Bug 2049169
| Summary: | oVirt CSI driver should use the trusted CA bundle when cluster proxy is configured | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Jan Safranek <jsafrane> |
| Component: | Storage | Assignee: | Jan Safranek <jsafrane> |
| Storage sub component: | Operators | QA Contact: | Wei Duan <wduan> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | ||
| Priority: | unspecified | ||
| Version: | 4.10 | ||
| Target Milestone: | --- | ||
| Target Release: | 4.11.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-08-10 10:46:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2050118 | ||
|
Description
Jan Safranek
2022-02-01 17:01:04 UTC
Verified pass on 4.11.0-0.nightly-2022-04-07-053433 with following steps: 1. Check the proxy and user-ca-bundle $ oc get proxy cluster -o yaml spec: httpProxy: http://10.37.141.131:3128 noProxy: localhost,example.com,oauth-openshift.apps.ge3n1.ocp.rhev.lab.eng.brq.redhat.com trustedCA: name: user-ca-bundle status: httpProxy: http://10.37.141.131:3128 noProxy: .cluster.local,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,172.30.0.0/16,api-int.ge3n1.ocp.rhev.lab.eng.brq.redhat.com,example.com,localhost,oauth-openshift.apps.ge3n1.ocp.rhev.lab.eng.brq.redhat.com 2. Check user-ca-bundle content # oc -n openshift-config get cm user-ca-bundle -o yaml apiVersion: v1 data: ca-bundle.crt: | -----BEGIN CERTIFICATE----- MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx 3. The user-ca-bundle content in following configmap # oc -n openshift-cluster-csi-drivers get cm ovirt-csi-driver-trusted-ca-bundle -o yaml | grep "MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx" MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx 4. Check CSI pod: # oc -n openshift-cluster-csi-drivers get pod ovirt-csi-driver-controller-78b8cb7586-9xs44 -o yaml - name: HTTP_PROXY value: http://10.37.141.131:3128 - name: NO_PROXY value: .cluster.local,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,172.30.0.0/16,api-int.ge3n1.ocp.rhev.lab.eng.brq.redhat.com,example.com,localhost,oauth-openshift.apps.ge3n1.ocp.rhev.lab.eng.brq.redhat.com volumeMounts: - mountPath: /etc/pki/ca-trust/extracted/pem name: non-standard-root-system-trust-ca-bundle readOnly: true 5. Check inside the pod the user-ca-bundle content is included in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem file sh-4.4# grep "MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx" /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx 6. Check CSI provisioning works. # oc get pvc,pod NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE persistentvolumeclaim/mypvc-test Bound pvc-51da5357-c38d-4ad2-b7b2-bb9f7caab8b1 20Gi RWO ovirt-csi-sc 47s NAME READY STATUS RESTARTS AGE pod/mypod-test 1/1 Running 0 47s Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069 |