Description of problem:
In Bug #1826183, builds were updated to mount the contents of /etc/pki/ca-trust into the build from the build container. The build container, in turn, merged the admin-provided "extra" trust bundle with the default RHEL trust store.
This proved problematic because Docker strategy builds could not modify content or directory permissions in `/etc/pki/ca-trust` and have those changes persist into the resulting image. In more than one case this broke the build of OpenShift components. As a result, the mounting of `/etc/pki/ca-trust` is reverted via Bug #1891759, which will be backported to 4.6.z.
Builds need to allow developers to opt into mounting the cluster wide trust bundle.
Version-Release number of selected component (if applicable): 4.7.0
How reproducible: Always
Steps to Reproduce:
1. Run a build which downloads content through an HTTPS, man-in-the-middle proxy
2. Observe result.
With the changes in Bug #1891759, the build should fail because the HTTPS content is not trusted.
Builds can succeed if the cluster-wide trust bundle is mounted in via an option in the BuildConfig.
*** Bug 1914001 has been marked as a duplicate of this bug. ***
Is there any workaround currently for this? Currently, the customer cannot proceed with the project because the build fails.
Another FSI customer is experiencing this which is delaying their adoption/movement to OCP 4.5.
I would appreciate it if anyone can share known workarounds.
(In reply to aygarg from comment #13)
> Hello Team,
> Is there any workaround currently for this? Currently, the customer can not
> proceed with the project because the build fails.
> Ayush Garg
Can someone please share any possible workarounds?
To work around this issue, users need to do the following:
1. Create an empty ConfigMap in the build's namespace with the label `config.openshift.io/inject-trusted-cabundle="true"`. For this example I'll name it "trusted-cabundle", though it can be named anything as long as it is a valid ConfigMap name:
2. Add the ConfigMap as a Docker strategy build input, and have a Dockerfile copy the `ca-bundle.crt` file to `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.
3. In the BuildConfig's Docker strategy options, ensure `SkipLayers` is set for the image optimization policy. This ensures that the layers of the build are squashed and the cluster's trust bundle doesn't leak into the output container image.
Below is an example of how to effectively run a Ruby-based s2i build via the Docker strategy, using an in-line Dockerfile.
  source:
    ... # info to git source
    configMaps:
    - configMap: {name: trusted-cabundle}
      destinationDir: trusted-cabundle # this is relative to the build root directory
  strategy:
    dockerStrategy:
      imageOptimizationPolicy: SkipLayers # SkipLayers ensures that the cluster trust bundle doesn't leak into the resulting container image
      dockerfile: |
        FROM <ruby-s2i-builder-image> # placeholder: the builder image is not named in this comment
        COPY . .
        USER root
        # Back up the image trust bundle and override it with the cluster provided bundle
        RUN cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.bak && \
            cp -f trusted-cabundle/ca-bundle.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem && \
            chown root:root /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
        # Change back to the default s2i image user to run the assemble script
        USER 1001
        RUN /usr/libexec/s2i/assemble # standard assemble script location in Red Hat s2i builder images
        # Change back to the root user to restore the trust bundle
        USER root
        RUN mv -f /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.bak /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
        # Make run the default command as user 1001
        USER 1001
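A check that complements step 3 of the workaround above, added here as an example and not part of the bug report or of OpenShift itself: given the ConfigMap's ca-bundle.crt, the builder image's original trust store and the trust store taken from the output image, it reports which certificates the cluster injected and which are still present in the output image. Because the injected bundle merges the admin-provided CA with the system store (as the description notes), the script compares against the builder image's own store so that system CAs are not flagged. The file paths, function names and the certificate bodies are constructed for the example; the `oc image extract` invocation in the comments is the usual way to obtain the output image's bundle and is not exercised by the script.

```sh
#!/bin/sh
# Added example (not part of the bug report): detect whether the cluster trust
# bundle injected through the ConfigMap leaked into a built image's trust store.
# Inputs are three PEM bundles:
#   cluster.pem  - the ConfigMap's ca-bundle.crt (admin CA merged with system CAs)
#   builder.pem  - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem from the builder image
#   output.pem   - the same file from the output image, e.g. obtained with
#                  oc image extract <image> --path /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:.
# The certificate bodies below are constructed placeholders, not real CAs.

# pem_bodies FILE: one line per certificate, base64 body with newlines removed,
# so certificates can be compared as whole strings with grep -x.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside                        { body = body $0 }
    ' "$1"
}

# leaked_certs CLUSTER BUILDER OUTPUT: print certificates that the cluster bundle
# added on top of the builder image's own store and that are still present in
# the output image. Comparing against the builder store avoids flagging the
# system CAs that the injected bundle already contains.
leaked_certs() {
    work=$(mktemp -d)
    pem_bodies "$1" > "$work/cluster"
    pem_bodies "$2" > "$work/builder"
    pem_bodies "$3" > "$work/output"
    # certificates present in the cluster bundle but not in the builder image
    grep -F -x -v -f "$work/builder" "$work/cluster" > "$work/extra" || true
    # ... and still present in the output image (grep exits 1 when clean)
    grep -F -x -f "$work/extra" "$work/output" || true
    rm -rf "$work"
}

# leak_count CLUSTER BUILDER OUTPUT: number of leaked certificates (0 means clean)
leak_count() {
    leaked_certs "$1" "$2" "$3" | awk 'END { print NR }'
}

# --- constructed sample bundles ---
SAMPLES=$(mktemp -d)
cert() {  # cert LABEL: emit a fake certificate block whose body is LABEL
    printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$1"
}
{ cert SYSTEM_CA_1; cert SYSTEM_CA_2; } > "$SAMPLES/builder.pem"
{ cert SYSTEM_CA_1; cert SYSTEM_CA_2; cert ADMIN_PROXY_CA; } > "$SAMPLES/cluster.pem"
cp "$SAMPLES/cluster.pem" "$SAMPLES/output-leaked.pem"   # bundle was never restored
cp "$SAMPLES/builder.pem" "$SAMPLES/output-clean.pem"    # bundle restored as in step 3

echo "leaked (expect 1): $(leak_count "$SAMPLES/cluster.pem" "$SAMPLES/builder.pem" "$SAMPLES/output-leaked.pem")"
echo "clean  (expect 0): $(leak_count "$SAMPLES/cluster.pem" "$SAMPLES/builder.pem" "$SAMPLES/output-clean.pem")"
```

Run it against real files by replacing the constructed sample bundles with the ConfigMap's `ca-bundle.crt`, the builder image's bundle and the output image's bundle; a non-zero count means the trust bundle restore step or the `SkipLayers` policy did not take effect for that image.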
Thanks Rolfe. Perfect. I have modified the RN text. It looks so much better now. Appreciate the help and suggestion.
Adam and Wewang, please review and approve the updated Doc Text field, above. Thanks.
Approved doc text @Srivaralakshmi, need i change something in the bug?
Doc text LGTM
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.