Bug 1808286
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Ignition can not handle multiple CAs in one caReference | | |
| Product | OpenShift Container Platform | Reporter | weiwei jiang <wjiang> |
| Component | RHCOS | Assignee | Sohan Kunkerkar <skunkerk> |
| Status | CLOSED ERRATA | QA Contact | Michael Nguyen <mnguyen> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 4.4 | CC | bbreard, bgilbert, dustymabe, imcleod, jlebon, jligon, miabbott, nstielau, smilner |
| Target Milestone | --- | | |
| Target Release | 4.6.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1842538 (view as bug list) | Environment | |
| Last Closed | 2020-10-27 15:55:31 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1842538 | | |
Description (weiwei jiang, 2020-02-28 07:33:28 UTC)
(In reply to weiwei jiang from comment #0)
> Actual results:
> [    8.197779] ignition[1073]: GET http://169.254.169.254/openstack/latest/user_data: attempt #5
> [    9.003506] ignition[1073]: GET result: OK
> [    9.032773] ignition[1073]: Adding "Installer-QE-CA" to list of CAs
> [    9.034710] ignition[1073]: GET https://10.8.100.190:13292/v2/images/e838663c-cc1c-4e8c-8593-5d8992e62439/file: attempt #1
> [   62.119530] ignition[1073]: GET error: Get https://10.8.100.190:13292/v2/images/e838663c-cc1c-4e8c-8593-5d8992e62439/file: x509: certificate signed by unknown authority

This looks like it may be that Ignition does not have the CA cert provided early enough to fetch the next files it needs.

You should be able to provide CA certs to Ignition itself via the `security.tls.certificateAuthorities` section of the Ignition config.

https://github.com/coreos/ignition/blob/spec2x/doc/configuration-v2_2.md

```
{
  "ignition": {
    "config": {},
    "security": {
      "tls": {
        "certificateAuthorities": [
          {
            "source": "http://some.example.com/path/to/cacert.pem",
            "verification": {}
          },
          {
            "source": "http://some.example.com/path/to/anothercacert.pem",
            "verification": {}
          }
        ]
      }
    },
    "timeouts": {},
    "version": "2.2.0"
  },
  ...
```

See also https://bugzilla.redhat.com/show_bug.cgi?id=1735192 where the use of self-signed certs in OSP is discussed at length.
(In reply to Micah Abbott from comment #2)
> This looks like it may be that Ignition does not have the CA cert provided
> early enough to fetch the next files it needs.
>
> You should be able to provide CA certs to Ignition itself via the
> `security.tls.certificateAuthorities` section of the Ignition config.
> [...]

Yes, when we split the ca-bundle into multiple caReference entries, it works well.
But does that mean we do not support a ca-bundle in a single certificateAuthorities? Any docs?
(In reply to weiwei jiang from comment #3)
> Yes, when we split the ca-bundle into multiple caReference entries, it works well.
> But does that mean we do not support a ca-bundle in a single certificateAuthorities?
> Any docs?

Or does that mean we also need to split a certificate chain?

Micah has started an upstream discussion on this at https://github.com/coreos/ignition/issues/931.
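The split workaround confirmed in the exchange above (one certificateAuthorities entry per CA instead of one bundled caReference), as an added example that is not code from this bug report or from the Ignition project: the script cuts a PEM bundle into its CERTIFICATE blocks and emits a spec 2.2.0 config with one entry per certificate, embedding each as a base64 data: URL (the data scheme is among the source schemes the Ignition spec lists). SAMPLE_BUNDLE is a constructed input with placeholder bodies, and all function names are the example's own.

```python
import base64
import json
import re

# One PEM CERTIFICATE block, BEGIN line through END line.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample bundle: two blocks with placeholder bodies, not real certificates.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU=
-----END CERTIFICATE-----
"""


def split_pem_bundle(bundle: str) -> list[str]:
    """Return every CERTIFICATE block in the bundle as its own PEM string."""
    return [m.group(0) + "\n" for m in _PEM_CERT_RE.finditer(bundle)]


def pem_to_data_url(pem: str) -> str:
    """Embed one PEM certificate in a base64 data: URL (a source scheme Ignition accepts)."""
    return "data:text/plain;charset=utf-8;base64," + base64.b64encode(pem.encode()).decode()


def decode_data_url(url: str) -> str:
    """Inverse of pem_to_data_url, used to check what Ignition would actually load."""
    return base64.b64decode(url.split(",", 1)[1]).decode()


def ignition_config_from_bundle(bundle: str) -> dict:
    """Spec 2.2.0 config with one certificateAuthorities entry per CA in the bundle."""
    certs = split_pem_bundle(bundle)
    if not certs:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    cas = [{"source": pem_to_data_url(pem), "verification": {}} for pem in certs]
    return {
        "ignition": {
            "version": "2.2.0",
            "security": {"tls": {"certificateAuthorities": cas}},
        }
    }


if __name__ == "__main__":
    print(json.dumps(ignition_config_from_bundle(SAMPLE_BUNDLE), indent=2))
```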
It doesn't seem like a regression (and from upstream discussions, might end up being NOTABUG). My suggestion is to retarget this for 4.4.z or 4.5.0.

We are unlikely to have this behavior changed in the 4.4 time frame. The current suggestion is to split the certificate bundle into separate entries. Please see the upstream issue for additional context.

The upstream discussion has progressed towards supporting the use of bundled CAs in Ignition, but it is unlikely we will have this support for 4.5. Currently, there is no 4.6 Target Release for BZ, but that would be the earliest we could deliver the requested functionality.

Note that https://github.com/coreos/ignition/pull/968 is for Ignition spec 3, and will need to be backported to the spec2x branch.

spec2x backport - https://github.com/coreos/ignition/pull/983

Fixed in ignition-0.35.1-13.rhaos4.6.gitb4d18ad.el8

Using the changes to `kola` from @arithx in https://bugzilla.redhat.com/show_bug.cgi?id=1842538#c6, I was able to verify the fix in RHCOS 46.82.202006190240-0

```
$ bin/kola run -d -b rhcos --ignition-version v2 -p aws --aws-region us-east-1 --aws-ami ami-0139896443a30a831 --aws-profile openshift-dev coreos.ignition.security.*
2020-06-19T21:34:26Z cli: Started logging at level DEBUG
2020-06-19T21:34:26Z cli: Started logging at level DEBUG
=== RUN   coreos.ignition.security.tls.bundle
=== RUN   coreos.ignition.security.tls
2020-06-19T21:34:38Z platform/api/aws: created security group sg-047c385f99203a67f
--- PASS: coreos.ignition.security.tls.bundle (198.01s)
        cluster.go:141: Signature ok
        cluster.go:141: subject=CN = 172.31.52.86
        cluster.go:141: Getting Private key
        cluster.go:141: Signature ok
        cluster.go:141: subject=CN = 172.31.52.86
        cluster.go:141: Getting Private key
--- PASS: coreos.ignition.security.tls (174.50s)
PASS, output in _kola_temp/aws-2020-06-19-1734-3381068
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196