Project: OpenShift Pipelines
Issue: SRVKP-9177

Git resolver in Pipelines 1.19 does not respect custom certificates



      Release Note Text:
      Before this change, a regression caused the git resolver to no longer use the OpenShift Proxy's custom-configured PKI [1]. This could leave the git resolver unable to resolve references to a self-hosted git provider. After this change, the OpenShift Proxy's full CA bundle is trusted by the system in all components, including the git resolver. The git resolver will now trust any certificates configured in the cluster's custom PKI.


      [1] - https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/configuring_network_settings/configuring-a-custom-pki
    • Bug Fix
    • Proposed
    • Critical

      Description of problem:

      This is a follow-up Bug to SRVKP-8204.

      Self-signed certificates are no longer respected by the git resolver in Pipelines 1.19, so resolving remote tasks from a private/self-hosted git provider fails because the self-signed certificate cannot be validated. A fix was already made in SRVKP-8204, but it does not resolve the issue.

      The customer has upgraded to the fixed version 1.19.3, but the git resolver still fails to clone a task from the repository host (Bitbucket), and the task still fails with the same error message:

       message: |-
            error requesting remote resource: error getting "Git" "mlcicd-test-pipelines-d/git-75339ea054fd31b81cfbf098ac4e8703": error resolving repository: git clone error: Cloning into '/tmp/example-acs-scan.git-3386689182'...
            fatal: unable to access 'https://bitbucket.example.com/scm/cnt/example-acs-scan.git/': SSL certificate problem: self-signed certificate in certificate chain: exit status 128 

      The CA cert has been mounted to the `tekton-pipelines-remote-resolvers-0` pod.

      To rule out the certificate itself, we manually accessed the Bitbucket instance using the same certificates and could reach it without any issues.

      We also confirmed that the same certificates have been added to the Proxy config.

      It appears that, even with the updated version 1.19.3, the git resolver still does not respect the certificates.

      Prerequisites (if any, like setup, operators/versions):

      OpenShift Container Platform 4.18
      OpenShift Pipelines 1.19.3

      Steps to Reproduce

      1. Host a git repository at a domain that uses a self-signed certificate (the customer uses Bitbucket)
      2. Create a repository on that host which contains a pipeline YAML file
      3. In an OpenShift cluster, configure the OpenShift Proxy to use the self-signed cert following this documentation: https://github.com/openshift/openshift-docs/blob/a8269cf65696fbd08647c8f3b5d065d53a8a1f52/modules/certificate-injection-using-operators.adoc
      4. Install OpenShift Pipelines in the cluster
      5. Create a PipelineRun which uses the git-resolver to pull the pipeline from the repository

      Actual results:

      The git-resolver fails because it cannot validate the repository certificate:

       message: |-
            error requesting remote resource: error getting "Git" "mlcicd-test-pipelines-d/git-75339ea054fd31b81cfbf098ac4e8703": error resolving repository: git clone error: Cloning into '/tmp/example-acs-scan.git-3386689182'...
            fatal: unable to access 'https://bitbucket.example.com/scm/cnt/example-acs-scan.git/': SSL certificate problem: self-signed certificate in certificate chain: exit status 128 

      Expected results:

      The git-resolver succeeds in pulling the PipelineRun, validating the repository certificate against the certificate bundle mounted from the ConfigMap "config-trusted-cabundle".
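      The expected result above comes down to one requirement on a Go component such as the git resolver: the PEM bundle mounted from the trusted CA ConfigMap must be loaded into the root pool its TLS client verifies against, otherwise a self-signed chain is rejected exactly as in the error shown. The following is an added illustration, not code from this ticket, from Tekton or from OpenShift Pipelines. It stands up a local HTTPS server with a constructed self-signed certificate (standing in for the private Bitbucket host) and compares a client that relies on system roots only with one that also trusts the bundle. The hostname bitbucket.example.com, the handler and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newSelfSignedCert constructs a throwaway self-signed server certificate.
// This is constructed test data standing in for the private git host's cert;
// the PEM it returns plays the role of the cluster's custom CA bundle.
func newSelfSignedCert() (tls.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "bitbucket.example.com"}, // assumed name
		DNSNames:              []string{"bitbucket.example.com"},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on loopback
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pemBytes, nil
}

// clientWithBundle builds an HTTPS client. A nil bundle means "system roots
// only", which is the behaviour the ticket describes; otherwise the PEM bundle
// (what a component would read from the mounted CA ConfigMap) becomes the root set.
func clientWithBundle(bundlePEM []byte) (*http.Client, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if bundlePEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(bundlePEM) {
			return nil, errors.New("CA bundle contains no parsable certificates")
		}
		cfg.RootCAs = pool
	}
	tr := &http.Transport{TLSClientConfig: cfg}
	return &http.Client{Transport: tr, Timeout: 5 * time.Second}, nil
}

// fetch performs a GET and returns the TLS or HTTP error, if any.
func fetch(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return err
}

// Demo serves over TLS with the self-signed cert and reports whether a client
// without the bundle fails verification and a client with the bundle succeeds.
func Demo() (failsWithoutBundle, succeedsWithBundle bool, err error) {
	cert, caPEM, err := newSelfSignedCert()
	if err != nil {
		return false, false, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok") // assumed handler; a real host would serve the git repo
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()

	noBundle, _ := clientWithBundle(nil)
	failsWithoutBundle = fetch(noBundle, srv.URL) != nil
	noBundle.CloseIdleConnections()

	withBundle, err := clientWithBundle(caPEM)
	if err != nil {
		return failsWithoutBundle, false, err
	}
	succeedsWithBundle = fetch(withBundle, srv.URL) == nil
	withBundle.CloseIdleConnections()
	return failsWithoutBundle, succeedsWithBundle, nil
}

func main() {
	fails, ok, err := Demo()
	fmt.Printf("fails without bundle: %v, succeeds with bundle: %v, setup error: %v\n", fails, ok, err)
}
```

      The point for triage is that both clients talk to the same server with the same certificate; the only difference is whether the mounted bundle reached the TLS configuration of the component doing the clone, which is what to verify in the resolver pod when the clone error above appears despite the ConfigMap being mounted.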

      Reproducibility (Always/Intermittent/Only Once):

      Always at customer

      Acceptance criteria: 

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

      • Additional information is available in Support Case 04203034 or in the internal Google Drive (to be posted below)
      • The `tekton-pipelines-remote-resolvers-0` pod .yaml and logs, respective TaskRun .yaml, Proxy config and CA bundle are in the Google Drive.

              rh-ee-athorp Andrew Thorp
              rhn-support-skrenger Simon Krenger