Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an automatically generated Ignition provisioning token #4372

Closed
wants to merge 1 commit into from
Closed

Add an automatically generated Ignition provisioning token #4372

wants to merge 1 commit into from

Conversation

cgwalters
Copy link
Member

Part of implementing: openshift/enhancements#443

The installer generates a random token (~password) and injects
it into the Ignition pointer configuration and as a secret into the
cluster.

The MCO will check it.

@cgwalters cgwalters mentioned this pull request Nov 12, 2020
Closed
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign abhinavdahiya after the PR has been reviewed.
You can assign the PR to them by writing /assign @abhinavdahiya in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cgwalters cgwalters mentioned this pull request Nov 12, 2020
Closed
@cgwalters cgwalters force-pushed the provisioning-secret branch 2 times, most recently from a5e1247 to a73c780 Compare November 13, 2020 00:21
cgwalters added a commit to cgwalters/machine-config-operator that referenced this pull request Nov 13, 2020
@cgwalters
MCS: Validate provisioning token
193679e 
Implements: openshift/enhancements#443
Requires: openshift/installer#4372

Basically we need to protect the Ignition config since it
contains secrets (pull secret, kubeconfig) and we can't rely
solely on network firewalling in all cases.

The installer will generate a secret into both the pointer
config and as a secret in our namespace, the MCS checks it.
@cgwalters
Copy link
Member Author

Hmm...not sure what's up with that e2e-aws run. I can't find a must-gather or extracted cluster logs in the artifacts?
/test e2e-aws

staebler
staebler reviewed Nov 13, 2020
View reviewed changes
pkg/asset/cluster/cluster.go Outdated Show resolved Hide resolved
pkg/asset/ignition/machine/node.go Outdated Show resolved Hide resolved
pkg/asset/ignition/provisioningtoken.go Outdated Show resolved Hide resolved
@cgwalters cgwalters force-pushed the provisioning-secret branch 2 times, most recently from fe01475 to 03782ab Compare November 13, 2020 18:15
@cgwalters
Copy link
Member Author

cgwalters commented Nov 13, 2020
edited
Loading

Hmm I'm confused the contexts say "Job failed" yet it looks like e.g. the gofmt and unit contexts succeeded?

Nevermind, should be fixed.

@cgwalters
Add an automatically generated Ignition provisioning token
6ab9032 
Part of implementing: openshift/enhancements#443

The installer generates a random token (~password) and injects
it into the Ignition pointer configuration and as a secret into the
cluster.

The MCO will check it.
staebler
staebler reviewed Nov 13, 2020
View reviewed changes
Copy link
Contributor

@staebler staebler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

/hold
on approval of the enhancement

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 13, 2020
@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 13, 2020
@cgwalters
Copy link
Member Author

/retest

@openshift-merge-robot
Copy link
Contributor

@cgwalters: The following tests failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/e2e-openstack 6ab9032 link /test e2e-openstack
ci/prow/e2e-aws 6ab9032 link /test e2e-aws
ci/prow/e2e-ovirt 6ab9032 link /test e2e-ovirt
ci/prow/e2e-aws-workers-rhel7 6ab9032 link /test e2e-aws-workers-rhel7
ci/prow/e2e-libvirt 6ab9032 link /test e2e-libvirt
ci/prow/e2e-aws-upgrade 6ab9032 link /test e2e-aws-upgrade
ci/prow/e2e-crc 6ab9032 link /test e2e-crc
ci/prow/openstack-manifests 6ab9032 link /test openstack-manifests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 14, 2021

@cgwalters: The following test failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/openstack-manifests 6ab9032 link /test openstack-manifests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci-robot openshift-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 14, 2021
@jstuever
Copy link
Contributor

/uncc

@openshift-ci-robot openshift-ci-robot removed the request for review from jstuever April 19, 2021 21:38
@openshift-bot
Copy link
Contributor

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci openshift-ci bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 19, 2021
@openshift-bot
Copy link
Contributor

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 19, 2021

@openshift-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot closed this Jun 19, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@staebler staebler staebler left review comments

@jhixson74 jhixson74 Awaiting requested review from jhixson74

Assignees

@staebler staebler

Labels
do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@cgwalters @openshift-ci-robot @openshift-merge-robot @openshift-bot @jstuever @staebler