Bug 1900138

Summary: [OCP on RHV] Remove insecure mode from the installer
Product: OpenShift Container Platform
Reporter: Janos Bonic <jpasztor>
Component: Installer
Assignee: Gal Zaidman <gzaidman>
Installer sub component: OpenShift on RHV
QA Contact: Guilherme Santos <gdeolive>
Status: CLOSED ERRATA
Docs Contact:
Severity: medium
Priority: unspecified
CC: gzaidman, mgold, pelauter
Version: 4.7
Target Milestone: ---
Target Release: 4.7.0
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: Deprecated Functionality
Doc Text:
This change removes support for the insecure mode from the oVirt installer. Previously, when no certificate could be obtained from the oVirt engine the installer would proceed without certificate verification. Due to recent improvements this is no longer a valid use case and is being deprecated. The user is instead presented with a message explaining the situation and linking to the to-be-written documentation. If the user wants to use insecure mode they have to create a file named ~/.ovirt/ovirt-config.yaml with the following contents before running the installer:

    ovirt_url: https://ovirt.example.com/ovirt-engine/api
    ovirt_fqdn: ovirt.example.com
    ovirt_pem_url: ""
    ovirt_username: admin@internal
    ovirt_password: super-secret-password
    ovirt_insecure: true
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-24 15:35:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1895874
Bug Blocks:

Description Janos Bonic 2020-11-20 22:39:14 UTC
This change proposes dropping support for "insecure" mode on RHV from the installer as #1895874 / PR #4387 adds support for a user-friendly way to accept certificates.

Steps required for this change:

1. Close #1857945 / PR #4400 unmerged
2. Merge #1895874 / PR #4387
3. Write and publish documentation that explains this change and how to enable insecure mode by creating an ovirt-config.yaml manually.
4. Cap code paths that lead to the insecure mode and add a message with a link to the documentation.
5. Test all certificate-related installer paths to make sure that certificates are properly stored in ovirt-config.yaml

Impact on customers:

This change is expected to have minimal customer impact as the certificate confirmation gives them an easy way to download and trust certificates.

Reason for this change:

Supporting "insecure" mode does not represent the best practices (using encryption) and should not be readily offered to users. With the improvements to the installer flow it is not expected to affect customers.

References:

PR #4387 adding support for storing certificates in ovirt-config.yaml: https://github.com/openshift/installer/pull/4387
PR #4400 (to be closed) adding confirmation to using insecure mode: https://github.com/openshift/installer/pull/4400
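
As an added example (not part of the original bug report or the installer's code), a pre-flight check an operator could run before openshift-install to detect whether an ovirt-config.yaml has insecure mode switched on. The function names are hypothetical, the keys are the ones from the Doc Text, and the https and file-permission checks go beyond what the bug itself discusses.

```shell
#!/bin/sh
# Added example: pre-flight audit of an oVirt installer config file.
# Assumes the flat "key: value" layout shown in the Doc Text; this is not a
# general YAML parser.

# Print a top-level key's value without trailing comment, blanks or quotes.
ovirt_cfg_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one FINDING line per problem; return 0 only when there are none.
audit_ovirt_config() {
    cfg=${1:-$HOME/.ovirt/ovirt-config.yaml}
    findings=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    # Assumption: the consuming parser may accept YAML 1.1 spellings of true.
    case $(ovirt_cfg_get "$cfg" ovirt_insecure | tr '[:upper:]' '[:lower:]') in
        true|yes|on|y)
            echo "FINDING: ovirt_insecure is enabled, certificate verification is off"
            findings=$((findings + 1)) ;;
    esac

    case $(ovirt_cfg_get "$cfg" ovirt_url) in
        https://*) ;;
        *) echo "FINDING: ovirt_url is not an https:// URL"
           findings=$((findings + 1)) ;;
    esac

    # The file stores ovirt_password in clear text: owner-only access expected.
    if [ "$(ls -ld -- "$cfg" | cut -c5-10)" != "------" ]; then
        echo "FINDING: $cfg is accessible to group or others"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample using the values from the Doc Text example.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ovirt_url: https://ovirt.example.com/ovirt-engine/api
ovirt_insecure: true
EOF
audit_ovirt_config "$sample" || echo "audit reported findings"
rm -f "$sample"
```

Called without an argument, the function audits ~/.ovirt/ovirt-config.yaml, the path named in the Doc Text.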

Comment 1 Gal Zaidman 2020-11-22 08:31:11 UTC
@Peter Lauterbach Can you look at this proposal?

Comment 2 Janos Bonic 2020-11-23 10:45:50 UTC
@Gal Zaidman this BZ has been created after a discussion with Peter. See https://bugzilla.redhat.com/show_bug.cgi?id=1857945#c9

Comment 3 Janos Bonic 2020-11-23 12:32:48 UTC
Proposed

Comment 4 Janos Bonic 2020-11-23 14:20:05 UTC
@Gal please review

Comment 7 michal 2021-01-14 12:36:57 UTC
verify on: 
rhv 4.4.4.7
openshift - ./openshift-install 4.7.0-0.nightly-2021-01-12-150634

steps:
1) before installation add 'ovirt_insecure: true' field to ovirt-config.yaml file
2) install ocp
3) make sure the installation works well

results:
installation complete without any errors

Comment 9 errata-xmlrpc 2021-02-24 15:35:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

Comment 10 Red Hat Bugzilla 2023-09-15 00:51:34 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days