Fix/openshift cli and summon tls error #144
Conversation
|
I have disabled the OCP_ NEXT param in the jenkins file. That will be handled by this repo: https://github.com/conjurinc/openshift-next-suite-test See the results of my full run of the test suite: https://jenkins.conjur.net/blue/organizations/jenkins/conjurdemos--kubernetes-conjur-demo/detail/fix%2Fopenshift-cli-and-summon-tls-error/1/pipeline/ |
There was a problem hiding this comment.
PR looking good. Left some comments and suggestions.
I understand that the earlier commits were experimental. As the PR is nearing approval I think it's worth revisiting the commit history and potentially reducing the commits into logical wholes. Happy to chat git rebase -i ...
codihuston
force-pushed
the
fix/openshift-cli-and-summon-tls-error
branch
3 times, most recently
from
91df3e0 to
925768a
Compare
|
@rpothier Sorry for the superfluous review request, Kumbi is on it--I didn't see if my original request had gone through. Hey @doodlesbykumbi, I went ahead and cleaned up the commits a bit. Please let me know if that is adequate. Tests are running now. Thanks! |
codihuston
force-pushed
the
fix/openshift-cli-and-summon-tls-error
branch
from
925768a to
c56170e
Compare
|
I went ahead and re-confirmed that tests against The test currently running now will not test against this cluster. |
There was a problem hiding this comment.
@codihuston Thanks for addressing those earlier comments. Left 2 comments. The PR is currently at 5 commits, I think we could potentially reduce it all to a single (if not 2) logical commit/s.
codihuston
force-pushed
the
fix/openshift-cli-and-summon-tls-error
branch
from
c56170e to
d03483d
Compare
|
Added a comment on the mysql template, see d03483d. Ready for re-review =). |
codihuston
force-pushed
the
fix/openshift-cli-and-summon-tls-error
branch
2 times, most recently
from
1abf9ae to
8ac2ebd
Compare
|
Comments revisited and resolved. One of the test stages is failing due to a rate-limit from docker for this image: |
codihuston
force-pushed
the
fix/openshift-cli-and-summon-tls-error
branch
2 times, most recently
from
0af1f1a to
d7eece8
Compare
|
@doodlesbykumbi Hi Kumbi. As we discussed, I've added some logic to build out a custom mysql image based on I have also reduced everything into one commit. Looks like all of the tests have green lights. While these tests include the openshift (next) cluster, jenkins should not include that cluster in future instances. See Jenkinsfile. |
There was a problem hiding this comment.
Thanks @codihuston. This is looking great. We just need to make sure the Secretless backend doesn't also hit the Docker pull limits. Otherwise, everything looks good.
codihuston
force-pushed
the
fix/openshift-cli-and-summon-tls-error
branch
from
d7eece8 to
2520300
Compare
Testing in openshift (next) led to discovery of a change in TLS version support between RHEL, mysql, and Connector/J (spring boot in test apps). We are using a newer mysql image for the test apps so that there is no discrepancy between TLS versions for direct mysql connections.
- for openshift only, the public centos/mysql-80-centos7 image is rebuilt, retagged, and pushed to our openshift registry in the ci pipeline
- bump test summon apps to centos/mysql-80-centos7 for direct connections because the latest version of the test app. This is because to carry on supporting `centos/mysql-57-centos7` it would require special changes to the DB_URL secret stored in Conjur only for MySQL (which we're opting against due to complexity), in order to avoid the TLS version mismatch issues.
- still use centos/mysql-57-centos7 for connections through secretless because it doesn't have the TLS version mismatch issue, but has an issue with centos/mysql-80-centos7 due to lack of support for new authentication mechanism from MySQL 8.0.
- secretless image path pointed to docker.io explicitly; openshift is unable to pull without this
OpenShift CLI issues resolved:
- openshift cli 3.* threw errors when testing in the oc (next) cluster. This has been resolved by updating the cli to 4.8.2 when testing against this cluster
> Note: the openshift cli v4.8.2 does not support old secrets API any longer
codihuston
force-pushed
the
fix/openshift-cli-and-summon-tls-error
branch
from
2520300 to
677ceaa
Compare
|
Mysql v5.7 is tagged and pushed to our openshift registry in attempt to circumvent docker hub rate-limits as well. See this pipeline. Note that I just re-ran the pipeline while enabling the Please verify my approach to injecting images into the k8s/openshift templates here: injection of the templated values, particularly for k8s. Thanks! |
|
Thanks @codihuston. Approved and merged. |
Hello, this PR resolves the following:
Issues with Openshift (Next)
ImagePullBackOfferror when pulling secretless-broker. This was resolved by explicitly specifying the full docker domain name. See7_app_deploy.shsecretsapi to generate and use image pull secretsReferences regarding MySQL TLS support:
All tests are green now =) (previously OpenShift (Next) and the MySQL tests were failing across all of OpenShift).