Bug 2006013

Summary: Clarification on additionalTrustBundle parameter which doesn't work as expected
Product: OpenShift Container Platform Reporter: aygarg
Component: DocumentationAssignee: Chinmayi Chandrasekhar <cchandra>
Status: CLOSED CURRENTRELEASE QA Contact: Gaoyun Pei <gpei>
Severity: low Docs Contact: Latha S <lmurthy>
Priority: medium    
Version: 4.6CC: aos-bugs, bpickard, gpei, jokerman, kgarriso, lmurthy, mkrejci, sdodson, wking
Target Milestone: ---   
Target Release: 4.6.z   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-16 16:48:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description aygarg 2021-09-20 17:05:11 UTC 
Description of problem:
As per the documentation if we add the custom CA certificates in the install-config.yaml file using "additionalTrustBundle" parameter then the installer program creates a configmap containing that certificate and add it to the proxy.
--> https://docs.openshift.com/container-platform/4.8/networking/configuring-a-custom-pki.html#installation-configure-proxy_configuring-a-custom-pki

However, in my testing for a customer's use-case, I added the "additionalTrustBundle" parameter only for a custom CA that needs to be trusted and avoided the "proxy" parameter since the proxy wasn't required. Later on, I found that the config map with name "user-ca-bundle" was created by the installer inside "openshift-config" namespace but the proxy CRD wasn't having the configmap name under the "trustedCA" section and hence the CA certificate wasn't added over the nodes.

Version-Release number of selected component (if applicable):
❯ ./oc version
Client Version: 4.8.9
Server Version: 4.8.9
Kubernetes Version: v1.21.1+9807387


How reproducible:
Everytimeme

Steps to Reproduce:
1. Add a custom CA in the install-config.yaml file using "additionalTrustBundle" parameter and don't add the proxy parameter.
2. Deploy the cluster and check if configmap "user-ca-bundle" created or not inside "openshift-config" namespace.
3. Check "oc get proxy/cluster -o yaml", it won't be containing the configmap name under "trustedCA".

Actual results:
The proxy CRD wasn't referencing the configmap name under "trustedCA" post-installation when the custom CA was added in the install-config.yaml using "additionalTrustBundle" parameter without proxy.

Expected results:
The configmap name must get referenced in "trustedCA" field for Proxy.


Additional info:
I am not sure if this is the expected behavior and the configmap name will be referenced in "trustedCA" field for Proxy only if the proxy parameters were also added in the install-config.yaml file. If this is the expected behavior then it would be really great for more information on why is this so.



❯ cat install-config.yaml
apiVersion: v1
baseDomain: ayush.com
additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  MIIC1zCCAb+gAwIBAgIUAyyEn70rv8PRBvjegOO5Sr5gfxgwDQYJKoZIhvcNAQEL
  BQAwEzERMA8GA1UEAwwIY3VzdG9tQ0EwHhcNMjEwOTIwMTIwNjQwWhcNMjUwOTE5
  MTIwNjQwWjATMREwDwYDVQQDDAhjdXN0b21DQTCCASIwDQYJKoZIhvcNAQEBBQAD
  ggEPADCCAQoCggEBAMVy7fa8Jrz/r1R2QEw3Yzv6myLH7srVfochk7I5ZkstMFXd
  HfVWRYmFuGWNFLHridzoW6/Kis79WDS9cNCH4KAkthuZ6l2xx8WyRePZRTLo5Sdq
  yRI8I1id25kc11/JOZy6Y04flX7ugDrWwkZFXRBoWk+YWvmxrFcGuRLWEh1oIBi7
  Xo2eO2EAuFccf+gsEz/DjYO+GAd2NjBqCwQ3c/YaKtlB5CgEO/g/ghOmOQdWHFFJ
  pR817MHeoUsmhFmy6vEc3A/xYhku8+qLsVbc+0kP84llV++mIFe7ytotNAt4Px6O
  ePyTqnituwIK3tdHsbO408D5KSUNHRYtGmWWIWMCAwEAAaMjMCEwDgYDVR0PAQH/
  BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFfs7cL4
  4PSMTOrV7u/en1OQ67+frsc7vlN2Ze/tuCCI/XbvsqSuN7hAuhNfUd18iEbsfAZM
  YySHb4cq+ndcHnhJzJryWpJ8XiaaOLtln/MNCMAGPV2qvbJfr7YEUgECegxM93Wi
  mxysgIu5NBWDrx9kq/e0lt12V5V0cO6qByCBGqYRMpVaDMix4TUiC/XfKYr/ae0A
  zh1RU2H22p90KyiP0nlnEEOG6WBM7HK/7mROWBaJcdZS9HWV6Z+Fs1uzoBYYA570
  4JxpzwRP9FyyLj02I05H2utmSwQRqWh0Hkbdng6JPlos2pkhyzIHXd25pUV/1X80
  YygKuTHdaaJ/5J4=
  -----END CERTIFICATE-----
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  platform:
...
...
...


❯ oc get cm user-ca-bundle -oyaml -n openshift-config
apiVersion: v1
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    MIIC1zCCAb+gAwIBAgIUAyyEn70rv8PRBvjegOO5Sr5gfxgwDQYJKoZIhvcNAQEL
    BQAwEzERMA8GA1UEAwwIY3VzdG9tQ0EwHhcNMjEwOTIwMTIwNjQwWhcNMjUwOTE5
    MTIwNjQwWjATMREwDwYDVQQDDAhjdXN0b21DQTCCASIwDQYJKoZIhvcNAQEBBQAD
    ggEPADCCAQoCggEBAMVy7fa8Jrz/r1R2QEw3Yzv6myLH7srVfochk7I5ZkstMFXd
    HfVWRYmFuGWNFLHridzoW6/Kis79WDS9cNCH4KAkthuZ6l2xx8WyRePZRTLo5Sdq
    yRI8I1id25kc11/JOZy6Y04flX7ugDrWwkZFXRBoWk+YWvmxrFcGuRLWEh1oIBi7
    Xo2eO2EAuFccf+gsEz/DjYO+GAd2NjBqCwQ3c/YaKtlB5CgEO/g/ghOmOQdWHFFJ
    pR817MHeoUsmhFmy6vEc3A/xYhku8+qLsVbc+0kP84llV++mIFe7ytotNAt4Px6O
    ePyTqnituwIK3tdHsbO408D5KSUNHRYtGmWWIWMCAwEAAaMjMCEwDgYDVR0PAQH/
    BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFfs7cL4
    4PSMTOrV7u/en1OQ67+frsc7vlN2Ze/tuCCI/XbvsqSuN7hAuhNfUd18iEbsfAZM
    YySHb4cq+ndcHnhJzJryWpJ8XiaaOLtln/MNCMAGPV2qvbJfr7YEUgECegxM93Wi
    mxysgIu5NBWDrx9kq/e0lt12V5V0cO6qByCBGqYRMpVaDMix4TUiC/XfKYr/ae0A
    zh1RU2H22p90KyiP0nlnEEOG6WBM7HK/7mROWBaJcdZS9HWV6Z+Fs1uzoBYYA570
    4JxpzwRP9FyyLj02I05H2utmSwQRqWh0Hkbdng6JPlos2pkhyzIHXd25pUV/1X80
    YygKuTHdaaJ/5J4=
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  creationTimestamp: "2021-09-20T12:16:32Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ca-bundle.crt: {}
    manager: cluster-bootstrap
    operation: Update
    time: "2021-09-20T12:16:32Z"
  name: user-ca-bundle
  namespace: openshift-config
  resourceVersion: "1377"
  uid: 514d07c4-7494-4c55-a38c-88953b6ef4cc


❯ oc get proxy/cluster -o yaml                       
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  creationTimestamp: "2021-09-20T12:16:09Z"
  generation: 1
  managedFields:
  - apiVersion: config.openshift.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:spec:
        .: {}
        f:trustedCA:
          .: {}
          f:name: {}
      f:status: {}
    manager: cluster-bootstrap
    operation: Update
    time: "2021-09-20T12:16:09Z"
  name: cluster
  resourceVersion: "675"
  uid: ef42f2f1-74ad-4b30-8da5-7e2db5b6e09e
spec:
  trustedCA:
    name: ""
status: {}
Comment 1 W. Trevor King 2021-09-24 17:49:07 UTC 
(In reply to aygarg from comment #0)
> However, in my testing for a customer's use-case, I added the
> "additionalTrustBundle" parameter only for a custom CA that needs to be
> trusted and avoided the "proxy" parameter since the proxy wasn't required.

Previous report of this as surprising behavior in bug 1771564, which we'd addressed by landing installer-side docs [1]:

  If `additionalTrustBundle` and at least one `proxy` setting are configured, the `cluster` Proxy object will be configured with `trustedCA` referencing the additional trust bundle.

But I don't see similar wording in openshift-docs, in either of the two locations I'd expect to mention it [2,3].  I'm moving this bug to docs so they can add similar wording in their more official, more discoverable repository.  And I'm moving the version back to 4.6 (our oldest, currently-supported version) because this is how the installer has always treated this property.

[1]: https://github.com/openshift/installer/pull/3039/files
[2]: https://github.com/openshift/openshift-docs/blame/2ff0a7d0016de46dbca9e09de952c5794e7249a8/modules/installation-configure-proxy.adoc#L114-L121
[3]: https://github.com/openshift/openshift-docs/blame/2ff0a7d0016de46dbca9e09de952c5794e7249a8/modules/installation-configuration-parameters.adoc#L445
Comment 3 W. Trevor King 2021-10-01 23:09:18 UTC 
Bug 2009629 is also up in this space, and may result in refined suggestions for install-config for transparent proxies.  The installer's doc string quoted in comment 1 would still apply, so I don't think this doc work needs to block on bug 2009629, but it might be worth giving some time for bug 2009629 to reach consensus before moving on the docs front.
Comment 4 Chinmayi Chandrasekhar 2021-10-26 14:52:57 UTC 
PR: https://github.com/openshift/openshift-docs/pull/37992