Bug 1839896 (OCPRHV-80-4.5)

Summary: OCPRHV-80: RFE: Installer automatically import CA Cert from Engine
Product: OpenShift Container Platform Reporter: Douglas Schilling Landgraf <dougsland>
Component: InstallerAssignee: Douglas Schilling Landgraf <dougsland>
Installer sub component: OpenShift on RHV QA Contact: Guilherme Santos <gdeolive>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: medium Keywords: UpcomingRelease
Version: 4.5   
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
URL: https://issues.redhat.com/browse/OCPRHV-80
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1850707 (view as bug list) Environment:
Last Closed: 2020-10-27 16:01:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1846366, 1850723    
Bug Blocks: 1850707    

Description Douglas Schilling Landgraf 2020-05-25 21:22:30 UTC 
Description of problem:

Currently the installer ask user to copy/past the CA Cert from engine.

From:
---------
https://docs.openshift.com/container-platform/4.4/installing/installing_rhv/installing-rhv-default.html#installing-rhv-setting-up-ca-certificate_installing-rhv-default


e. For oVirt’s CA bundle, if you entered Yes for the preceding question, copy the certificate content from /etc/pki/ca-trust/source/anchors/ca.pem and paste it here. Then, press Enter twice. Otherwise, if you entered No for the preceding question, this question does not appear.



What's expected?
-----------------------
Installer should be able to download the cert and import if users decide to import it.
Comment 2 Douglas Schilling Landgraf 2020-05-27 12:19:27 UTC 
Setting Target Release to make installer bot happy.

@dougsland: This pull request references Bugzilla bug 1839896, which is invalid:

expected the bug to target the "4.5.0" release, but it targets "---" instead
Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.
Comment 7 Douglas Schilling Landgraf 2020-06-15 14:56:23 UTC 
Just a note: 

   The OpenShift installer do not allow us to use sudo command. Based on that, we cannot write a helper to import any cert to customers in their system. Instead, we will load the cert from Engine into the http request or just use non ssl connection.
In fact, no need to ask users copy/past the cert.
Comment 8 Douglas Schilling Landgraf 2020-06-15 15:01:00 UTC 
Setting no doc but we depend on:
OCPRHV-175: [Docs]: Update IPI install documentation
https://bugzilla.redhat.com/show_bug.cgi?id=1846320
Comment 9 Guilherme Santos 2020-07-22 13:14:43 UTC 
Verified on:
4.6.0-0.nightly-2020-07-22-074636

Steps:
1. guarantee there is no engine CA certificate imported in the machine beforehand:
# rm /etc/pki/ca-trust/source/anchors/ca.pem
2. # openshift-install create cluster --log-level=debug --dir=resources

Results:
Installation succeeded and no message asking for the CA certificate
Comment 11 errata-xmlrpc 2020-10-27 16:01:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196