Skip to content

OCPCLOUD-3347: tls: use centralized TLS profile (unrevert)#292

Open
damdo wants to merge 3 commits intoopenshift:mainfrom
damdo:use-centralized-tls-profile-2
Open

OCPCLOUD-3347: tls: use centralized TLS profile (unrevert)#292
damdo wants to merge 3 commits intoopenshift:mainfrom
damdo:use-centralized-tls-profile-2

Conversation

@damdo
Copy link
Member

@damdo damdo commented Feb 25, 2026

Unrevert of the revert #291, to reintroduce #286

--

Start using centralized TLS profile fetched from the APIServer configuration.
Remove kube-rbac-proxy

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 25, 2026
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Feb 25, 2026
edited by openshift-ci bot
Loading

@damdo: This pull request references OCPCLOUD-3347 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

Unrevert of the revert #291, to reintroduce #286

--

Start using centralized TLS profile fetched from the APIServer configuration.
Remove kube-rbac-proxy

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@damdo damdo requested a review from RadekManak February 25, 2026 19:33
@damdo
Copy link
Member Author

damdo commented Feb 25, 2026

/hold

For HCP to sort out the RBAC permission issue

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 25, 2026
@openshift-ci openshift-ci bot requested review from nrb and theobarberbany February 25, 2026 19:33
@damdo
Copy link
Member Author

damdo commented Feb 25, 2026

/cc @neisw @bryan-cox

@openshift-ci openshift-ci bot requested review from bryan-cox and neisw February 25, 2026 19:33
damdo
damdo commented Feb 25, 2026
View reviewed changes
Copy link
Member Author

@damdo damdo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 25, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: damdo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 25, 2026
@damdo damdo force-pushed the use-centralized-tls-profile-2 branch from 2458331 to 357265a Compare February 25, 2026 19:51
@sjenning
Copy link
Contributor

sjenning commented Feb 25, 2026

/hold

until the hypershift presubmit jobs are in place openshift/release#75309

@damdo
Copy link
Member Author

damdo commented Feb 26, 2026

/retest

@damdo
Copy link
Member Author

damdo commented Feb 26, 2026

/testwith openshift/cluster-machine-approver/main/e2e-hypershift-aks openshift/hypershift#7802

@damdo
Copy link
Member Author

damdo commented Feb 26, 2026

/testwith openshift/cluster-machine-approver/main/e2e-hypershift-aws openshift/hypershift#7802

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Feb 26, 2026

@damdo: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-hypershift-aws 357265a link true /test e2e-hypershift-aws
ci/prow/e2e-aws-capi-techpreview 357265a link true /test e2e-aws-capi-techpreview
ci/prow/e2e-hypershift-aks 357265a link true /test e2e-hypershift-aks

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@sjenning
Copy link
Contributor

sjenning commented Feb 26, 2026

Seems it is still failing

https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-machine-approver/292/pull-ci-openshift-cluster-machine-approver-main-e2e-hypershift-aws/2026910449928245248/artifacts/e2e-hypershift-aws/hypershift-aws-run-e2e-external/artifacts/TestCreateCluster/namespaces/e2e-clusters-mn452-create-cluster-bxhgg/core/pods/logs/machine-approver-75cf8896f4-6tr6c-machine-approver-previous.log

F0226 07:08:51.113286       1 main.go:161] unable to get TLS profile from API server: failed to get APIServer "/cluster": apiservers.config.openshift.io "cluster" not found

@jmencak
Copy link

jmencak commented Mar 11, 2026
edited
Loading

Seems it is still failing

https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_cluster-machine-approver/292/pull-ci-openshift-cluster-machine-approver-main-e2e-hypershift-aws/2026910449928245248/artifacts/e2e-hypershift-aws/hypershift-aws-run-e2e-external/artifacts/TestCreateCluster/namespaces/e2e-clusters-mn452-create-cluster-bxhgg/core/pods/logs/machine-approver-75cf8896f4-6tr6c-machine-approver-previous.log

F0226 07:08:51.113286       1 main.go:161] unable to get TLS profile from API server: failed to get APIServer "/cluster": apiservers.config.openshift.io "cluster" not found

In HyperShift, shouldn't we be querying the HostedCluster object instead of the APIServer one? At least the enhancement seems to suggest that for SLOs.

Edit: Saying that, using APIServer object from the hosted cluster in HyperShift works just fine for my use case and the implementation is simpler than trying to find the HostedCluster object as suggested by the the enhancement.

@openshift-merge-robot
Copy link
Contributor

openshift-merge-robot commented Mar 11, 2026

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RadekManak RadekManak Awaiting requested review from RadekManak

@nrb nrb Awaiting requested review from nrb

@theobarberbany theobarberbany Awaiting requested review from theobarberbany

@bryan-cox bryan-cox Awaiting requested review from bryan-cox

@neisw neisw Awaiting requested review from neisw

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@damdo @openshift-ci-robot @sjenning @jmencak @openshift-merge-robot