Description of problem: If you don't specify "ovirt_insecure: true" in your oVirt credentials config, the installation will eventually fail apparently because machine-controller container (and maybe some others as well) does not trust engine's CA. Even though the CA is trusted by the bastion's operating system. Version-Release number of the following components: ./openshift-install version ./openshift-install unreleased-master-2320-g6791d02a6fadedd44f9263fb72f9f65dbd51bfe0-dirty built from commit 6791d02a6fadedd44f9263fb72f9f65dbd51bfe0 release image registry.svc.ci.openshift.org/ovirt/ovirt-release@sha256:c46483c4bfd9418226d3bbf46e15b7905dfefcccfe899b652db3a8c88b522b96 How reproducible: I tried it only once but I believe this behaviour is consistent. Steps to Reproduce: 1. Make sure your bastion machine (the one from where you conduct the installation) trusts your engine's CA. If your engine is your bastion, then it's easy as running this: ln -sf /etc/pki/ovirt-engine/ca.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust 2. Now just follow the installation steps with one specific. When you're setting up your ovirt credentials file, completely omit the line that says "ovirt_insecure: true". It should default to false. Mine looks like this: cat ~/.ovirt/ovirt-config.yaml ovirt_url: https://<engine_fqdn>/ovirt-engine/api ovirt_username: admin@internal ovirt_password: <pass> 3. Try to install OCP4 and monitor the progress. Actual results: The installation got pretty far and most of the cluster operators came up, not all though: http://pastebin.test.redhat.com/828699 Also workers nodes were not created. Expected results: The installation is finished successfully. Additional info: openshift-install output: http://pastebin.test.redhat.com/828698 Logs from authentication: http://pastebin.test.redhat.com/828702 Logs from console: http://pastebin.test.redhat.com/828704 Logs from ingress: http://pastebin.test.redhat.com Logs from monitoring: http://pastebin.test.redhat.com/828707/828706 oc get pods -n openshift-machine-api: http://pastebin.test.redhat.com/828772 cluster-autoscaler-operator: http://pastebin.test.redhat.com/828766 machine-api-operator: http://pastebin.test.redhat.com/828770 And most importantly here's the error message about untrusted CA: machine-api-controllers: http://pastebin.test.redhat.com/828779 http://pastebin.test.redhat.com/828768
Verified with openshift-install-linux-4.5.0-0.nightly-2020-03-19-042419 Verification steps: 1. Create /root/.ovirt/ovirt-config.yaml with following content: ovirt_url: https://<engine_fqdn>/ovirt-engine/api ovirt_username: admin@internal ovirt_password: "<pass>" ovirt_ca_bundle: |- -----BEGIN CERTIFICATE----- <CA gibberish> -----END CERTIFICATE----- 2. Prepare valid install-config.yaml and copy it to install-dir 3. Run openshift-install create cluster --dir=install-dir
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2409