Bug 1794313

Summary: Some cluster operators fail to come up because RHV CA is not trusted by a pod
Product: OpenShift Container Platform
Reporter: Jan Zmeskal <jzmeskal>
Component: Installer
Assignee: Roy Golan <rgolan>
Installer sub component: OpenShift on RHV
QA Contact: Jan Zmeskal <jzmeskal>
Status: CLOSED ERRATA
Severity: medium
Priority: high
CC: jcall
Version: 4.4
Target Release: 4.5.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-07-13 17:13:28 UTC
Type: Bug
Bug Blocks: 1811760

Description Jan Zmeskal 2020-01-23 09:25:30 UTC
Description of problem:
If you don't specify "ovirt_insecure: true" in your oVirt credentials config, the installation will eventually fail, apparently because the machine-controller container (and maybe some others as well) does not trust the engine's CA, even though the CA is trusted by the bastion's operating system.

Version-Release number of the following components:
./openshift-install version
./openshift-install unreleased-master-2320-g6791d02a6fadedd44f9263fb72f9f65dbd51bfe0-dirty
built from commit 6791d02a6fadedd44f9263fb72f9f65dbd51bfe0
release image registry.svc.ci.openshift.org/ovirt/ovirt-release@sha256:c46483c4bfd9418226d3bbf46e15b7905dfefcccfe899b652db3a8c88b522b96

How reproducible:
I tried it only once but I believe this behaviour is consistent.

Steps to Reproduce:
1. Make sure your bastion machine (the one from where you conduct the installation) trusts your engine's CA. If your engine is your bastion, then it's as easy as running this:
ln -sf /etc/pki/ovirt-engine/ca.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust

2. Now just follow the installation steps with one specific. When you're setting up your ovirt credentials file, completely omit the line that says "ovirt_insecure: true". It should default to false. Mine looks like this:
cat ~/.ovirt/ovirt-config.yaml 
ovirt_url: https://<engine_fqdn>/ovirt-engine/api
ovirt_username: admin@internal
ovirt_password: <pass>

3. Try to install OCP4 and monitor the progress.

Actual results:
The installation got pretty far and most of the cluster operators came up, not all though: http://pastebin.test.redhat.com/828699
Also, worker nodes were not created.

Expected results:
The installation is finished successfully. 

Additional info:
openshift-install output: http://pastebin.test.redhat.com/828698 
Logs from authentication: http://pastebin.test.redhat.com/828702 
Logs from console: http://pastebin.test.redhat.com/828704           
Logs from ingress: http://pastebin.test.redhat.com
Logs from monitoring: http://pastebin.test.redhat.com/828707/828706
oc get pods -n openshift-machine-api: http://pastebin.test.redhat.com/828772
cluster-autoscaler-operator: http://pastebin.test.redhat.com/828766 
machine-api-operator: http://pastebin.test.redhat.com/828770
And most importantly here's the error message about untrusted CA:
machine-api-controllers: http://pastebin.test.redhat.com/828779 http://pastebin.test.redhat.com/828768

Comment 4 Jan Zmeskal 2020-03-19 13:27:59 UTC
Verified with openshift-install-linux-4.5.0-0.nightly-2020-03-19-042419

Verification steps:
1. Create /root/.ovirt/ovirt-config.yaml with the following content:

ovirt_url: https://<engine_fqdn>/ovirt-engine/api
ovirt_username: admin@internal
ovirt_password: "<pass>"
ovirt_ca_bundle: |-
  -----BEGIN CERTIFICATE-----
  <CA gibberish>
  -----END CERTIFICATE-----

2. Prepare valid install-config.yaml and copy it to install-dir
3. Run openshift-install create cluster --dir=install-dir
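
Added example, not part of the bug report or the installer's code: a Python pre-flight check for the ovirt-config.yaml used in the verification steps above. It flags ovirt_insecure: true, a missing ovirt_ca_bundle, and a bundle that is mis-indented or does not parse as PEM; the function names, the minimal config reader and the sample values are assumptions made for illustration.

```python
import ssl
import textwrap

def parse_flat_config(text):
    """Read top-level 'key: value' pairs and '|' block scalars (not full YAML)."""
    cfg, block = {}, None
    for raw in text.splitlines():
        if block and (raw[:1] in (" ", "\t") or not raw.strip()):
            cfg[block].append(raw)          # continuation of the block scalar
            continue
        block = None
        if not raw.strip():
            continue
        key, sep, value = raw.partition(":")
        if not sep:                          # e.g. an unindented PEM body line
            raise ValueError(f"line belongs to no key: {raw!r}")
        key, value = key.strip(), value.strip()
        if value.startswith("|"):
            block, cfg[key] = key, []
        else:
            cfg[key] = value.strip("\"'")
    return {k: textwrap.dedent("\n".join(v)).strip() if isinstance(v, list) else v
            for k, v in cfg.items()}

def audit_ovirt_config(text):
    """Return findings; an empty list means an engine CA is supplied and parses."""
    try:
        cfg = parse_flat_config(text)
    except ValueError as exc:
        return [f"malformed config: {exc}"]
    findings = []
    if cfg.get("ovirt_insecure", "false").lower() == "true":
        findings.append("ovirt_insecure is true: engine certificate is not verified")
    bundle = cfg.get("ovirt_ca_bundle", "")
    if not bundle:
        findings.append("no ovirt_ca_bundle: bastion trust does not reach cluster pods")
        return findings
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=bundle)   # parses every PEM certificate
        if ctx.cert_store_stats()["x509_ca"] == 0:
            findings.append("ovirt_ca_bundle contains no CA certificate")
    except (ssl.SSLError, ValueError, TypeError) as exc:
        findings.append(f"ovirt_ca_bundle is not valid PEM: {exc}")
    return findings

# Constructed sample: a three-line credentials file with no CA bundle.
SAMPLE = ("ovirt_url: https://engine.example/ovirt-engine/api\n"
          "ovirt_username: admin@internal\novirt_password: secret\n")

if __name__ == "__main__":
    for finding in audit_ovirt_config(SAMPLE):
        print("FINDING:", finding)
```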

Comment 6 errata-xmlrpc 2020-07-13 17:13:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409