feat: linking mounted certificates from '/var/run/secrets/kubernetes.io/serviceaccount' to '/$HOME/.config/containers/certs.d' before podman login #851

Merged
merged 3 commits into from
Jul 7, 2023

@ibuziuk ibuziuk commented Jul 3, 2023

What does this PR do?

Linking mounted certificates from '/var/run/secrets/kubernetes.io/serviceaccount' to '/$HOME/.config/containers/certs.d' before podman login

What issues does this PR fix or reference?

eclipse-che/che#22140

Is it tested? How?

Install Eclipse Che and replace the dashboard image related to the PR

spec:
  components:
    dashboard:
      deployment:
        containers:
          - image: quay.io/eclipse/che-dashboard:pr-851

Create an empty workspace, open the terminal, and execute podman pull image-registry.openshift-image-registry.svc:5000/openshift/cli:latest

N.B. symbolic links for ca.crt and service-ca.crt are in the $HOME/.config/containers/certs.d/image-registry.openshift-image-registry.svc:5000 folder

Release Notes

Docs PR

Related info - https://manpages.ubuntu.com/manpages/impish/man5/containers-certs.d.5.html

@ibuziuk ibuziuk requested review from akurinnoy and olexii4 as code owners July 3, 2023 13:18
@che-bot
Contributor

che-bot commented Jul 3, 2023

Click here to review and test in web IDE: Contribute

@github-actions

github-actions bot commented Jul 3, 2023

Docker image build succeeded: quay.io/eclipse/che-dashboard:pr-851

@tolusha
Contributor

tolusha commented Jul 5, 2023

Strange, I can't pull the image

$ podman pull image-registry.openshift-image-registry.svc:5000/openshift/cli:latest
Trying to pull image-registry.openshift-image-registry.svc:5000/openshift/cli:latest...
Error: initializing source docker://image-registry.openshift-image-registry.svc:5000/openshift/cli:latest: reading manifest latest in image-registry.openshift-image-registry.svc:5000/openshift/cli: authentication required

$ ls $HOME/.config/containers/certs.d/image-registry.openshift-image-registry.svc:5000 -l
total 0
lrwxrwxrwx. 1 user root 52 Jul  5 08:29 ca.crt -> /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
lrwxrwxrwx. 1 user root 60 Jul  5 08:29 service-ca.crt -> /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
 % oc describe -n eclipse-che deployments.apps che-dashboard | grep Image    
    Image:      quay.io/eclipse/che-dashboard:pr-851

@tolusha
Contributor

tolusha commented Jul 5, 2023

$ podman login -u $(oc whoami) -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000
Error: logging into "image-registry.openshift-image-registry.svc:5000": invalid username/password
$ oc whoami
kube:admin
$ oc whoami -t
<REDACTED  TOKEN>
projects $ podman login -u kubeadmin -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000
Login Succeeded!

…io/serviceaccount' to '/$HOME/.config/containers/certs.d' before podman login

Signed-off-by: Ilya Buziuk <[email protected]>

@ibuziuk
Member Author

ibuziuk commented Jul 5, 2023

@tolusha nice catch, handling special case for kube:admin as part of the script
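
The procedure this thread converges on (link the service-account CA files into the per-registry certs.d folder, map `kube:admin` to `kubeadmin`, then log in), as an added example that is not the script merged in this PR. The function names and the `RUN_LOGIN` switch are assumptions, and the token is piped through `--password-stdin` rather than passed with `-p`.

```shell
#!/bin/sh
# Added example, not the PR's script. Paths and registry are from the PR
# description; function names and RUN_LOGIN are assumptions of this sketch.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"
REGISTRY="${REGISTRY:-image-registry.openshift-image-registry.svc:5000}"
CERTS_D="${CERTS_D:-$HOME/.config/containers/certs.d}"

# Symlink every readable *.crt from the service-account mount into the
# per-registry certs.d folder; prints the number of links created.
link_sa_certs() {
  src=$1; dest=$2; n=0
  mkdir -p "$dest" || return 1
  for crt in "$src"/*.crt; do
    [ -r "$crt" ] || continue            # unmatched glob or unreadable file
    ln -sf "$crt" "$dest/$(basename "$crt")" && n=$((n + 1))
  done
  echo "$n"
  [ "$n" -gt 0 ]                         # fail when no CA file was linked
}

# In the thread, login as "kube:admin" (what `oc whoami` reports) is rejected
# and "kubeadmin" succeeds; every other name passes through unchanged.
registry_user() {
  case $1 in
    kube:admin) echo kubeadmin ;;
    *) echo "$1" ;;
  esac
}

# Link the CAs, then log in with the token fed on stdin so it is not in argv.
registry_login() {
  link_sa_certs "$SA_DIR" "$CERTS_D/$REGISTRY" >/dev/null || return 1
  name=$(oc whoami) || return 1
  oc whoami -t | podman login -u "$(registry_user "$name")" --password-stdin "$REGISTRY"
}

# Only contact the cluster when asked to (RUN_LOGIN is this example's switch).
if [ "${RUN_LOGIN:-0}" = 1 ]; then registry_login; fi
```

Linking the cluster CA keeps TLS verification on for the internal registry, and only `*.crt` files are linked, so the service-account `token` in the same mount is never exposed under certs.d.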

@tolusha
Contributor

tolusha commented Jul 5, 2023

I spotted another problem while testing with ClusterBot

$ podman pull image-registry.openshift-image-registry.svc:5000/openshift/cli:latest
Trying to pull image-registry.openshift-image-registry.svc:5000/openshift/cli:latest...
Getting image source signatures
Copying blob f76613a56453 done  
Copying blob 97da74cc6d8f done  
Copying blob fd8b2f4b006c done  
Copying blob d8190195889e done  
Copying blob 34a8ab31a72c done  
ERRO[0003] While applying layer: ApplyLayer stdout:  stderr: potentially insufficient UIDs or GIDs available in user namespace (requested 0:5 for /usr/bin/write): Check /etc/subuid and /etc/subgid if configured locally and run podman-system-migrate: lchown /usr/bin/write: invalid argument exit status 1 
Error: writing blob: adding layer with blob "sha256:97da74cc6d8fa5d1634eb1760fd1da5c6048619c264c23e62d75f3bf6b8ef5c4": ApplyLayer stdout:  stderr: potentially insufficient UIDs or GIDs available in user namespace (requested 0:5 for /usr/bin/write): Check /etc/subuid and /etc/subgid if configured locally and run podman-system-migrate: lchown /usr/bin/write: invalid argument exit status 1

@ibuziuk
Member Author

ibuziuk commented Jul 5, 2023

hmm, did a test on a fresh hypershift cluster and with kube:admin got the following error during image pulling:

Trying to pull image-registry.openshift-image-registry.svc:5000/openshift/cli:latest...
Getting image source signatures
Copying blob 97da74cc6d8f done  
Copying blob f76613a56453 done  
Copying blob 97da74cc6d8f done  
Copying blob f76613a56453 done  
Copying blob d8190195889e done  
Copying blob fd8b2f4b006c done  
Copying blob 34a8ab31a72c done  
Error: writing blob: adding layer with blob "sha256:97da74cc6d8fa5d1634eb1760fd1da5c6048619c264c23e62d75f3bf6b8ef5c4": ApplyLayer stdout:  stderr: potentially insufficient UIDs or GIDs available in user namespace (requested 0:5 for /usr/bin/write): Check /etc/subuid and /etc/subgid if configured locally and run podman-system-migrate: lchown /usr/bin/write: invalid argument exit status 1

podman system migrate [1] helps and we can technically add it to the script @l0rd @benoitf wdyt? I have not seen this error before

cpp-hello-world $ podman system migrate
cpp-hello-world $ podman pull image-registry.openshift-image-registry.svc:5000/openshift/cli:latest
Trying to pull image-registry.openshift-image-registry.svc:5000/openshift/cli:latest...
Getting image source signatures
Copying blob f76613a56453 done  
Copying blob d8190195889e done  
Copying blob fd8b2f4b006c done  
Copying blob 34a8ab31a72c done  
Copying blob 97da74cc6d8f done  
Copying config e549ba58b9 done  
Writing manifest to image destination
Storing signatures
e549ba58b9b7399c7ad652a904174db32f02ed5105fde374c9ac377643ef1ea3
cpp-hello-world $ podman images
REPOSITORY                                                      TAG         IMAGE ID      CREATED     SIZE
image-registry.openshift-image-registry.svc:5000/openshift/cli  latest      e549ba58b9b7  8 days ago  539 MB
cpp-hello-world $ 

[1] https://docs.podman.io/en/latest/markdown/podman-system-migrate.1.html

@ibuziuk ibuziuk requested review from l0rd, benoitf and tolusha July 5, 2023 12:03
@ibuziuk
Member Author

ibuziuk commented Jul 6, 2023

@tolusha with the recent changes the image pulling should work with both hypershift / aws, and rosa. I believe the previous issue was related to $USER env var.

@openshift-ci openshift-ci bot added lgtm and removed lgtm labels Jul 6, 2023
@openshift-ci openshift-ci bot added the lgtm label Jul 6, 2023
@openshift-ci

openshift-ci bot commented Jul 6, 2023

@ibuziuk: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/v11-dashboard-happy-path | a768d3b | link | true | /test v11-dashboard-happy-path |

@ibuziuk ibuziuk requested a review from dmytro-ndp July 6, 2023 13:34
Contributor

@dmytro-ndp dmytro-ndp left a comment

Checked with Eclipse Che Next + quay.io/eclipse/che-dashboard:pr-851

Following the test scenario from the PR description, image-registry.openshift-image-registry.svc:5000/openshift/cli:latest was pulled correctly from within the Empty workspace and the spring-petclinic workspace using the tools container, while logged into Eclipse Che as a user with and without cluster admin rights:
Screenshot from 2023-07-07 16-57-14

IMHO, with these results the PR has satisfied the DoD of fixing issue eclipse-che/che#22140

Well done, @ibuziuk !

@openshift-ci

openshift-ci bot commented Jul 7, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dmytro-ndp, ibuziuk, l0rd, tolusha


@ibuziuk ibuziuk merged commit bb522b3 into main Jul 7, 2023
@ibuziuk ibuziuk deleted the che-22140 branch July 7, 2023 14:24
@devstudio-release

Build 3.8 :: dashboard_3.x/284: Console, Changes, Git Data
