Bug 1782900 - OpenShift Cluster Version Operator doesn't correctly mount SSL certificates from host preventing cluster version update in MITM scenario
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.3.0
Assignee: Kathryn Alexander
QA Contact: liujia
Vikram Goyal
Reported: 2019-12-12 15:43 UTC by Scott Dodson
Modified: 2020-04-13 15:30 UTC

Last Closed: 2020-04-13 15:30:03 UTC

Description Scott Dodson 2019-12-12 15:43:32 UTC
This bug was initially created as a copy of Bug #1773419

I am copying this bug because: We'd like to have release notes added which point to this as a known issue with a workaround of specifying an empty installer proxy config. This will be addressed in a later release as an enhancement.

Description of problem:
The "OpenShift Cluster Version Operator (CVO)" doesn't mount the SSL certificates from the host (masters) correctly. This means that if you are using an MITM proxy, checking for new cluster versions fails with: "x509: certificate signed by unknown authority"

I looked into it deeper and realized that the CVO only mounts /etc/ssl/certs from the host; however, the certificates are a symlink on the host: /etc/ssl/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

So it just ends up using the certificates bundled with the CVO, instead of any customized certificates from the host (master).

I updated the cluster-version-operator and also mounted in /etc/pki as read-only, and then it could download version updates correctly.

How reproducible:

Prerequisites:
MITM internet via a transparent proxy (explicit proxy probably has the same problem)

Steps to Reproduce:
1. Prepare an env
2. In the install-config.yaml configure your MITM CA cert in "additionalTrustBundle"
3. In the "Proxy" config (can be done in the manifest before the cluster is deployed) ensure spec.trustedCA.name = "user-ca-bundle"
4. Version updates in the "Cluster Settings" part of the console will say that "Update Status" is "Failing" or "Failed" or something to that effect.

Actual results:

"Update Status" says Failed and it won't let you upgrade your cluster.

Expected results:

"Update Status" says "Up to date" or offers an upgrade.
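
An added check (not part of this bug or of the CVO code) that models the mount behaviour the description identifies: it builds a constructed host tree containing the /etc/ssl/certs/ca-bundle.crt symlink, then asks whether the bundle is readable through a given set of bind mounts, first with only /etc/ssl/certs (the reported failure) and then with /etc/pki mounted as well (the reporter's workaround). The function names `make_fake_host`, `visible`, `bundle_readable_in_container` and `demo`, and the fake PEM content, are assumptions of this example.

```python
"""Added check: does a container that bind-mounts only part of the host
filesystem actually see the host CA bundle, or a dangling symlink?"""
import os
import tempfile

# Paths from the bug report: the bundle the CVO reads and its symlink target.
BUNDLE = "/etc/ssl/certs/ca-bundle.crt"
TARGET = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

def make_fake_host(root):
    """Constructed host layout under `root`: the real PEM under /etc/pki and
    the /etc/ssl/certs symlink pointing at it, as on an RHCOS master."""
    pem = os.path.join(root, TARGET.lstrip("/"))
    os.makedirs(os.path.dirname(pem), exist_ok=True)
    with open(pem, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
    link = os.path.join(root, BUNDLE.lstrip("/"))
    os.makedirs(os.path.dirname(link), exist_ok=True)
    os.symlink(TARGET, link)  # absolute symlink target, exactly as on the host

def visible(path, mounts):
    """True if `path` lies inside one of the bind-mounted host directories."""
    return any(path == m or path.startswith(m.rstrip("/") + "/") for m in mounts)

def bundle_readable_in_container(root, mounts):
    """Walk BUNDLE's symlink chain as the host kernel would, rooted at `root`.
    Every hop, including the final file, must be reachable through a mount;
    otherwise the container sees a dangling link and a TLS client silently
    falls back to whatever bundle ships in the image."""
    path = BUNDLE
    for _ in range(40):  # bound the walk so a symlink loop cannot hang us
        if not visible(path, mounts):
            return False
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.islink(full):
            return os.path.isfile(full)
        target = os.readlink(full)
        if not os.path.isabs(target):  # relative link: resolve against the link's dir
            target = os.path.normpath(os.path.join(os.path.dirname(path), target))
        path = target
    return False

def demo():
    """(readable with only /etc/ssl/certs mounted, readable once /etc/pki is
    mounted as well): the bug's failing case and the reporter's workaround."""
    with tempfile.TemporaryDirectory() as root:
        make_fake_host(root)
        return (bundle_readable_in_container(root, ["/etc/ssl/certs"]),
                bundle_readable_in_container(root, ["/etc/ssl/certs", "/etc/pki"]))
```

The same walk can be run against a real node by passing `root="/"` and the `hostPath` mounts from a pod spec.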

Comment 4 Kathryn Alexander 2020-03-09 18:29:25 UTC
PR's here: https://github.com/openshift/openshift-docs/pull/20354

Jia Liu, will you please take a look?

Comment 6 Kathryn Alexander 2020-04-07 15:36:25 UTC
Jia approved this change on the PR, and I've merged it.
