Added ability to trust a custom bundle CA #401

Merged: 1 commit, Jun 18, 2021

Conversation

tchellomello
Contributor

Fixes: #376

This PR introduces the initContainer to prepare the RHEL PKI for the sub-containers used in AWX. This approach allows having update-ca-trust executed once instead of for each container via lifecycle.

See #376 for the full testing report.

Creating secret:

$ cat Toca_ROOT_CA.crt Toca_Intermediate_CA.crt > /tmp/bundle-ca.crt
$ kubectl create secret generic awx-ssl-ca-custom --from-file=bundle-ca.crt=/tmp/bundle-ca.crt

Modifying awx spec:

apiVersion: awx.ansible.com/v1beta1
kind: AWX
....
spec:
  bundle_cacert_secret: awx-ssl-ca-custom
....

Result:

(py39) mdemello@storm ~> kubectl iexec awx /bin/bash
Namespace: default | Pod: ✔ awx-ssl-ca-6cccf6577d-jzrk9
Container: ✔ awx-ssl-ca-task
bash-4.4$ ls -la /etc/pki/ca-trust/source/anchors/bundle-ca.crt 
-rw-r--r--. 1 root root 4086 Jun 11 04:51 /etc/pki/ca-trust/source/anchors/bundle-ca.crt
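The init-container pattern the PR describes, as an added illustration rather than the operator's own template: one init container copies the secret's bundle into the anchors directory of an empty trust-store volume and runs update-ca-trust, and the application container mounts the populated store read-only. The pod name, the pinned CentOS tag, the AWX image reference, the /run/bundle-cacert mount path and the pre-created extracted/ subdirectories are assumptions for this example.

```yaml
# Illustrative pod spec (hypothetical, not the awx-operator template): the trust
# store is built once in an init container and shared with the app container.
apiVersion: v1
kind: Pod
metadata:
  name: ca-trust-demo                      # hypothetical name
spec:
  volumes:
    - name: ca-trust                       # shared trust store, starts empty
      emptyDir: {}
    - name: bundle-cacert
      secret:
        secretName: awx-ssl-ca-custom      # the secret created above
        items:
          - key: bundle-ca.crt
            path: bundle-ca.crt
  initContainers:
    - name: init-ca-trust
      # assumed pinned tag; the role default in this PR has no tag, so pin it
      image: quay.io/centos/centos:stream8
      command: ["/bin/sh", "-c"]
      args:
        - |
          set -e
          # The emptyDir hides the image's /etc/pki/ca-trust, so recreate the
          # layout update-ca-trust expects before extracting (assumed layout).
          mkdir -p /etc/pki/ca-trust/source/anchors \
                   /etc/pki/ca-trust/extracted/pem \
                   /etc/pki/ca-trust/extracted/openssl \
                   /etc/pki/ca-trust/extracted/java \
                   /etc/pki/ca-trust/extracted/edk2
          # Fail loudly on a non-PEM secret; update-ca-trust would ignore it silently
          grep -q 'BEGIN CERTIFICATE' /run/bundle-cacert/bundle-ca.crt
          cp /run/bundle-cacert/bundle-ca.crt /etc/pki/ca-trust/source/anchors/bundle-ca.crt
          update-ca-trust extract
      volumeMounts:
        - name: ca-trust
          mountPath: /etc/pki/ca-trust     # writable only here
        - name: bundle-cacert
          mountPath: /run/bundle-cacert    # assumed path for the secret
          readOnly: true
  containers:
    - name: awx-task
      image: quay.io/ansible/awx:latest    # placeholder for the AWX image
      volumeMounts:
        - name: ca-trust
          mountPath: /etc/pki/ca-trust     # populated store, read-only
          readOnly: true
```

With the store mounted read-only in the application container, a compromise of that container cannot add anchors to the trust store; only the init container, which exits before the application starts, can write to it.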

@tchellomello tchellomello requested review from shanemcd, Spredzy and rooftopcellist and removed request for shanemcd June 15, 2021 19:14
@@ -111,6 +111,8 @@ redis_image: docker.io/redis
redis_image_version: latest
postgres_image: postgres
postgres_image_version: 12
init_container_image: quay.io/centos/centos
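Review bot: the new default `init_container_image: quay.io/centos/centos` has no tag or digest, so the init container that populates the trust store shared by every AWX container floats with whatever upstream publishes as `latest`; pin it to a specific version or, better, a digest. The hunk header `@@ -111,6 +111,8 @@` shows a second added line that is not visible here, and the thread mentions an `init_container_image_version` variable: both variables should also be documented as user-overridable in the role defaults README, so that users on disconnected clusters know to point them at a mirrored image.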
Member

@rooftopcellist rooftopcellist Jun 15, 2021


I agree with the approach of this PR, and it works, but is using this image OK? @wenottingham @Spredzy


I would assume in other places this would be overridden. @tchellomello ?

Contributor Author

@tchellomello tchellomello Jun 16, 2021


Yes @wenottingham. The variables init_container_image and init_container_image_version can be overridden.

Member

@rooftopcellist rooftopcellist left a comment


After rebasing, this looks good to me. Nice work @tchellomello !

@tchellomello tchellomello merged commit d6d3988 into ansible:devel Jun 18, 2021
@tchellomello tchellomello deleted the custom-ca branch June 18, 2021 16:07
Successfully merging this pull request may close these issues.

Add private CAs to the containers