OCPBUGS-6661, OCPBUGS-9464: Move mTLS CRL handling into the router, and fix accidental duplication of CRLs

[rfredette]

Fix #930 by pulling cluster-wide proxy configuration from proxies.config.openshift.io/cluster rather than the operator's environment

[openshift-ci-robot]

@rfredette: This pull request references Jira Issue OCPBUGS-9464, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.14.0) matches configured target version for branch (4.14.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lihongan

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Fix #930 by pulling cluster-wide proxy configuration from proxies.config.openshift.io/cluster rather than the operator's environment

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rfredette]

/retest

[rfredette]

/retest

[sferich888]

/label px-approved

[frobware]

/assign

[lihongan]

to refer https://issues.redhat.com/browse/OCPBUGS-6661

[frobware]

TestAWSELBConnectionIdleTimeout failed which is bug https://issues.redhat.com/browse/OCPBUGS-13810.

/test e2e-aws-operator

[rfredette]

Hit TestAWSELBConnectionIdleTimeout failure again.
/retest

[rfredette]

More TestAWSELBConnectionIdleTimeout failure
/retest

[lihongan]

built payload with this PR and tested in https proxy cluster, it works well.

$ oc get proxy cluster -oyaml | yq .spec
httpProxy: http://proxy-user1:[email protected]:3128
httpsProxy: https://proxy-user1:[email protected]:3130
noProxy: rhos-d.infra.xxx.com
trustedCA:
  name: user-ca-bundle

sh-4.4$ ls /etc/pki/ca-trust/extracted/pem/
tls-ca-bundle.pem


sh-4.4$ ls ../mtls/latest/ -lh
total 75M
-rw-r--r--. 1 1000610000 root 4.5K Jun  1 07:06 ca-bundle.pem
-rw-r--r--. 1 1000610000 root  75M Jun  1 07:06 crls.pem


$ oc get co/ingress
NAME      VERSION                                                AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
ingress   4.14.0-0.test-2023-06-01-015813-ci-ln-sxdb03k-latest   True        False         False      6h5m    

[lihongan]

/label qe-approved

[Miciah]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Miciah]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rfredette]

The latest force push removes the additional code for adding the trusted-ca bundle to the router pods. From testing, the only connections that should need the cluster-wide proxy are those for downloading CRLs, and the router does not support downloading CRLs via https. As such, additional code adding the trusted-ca bundle is unnecessary and will only serve to complicate backports.

[frobware]

/lgtm

[rfredette]

I've pushed the orphaned commit for trusted-ca bundle support to the branch rfredette/cluster-ingress-operator:router-https-proxy, but at this time there are no plans to try to merge it.

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 5725691 and 2 for PR HEAD ee58397 in total

[rfredette]

e2e-aws-operator appears to have passed, but must-gather failed?
/retest

[openshift-ci]

@rfredette: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

@rfredette: Jira Issue OCPBUGS-9464: All pull requests linked via external trackers have merged:

• openshift/router#472
• openshift/cluster-ingress-operator#930
• openshift/cluster-ingress-operator#938
• openshift/cluster-ingress-operator#939

Jira Issue OCPBUGS-9464 has been moved to the MODIFIED state.

In response to this:

Fix #930 by pulling cluster-wide proxy configuration from proxies.config.openshift.io/cluster rather than the operator's environment

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.