  1. OpenShift Pipelines
  2. SRVKP-8349

Test Git resolver does not respect custom certificates in 1.19

      Before this change, a regression caused the git resolver to no longer use the OpenShift Proxy's custom-configured PKIs [1]. This could leave the git resolver unable to resolve references to a self-hosted git provider. After this change, the OpenShift Proxy's full CA bundle is trusted by the system in all components, including the git resolver. The git resolver will now trust any certificates configured in the cluster custom PKI.


      [1] - https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/configuring_network_settings/configuring-a-custom-pki
    • Bug Fix
    • Proposed
    • 2

      Description of problem:

      Self-signed certificates are no longer respected by the git resolver in 1.19, so resolving remote tasks from a private/self-hosted git provider fails because the self-signed certificate cannot be validated.

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce

      1. Host gitea at a domain which uses a self-signed certificate
      2. Create a repo in gitea which contains a pipeline yaml file
      3. In an OpenShift cluster, configure the OpenShift Proxy to use the self-signed cert following this documentation: https://github.com/openshift/openshift-docs/blob/a8269cf65696fbd08647c8f3b5d065d53a8a1f52/modules/certificate-injection-using-operators.adoc
      4. Install OpenShift Pipelines in the cluster
      5. Create a PipelineRun which uses the git-resolver to pull the pipeline from gitea

      Actual results:

      The git-resolver fails because it cannot validate gitea's certificate

      Expected results:

      The git-resolver succeeds in pulling the pipelinerun, validating gitea's certificate using the certificate bundle mounted from the configmap config-trusted-cabundle

      Reproducibility (Always/Intermittent/Only Once): Always

      Acceptance criteria: 

       

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

       


              rhn-support-jgarg Jayesh Garg
              rh-ee-athorp Andrew Thorp
              Jayesh Garg Jayesh Garg