Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proxied Cluster Support #57

Open
gabemontero opened this issue Mar 4, 2020 · 12 comments
Open

Proxied Cluster Support #57

gabemontero opened this issue Mar 4, 2020 · 12 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@gabemontero
Copy link
Member

today openshift build v1 can obtain certs for the global proxy and ensure they are available to the build process

ultimately buildv2 should have some form of this

it very well might make sense for DEVEX to help abstact out logic used for build v1 for use by buildv2 .... https://github.com/gabemontero/obu is a prototype of such an endeavor

@gabemontero gabemontero added the buildv1 Items with this label somehow pertain to getting equivalent buildv1 function in buildv2 label Mar 9, 2020
@sbose78
Copy link
Member

sbose78 commented Mar 12, 2020

today openshift build v1 can obtain certs for the global proxy

Could this be put in a secret and linked to the service account which runs the builds?

@gabemontero
Copy link
Member Author

today openshift build v1 can obtain certs for the global proxy

Could this be put in a secret and linked to the service account which runs the builds?

No that only works with auth @sbose78 not for certs

So what you'll see for the default certs in buildv1 are that configmaps are created to house certs for

  • the internal image registry
  • global proxy

I've captured the mechanics of what build v2 will need in obu .... see https://github.com/gabemontero/obu/blob/master/pkg/cmd/cli/cmd/global_proxy_config.go

So ultimately, before calling buildah, you can

  • set envs as needed
  • get the cert data stored in the workspace somewhere and then use the --cert-dir option for buildah

Presumably the other build tools also consume the well known proxy env vars and have analogous options to --cert-dir

@otaviof
Copy link
Member

otaviof commented Mar 18, 2020

What would be the format to specify the proxy settings? Should we expose as a dedicated attribute in Build or are we interested to allow users to control the environment variables?

@gabemontero
Copy link
Member Author

In build v1 we did not surface proxy related items explicitly in the API @otaviof . The build controller just has to always set the env's on the build pod and mount the CA from the config map in the build pod in order for builds to work correctly when OpenShift's global proxy was in play.

The obu link in my previous comment shows how to retrieve that information.

@sbose78
Copy link
Member

sbose78 commented May 10, 2020

@gabemontero The snippet is really helpful, thank you!

A related topic: Where are the trusted CA certs stored in OpenShift / Kubernetes ?

@gabemontero
Copy link
Member Author

@gabemontero The snippet is really helpful, thank you!

A related topic: Where are the trusted CA certs stored in OpenShift / Kubernetes ?

Specific to openshift global proxy, the CAs are in a well known configmap, and there is a seperate controller that can inject those CAs into any CM in any namespace if that CM has a certain label.

In general, CAs are stored in either configmaps or secrets which are mounted in a pod.

By default, the CA for talking to the apiserver is included with the serviceaccount mount for any pod (i.e. every pod has an SA associated with it, and the auth token from that SA is included in the mount, along with the namespace the SA is from (and the pod is running in), the CA for the apiserver.

@adambkaplan adambkaplan added kind/feature Categorizes issue or PR as related to a new feature. and removed buildv1 Items with this label somehow pertain to getting equivalent buildv1 function in buildv2 labels Oct 29, 2020
@adambkaplan
Copy link
Member

Tekton may support this feature upstream - it's possible with the right configuration we get this for free.

@adambkaplan adambkaplan added this to the release-v1.0.0 milestone Oct 29, 2020
@adambkaplan adambkaplan changed the title global proxy support and build v2 Proxied Cluster Support Nov 10, 2020
@qu1queee
Copy link
Contributor

@gabemontero this issue seems to cover two pieces:

  1. Via the usage of ENV variables in the Build, to allow users to define a certificate path, e.g. by passing it into buildah --cert-dir
  2. Support mounting a configmap map in the Build pod, that maps to the above certificate path(one specified by an env variable).

Both points are supposed to apply for certificates for a container registry and for something very Openshift specific(a.k.a global proxy).

We already have issues to address 1) (see #48) and 2) (see #224). This issue is marked for v1.0.0 release, but seems to be not very clear what exactly needs to be done here, assuming most of the missing pieces are already available in other issues.

Opinions?

@gabemontero
Copy link
Member Author

Your point 1 is not quite right @qu1queee

The env vars are first and foremost for defining the http/https proxy and no proxy env vars so that tools like git perform the necessary changes in their remote interactions.

I agree on your points about #48 and #224 are generic alternatives.

Though it can also be said that proxies are a common enough fact of life for our users that some additional, directed application of #48 and #224 on a global scale based on the presence of a global proxy for a customer could aid cluster administrators. The TEP's in upstream tekton in fact could more or less be categorized along these lines (as is the proxy specific support we provide in openshift).

To that this could be another "keep an item open to monitor tekton in this space" tracker.

If we went down that path, what to do with the fact that this has been assigned to the 1.0.0 GA milestone? I would agree that upstream trackers like this should not necessarily be included in that milestone.

Unless @sbose78 @siamaksade @adambkaplan disagree, I'm good with moving it out of that milestone.

@qu1queee
Copy link
Contributor

@gabemontero ok, +1 on removing this from 1.0.0

@sbose78
Copy link
Member

sbose78 commented Jan 18, 2021

We do need to verify that standard ways of passing proxy information is respected by the image build operation in a way agnostic to the distribution of Kubernetes.

Example:

  • Globally, the build operation should respect http_proxy env vars ( and other similar ones )
  • Globally, the build operation should respect the existence of a proxy certificate in a standard location ( configmap ).
  • Globally, Our build tools/strategies should be made aware of the above information.

Additionally, there could be Build-specific proxy information that could be passed using env vars and volumes in the spec.

I would like to keep this issue around to ensure we at least validate & document how to use global and local proxy information for Builds in Shipwright - even if we don't necessarily have to do anything explicitly :)

Let me know, @qu1queee .

@qu1queee qu1queee removed this from the release-v1.0.0 milestone Jan 25, 2021
SaschaSchwarze0 pushed a commit to SaschaSchwarze0/build that referenced this issue Mar 5, 2021
Add support to --chown flag to ADD command (Issue shipwright-io#57)
@gabemontero
Copy link
Member Author

We do need to verify that standard ways of passing proxy information is respected by the image build operation in a way agnostic to the distribution of Kubernetes.

Example:

* Globally, the build operation should respect http_proxy env vars ( and other similar ones )

* Globally, the build operation should respect the existence of a proxy certificate in a standard location ( configmap ).

* Globally, Our build tools/strategies should be made aware of the above information.

A bit of an update on this one since @sbose78 last check in beginning of this year (no 9 months ago)

Once both are in place, we can see about say a blog post to introduce the connect with proxy topic, along with probably some additions to our existing API obj markdowns.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Development

No branches or pull requests

5 participants