fix(repo-server): Fix SystemCATrust for RHEL 9 (WIP) #1123
olivergondza wants to merge 1 commit into redhat-developer:master from
The hardcoded image url caused the tests to pass despite the desired image having changed. Signed-off-by: Oliver Gondža <ogondza@gmail.com>
| update-ca-trust | ||
| # Specifying the explicit location to turn on the container-aware behavior | ||
| update-ca-trust extract --output /etc/pki/ca-trust/extracted |
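Review bot: The comment above `update-ca-trust extract --output /etc/pki/ca-trust/extracted` says the explicit location turns on "container-aware behavior" but not what that behavior is or why this path is required. Spell out the reason in the comment and link the tracking bug there, so a later cleanup does not collapse this back to the bare `update-ca-trust` call shown at the top of the hunk.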
This is the actual fix for the bug. The --output option causes update-ca-trust not to assume it is run as root. Ref.: https://bugzilla.redhat.com/show_bug.cgi?id=2241240
| "cat", caBundlePath, | ||
| "bash", "-c", | ||
| // Ubuntu or RHEL location | ||
| "cat /etc/ssl/certs/ca-certificates.crt || cat /etc/ssl/certs/ca-bundle.crt", |
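Review bot: The `cat /etc/ssl/certs/ca-certificates.crt || cat /etc/ssl/certs/ca-bundle.crt` fallback succeeds on whichever bundle exists, so the assertion cannot tell which distro's trust store it read, and when the first file is absent the first `cat` still writes a "No such file" error to stderr. Select the file with an existence test (for example `[ -f ... ]`) or redirect the first command's stderr, and consider asserting the expected path when the image under test is known to be RHEL.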
Done this way, so tests are easier to sync in the future - no difference between operators on this line.
| if !fixture.EnvNonOLM() { | ||
| image = "registry.redhat.io/openshift-gitops-1/argocd-rhel8" | ||
| imageVersion = "sha256:8a0544c14823492165550d83a6d8ba79dd632b46144d3fdcb543793726111d76" |
The very culprit of the bug. The rhel8 I hard-coded here prevented our quality gates from spotting incompatibility with rhel9, so this passed nicely during CI and QE, but failed spectacularly in production using RHEL 9.
| } | ||
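Review bot: The `image`/`imageVersion` pair in the `!fixture.EnvNonOLM()` branch fixes both the repository name (`argocd-rhel8`) and a digest, and nothing in these lines checks that the pinned image matches what the operator ships. If a pinned reference stays anywhere in this test, pair it with an assertion against the operator's configured image so drift fails the test; if it goes, log the resolved image reference in the test output so each run remains traceable to an exact image.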
| // fetchArgoCDComponentImage pulls image url to discover its current location | ||
| func fetchArgoCDComponentImage() string { |
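Review bot: `fetchArgoCDComponentImage()` returns a bare `string`, so a failed lookup has no error path visible in the signature; return `(string, error)` or fail the test explicitly inside the helper rather than handing back an empty image reference. The doc comment should also name the source the location is read from, since "pulls image url" does not say what is queried.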
@jgwest, @anandf, @svghadi, I would welcome your opinions here. This pulls the bleeding-edge image location for repo-server (quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-rhel9 ATM), so the tests can use its main tags for this.
There are several competing conditions that let me do things this way:
- This feature requires RHEL image to function. Tests against the Ubuntu images would force the tests to be skipped / not verify production-like use-case.
- We want CI/QE to use OS/RPM versions that are as close to production as possible.
- Hardcoding image url & sha can backfire - again.
What is ultimately desirable is to run this with whatever RHEL-based argocd images the operator is bundled with*, or the latest ones.
*) As I think of this, current impl does not fulfill this criterion. Is there a way to query what image the operator will use to deploy argo components, and inject this only if it is not /.*rhel.*/? thx
The hardcoded image url caused the tests to pass despite the desired image having changed.
What type of PR is this?
/kind bug
Which issue(s) this PR fixes:
https://redhat.atlassian.net/browse/GITOPS-9511