This repository has been archived by the owner on May 6, 2022. It is now read-only.
Switch to wget for integration apiserver checks #1384
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
cncf-cla: yes
The NSS encryption library does not allow a CA to be used with the
extended key usage present, at least in the way we are currently doing
so. The generated self signed certificates extension section looks like:
...
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1, IP Address:127.0.0.1
Testing with the extended key usage removed allows curl to work, but
simply switching to wget will allow integration tests to work on Fedora
immediately.
Related issue: kubernetes/client-go#311
(Also make sure when testing new certificates to delete certificates
previously generated in .var/run/kubernetes-service-catalog/. Existing
certificates are not overwritten if they already exist.)
jpeeler
force-pushed
the
nss-workaround
branch
from
f0d8dba to
df246be
Compare
|
This breaks on a default Mac install. |
|
Do we need to make the tool conditional based on OS?
…On Tue, Oct 17, 2017 at 5:22 PM, Scott Nichols ***@***.***> wrote:
This breaks on a default Mac install.
<snip>
Waiting for API Server to be available...
Timed-out waiting for API Server
+ wget --ca-certificate ~/go/src/github.com/kubernetes-incubator/service-catalog/.var/run/kubernetes-service-catalog/apiserver.crt https://localhost:32784
~/go/src/github.com/kubernetes-incubator/service-catalog/contrib/hack/start-server.sh: line 60: wget: command not found
Cleaning up
make: *** [test-integration] Error 127
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#1384 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAWXmEoPYbcpakN9Q2vcrbjh1MWJ0RS-ks5stRqLgaJpZM4P4sNF>
.
|
|
If the certificate usage restriction was dropped (kubernetes/client-go#311) this wouldn't be a problem. Sounds like for now it needs to be made conditional though. |
jpeeler
pushed a commit
to jpeeler/service-catalog
that referenced
this pull request
Nov 17, 2017
…etired#1384)" This reverts commit 11f18f3. Fedora ended up switching back to OpenSSL, so there's no reason to use wget over curl anymore. Apologies about the switching around, had no idea the change was coming. Closes kubernetes-retired#1418
kibbles-n-bytes
pushed a commit
that referenced
this pull request
Jan 4, 2018
jberkhahn
pushed a commit
to jberkhahn/service-catalog
that referenced
this pull request
Jan 17, 2018
…etired#1384)" (kubernetes-retired#1585) This reverts commit 11f18f3. Fedora ended up switching back to OpenSSL, so there's no reason to use wget over curl anymore. Apologies about the switching around, had no idea the change was coming. Closes kubernetes-retired#1418
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Read the commit for some more details. Essentially not all distros use the same encryption libraries and curl was failing validation in Fedora.