Skip to content

Analyze Resource | Fix CA Changes (To Use Unsecured Agent)#2015

Open
shirady wants to merge 1 commit into
noobaa:masterfrom
shirady:analyze-resource-tls
Open

Analyze Resource | Fix CA Changes (To Use Unsecured Agent)#2015
shirady wants to merge 1 commit into
noobaa:masterfrom
shirady:analyze-resource-tls

Conversation

@shirady

@shirady shirady commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Describe the Problem

While I worked on another feature, I noticed an error in the setup when using s3-compatible (OBM COS) with the changes that were made regarding the TLS (noobaa/noobaa-core#9395).

Explain the changes

  1. Add automountServiceAccountToken: false in the analyze resource job.
  2. Clean up the env NODE_EXTRA_CA_CERTS as it is not used in noobaa-core anymore.

Issues:

  1. Before the change, I noticed that in IBM COS, it had an error: self-signed certificate in certificate chain.
  2. After the change, all the tests are passing. The explanation for this (using AI):

With automountServiceAccountToken: false:

  • service-ca.crt is not mounted → INTERNAL_CA_CERTS read fails → no CA loaded
  • No OCP CA bundle on this job either → EXTERNAL_CA_CERTS also missing
  • https_agent.options.ca is empty → get_unsecured_agent skips TLS verification for non-AWS endpoints
    That matches block-store agents, which also set automountServiceAccountToken: false and therefore never see service-ca.crt.

reference:
https://github.com/noobaa/noobaa-core/blob/646bdc10b8565d4486becda601642eb7cb753ce0/src/util/http_utils.js#L39-L40

Testing Instructions:

  1. Use the Simple Jenkins Deploy with OCP deployed with ODF (includes NooBaa).
  2. Use the CLI and run: nb diagnostics analyze backingstore noobaa-default-backing-store -n openshift-storage (expect all tests to pass).
  • Doc added/updated
  • Tests added

Summary by CodeRabbit

  • Bug Fixes

    • Disabled automatic service account token mounting for resource analysis jobs to enhance security.
  • Chores

    • Simplified environment variable handling by removing unnecessary certificate configuration while preserving proxy settings for resource analysis operations.

Signed-off-by: shirady <57721533+shirady@users.noreply.github.com>
@shirady shirady self-assigned this Jul 9, 2026
@shirady
shirady requested a review from jackyalbo July 9, 2026 13:05
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6a56c76f-93d5-4341-9f12-da6352d79bcb

📥 Commits

Reviewing files that changed from the base of the PR and between 384b8be and c9ec3fa.

📒 Files selected for processing (3)
  • deploy/job_analyze_resource.yml
  • pkg/bundle/deploy.go
  • pkg/diagnostics/analyze.go

📝 Walkthrough

Walkthrough

The analyze-resource Kubernetes Job manifest is updated to disable automatic service account token mounting and to stop propagating the NODE_EXTRA_CA_CERTS environment variable. The embedded bundle copy of this manifest and the Go code that sets job network environment variables are updated to match.

Changes

Analyze Job hardening and env var removal

Layer / File(s) Summary
Job manifest update
deploy/job_analyze_resource.yml
Adds automountServiceAccountToken: false to the pod spec and removes the NODE_EXTRA_CA_CERTS env var from the container.
Embedded bundle sync
pkg/bundle/deploy.go
Updates the SHA256 checksum and applies the same automountServiceAccountToken: false addition and NODE_EXTRA_CA_CERTS removal to the embedded Job YAML template.
Job env propagation logic
pkg/diagnostics/analyze.go
setNetworkEnvsInJob no longer copies NODE_EXTRA_CA_CERTS from the core container, retaining only HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Poem

A hop, a skip, a tightened token gate,
No extra certs to propagate,
Three proxy vars remain in tow,
The job runs lean, the bundle in sync,
This bunny nods and taps its paw — 🐇✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is relevant and summarizes the CA-related analyze resource change, though it is slightly wordy.
Description check ✅ Passed The description matches the template well and includes the problem, changes, issues, and testing instructions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant