MCO-1273: OCB respects proxy configuration in Controller Config

pkg/controller/build/assets/Containerfile.on-cluster-build-template

@@ -10,6 +10,8 @@ COPY ./machineconfig/machineconfig.json.gz /tmp/machineconfig.json.gz
 RUN mkdir -p /etc/machine-config-daemon && \
 	cat /tmp/machineconfig.json.gz | base64 -d | gunzip - > /etc/machine-config-daemon/currentconfig
 
+COPY ./tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+
 {{if .MachineOSConfig.Spec.BuildInputs.BaseOSExtensionsImagePullspec}}
 # Pull our extensions image. Not sure yet what / how this should be wired up
 # though. Ideally, I'd like to use some Buildah tricks to have the extensions

pkg/controller/build/assets/buildah-build.sh

@@ -10,6 +10,10 @@ ETC_PKI_RPM_GPG_MOUNTPOINT="${ETC_PKI_RPM_GPG_MOUNTPOINT:-}"
 ETC_YUM_REPOS_D_MOUNTPOINT="${ETC_YUM_REPOS_D_MOUNTPOINT:-}"
 MAX_RETRIES="${MAX_RETRIES:-3}"
 
+export HTTP_PROXY="${HTTP_PROXY:-}"
+export HTTPS_PROXY="${HTTPS_PROXY:-}"
+export NO_PROXY="${NO_PROXY:-}"
+
 # Retry a command up to a specific number of times until it exits successfully.
 # Adapted from https://gist.github.com/sj26/88e1c6584397bb7c13bd11108a579746
 function retry {
@@ -33,16 +37,20 @@ build_context="$HOME/context"
 # Create a directory to hold our build context.
 mkdir -p "$build_context/machineconfig"
 
-# Copy the Dockerfile and Machineconfigs from configmaps into our build context.
+# Copy the Dockerfile, Machineconfigs and AdditionalTrustBundle from configmaps into our build context.
 cp /tmp/dockerfile/Dockerfile "$build_context"
 cp /tmp/machineconfig/machineconfig.json.gz "$build_context/machineconfig/"
+cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem "$build_context"
 
 build_args=(
 	--log-level=DEBUG
 	--storage-driver vfs
 	--authfile="$BASE_IMAGE_PULL_CREDS"
 	--tag "$TAG"
 	--file="$build_context/Dockerfile"
+	--build-arg HTTP_PROXY="$HTTP_PROXY"
+	--build-arg HTTPS_PROXY="$HTTPS_PROXY"
+	--build-arg NO_PROXY="$NO_PROXY"
 )
 
 mount_opts="z,rw"

pkg/controller/build/build_controller.go

@@ -922,6 +922,13 @@ func (ctrl *Controller) getImagesConfig() (*ctrlcommon.Images, error) {
 func (ctrl *Controller) prepareForBuild(mosb *mcfgv1alpha1.MachineOSBuild, mosc *mcfgv1alpha1.MachineOSConfig) (ImageBuildRequest, error) {
 	ibr := newImageBuildRequestFromBuildInputs(mosb, mosc)
 
+	cc, err := ctrl.ccLister.Get(ctrlcommon.ControllerConfigName)
+	if err != nil {
+		return ibr, fmt.Errorf("could not get controller config: %w", err)
+	}
+
+	ibr.Proxy = cc.Spec.Proxy
+
 	imagesConfig, err := ctrl.getImagesConfig()
 	if err != nil {
 		return ibr, fmt.Errorf("could not get images.json config: %w", err)

pkg/controller/build/image_build_request.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 	"text/template"
 
+	configv1 "github.com/openshift/api/config/v1"
 	mcfgv1 "github.com/openshift/api/machineconfiguration/v1"
 	mcfgv1alpha1 "github.com/openshift/api/machineconfiguration/v1alpha1"
 	ctrlcommon "github.com/openshift/machine-config-operator/pkg/controller/common"
@@ -51,6 +52,8 @@ type ImageBuildRequest struct {
 	HasEtcYumReposDConfigs bool
 	// Has /etc/pki/rpm-gpg configs
 	HasEtcPkiRpmGpgKeys bool
+	// Proxy Configurations
+	Proxy *configv1.ProxyStatus
 }
 
 // Constructs a simple ImageBuildRequest.
@@ -171,6 +174,12 @@ func (i ImageBuildRequest) toBuildPod() *corev1.Pod {
 // the official Buildah image.
 // nolint:dupl // I don't want to deduplicate this yet since there are still some unknowns.
 func (i ImageBuildRequest) toBuildahPod() *corev1.Pod {
+	var httpProxy, httpsProxy, noProxy string
+	if i.Proxy != nil {
+		httpProxy = i.Proxy.HTTPProxy
+		httpsProxy = i.Proxy.HTTPSProxy
+		noProxy = i.Proxy.NoProxy
+	}
 	env := []corev1.EnvVar{
 		// How many times the build / push steps should be retried. In the future,
 		// this should be wired up to the MachineOSConfig or other higher-level
@@ -214,6 +223,18 @@ func (i ImageBuildRequest) toBuildahPod() *corev1.Pod {
 			Name:  "BUILDAH_ISOLATION",
 			Value: "chroot",
 		},
+		{
+			Name:  "HTTP_PROXY",
+			Value: httpProxy,
+		},
+		{
+			Name:  "HTTPS_PROXY",
+			Value: httpsProxy,
+		},
+		{
+			Name:  "NO_PROXY",
+			Value: noProxy,
+		},
 	}
 
 	var uid int64 = 1000
@@ -235,6 +256,10 @@ func (i ImageBuildRequest) toBuildahPod() *corev1.Pod {
 			Name:      "dockerfile",
 			MountPath: "/tmp/dockerfile",
 		},
+		{
+			Name:      "openshift-config-managed-trusted-ca-bundle",
+			MountPath: "/etc/pki/ca-trust/extracted/pem",
+		},
 		{
 			Name:      "base-image-pull-creds",
 			MountPath: "/tmp/base-image-pull-creds",
@@ -273,6 +298,18 @@ func (i ImageBuildRequest) toBuildahPod() *corev1.Pod {
 				},
 			},
 		},
+		{
+			// Provides the trusted-ca-bundle (merge of system and proxy trust bundle extracted)
+			Name: "openshift-config-managed-trusted-ca-bundle",
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: ctrlcommon.TrustedCABundleConfigMapName,
+					},
+					Items: []corev1.KeyToPath{{Key: "ca-bundle.crt", Path: "tls-ca-bundle.pem"}},
+				},
+			},
+		},
 		{
 			// Provides the credentials needed to pull the base OS image.
 			Name: "base-image-pull-creds",

pkg/controller/common/constants.go

@@ -95,4 +95,6 @@ const (
 	MachineConfigOperatorImagesConfigMapName string = "machine-config-operator-images"
 	// The name of the machine-config-osimageurl ConfigMap.
 	MachineConfigOSImageURLConfigMapName string = "machine-config-osimageurl"
+	// The name of the openshift-config-managed-trusted-ca-bundle ConfigMap.
+	TrustedCABundleConfigMapName string = "openshift-config-managed-trusted-ca-bundle"
 )

pkg/operator/sync.go

@@ -574,6 +574,30 @@ func (optr *Operator) syncRenderConfig(_ *renderConfig, _ *configv1.ClusterOpera
 				return fmt.Errorf("configmap %s/%s doesn't have a valid PEM bundle", "openshift-config", proxy.Spec.TrustedCA.Name)
 			}
 			trustBundle = append(trustBundle, proxyTrustBundle...)
+
+			// Ensure the extracted and merged(system+proxy) trusted CA bundles for the system exists as a ConfigMap
+			_, err = optr.kubeClient.CoreV1().ConfigMaps(ctrlcommon.MCONamespace).Get(context.TODO(), ctrlcommon.TrustedCABundleConfigMapName, metav1.GetOptions{})
+			if err != nil && apierrors.IsNotFound(err) {
+				// Relies on ConfigMap CA Injector from the Cluster Network Operator to populate the ca-bundle.crt
+				// field with the merged system and proxy trust bundles
+				openshiftConfigManagedTrustedCABundle := &corev1.ConfigMap{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: ctrlcommon.MCONamespace,
+						Name:      ctrlcommon.TrustedCABundleConfigMapName,
+						Labels: map[string]string{
+							"config.openshift.io/inject-trusted-cabundle": "true",
+						},
+					},
+				}
+				_, err = optr.kubeClient.CoreV1().ConfigMaps(ctrlcommon.MCONamespace).Create(context.TODO(), openshiftConfigManagedTrustedCABundle, metav1.CreateOptions{})
+				if err != nil {
+					return fmt.Errorf("could not create %s configmap: %w", openshiftConfigManagedTrustedCABundle.Name, err)
+				}
+
+			}
+			if err != nil {
+				return fmt.Errorf("could not get %s configmap: %w", ctrlcommon.TrustedCABundleConfigMapName, err)
+			}
 		}
 	}
 	spec.AdditionalTrustBundle = trustBundle