Skip to content

[release-4.21] OCPBUGS-68364: InternalReleaseImage should use TLS certs #5495

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
openshift-cherrypick-robot wants to merge 3 commits into
base: release-4.21
Choose a base branch
from
Open

[release-4.21] OCPBUGS-68364: InternalReleaseImage should use TLS certs #5495

openshift-cherrypick-robot wants to merge 3 commits into from

Conversation

@openshift-cherrypick-robot
Copy link

@openshift-cherrypick-robot openshift-cherrypick-robot commented Dec 15, 2025

This is an automated cherry-pick of #5483

/assign andfasano

@andfasano
add tls certificate to InternalReleaseImage registry
f068443 
This patch injects the specific tls certificate generated by the installer into the IRI registry. It also adds the root CA certificate to all the master nodes, to allow pulling the images from other nodes registry
@andfasano
added tls cert to workers trust store
1ad0e72 
reviewed bootstrap/controller logic to allow generation and management of multiple machine configs
@andfasano
added OWNERS file
8db9681 
members of the agent team
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 15, 2025
edited by openshift-ci bot
Loading

@openshift-cherrypick-robot: Ignoring requests to cherry-pick non-bug issues: AGENT-1391

Details

In response to this:

This is an automated cherry-pick of #5483

/assign andfasano

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Dec 15, 2025
Merged
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 15, 2025

@openshift-cherrypick-robot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/bootstrap-unit 8db9681 link false /test bootstrap-unit
ci/prow/e2e-hypershift 8db9681 link true /test e2e-hypershift

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@andfasano
Copy link
Contributor

andfasano commented Dec 15, 2025

/retitle OCPBUGS-68364: InternalReleaseImage should use TLS certs

@openshift-ci openshift-ci bot changed the title [release-4.21] AGENT-1391: Use TLS cert for the InternalReleaseImage registry OCPBUGS-68364: InternalReleaseImage should use TLS certs Dec 15, 2025
@openshift-ci-robot openshift-ci-robot added the jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. label Dec 15, 2025
@andfasano
Copy link
Contributor

andfasano commented Dec 15, 2025

/retitle [release-4.21] OCPBUGS-68364: InternalReleaseImage should use TLS certs

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Dec 15, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 15, 2025

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-68364, which is invalid:

  • release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
  • expected Jira Issue OCPBUGS-68364 to depend on a bug targeting a version in 4.22.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This is an automated cherry-pick of #5483

/assign andfasano

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot changed the title OCPBUGS-68364: InternalReleaseImage should use TLS certs [release-4.21] OCPBUGS-68364: InternalReleaseImage should use TLS certs Dec 15, 2025
@andfasano
Copy link
Contributor

andfasano commented Dec 15, 2025

/jira refresh

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Dec 15, 2025

@andfasano: This pull request references Jira Issue OCPBUGS-68364, which is invalid:

  • expected Jira Issue OCPBUGS-68364 to depend on a bug targeting a version in 4.22.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@zaneb zaneb added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Dec 15, 2025
yuqi-zhang
yuqi-zhang approved these changes Dec 19, 2025
View reviewed changes
Copy link
Contributor

@yuqi-zhang yuqi-zhang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/label backport-risk-assessed
/hold

This should be safe since it's behind a TP featuregate, and only affects clusters with IRI on. Leaving a hold based on our discussions in slack. Once we're comfortable with the backport, feel free to lift the hold.

@openshift-ci openshift-ci bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. labels Dec 19, 2025
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 19, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 19, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: openshift-cherrypick-robot, yuqi-zhang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yuqi-zhang yuqi-zhang yuqi-zhang approved these changes

@isabella-janssen isabella-janssen Awaiting requested review from isabella-janssen

Assignees

@rbbratta rbbratta

@eurijon eurijon

@lyman9966 lyman9966

@anuragthehatter anuragthehatter

@sergiordlr sergiordlr

@andfasano andfasano

@imatza-rh imatza-rh

@rioliu-rh rioliu-rh

@mhanss mhanss

@ptalgulk01 ptalgulk01

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.