Closed carbonin closed 1 month ago
/test ?
@carbonin: The following commands are available to trigger required jobs:
/test e2e-agent-compact-ipv4
/test edge-assisted-operator-catalog-publish-verify
/test edge-ci-index
/test edge-e2e-ai-operator-ztp
/test edge-e2e-ai-operator-ztp-sno-day2-workers
/test edge-e2e-ai-operator-ztp-sno-day2-workers-late-binding
/test edge-e2e-metal-assisted
/test edge-e2e-metal-assisted-4-12
/test edge-e2e-metal-assisted-cnv-4-16
/test edge-e2e-metal-assisted-lvm
/test edge-e2e-metal-assisted-odf-4-16
/test edge-images
/test edge-lint
/test edge-subsystem-aws
/test edge-subsystem-kubeapi-aws
/test edge-unit-test
/test edge-verify-generated-code
/test images
/test mce-images
The following commands are available to trigger optional jobs:
/test e2e-agent-ha-dualstack
/test e2e-agent-sno-ipv6
/test edge-e2e-ai-operator-disconnected-capi
/test edge-e2e-ai-operator-ztp-3masters
/test edge-e2e-ai-operator-ztp-capi
/test edge-e2e-ai-operator-ztp-compact-day2-masters
/test edge-e2e-ai-operator-ztp-compact-day2-workers
/test edge-e2e-ai-operator-ztp-disconnected
/test edge-e2e-ai-operator-ztp-hypershift-zero-nodes
/test edge-e2e-ai-operator-ztp-multiarch-3masters-ocp
/test edge-e2e-ai-operator-ztp-multiarch-sno-ocp
/test edge-e2e-ai-operator-ztp-node-labels
/test edge-e2e-ai-operator-ztp-sno-day2-masters
/test edge-e2e-ai-operator-ztp-sno-day2-workers-ignitionoverride
/test edge-e2e-metal-assisted-4-13
/test edge-e2e-metal-assisted-4-14
/test edge-e2e-metal-assisted-4-15
/test edge-e2e-metal-assisted-4-16
/test edge-e2e-metal-assisted-bond
/test edge-e2e-metal-assisted-bond-4-14
/test edge-e2e-metal-assisted-day2
/test edge-e2e-metal-assisted-day2-arm-workers
/test edge-e2e-metal-assisted-day2-single-node
/test edge-e2e-metal-assisted-external
/test edge-e2e-metal-assisted-external-4-14
/test edge-e2e-metal-assisted-ipv4v6
/test edge-e2e-metal-assisted-ipv6
/test edge-e2e-metal-assisted-kube-api-late-binding-single-node
/test edge-e2e-metal-assisted-kube-api-late-unbinding-ipv4-single-node
/test edge-e2e-metal-assisted-kube-api-net-suite
/test edge-e2e-metal-assisted-mce-4-16
/test edge-e2e-metal-assisted-mce-sno-4-16
/test edge-e2e-metal-assisted-metallb
/test edge-e2e-metal-assisted-none
/test edge-e2e-metal-assisted-onprem
/test edge-e2e-metal-assisted-single-node
/test edge-e2e-metal-assisted-static-ip-suite
/test edge-e2e-metal-assisted-static-ip-suite-4-14
/test edge-e2e-metal-assisted-tang
/test edge-e2e-metal-assisted-tpmv2
/test edge-e2e-metal-assisted-upgrade-agent
/test edge-e2e-nutanix-assisted
/test edge-e2e-nutanix-assisted-2workers
/test edge-e2e-nutanix-assisted-4-14
/test edge-e2e-oci-assisted
/test edge-e2e-oci-assisted-4-14
/test edge-e2e-oci-assisted-iscsi
/test edge-e2e-vsphere-assisted
/test edge-e2e-vsphere-assisted-4-14
/test edge-e2e-vsphere-assisted-4-15
/test edge-e2e-vsphere-assisted-4-16
/test edge-e2e-vsphere-assisted-umn
/test okd-scos-images
/test push-pr-image
Use `/test all` to run the following jobs that were automatically triggered:
pull-ci-openshift-assisted-service-master-e2e-agent-compact-ipv4
pull-ci-openshift-assisted-service-master-edge-ci-index
pull-ci-openshift-assisted-service-master-edge-e2e-ai-operator-disconnected-capi
pull-ci-openshift-assisted-service-master-edge-e2e-ai-operator-ztp
pull-ci-openshift-assisted-service-master-edge-e2e-ai-operator-ztp-capi
pull-ci-openshift-assisted-service-master-edge-e2e-metal-assisted
pull-ci-openshift-assisted-service-master-edge-images
pull-ci-openshift-assisted-service-master-edge-lint
pull-ci-openshift-assisted-service-master-edge-subsystem-aws
pull-ci-openshift-assisted-service-master-edge-subsystem-kubeapi-aws
pull-ci-openshift-assisted-service-master-edge-unit-test
pull-ci-openshift-assisted-service-master-edge-verify-generated-code
pull-ci-openshift-assisted-service-master-images
pull-ci-openshift-assisted-service-master-mce-images
/test edge-e2e-ai-operator-ztp-disconnected
@omertuc pinged you as this will likely also resolve https://issues.redhat.com/browse/ACM-12866 unless I'm misunderstanding the issue.
@carbonin: This pull request references Jira Issue OCPBUGS-27238, which is invalid:
Comment `/jira refresh` to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
The bug has been updated to refer to the pull request using the external bug tracker.
/jira refresh
@carbonin: This pull request references Jira Issue OCPBUGS-27238, which is invalid:
Comment `/jira refresh` to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.
/jira refresh
@carbonin: This pull request references Jira Issue OCPBUGS-27238, which is valid.
Attention: Patch coverage is 76.19048% with 15 lines in your changes missing coverage. Please review.
Project coverage is 68.69%. Comparing base (a969ac4) to head (a9efb9b). Report is 8 commits behind head on master.
Files | Patch % | Lines |
---|---|---|
...oller/controllers/agentserviceconfig_controller.go | 76.19% | 9 Missing and 6 partials :warning: |
This is great, thank you
Looks like the ztp job is failing with something cert related :worried:
```
message: "The Spec could not be synced due to backend error: failed to get release
  image 'registry.build03.ci.openshift.org/ci-op-741s0081/release@sha256:6d80f695c4db0a6048613a25e7b9b0499efa90b236e0330292d559c68d5d5835'.
  Please ensure the releaseImage field in ClusterImageSet 'openshift-v4.17' is
  valid, (error: command 'oc adm release info -o template --template '{{.metadata.version}}'
  --insecure=false registry.build03.ci.openshift.org/ci-op-741s0081/release@sha256:6d80f695c4db0a6048613a25e7b9b0499efa90b236e0330292d559c68d5d5835
  --registry-config=/tmp/registry-config3793143290' exited with non-zero exit
  code 1: \nerror: unable to read image registry.build03.ci.openshift.org/ci-op-741s0081/release@sha256:6d80f695c4db0a6048613a25e7b9b0499efa90b236e0330292d559c68d5d5835:
  Get \"https://registry.build03.ci.openshift.org/v2/\": x509: certificate signed
  by unknown authority\n)."
```
Looks like the cluster ca bundle didn't get filled into the config map
```json
{
    "apiVersion": "v1",
    "data": {
        "ca-bundle.crt": ""
    },
    "kind": "ConfigMap",
    "metadata": {
        "creationTimestamp": "2024-08-05T21:39:02Z",
        "name": "assisted-trusted-ca-bundle",
        "namespace": "assisted-installer",
        "ownerReferences": [
            {
                "apiVersion": "agent-install.openshift.io/v1beta1",
                "blockOwnerDeletion": true,
                "controller": true,
                "kind": "AgentServiceConfig",
                "name": "agent",
                "uid": "97c964bf-0ad5-475b-9bb1-9eb7d29b9da7"
            }
        ],
        "resourceVersion": "39147",
        "uid": "a3890e40-b9c7-49d2-b2a5-b75d369bed8b"
    }
},
{
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {
        "annotations": {
            "config.openshift.io/inject-trusted-cabundle": "true"
        },
        "creationTimestamp": "2024-08-05T21:39:02Z",
        "name": "cluster-trusted-ca-bundle",
        "namespace": "assisted-installer",
        "ownerReferences": [
            {
                "apiVersion": "agent-install.openshift.io/v1beta1",
                "blockOwnerDeletion": true,
                "controller": true,
                "kind": "AgentServiceConfig",
                "name": "agent",
                "uid": "97c964bf-0ad5-475b-9bb1-9eb7d29b9da7"
            }
        ],
        "resourceVersion": "39144",
        "uid": "02697385-7588-4f74-ad5c-95bdae743980"
    }
},
```
:facepalm: It's a label, not an annotation
/test edge-e2e-ai-operator-ztp-disconnected
/retest
Can someone take a look at this one?
Maybe @omertuc or @CrystalChun ?
maybe we could include some doc
Yeah, you're probably right. I'll find a place for this.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: carbonin, CrystalChun
The full list of commands accepted by this bot can be found here.
The pull request process is described here
/retest-required
Remaining retests: 0 against base HEAD 885904784c71d90ab4014c096e3348d08b174849 and 2 for PR HEAD a9efb9b8af3473a6a49acf662ae2a2ba59d98c8a in total
/retest-required
Remaining retests: 0 against base HEAD 84f998ead4061df0d401c72601878a3b89b33e71 and 1 for PR HEAD a9efb9b8af3473a6a49acf662ae2a2ba59d98c8a in total
@carbonin: The following test failed, say `/retest` to rerun all failed tests or `/retest-required` to rerun all mandatory failed tests:
Test name | Commit | Details | Required | Rerun command |
---|---|---|---|---|
ci/prow/edge-e2e-ai-operator-disconnected-capi | a9efb9b8af3473a6a49acf662ae2a2ba59d98c8a | link | false | /test edge-e2e-ai-operator-disconnected-capi |
Full PR test history. Your PR dashboard.
@carbonin: Jira Issue OCPBUGS-27238: All pull requests linked via external trackers have merged:
Jira Issue OCPBUGS-27238 has been moved to the MODIFIED state.
[ART PR BUILD NOTIFIER]
Distgit: ose-agent-installer-api-server This PR has been included in build ose-agent-installer-api-server-container-v4.17.0-202408091314.p0.gf40fe42.assembly.stream.el9. All builds following this will include this PR.
Previously when a user provided mirror registry certs the assisted-service pod would be deployed in such a way that those would be the only certs trusted by most commands running on the pod.
This would cause issues when, for example, the spoke cluster release image is mirrored internally, but the hub cluster image is not.
This was the case in https://issues.redhat.com/browse/OCPBUGS-27238 where assisted-service failed to pull the hub cluster release image because it didn't trust a certificate it otherwise should have.
To address this the infrastructure-operator creates a configmap which is annotated such that the cluster network operator will inject the public CA bundle into it as described in [1]. This content is then merged with the user-provided content (if any is provided) into a third configmap which is mounted into the assisted-service container.
[1] https://docs.openshift.com/container-platform/4.16/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki
List all the issues related to this PR
https://issues.redhat.com/browse/OCPBUGS-27238
What environments does this code impact?
How was this code tested?
Tested manually in a dev-scripts environment to see that the cert configmaps were created correctly. Relying on the CI disconnected job to test that case.
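The merge of the injected cluster bundle with the user-provided bundle that the PR description outlines, written as an added Go example; this is not the code from the pull request. `mergeCABundles` and `sampleCA` are hypothetical names, the sample CAs are generated on the fly, and treating an empty result as an error is an assumption made here so that an empty `ca-bundle.crt` like the one seen in the thread is caught before it is mounted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// sampleCA returns a throwaway self-signed CA in PEM form (constructed sample data).
func sampleCA(cn string) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// mergeCABundles (hypothetical helper) joins PEM bundles, skipping duplicates and
// blocks that are not parseable certificates; an empty result is an error.
func mergeCABundles(bundles ...string) (string, int, error) {
	seen := map[string]bool{}
	var out strings.Builder
	for _, b := range bundles {
		for block, rest := pem.Decode([]byte(b)); block != nil; block, rest = pem.Decode(rest) {
			if _, err := x509.ParseCertificate(block.Bytes); block.Type != "CERTIFICATE" || err != nil || seen[string(block.Bytes)] {
				continue
			}
			seen[string(block.Bytes)] = true
			out.Write(pem.EncodeToMemory(block))
		}
	}
	if len(seen) == 0 {
		return "", 0, fmt.Errorf("merged CA bundle is empty: nothing injected and nothing provided")
	}
	return out.String(), len(seen), nil
}

func main() {
	cluster, mirror := sampleCA("cluster-ca"), sampleCA("mirror-ca")
	_, n, err := mergeCABundles(cluster, mirror+cluster) // user bundle repeats the cluster CA
	_, _, emptyErr := mergeCABundles("", "")             // nothing injected, nothing provided
	fmt.Println(n, err, emptyErr)
}
```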