feat(RELEASE-1191): use prod umb in stage configmaps #206
base: main
Signed-off-by: Johnny Bieren <[email protected]>
@@ -13,9 +13,9 @@ data: | |||
SIG_KEY_ID: "4096R/37036783 SHA-256" | |||
SIG_KEY_NAME: "redhate2etesting" | |||
SSL_CERT_FILE_NAME: "hacbs-signing-pipeline.pem" | |||
SSL_CERT_SECRET_NAME: "hacbs-signing-pipeline-staging-certs" | |||
SSL_CERT_SECRET_NAME: "hacbs-signing-pipeline-certs" |
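Review bot: swapping SSL_CERT_SECRET_NAME from `hacbs-signing-pipeline-staging-certs` to `hacbs-signing-pipeline-certs` while SSL_CERT_FILE_NAME stays `hacbs-signing-pipeline.pem` assumes two things the hunk does not show: that the prod secret carries a key named exactly `hacbs-signing-pipeline.pem`, and that the cert in it is only ever presented to UMB. The discussion below confirms the pipeline presents this one cert to both UMB and Pyxis, and this configmap keeps PYXIS_URL on stage, so before merging confirm the prod cert is actually authorized against stage Pyxis, or split the secret into separate UMB and Pyxis credentials, and state the expected secret layout in the PR description.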
I do not think these certs work with PYXIS_URL: "https://pyxis.stage.engineering.redhat.com"
This line https://github.com/hacbs-release/app-interface-deployments/blob/main/internal-services/catalog/sign-image-pipeline.yaml#L62 says that the SSL_CERT_SECRET_NAME is for umb, that is why I guess it should be updated. So this is actually for pyxis? Happy to update if I guessed wrong
@mmalina you don't know the answer to this do you?
Hmm, it's weird, but AFAICS, the same key+cert is used for both umb and pyxis? If that's the case, then you will need to modify the secrets to contain separate key+cert values for umb and pyxis, because umb will always be prod, but pyxis will be prod vs stage.
Here's why I think the same one is used for both:
The set-env task is here: https://gitlab.cee.redhat.com/signing/hacbs-signing-pipeline/-/blob/main/ansible/roles/hacbs-signing-pipeline/templates/openshift/templates/signing-pipeline-stage-template.yml?ref_type=heads
It returns:
- ssl_cert_secret_name
- ssl_key_file_name
- ssl_cert_file_name
All of them taken from the secret passed to the pipeline.
request-signature uses these to set two env vars: UMB_CERT_PATH, UMB_KEY_PATH
- the umb env vars are read here: https://github.com/redhat-openshift-ecosystem/operator-pipelines/blob/main/operator-pipeline-images/operatorcert/umb.py#L113
upload-signature uses these to set two env vars: PYXIS_CERT_PATH, PYXIS_KEY_PATH
I pinged Ales Raszka to take a look. He should be back next week (Monday is public holiday in CZ, so on Tuesday).
Hey, @mmalina is right. The pipeline uses a single cert for both Pyxis and UMB authentication. If you have multiple certs you will need to update the pipeline to serve your needs. Another alternative is to request Pyxis and UMB permissions for a single service account represented by the one cert.
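Added example, not code from this PR or from hacbs-signing-pipeline: a small lint that models configmap `data` blocks as dicts and flags the situation @mmalina and Ales describe, where the single cert named by SSL_CERT_SECRET_NAME is presented both to UMB (always prod) and to Pyxis (prod or stage) even though the two endpoints sit in different environments. The key name UMB_URL (the thread only says "UMB_ variables"), the stage/prod classification by the substrings "stage"/"staging", and every hostname other than the stage Pyxis URL quoted above are assumptions; the sample configmaps are constructed after the hunk in this PR.

```python
"""Lint for the shared-credential mismatch discussed in this PR thread.

Added example, not part of the PR or the signing pipeline. A configmap's
`data` block is modelled as a dict. Assumptions: the UMB endpoint key is
called UMB_URL, and stage resources carry "stage" or "staging" in their
hostname or secret name.
"""
from typing import Dict, List

# Constructed sample configmaps modelled on the hunk and comments in the PR.
# Hostnames other than the stage Pyxis URL quoted in the thread are placeholders.
SAMPLE_CONFIGMAPS: Dict[str, Dict[str, str]] = {
    # Before this PR: stage UMB, stage Pyxis, staging cert secret.
    "stage-before": {
        "UMB_URL": "umb.stage.example.invalid",
        "PYXIS_URL": "https://pyxis.stage.engineering.redhat.com",
        "SSL_CERT_FILE_NAME": "hacbs-signing-pipeline.pem",
        "SSL_CERT_SECRET_NAME": "hacbs-signing-pipeline-staging-certs",
    },
    # After this PR: prod UMB and prod cert secret, Pyxis still stage.
    "stage-after": {
        "UMB_URL": "umb.example.invalid",
        "PYXIS_URL": "https://pyxis.stage.engineering.redhat.com",
        "SSL_CERT_FILE_NAME": "hacbs-signing-pipeline.pem",
        "SSL_CERT_SECRET_NAME": "hacbs-signing-pipeline-certs",
    },
    # Prod configmap: everything prod, so one shared cert is consistent.
    "prod": {
        "UMB_URL": "umb.example.invalid",
        "PYXIS_URL": "https://pyxis.example.invalid",
        "SSL_CERT_FILE_NAME": "hacbs-signing-pipeline.pem",
        "SSL_CERT_SECRET_NAME": "hacbs-signing-pipeline-certs",
    },
}

REQUIRED_KEYS = ("UMB_URL", "PYXIS_URL", "SSL_CERT_FILE_NAME", "SSL_CERT_SECRET_NAME")


def env_of(value: str) -> str:
    """Classify a hostname/URL or secret name as 'stage' or 'prod'.

    Assumption: stage resources carry 'stage' or 'staging' in their name.
    """
    v = value.lower()
    return "stage" if ("staging" in v or "stage" in v) else "prod"


def lint_configmap(name: str, data: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one configmap; an empty list means OK."""
    findings: List[str] = []
    missing = [k for k in REQUIRED_KEYS if not data.get(k)]
    if missing:
        return [f"{name}: missing keys {missing}"]

    secret = data["SSL_CERT_SECRET_NAME"]
    secret_env = env_of(secret)

    # Rule from the thread: UMB is always prod, whatever environment the configmap serves.
    if env_of(data["UMB_URL"]) != "prod":
        findings.append(f"{name}: UMB_URL {data['UMB_URL']!r} is not a prod endpoint")

    # Rule from the thread: the same cert is presented to both UMB and Pyxis, so both
    # endpoints must live in the environment the cert secret was issued for.
    for key in ("UMB_URL", "PYXIS_URL"):
        endpoint_env = env_of(data[key])
        if endpoint_env != secret_env:
            findings.append(
                f"{name}: {key} is {endpoint_env} but SSL_CERT_SECRET_NAME "
                f"{secret!r} is {secret_env}; the pipeline presents the same cert to both"
            )
    return findings


def lint_all(configmaps: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Lint every configmap and return only the ones that have findings."""
    result: Dict[str, List[str]] = {}
    for name, data in configmaps.items():
        findings = lint_configmap(name, data)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for cm_name, cm_findings in lint_all(SAMPLE_CONFIGMAPS).items():
        for finding in cm_findings:
            print(finding)
```

Run against the constructed samples, the pre-PR configmap fails only the "UMB must be prod" rule, the post-PR configmap fails only the Pyxis/secret environment check, and the prod configmap passes; that is the same conclusion the thread reaches, that the stage configmap cannot be made consistent with a single secret until the pipeline accepts separate UMB and Pyxis credentials or one cert is authorized for both.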
@mmalina is there a ticket for switching to use our copy of the pipeline (maybe it is already done)? It seems like this would be blocked on that then
Here's the Jira: https://issues.redhat.com/browse/RELEASE-1207
But we had an open question about whether or not to also have our own copy of the tasks, not just the pipeline. I think this is a good enough reason to also have a copy of the tasks so that we can modify them to support different credentials for pyxis and umb. I am adding a comment there.
Update: The request-signature and upload-signature actually each need just one secret (to access umb and pyxis, respectively). So we would only need to modify the set-env task.
Thanks!
Keep in mind for RELEASE-1192, we also have these https://gitlab.cee.redhat.com/releng/konflux-release-data/-/tree/main/tenants-config/cluster/stone-prod-p02/managed/rhtap-releng-tenant/cm?ref_type=heads
Thanks, did not know about those. I will update those the same way I do these once it is decided how these should be updated.
Based on https://github.com/hacbs-release/app-interface-deployments/blob/main/internal-services/catalog/sign-image-pipeline.yaml#L62, it seems the UMB_ and SSL_ variables relate to the UMB authentication, so I removed the staging values from those in the configmaps that were using the stage umb url