Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1943558

Summary: [assisted operator] Assisted Service pod unable to reach self signed local registry in disco environement
Product: OpenShift Container Platform Reporter: Chad Crum <ccrum>
Component: assisted-installerAssignee: yevgeny shnaidman <yshnaidm>
assisted-installer sub component: Deployment Operator QA Contact: Chad Crum <ccrum>
Status: CLOSED ERRATA Docs Contact:
Severity: urgent    
Priority: urgent CC: alazar, aos-bugs, asegurap, bjacot, ccrum, fpercoco, keyoung, mhrivnak, ohochman
Version: 4.8Keywords: Triaged
Target Milestone: ---   
Target Release: 4.8.0   
Hardware: x86_64   
OS: Linux   
Whiteboard: AI-Team-Core
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-27 22:56:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Richard Su 2021-04-30 14:25:59 UTC 
Hi Chad,

In Steps to Reproduce (1), did you add the self-signed certificate to the additionalTrustBundle: as noted in [2].

And did that create a user-ca-bundle config map in the openshift-config namespace?

If yes, then what do you think about having the assisted-service operator look for either the user-ca-bundle config map or the config map through the injection method described in [3]. If it finds a config map containing the self-signed certificate, the controller will then mount it as volume to /etc/pki/ca-trust/extracted/pem.

[2] https://docs.openshift.com/container-platform/4.6/installing/installing_bare_metal_ipi/ipi-install-installation-workflow.html#modify-the-install-config-yaml-file-to-use-the-disconnected-registry-optional

[3] https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/networking/configuring-a-custom-pki#certificate-injection-using-operators_configuring-a-custom-pki
Comment 2 Michael Hrivnak 2021-04-30 14:50:43 UTC 
This feature is still WIP. It should land here: https://github.com/openshift/assisted-service/pull/1595
Comment 3 Chad Crum 2021-05-04 12:55:23 UTC 
Looks like the pr merged - I'll run through testing it today.
Comment 4 Chad Crum 2021-05-04 13:35:33 UTC 
By the way the operator.md is not correct - I opened https://bugzilla.redhat.com/show_bug.cgi?id=1956822 to correct
Comment 5 Ronnie Lazar 2021-05-10 11:05:27 UTC 
Isn't this a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1956937?
Comment 6 Flavio Percoco 2021-05-10 12:54:26 UTC 
*** Bug 1955322 has been marked as a duplicate of this bug. ***
Comment 7 Chad Crum 2021-05-10 14:13:53 UTC 
I validated that I can set a disconnected registry ca using this commit [1].

I'm able to deploy assisted service using the mirror registry change included in the above commit [2].


[1] https://github.com/openshift/assisted-service/commit/d42b8c859f82eb4938142dd0ca32d7357df435af

[2] https://github.com/openshift/assisted-service/blob/master/docs/operator.md#mirror-registry-configuration
Comment 8 Chad Crum 2021-05-10 14:15:57 UTC 
This bz is related to https://bugzilla.redhat.com/show_bug.cgi?id=1956937 (Which I also updated)
Comment 11 errata-xmlrpc 2021-07-27 22:56:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438