- Epic
- Resolution: Unresolved
- Critical
- None
- Shipwright proxy settings
- To Do
- SECFLOWOTL-28 - Openshift Builds in clusters with restricted networks
- 0% To Do, 25% In Progress, 75% Done
Goal
As an admin, I want Builds to use the global proxy settings configured for OpenShift, so that I don't have to configure proxy for each individual build.
Problem
OpenShift provides a way for admins to define cluster-wide proxy settings; however, it is up to each operator to make sure these settings are consumed, removing the burden from the admin of re-configuring the proxy for each service.
Why is this important?
To enable customers to use global proxy settings with Builds
Dependencies
- OLM
- OpenShift cluster configurations
- OpenShift Pipelines
Prioritized epics + deliverables (in scope / not in scope)
- Add proxy settings to Builds.
- Support for general additional certificate authority to clone source, download artifacts - out of scope
- Support for registry-specific additional CAs to pull container images from private registries - out of scope
Estimate (XS, S, M, L, XL, XXL):
Previous Work:
- OLM proxy reconciliation: https://github.com/operator-framework/operator-lifecycle-manager/blob/master/doc/contributors/design-proposals/operator-config.md#openshift-specific-implementation
- OpenShift configuration for proxy environment variables, additional CAs
- OpenShift configuration for image registry certificate authorities
- OpenShift Pipelines support for injecting Proxy information to Tekton containers: doc
- OLM infrastructure annotations
Open Questions:
- Does OpenShift automatically set the *_PROXY environment variables in all pods if there is a cluster-wide proxy present? No, but OpenShift Pipelines does this for Tekton pods!
- For the cluster-wide trust certificate - should we continue to rely on OpenShift's mechanism for generating a trust bundle, or should we move customers towards using cert-manager instead? Out of scope.
- For private image registry certificates - same as above. Use OpenShift's existing mechanism, or move customers to cert-manager? Out of scope.
- is documented by
  - RHDEVDOCS-6207 Builds for OpenShift: Enable Proxy Awareness (Pull Request Sent)
- is related to
  - BUILD-1152 Support self-signed certificates in builds (New)
  - SRVKP-2702 Use podTemplates for proxy configs (New)