Bug 1807103 - Disconnected Installation of 4.3.x fails when using a self signed certificate and additionalTrustBundle in install-config.yaml
Summary: Disconnected Installation of 4.3.x fails when using a self signed certificat...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.3.z
Hardware: x86_64
OS: Linux
Priority: high
Severity: urgent
Target Milestone: ---
Target Release: 4.5.0
Assignee: Joseph Callen
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks: 1807202
 
Reported: 2020-02-25 15:33 UTC by Jay Cromer
Modified: 2023-09-07 22:03 UTC (History)
CC List: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1807202
Environment:
Last Closed: 2020-07-13 17:21:14 UTC
Target Upstream Version:
Embargoed:


Attachments
domain.crt (1.30 KB, text/plain), 2020-02-25 16:43 UTC, Jay Cromer


Links
Github openshift/installer pull 3186 (closed): Bug 1807103: additionalTrustBundle IsCA check to warn instead of drop. Last updated 2021-02-09 10:01:25 UTC
Red Hat Product Errata RHBA-2020:2409. Last updated 2020-07-13 17:21:40 UTC

Description Jay Cromer 2020-02-25 15:33:39 UTC
Description of problem:
When attempting a disconnected Baremetal IPI installation of 4.3.x using a self signed certificate and specifying additionalTrustBundle in install-config.yaml, installation fails.

Version-Release number of the following components:

How reproducible:
Every time.

Steps to Reproduce:
1. Include self signed certificate data in additionalTrustBundle section of install-config.yaml.
2. Run openshift-baremetal-install create manifests
3. Attempt deployment using openshift-baremetal-install create cluster

Actual results:
user-ca-bundle-config.yaml manifest file generated during create manifest process does not include cert data.

apiVersion: v1
data:
  ca-bundle.crt: ""
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: user-ca-bundle
  namespace: openshift-config

Expected results:

ca-bundle.crt should contain certificate info supplied in additionalTrustBundle section of install-config.yaml

Additional info:

Comment 1 Amit Ugol 2020-02-25 15:42:54 UTC
Please set severity.

Comment 2 Steve Reichard 2020-02-25 15:46:00 UTC
Marked urgent - install at customer fails

Comment 3 Stephen Benjamin 2020-02-25 16:00:26 UTC
additionalTrustBundle isn't a baremetal platform option; this should get looked at by the installer team

Comment 4 W. Trevor King 2020-02-25 16:06:48 UTC
We only inform the Proxy config object of the additionalTrustBundle ConfigMap if you also set a proxy property. Docs around this landed in [1].  Dup of bug 1771564.

[1]: https://github.com/openshift/installer/pull/3039

*** This bug has been marked as a duplicate of bug 1771564 ***

Comment 5 Mark McLoughlin 2020-02-25 16:15:57 UTC
FWIW, from bz #1771564:

> If a user supplies additionalTrustedCAs in the install-config, but does not supply any other proxy configuration (proxy hostname, no_proxy domains), the installer copies the supplied CAs into a user-ca-bundle CM in the openshift-config namespace, but it does not link that CM into the proxy config resource via the "proxy.spec.trustedCA" field.

This does not sound like what Jay describes. He says his CAs did not get copied into the user-ca-bundle.

Comment 6 Jay Cromer 2020-02-25 16:20:36 UTC
Correct, there is no proxy used here.

Comment 7 W. Trevor King 2020-02-25 16:33:52 UTC
> He says his CAs did not get copied into the user-ca-bundle.

Can you attach the CA that did not get copied?  There may have been issues in the past about forwarding v1 X.509 certs (although looking through the installer history I can't find a reference).

Comment 8 Jay Cromer 2020-02-25 16:43:40 UTC
Created attachment 1665699 [details]
domain.crt

Cert as requested.

Comment 11 Johnny Liu 2020-02-28 10:56:10 UTC
Verified this bug with 4.5.0-0.ci-2020-02-28-072816, and PASS.

[root@preserve-jialiu-ansible ~]# rm -rf demo7/*
[root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws.cert_v1 demo7/install-config.yaml
[root@preserve-jialiu-ansible ~]# vim ipi_template/install-config.yaml.aws.cert_v1
[root@preserve-jialiu-ansible ~]# openshift-install create manifests --dir demo7
INFO Credentials loaded from the "default" profile in file "/root/.aws/credentials" 
INFO Consuming Install Config from target directory 
WARNING Certificate A51A09B49BAD8014 from additionalTrustBundle is x509 v1 
[root@preserve-jialiu-ansible ~]# cat demo7/manifests/user-ca-bundle-config.yaml
apiVersion: v1
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    MIIDqDCCApACCQClGgm0m62AFDANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMC
    VVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAMBgNVBAcMBVRhbXBhMQ8wDQYDVQQKDAZq
    dGNsYWIxDjAMBgNVBAsMBW15bGFiMR8wHQYDVQQDDBYqLm9jcDRsYWIuanRjbGFi
    Lm15bGFiMSIwIAYJKoZIhvcNAQkBFhNqYXljcm9tZXJAZ21haWwuY29tMB4XDTIw
    MDIxMTAwMDQxN1oXDTIxMDYyNTAwMDQxN1owgZUxCzAJBgNVBAYTAlVTMRAwDgYD
    VQQIDAdGbG9yaWRhMQ4wDAYDVQQHDAVUYW1wYTEPMA0GA1UECgwGanRjbGFiMQ4w
    DAYDVQQLDAVteWxhYjEfMB0GA1UEAwwWKi5vY3A0bGFiLmp0Y2xhYi5teWxhYjEi
    MCAGCSqGSIb3DQEJARYTamF5Y3JvbWVyQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcN
    AQEBBQADggEPADCCAQoCggEBAMTObEZSGb2tvneTPHylmfe8pqyYZSUMKQNSnQtG
    JUee8ws61p7V/zG/OpkBWw9GgEik1TGyGVGJ3RkN2BGK8DMWaM4LJhcAnyrMnXf+
    l1DtCzl0isW0c5M7Ax1e+V1y/GQiy7Kcy4lcX2h5ZOUygtehvT9Fyil5Zfrwx3Yn
    e22CT6POnRvzMIskBg5KrXBR5hIRJ1bcoXP1EkIKWe2JLNxqtTJqguqjmv3TWODv
    s552XbCtZVn8fxXmufCFVNMQzPhkB7s6XAXW+IRR2YexgxIFbic8IYOf3L7a2B5W
    dwOiwG7pVoE2jt7/MZCUmyAy2PS/Y+KNmT+BkqObGYo+L2UCAwEAATANBgkqhkiG
    9w0BAQsFAAOCAQEAtqD3p6ExrxiUyM2XdfcF6rdBSjz2aml3YPSJkheBS9QP1x22
    Fs3SJoWrTiqMwJ6Hz/agH5Umd8WPsQLjQekFdqOwvlwtaPKQcbuXd94XcwKF42E2
    ka7FLIq82QcVf1fWhL5yLfOj3035NlnR8E+gLS4+7rtOgwZk81jVQet1c0fLjWVn
    r+n91+7JlsFF9phYafSNtydic9U8Is13N9RuY4RhjiDDG/ffQSPB3PHH6x+kIM1M
    1sGZrOW/eT0TJTA8qyojYp+kCzBD/SmSuiR3j/innAqckqEmSljIQFdSUcMWAfha
    b0SgVHPZ0Vr6PCk47OFhn6SL/vftlHnmiKMEFw==
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: user-ca-bundle
  namespace: openshift-config
[root@preserve-jialiu-ansible ~]# openshift-install version
openshift-install 4.5.0-0.ci-2020-02-28-072816
built from commit 25fe53340d9a45f7979537989d7d850bdfacc301
release image registry.svc.ci.openshift.org/ocp/release@sha256:36d92e7996da682aa3880fce90e546c2f26ae58517b8ca1377d1e05c711a04eb
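
The following is an illustration added by the editor, not installer code from PR 3186 and not anything posted in this bug. It models the keep-but-warn policy the PR title describes, and the "is x509 v1" WARNING shown in the verification run above, over a PEM additionalTrustBundle: Go's x509 derives IsCA only from the BasicConstraints extension, and a v1 certificate such as the attached domain.crt cannot carry extensions, so a strict IsCA filter silently drops it. CheckTrustBundle keeps such a certificate and warns instead, and likewise keeps a v3 certificate without CA=TRUE with a warning; a block that does not parse is a hard error. The function names (CheckTrustBundle, BuildSampleBundle, toV1, must), the sample certificates and their common names are this example's own assumptions. BuildSampleBundle constructs its input at runtime: because x509.CreateCertificate emits only v3, it rewrites one v3 certificate as v1 by dropping the version and extensions and re-signing the TBS with the same key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one certificate's fate under keep-but-warn: Warning is set, but the cert
// kept, for v1 (no extensions, so no BasicConstraints, IsCA false) or v3 without CA=TRUE.
type Finding struct {
	Serial  string
	Version int
	IsCA    bool
	Warning string
}

// CheckTrustBundle walks each CERTIFICATE block of a PEM bundle; a block that
// does not parse is a hard error, not a silent skip.
func CheckTrustBundle(bundle []byte) ([]Finding, error) {
	var out []Finding
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, fmt.Errorf("additionalTrustBundle: %w", err)
		}
		f := Finding{Serial: fmt.Sprintf("%X", cert.SerialNumber), Version: cert.Version, IsCA: cert.IsCA}
		switch {
		case cert.Version == 1:
			f.Warning = fmt.Sprintf("Certificate %s from additionalTrustBundle is x509 v1", f.Serial)
		case !cert.IsCA:
			f.Warning = fmt.Sprintf("Certificate %s from additionalTrustBundle is not a CA", f.Serial)
		}
		out = append(out, f)
	}
	return out, nil
}

// Everything below builds sample input; must panics on error, as setup code may.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// tbsCertificate/certificate mirror RFC 5280 just enough to rewrite a Go-made v3
// certificate as v1 (x509.CreateCertificate emits only v3): Version at its default
// is omitted on encode, Extensions are dropped, and the TBS is re-signed.
type tbsCertificate struct {
	Version                              int `asn1:"optional,explicit,default:0,tag:0"`
	SerialNumber                         *big.Int
	SignatureAlgorithm                   pkix.AlgorithmIdentifier
	Issuer, Validity, Subject, PublicKey asn1.RawValue
	Extensions                           []pkix.Extension `asn1:"omitempty,optional,explicit,tag:3"`
}
type certificate struct {
	TBSCertificate     tbsCertificate
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}
func toV1(v3DER []byte, key *rsa.PrivateKey) []byte {
	var c certificate
	must(asn1.Unmarshal(v3DER, &c))
	c.TBSCertificate.Version, c.TBSCertificate.Extensions = 0, nil
	digest := sha256.Sum256(must(asn1.Marshal(c.TBSCertificate)))
	sig := must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]))
	c.SignatureValue = asn1.BitString{Bytes: sig, BitLength: 8 * len(sig)}
	return must(asn1.Marshal(c))
}
// BuildSampleBundle returns constructed test data, not the reporter's attachment:
// a v3 CA, a v3 non-CA leaf and a v1 self-signed root, all signed with one fresh key.
func BuildSampleBundle() []byte {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	self := func(serial int64, cn string, isCA, v1 bool) []byte {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
			BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageCertSign}
		der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
		if v1 {
			der = toV1(der, key)
		}
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	bundle := append(self(1, "lab-root-ca", true, false), self(2, "*.ocp4lab.example", false, false)...)
	return append(bundle, self(3, "legacy-root", true, true)...)
}

func main() { fmt.Println(CheckTrustBundle(BuildSampleBundle())) }
```

Running it prints three findings: the v3 CA with no warning, the v3 leaf and the v1 root each with a warning, and none dropped, where a filter that forwards only IsCA certificates would have discarded the last two. To check a real bundle, pass the decoded additionalTrustBundle text from install-config.yaml to CheckTrustBundle; any non-empty Warning is a certificate the 4.3 installer would have silently left out of user-ca-bundle.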

Comment 12 Dana Safford 2020-04-02 18:58:56 UTC
As this is becoming important, I raised the Customer Escalation Flag.

Comment 14 errata-xmlrpc 2020-07-13 17:21:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

