStrategy:
      from:
        kind: ImageStreamTag
        name: ruby:latest
        namespace: openshift
      # SkipLayers ensures that the cluster trust bundle doesn't leak into the resulting container image
      imageOptimizationPolicy: SkipLayers
```

[1] https://docs.openshift.com/container-platform/4.7/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki
[2] https://docs.openshift.com/container-platform/4.7/cicd/builds/creating-build-inputs.html#builds-adding-input-secrets-configmaps_creating-build-inputs
[3] https://docs.openshift.com/container-platform/4.7/cicd/builds/build-strategies.html#builds-strategy-docker-squash-layers_build-strategies
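A way to verify the point of step 3 above (that the cluster bundle, e.g. a proxy CA, did not end up in the shipped image): compare the PEM blocks in the base image's `tls-ca-bundle.pem`, the injected `ca-bundle.crt` and the output image's bundle (or each unsquashed layer's copy of it). This is an added example, not code from this bug or from OpenShift; the PEM blocks it embeds are constructed placeholders, not real certificates, and it treats each block as opaque text rather than parsing X.509.

```python
import hashlib
import re

# One PEM certificate block; compared as opaque text, so no X.509 parsing is needed.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def cert_fingerprints(bundle_text):
    """SHA-256 digests of every PEM block in a bundle, as a set."""
    return {hashlib.sha256(b.encode()).hexdigest() for b in PEM_BLOCK.findall(bundle_text)}


def leaked_cluster_cas(base_bundle, cluster_bundle, output_bundle):
    """Fingerprints of CAs that only the cluster bundle adds (the admin's 'extra'
    CAs) and that are still present in the output image's bundle."""
    extra = cert_fingerprints(cluster_bundle) - cert_fingerprints(base_bundle)
    return extra & cert_fingerprints(output_bundle)


def leaking_layers(base_bundle, cluster_bundle, layer_bundles):
    """Indices of layers whose copy of the bundle carries a cluster-only CA.
    With SkipLayers there is a single squashed layer, so only the final
    (restored) bundle is inspected; without squashing every layer counts."""
    return [i for i, text in enumerate(layer_bundles)
            if leaked_cluster_cas(base_bundle, cluster_bundle, text)]


# Constructed sample bundles: placeholder bodies, not real certificate data.
def _fake_cert(label):
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"


BASE_IMAGE_BUNDLE = _fake_cert("PLACEHOLDER-RHEL-CA-1") + _fake_cert("PLACEHOLDER-RHEL-CA-2")
CLUSTER_BUNDLE = BASE_IMAGE_BUNDLE + _fake_cert("PLACEHOLDER-CLUSTER-PROXY-CA")
# Squashed build: the final RUN restored the backup, so the bundle equals the base image's.
OUTPUT_SQUASHED = BASE_IMAGE_BUNDLE
# Unsquashed build: the layer created by the override RUN still holds the cluster bundle.
UNSQUASHED_LAYERS = [CLUSTER_BUNDLE, BASE_IMAGE_BUNDLE]

if __name__ == "__main__":
    print("leaked from squashed image:", leaked_cluster_cas(BASE_IMAGE_BUNDLE, CLUSTER_BUNDLE, OUTPUT_SQUASHED))
    print("leaking layers (unsquashed):", leaking_layers(BASE_IMAGE_BUNDLE, CLUSTER_BUNDLE, UNSQUASHED_LAYERS))
```

On a real image, feed the function the bundle files extracted from the base image, the ConfigMap and each layer of the output image; a non-empty result means the cluster CA shipped with the image.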
Thanks Rolfe. Perfect. I have modified the RN text. It looks so much better now. Appreciate the help and suggestion.
Adam and Wewang, please review and approve the updated Doc Text field, above. Thanks.
Approved doc text. @Srivaralakshmi, need I change something in the bug?
Doc text LGTM
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438