Bug 1810980

Summary: Explain better how to handle self signed CA for glance (bootstrap Ignition file in Glance)
Product: OpenShift Container Platform Reporter: bart
Component: InstallerAssignee: Pierre Prinetti <pprinett>
Installer sub component: OpenShift on OpenStack QA Contact: David Sanz <dsanzmor>
Status: CLOSED DUPLICATE Docs Contact:
Severity: unspecified    
Priority: unspecified CC: m.andre, pprinett
Version: 4.4   
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-12 15:32:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description bart 2020-03-06 10:48:14 UTC 
Description of problem:
https://github.com/openshift/installer/blob/master/docs/user/openstack/install_upi.md

Lists OpenStack Glance as an option to help inject the bootstrap ignition file. However, some openstack installation run TLS with self-signed certs. This will prevent the CoreOS bootstrap machine to bootstrap.
Without knowing this the person deploying will wait forever for the api to come up.
We should at least list this as remark. 

Use OpenStack Glance making sure the CoreOS can use it via HTTP, or via HTTPS if it has a trusted CA. An untrusted CA (self signed) should either injected in the ignition file or added to the CoreOS image via other means.