Bug 1786314 - [IPI][OSP] Install fails on OpenStack with self-signed certs unless the node running the installer has the CA cert in its system trusts
Summary: [IPI][OSP] Install fails on OpenStack with self-signed certs unless the node ...
Keywords:
Status: ASSIGNED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: 4.5.0
Assignee: Mike Fedosin
QA Contact: David Sanz
URL: https://issues.redhat.com/browse/OSAS...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-12-24 10:56 UTC by David Sanz
Modified: 2020-02-28 07:54 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)

Description David Sanz 2019-12-24 10:56:12 UTC
Description of problem:

When installing OSP16 with self-signed certs, OSPd generates a clouds.yaml file with cacert parameter like:

clouds:
  overcloud:
    auth:
        auth_url: https://10.0.0.101:13000
        password: admin
        project_domain_name: Default
        project_name: admin
        user_domain_name: Default
        username: admin
    cacert: /etc/pki/ca-trust/source/anchors/undercloud-cacert.pem
    identity_api_version: '3'

Using this clouds.yaml generated by OSP16 installer cannot be used to install OCP 4.3:

# ./openshift-install create cluster
FATAL failed to fetch Terraform Variables: failed to load asset "Install Config": invalid "install-config.yaml" file: [platform.openstack.externalNetwork: Internal error: could not retrieve valid networks, platform.openstack.computeFlavor: Internal error: could not retrieve valid flavors, platform.openstack.trunkSupport: Internal error: could not retrieve networking extension aliases, platform.openstack.octaviaSupport: Internal error: could not retrieve service catalog] 

If cacert file is imported on the system and cacert parameter is removed from the clouds.yaml file, installer works.

Version-Release number of the following components:
# ./openshift-install version
./openshift-install v4.3.0
built from commit 93c78d09ed9e2badb4bf5dab708152fe6b3b6602
release image registry.svc.ci.openshift.org/ocp/release@sha256:4cb1574385e4dfcb9342f4041eb674b3df51e31e6294ba433ce814c1b864dc86

How reproducible:

Steps to Reproduce:
1.Install OSP16 using OSPd with self-signed SSL
2.Get clouds.yaml file generated by OSPd and use it to install OCP

Actual results:
OCP is not installed but clouds.yaml is valid and can be used to execute openstack commands

Expected results:
OCP gets clouds.yaml file and checks cacert parameter


Additional info:
Please attach logs from ansible-playbook with the -vvv flag

Comment 2 Eric Duen 2020-01-03 21:10:11 UTC
David see comment #1 for question

Comment 6 Martin André 2020-02-04 14:20:17 UTC
This is currently documented as a known limitation in the upstream docs: https://github.com/openshift/installer/blob/8c55eae/docs/user/openstack/README.md#self-signed-openstack-ca-certificates

The workaround is to add the CA cert to the trusts of the node running the installer:

sudo cp ca.crt.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
 
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html/director_installation_and_usage/appe-ssltls_certificate_configuration#Adding_the_Certificate_Authority_to_Clients

Comment 7 Martin André 2020-02-20 15:38:00 UTC
Re-targeting to 4.5, because it's not blocking 4.4.


Note You need to log in before you can comment on or make changes to this bug.