Skip to content

OSASINFRA-3731: openstack: Consume CA cert from CCO secret #557

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
openshift-merge-bot merged 9 commits into from
Apr 10, 2025
Merged

OSASINFRA-3731: openstack: Consume CA cert from CCO secret #557

openshift-merge-bot merged 9 commits into from
Apr 10, 2025

Conversation

@stephenfin
Copy link
Contributor

@stephenfin stephenfin commented Feb 19, 2025
edited
Loading

In openshift/cloud-credential-operator/pull/780, we have added the ability for cloud-credential-operator to consume a CA cert from the root credentials secret and to include in the credentials secrets it provisions.
In openshift/installer/pull/9194, we have modified the Installer to start setting this field where necessary.

Adapt the assets for both the openstack-cinder and openstack-manila CSI drivers to start consuming this field, where present. We maintain fallbacks for the previous locations of the cert for now, but these can be removed in the next release.

This needs wait for the CCO change to be approved before we merge this.

/hold

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 19, 2025
edited by openshift-ci bot
Loading

@stephenfin: This pull request references OSASINFRA-3731 which is a valid jira issue.

In response to this:

In github.com/openshift/cloud-credential-operator/pull/780, we have added the ability for cloud-credential-operator to consume a CA cert from the root credentials secret and to include in the credentials secrets it provisions.
In github.com/openshift/installer/pull/9194, we have modified the Installer to start setting this field where necessary.

Adapt the assets for both the openstack-cinder and openstack-manila CSI drivers to start consuming this field, where present. We maintain fallbacks for the previous locations of the cert for now, but these can be removed in the next release.

This ideally will wait for the CCO change to be approved before we merge this.

/hold

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 19, 2025
@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 19, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 19, 2025
edited by openshift-ci bot
Loading

@stephenfin: This pull request references OSASINFRA-3731 which is a valid jira issue.

In response to this:

In openshift/cloud-credential-operator/pull/780, we have added the ability for cloud-credential-operator to consume a CA cert from the root credentials secret and to include in the credentials secrets it provisions.
In openshift/installer/pull/9194, we have modified the Installer to start setting this field where necessary.

Adapt the assets for both the openstack-cinder and openstack-manila CSI drivers to start consuming this field, where present. We maintain fallbacks for the previous locations of the cert for now, but these can be removed in the next release.

This ideally will wait for the CCO change to be approved before we merge this.

/hold

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

stephenfin added a commit to shiftstack/csi-operator that referenced this pull request Feb 19, 2025
@stephenfin
openstack-manila: Consume CA cert from credentials secret (controller)
a4e3819 
Do what we previously did for the openstack-cinder controller but for
the openstack-manila controller. In effect, we're really just reflecting
the changes made in cluster-storage-operator in [1]. However, we do need
to add some logic to detect where we are consuming our CA cert from so
that we can match forthcoming changes to our assets.

While here, we also replace use of the deprecated `ioutil.ReadFile`
function in favour of its suggested replacement, `os.ReadFile` [2].
We also replace use of `os.IsNotExist` in favour of its suggested
replacement, `errors.Is(err, fs.ErrNotExist)` [3].

[1] github.com/openshift/cluster-storage-operator/pull/557
[2] https://pkg.go.dev/io/ioutil#ReadFile
[3] https://pkg.go.dev/os#IsNotExist

Signed-off-by: Stephen Finucane <[email protected]>
@stephenfin stephenfin mentioned this pull request Feb 19, 2025
Open
1 task
@EmilienM
Copy link
Member

EmilienM commented Feb 19, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 19, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Mar 12, 2025
edited by openshift-ci bot
Loading

@stephenfin: This pull request references OSASINFRA-3731 which is a valid jira issue.

In response to this:

In openshift/cloud-credential-operator/pull/780, we have added the ability for cloud-credential-operator to consume a CA cert from the root credentials secret and to include in the credentials secrets it provisions.
In openshift/installer/pull/9194, we have modified the Installer to start setting this field where necessary.

Adapt the assets for both the openstack-cinder and openstack-manila CSI drivers to start consuming this field, where present. We maintain fallbacks for the previous locations of the cert for now, but these can be removed in the next release.

This needs wait for the CCO change to be approved before we merge this.

/hold

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Mar 12, 2025
stephenfin added a commit to shiftstack/csi-operator that referenced this pull request Mar 12, 2025
@stephenfin
openstack-manila: Consume CA cert from credentials secret (controller)
e875ea1 
Do what we previously did for the openstack-cinder controller but for
the openstack-manila controller. In effect, we're really just reflecting
the changes made in cluster-storage-operator in [1]. However, we do need
to add some logic to detect where we are consuming our CA cert from so
that we can match forthcoming changes to our assets.

While here, we also replace use of the deprecated `ioutil.ReadFile`
function in favour of its suggested replacement, `os.ReadFile` [2].
We also replace use of `os.IsNotExist` in favour of its suggested
replacement, `errors.Is(err, fs.ErrNotExist)` [3].

[1] github.com/openshift/cluster-storage-operator/pull/557
[2] https://pkg.go.dev/io/ioutil#ReadFile
[3] https://pkg.go.dev/os#IsNotExist

Signed-off-by: Stephen Finucane <[email protected]>
stephenfin added a commit to shiftstack/csi-operator that referenced this pull request Mar 12, 2025
@stephenfin
openstack-manila: Consume CA cert from credentials secret (controller)
9d1fcea 
Do what we previously did for the openstack-cinder controller but for
the openstack-manila controller. In effect, we're really just reflecting
the changes made in cluster-storage-operator in [1]. However, we do need
to add some logic to detect where we are consuming our CA cert from so
that we can match forthcoming changes to our assets.

While here, we also replace use of the deprecated `ioutil.ReadFile`
function in favour of its suggested replacement, `os.ReadFile` [2].
We also replace use of `os.IsNotExist` in favour of its suggested
replacement, `errors.Is(err, fs.ErrNotExist)` [3].

[1] github.com/openshift/cluster-storage-operator/pull/557
[2] https://pkg.go.dev/io/ioutil#ReadFile
[3] https://pkg.go.dev/os#IsNotExist

Signed-off-by: Stephen Finucane <[email protected]>
stephenfin added a commit to shiftstack/csi-operator that referenced this pull request Mar 13, 2025
@stephenfin
openstack-manila: Consume CA cert from credentials secret (controller)
7aa9bc9 
Do what we previously did for the openstack-cinder controller but for
the openstack-manila controller. In effect, we're really just reflecting
the changes made in cluster-storage-operator in [1]. However, we do need
to add some logic to detect where we are consuming our CA cert from so
that we can match forthcoming changes to our assets.

While here, we also replace use of the deprecated `ioutil.ReadFile`
function in favour of its suggested replacement, `os.ReadFile` [2].
We also replace use of `os.IsNotExist` in favour of its suggested
replacement, `errors.Is(err, fs.ErrNotExist)` [3].

[1] github.com/openshift/cluster-storage-operator/pull/557
[2] https://pkg.go.dev/io/ioutil#ReadFile
[3] https://pkg.go.dev/os#IsNotExist

Signed-off-by: Stephen Finucane <[email protected]>
@EmilienM
Copy link
Member

EmilienM commented Mar 15, 2025

/retest

@EmilienM
Copy link
Member

EmilienM commented Mar 17, 2025

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 17, 2025
@EmilienM EmilienM mentioned this pull request Mar 17, 2025
Merged
4 tasks
@MaysaMacedo
Copy link
Contributor

MaysaMacedo commented Mar 17, 2025

/test hypershift-e2e-openstack-csi-manila

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 17, 2025

@MaysaMacedo: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test e2e-aws-csi

/test e2e-aws-ovn-upgrade

/test e2e-azure-csi

/test e2e-azure-file-csi

/test e2e-gcp-csi

/test e2e-vsphere-csi

/test hypershift-aws-e2e-external

/test hypershift-e2e-aks

/test images

/test okd-scos-images

/test unit

/test verify

/test verify-deps

/test verify-kustomize-assets

The following commands are available to trigger optional jobs:

/test e2e-aws-ovn

/test e2e-azure-manual-oidc

/test e2e-azure-ovn

/test e2e-gcp-manual-oidc

/test e2e-gcp-ovn

/test e2e-ibmcloud-csi

/test e2e-openstack

/test e2e-openstack-cinder-csi

/test e2e-openstack-manila-csi

/test e2e-openstack-parallel

/test e2e-ovn-vsphere

/test hypershift-e2e-openstack-aws-csi-cinder

/test hypershift-e2e-openstack-aws-csi-manila

/test okd-scos-e2e-aws-ovn

/test security

Use /test all to run the following jobs that were automatically triggered:

pull-ci-openshift-cluster-storage-operator-main-e2e-aws-csi

pull-ci-openshift-cluster-storage-operator-main-e2e-aws-ovn-upgrade

pull-ci-openshift-cluster-storage-operator-main-e2e-azure-csi

pull-ci-openshift-cluster-storage-operator-main-e2e-azure-file-csi

pull-ci-openshift-cluster-storage-operator-main-e2e-gcp-csi

pull-ci-openshift-cluster-storage-operator-main-e2e-gcp-manual-oidc

pull-ci-openshift-cluster-storage-operator-main-e2e-ibmcloud-csi

pull-ci-openshift-cluster-storage-operator-main-e2e-openstack

pull-ci-openshift-cluster-storage-operator-main-e2e-openstack-parallel

pull-ci-openshift-cluster-storage-operator-main-e2e-vsphere-csi

pull-ci-openshift-cluster-storage-operator-main-hypershift-aws-e2e-external

pull-ci-openshift-cluster-storage-operator-main-hypershift-e2e-aks

pull-ci-openshift-cluster-storage-operator-main-images

pull-ci-openshift-cluster-storage-operator-main-okd-scos-e2e-aws-ovn

pull-ci-openshift-cluster-storage-operator-main-okd-scos-images

pull-ci-openshift-cluster-storage-operator-main-security

pull-ci-openshift-cluster-storage-operator-main-unit

pull-ci-openshift-cluster-storage-operator-main-verify

pull-ci-openshift-cluster-storage-operator-main-verify-deps

pull-ci-openshift-cluster-storage-operator-main-verify-kustomize-assets

In response to this:

/test hypershift-e2e-openstack-csi-manila

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@MaysaMacedo
Copy link
Contributor

MaysaMacedo commented Mar 17, 2025

/test hypershift-e2e-openstack-aws-csi-manila hypershift-e2e-openstack-aws-csi-cinder

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Mar 17, 2025

@MaysaMacedo: No presubmit jobs available for openshift/cluster-storage-operator@main

In response to this:

/test hypershift-e2e-openstack-aws-csi-manila hypershift-e2e-openstack-aws-csi-cinder

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@stephenfin
Copy link
Contributor Author

stephenfin commented Mar 27, 2025

/unhold

openshift/cloud-credential-operator#780 is merged

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 27, 2025
@stephenfin
Copy link
Contributor Author

stephenfin commented Mar 28, 2025

/cc @jsafrane
/cc @gnufied

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 4, 2025
@stephenfin
openstack-cinder: Move definition of cacert volume
fe1dc14 
As noted inline, the definition in the base asset was only used in the
generated standalone asset, so it actually belongs in the standalone
patch. This has no impact on the generated assets.

Signed-off-by: Stephen Finucane <[email protected]>
@stephenfin
openstack-cinder: Make CA cert mount read-only
7b1da41 
Signed-off-by: Stephen Finucane <[email protected]>
@stephenfin
openstack-cinder: Better name for cloud credentials
cd68a20 
This at least tells you what the secret is for.

Signed-off-by: Stephen Finucane <[email protected]>
@stephenfin
openstack-cinder: Rename cacert mount
1238fb4 
This is going to be superseded in a coming change. Rename it in
preparation.

Signed-off-by: Stephen Finucane <[email protected]>
@stephenfin
openstack-cinder: Consume CA cert from credentials secret
5e6cd73 
cloud-credential-operator now supports deploying the CA cert to the
secrets it generates, which means we can start consuming it from there
rather than from configuration.

Signed-off-by: Stephen Finucane <[email protected]>
@stephenfin
openstack-manila: Make credential, CA cert mounts read-only
ef884e0 
Signed-off-by: Stephen Finucane <[email protected]>
@stephenfin
openstack-manila: Prefer strategic merge
70a7c06 
It's easier to understand and consistent with openstack-cinder. The only
changes to the generated assets are to do with ordering (i.e.
irrelevant).

Signed-off-by: Stephen Finucane <[email protected]>
@stephenfin
openstack-manila: Rename cacert mount
a0bc516 
This is going to be superseded in a coming change. Rename it in
preparation.

Signed-off-by: Stephen Finucane <[email protected]>
@stephenfin
openstack-manila: Consume CA cert from credentials secret
b8ee279 
As we did for openstack-cinder before, now do for openstack-manila. We
also strip some trailing slashes from volumes mounts: they're
unnecessary.

Signed-off-by: Stephen Finucane <[email protected]>
@stephenfin
Copy link
Contributor Author

stephenfin commented Apr 8, 2025

More conflicts due to #564. Here is the diff this time. Again, nothing unexpected:

❯ git diff shiftstack/OSASINFRA-3731 -- assets/csidriveroperators/openstack-*
diff --git assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml
index 4be82a70..3a986090 100644
--- assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml
+++ assets/csidriveroperators/openstack-cinder/base/07_deployment.yaml
@@ -58,6 +58,8 @@ spec:
         - name: legacy-cacert
           mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
           readOnly: true
+        - name: tmp
+          mountPath: /tmp
         name: openstack-cinder-csi-driver-operator
         resources:
           requests:
@@ -65,6 +67,7 @@ spec:
             memory: 50Mi
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
+          readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:
             drop:
@@ -86,6 +89,9 @@ spec:
                 items:
                 - key: clouds.yaml
                   path: clouds.yaml
+      - name: tmp
+        emptyDir:
+          medium: Memory
       securityContext:
         runAsNonRoot: true
         seccompProfile:
diff --git assets/csidriveroperators/openstack-cinder/hypershift/mgmt/deployment.patch.yaml assets/csidriveroperators/openstack-cinder/hypershift/mgmt/deployment.patch.yaml
index 53dadb60..a259f998 100644
--- assets/csidriveroperators/openstack-cinder/hypershift/mgmt/deployment.patch.yaml
+++ assets/csidriveroperators/openstack-cinder/hypershift/mgmt/deployment.patch.yaml
@@ -55,6 +55,8 @@ spec:
             - mountPath: /etc/guest-kubeconfig
               name: guest-kubeconfig
           terminationMessagePolicy: FallbackToLogsOnError
+          securityContext:
+            readOnlyRootFilesystem: false
       priorityClassName: hypershift-control-plane
       volumes:
         # This is the legacy location of the CA cert. The cert is now provided
diff --git assets/csidriveroperators/openstack-cinder/hypershift/mgmt/generated/apps_v1_deployment_openstack-cinder-csi-driver-operator.yaml assets/csidriveroperators/openstack-cinder/hypershift/mgmt/generated/apps_v1_deployment_openstack-cinder-csi-driver-operator.yaml
index 7ef7f055..5379ad70 100644
--- assets/csidriveroperators/openstack-cinder/hypershift/mgmt/generated/apps_v1_deployment_openstack-cinder-csi-driver-operator.yaml
+++ assets/csidriveroperators/openstack-cinder/hypershift/mgmt/generated/apps_v1_deployment_openstack-cinder-csi-driver-operator.yaml
@@ -88,6 +88,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: false
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /etc/guest-kubeconfig
@@ -98,6 +99,8 @@ spec:
         - mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
           name: legacy-cacert
           readOnly: true
+        - mountPath: /tmp
+          name: tmp
       priorityClassName: hypershift-control-plane
       securityContext:
         runAsNonRoot: true
@@ -140,3 +143,6 @@ spec:
               - key: clouds.yaml
                 path: clouds.yaml
               name: openstack-cloud-credentials
+      - emptyDir:
+          medium: Memory
+        name: tmp
diff --git assets/csidriveroperators/openstack-cinder/standalone/generated/apps_v1_deployment_openstack-cinder-csi-driver-operator.yaml assets/csidriveroperators/openstack-cinder/standalone/generated/apps_v1_deployment_openstack-cinder-csi-driver-operator.yaml
index fcaa937d..e7e7ff0e 100644
--- assets/csidriveroperators/openstack-cinder/standalone/generated/apps_v1_deployment_openstack-cinder-csi-driver-operator.yaml
+++ assets/csidriveroperators/openstack-cinder/standalone/generated/apps_v1_deployment_openstack-cinder-csi-driver-operator.yaml
@@ -57,6 +57,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /etc/openstack
@@ -65,6 +66,8 @@ spec:
         - mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
           name: legacy-cacert
           readOnly: true
+        - mountPath: /tmp
+          name: tmp
       nodeSelector:
         node-role.kubernetes.io/master: ""
       priorityClassName: system-cluster-critical
@@ -101,3 +104,6 @@ spec:
               - key: clouds.yaml
                 path: clouds.yaml
               name: openstack-cloud-credentials
+      - emptyDir:
+          medium: Memory
+        name: tmp
diff --git assets/csidriveroperators/openstack-manila/base/07_deployment.yaml assets/csidriveroperators/openstack-manila/base/07_deployment.yaml
index a51fd006..b24e5533 100644
--- assets/csidriveroperators/openstack-manila/base/07_deployment.yaml
+++ assets/csidriveroperators/openstack-manila/base/07_deployment.yaml
@@ -61,12 +61,15 @@ spec:
         - name: legacy-cacert
           mountPath: /etc/openstack-ca
           readOnly: true
+        - name: tmp
+          mountPath: /tmp
         resources:
           requests:
             memory: 50Mi
             cpu: 10m
         terminationMessagePolicy: FallbackToLogsOnError
         securityContext:
+          readOnlyRootFilesystem: true
           allowPrivilegeEscalation: false
           capabilities:
             drop:
@@ -88,6 +91,9 @@ spec:
                 items:
                 - key: clouds.yaml
                   path: clouds.yaml
+      - name: tmp
+        emptyDir:
+          medium: Memory
       securityContext:
         runAsNonRoot: true
         seccompProfile:
diff --git assets/csidriveroperators/openstack-manila/hypershift/mgmt/deployment.patch.yaml assets/csidriveroperators/openstack-manila/hypershift/mgmt/deployment.patch.yaml
index 7c23aa8e..8f4beef3 100644
--- assets/csidriveroperators/openstack-manila/hypershift/mgmt/deployment.patch.yaml
+++ assets/csidriveroperators/openstack-manila/hypershift/mgmt/deployment.patch.yaml
@@ -55,6 +55,8 @@ spec:
           - mountPath: /etc/guest-kubeconfig
             name: guest-kubeconfig
         terminationMessagePolicy: FallbackToLogsOnError
+        securityContext:
+          readOnlyRootFilesystem: false
       priorityClassName: hypershift-control-plane
       volumes:
         - name: guest-kubeconfig
diff --git assets/csidriveroperators/openstack-manila/hypershift/mgmt/generated/apps_v1_deployment_manila-csi-driver-operator.yaml assets/csidriveroperators/openstack-manila/hypershift/mgmt/generated/apps_v1_deployment_manila-csi-driver-operator.yaml
index a4e1818f..00d2d72a 100644
--- assets/csidriveroperators/openstack-manila/hypershift/mgmt/generated/apps_v1_deployment_manila-csi-driver-operator.yaml
+++ assets/csidriveroperators/openstack-manila/hypershift/mgmt/generated/apps_v1_deployment_manila-csi-driver-operator.yaml
@@ -90,6 +90,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: false
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /etc/guest-kubeconfig
@@ -100,6 +101,8 @@ spec:
         - mountPath: /etc/openstack-ca
           name: legacy-cacert
           readOnly: true
+        - mountPath: /tmp
+          name: tmp
       priorityClassName: hypershift-control-plane
       securityContext:
         runAsNonRoot: true
@@ -142,3 +145,6 @@ spec:
               - key: clouds.yaml
                 path: clouds.yaml
               name: openstack-cloud-credentials
+      - emptyDir:
+          medium: Memory
+        name: tmp
diff --git assets/csidriveroperators/openstack-manila/standalone/generated/openshift-cluster-csi-drivers_apps_v1_deployment_manila-csi-driver-operator.yaml assets/csidriveroperators/openstack-manila/standalone/generated/openshift-cluster-csi-drivers_apps_v1_deployment_manila-csi-driver-operator.yaml
index 82931d96..3089e5ed 100644
--- assets/csidriveroperators/openstack-manila/standalone/generated/openshift-cluster-csi-drivers_apps_v1_deployment_manila-csi-driver-operator.yaml
+++ assets/csidriveroperators/openstack-manila/standalone/generated/openshift-cluster-csi-drivers_apps_v1_deployment_manila-csi-driver-operator.yaml
@@ -59,6 +59,7 @@ spec:
           capabilities:
             drop:
             - ALL
+          readOnlyRootFilesystem: true
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
         - mountPath: /etc/openstack
@@ -67,6 +68,8 @@ spec:
         - mountPath: /etc/openstack-ca
           name: legacy-cacert
           readOnly: true
+        - mountPath: /tmp
+          name: tmp
       nodeSelector:
         node-role.kubernetes.io/master: ""
       priorityClassName: system-cluster-critical
@@ -103,3 +106,6 @@ spec:
               - key: clouds.yaml
                 path: clouds.yaml
               name: openstack-cloud-credentials
+      - emptyDir:
+          medium: Memory
+        name: tmp

@stephenfin
Copy link
Contributor Author

stephenfin commented Apr 9, 2025

/retest

Not related to these changes, but might as well while we wait.

@stephenfin
Copy link
Contributor Author

stephenfin commented Apr 9, 2025
edited
Loading

The ci/prow/okd-scos-e2e-aws-ovn job is failing due to:

: [sig-arch] Only known images used by tests

{  Cluster accessed images that were not mirrored to the testing repository or already part of the cluster, see test/extended/util/image/README.md in the openshift/origin repo:

registry.redhat.io/rhel8/mysql-80:latest from pods:
  namespace/e2e-test-oc-builds-kqzg7 node/ip-10-0-67-57.us-west-1.compute.internal pod/database-584dd8b688-wzm5v hmsg/996a5f96f2

The ci/prow/e2e-ibmcloud-csi job is failing due to quotas issues:

level=error msg=---
level=error msg=id: terraform-a85fd660
level=error msg=summary: "[ERROR] Error while creating VPC {\n    \"Message\": \"Creating a
level=error msg=new VPC
level=error msg=  will put the user over quota. Allocated: 20, Requested: 1, Quota: 20\",\n    \"StatusCode\":
level=error msg=  400,\n    \"Result\": {\n        \"errors\": [\n            {\n                \"code\":
level=error msg=  \"over_quota\",\n                \"message\": \"Creating a new VPC will put the
level=error msg=  user over quota. Allocated: 20, Requested: 1, Quota: 20\",\n                \"more_info\":
level=error msg=  \"https://cloud.ibm.com/docs/vpc?topic=vpc-quotas\"\n            }\n        ],\n
level=error msg=  \       \"trace\": \"55e04dac-26ba-4591-9608-83bff021270a\"\n    },\n    \"Error\":
level=error msg=  {\n        \"Summary\": \"Creating a new VPC will put the user over quota. Allocated:
level=error msg=  20, Requested: 1, Quota: 20\",\n        \"Component\": {\n            \"Name\":
level=error msg=  \"github.com/IBM/vpc-go-sdk\",\n            \"Version\": \"0.65.0\"\n        },\n
level=error msg=  \       \"Severity\": \"error\",\n        \"Function\": \"vpcv1.(*VpcV1).CreateVPC\"\n
level=error msg=  \   }\n}\n "
level=error msg=severity: error
level=error msg=resource: ibm_is_vpc
level=error msg=operation: create
level=error msg=component:
level=error msg=  name: github.com/IBM-Cloud/terraform-provider-ibm
level=error msg=  version: 1.77.0-beta0
level=error msg=---

Clearly neither are anything to do with this PR.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Apr 9, 2025

@stephenfin: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-ibmcloud-csi b8ee279 link false /test e2e-ibmcloud-csi
ci/prow/okd-scos-e2e-aws-ovn b8ee279 link false /test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@gnufied
Copy link
Member

gnufied commented Apr 9, 2025

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Apr 9, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Apr 9, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gnufied, stephenfin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 9, 2025
@itzikb
Copy link

itzikb commented Apr 10, 2025

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Apr 10, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Apr 10, 2025
edited by openshift-ci bot
Loading

@stephenfin: This pull request references OSASINFRA-3731 which is a valid jira issue.

In response to this:

In openshift/cloud-credential-operator/pull/780, we have added the ability for cloud-credential-operator to consume a CA cert from the root credentials secret and to include in the credentials secrets it provisions.
In openshift/installer/pull/9194, we have modified the Installer to start setting this field where necessary.

Adapt the assets for both the openstack-cinder and openstack-manila CSI drivers to start consuming this field, where present. We maintain fallbacks for the previous locations of the cert for now, but these can be removed in the next release.

This needs wait for the CCO change to be approved before we merge this.

/hold

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-merge-bot openshift-merge-bot bot merged commit 678bf4a into openshift:main Apr 10, 2025
19 of 21 checks passed
@openshift-bot
Copy link
Contributor

openshift-bot commented Apr 10, 2025

[ART PR BUILD NOTIFIER]

Distgit: cluster-storage-operator
This PR has been included in build ose-cluster-storage-operator-container-v4.19.0-202504100822.p0.g678bf4a.assembly.stream.el9.
All builds following this will include this PR.

@stephenfin stephenfin deleted the OSASINFRA-3731 branch April 10, 2025 10:04
stephenfin added a commit to shiftstack/csi-operator that referenced this pull request Apr 11, 2025
@stephenfin
openstack-manila: Consume CA cert from credentials secret (controller)
2ab019e 
Do what we previously did for the openstack-cinder controller but for
the openstack-manila controller. In effect, we're really just reflecting
the changes made in cluster-storage-operator in [1]. However, we do need
to add some logic to detect where we are consuming our CA cert from so
that we can match forthcoming changes to our assets.

While here, we also replace use of the deprecated `ioutil.ReadFile`
function in favour of its suggested replacement, `os.ReadFile` [2].
We also replace use of `os.IsNotExist` in favour of its suggested
replacement, `errors.Is(err, fs.ErrNotExist)` [3].

[1] github.com/openshift/cluster-storage-operator/pull/557
[2] https://pkg.go.dev/io/ioutil#ReadFile
[3] https://pkg.go.dev/os#IsNotExist

Signed-off-by: Stephen Finucane <[email protected]>
stephenfin added a commit to shiftstack/csi-operator that referenced this pull request Jun 24, 2025
@stephenfin
openstack-manila: Consume CA cert from credentials secret (controller)
4cb9b04 
Do what we previously did for the openstack-cinder controller but for
the openstack-manila controller. In effect, we're really just reflecting
the changes made in cluster-storage-operator in [1]. However, we do need
to add some logic to detect where we are consuming our CA cert from so
that we can match forthcoming changes to our assets.

While here, we also replace use of the deprecated `ioutil.ReadFile`
function in favour of its suggested replacement, `os.ReadFile` [2].
We also replace use of `os.IsNotExist` in favour of its suggested
replacement, `errors.Is(err, fs.ErrNotExist)` [3].

[1] github.com/openshift/cluster-storage-operator/pull/557
[2] https://pkg.go.dev/io/ioutil#ReadFile
[3] https://pkg.go.dev/os#IsNotExist

Signed-off-by: Stephen Finucane <[email protected]>
stephenfin added a commit to shiftstack/csi-operator that referenced this pull request Sep 8, 2025
@stephenfin
openstack-manila: Consume CA cert from credentials secret (controller)
0b2d16a 
Do what we previously did for the openstack-cinder controller but for
the openstack-manila controller. In effect, we're really just reflecting
the changes made in cluster-storage-operator in [1]. However, we do need
to add some logic to detect where we are consuming our CA cert from so
that we can match forthcoming changes to our assets.

While here, we also replace use of the deprecated `ioutil.ReadFile`
function in favour of its suggested replacement, `os.ReadFile` [2].
We also replace use of `os.IsNotExist` in favour of its suggested
replacement, `errors.Is(err, fs.ErrNotExist)` [3].

[1] github.com/openshift/cluster-storage-operator/pull/557
[2] https://pkg.go.dev/io/ioutil#ReadFile
[3] https://pkg.go.dev/os#IsNotExist

Signed-off-by: Stephen Finucane <[email protected]>
stephenfin added a commit to shiftstack/csi-operator that referenced this pull request Oct 30, 2025
@stephenfin
openstack-manila: Consume CA cert from credentials secret (controller)
61c8118 
Do what we previously did for the openstack-cinder controller but for
the openstack-manila controller. In effect, we're really just reflecting
the changes made in cluster-storage-operator in [1]. However, we do need
to add some logic to detect where we are consuming our CA cert from so
that we can match forthcoming changes to our assets.

While here, we also replace use of the deprecated `ioutil.ReadFile`
function in favour of its suggested replacement, `os.ReadFile` [2].
We also replace use of `os.IsNotExist` in favour of its suggested
replacement, `errors.Is(err, fs.ErrNotExist)` [3].

[1] github.com/openshift/cluster-storage-operator/pull/557
[2] https://pkg.go.dev/io/ioutil#ReadFile
[3] https://pkg.go.dev/os#IsNotExist

Signed-off-by: Stephen Finucane <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gnufied gnufied gnufied left review comments

@bertinatto bertinatto Awaiting requested review from bertinatto

@EmilienM EmilienM Awaiting requested review from EmilienM

@jsafrane jsafrane Awaiting requested review from jsafrane

Assignees

@gnufied gnufied

@EmilienM EmilienM

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. qe-approved Signifies that QE has signed off on this PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@stephenfin @openshift-ci-robot @EmilienM @MaysaMacedo @gnufied @itzikb @openshift-bot @openshift-merge-robot