+++ This bug was initially created as a clone of Bug #1807103 +++

Description of problem:
When attempting a disconnected Baremetal IPI installation of 4.3.x using a self-signed certificate and specifying additionalTrustBundle in install-config.yaml, installation fails.

Version-Release number of the following components:

How reproducible:
Every time.

Steps to Reproduce:
1. Include self-signed certificate data in additionalTrustBundle section of install-config.yaml.
2. Run openshift-baremetal-install create manifests
3. Attempt deployment using openshift-baremetal-install create cluster

Actual results:
user-ca-bundle-config.yaml manifest file generated during create manifest process does not include cert data.

apiVersion: v1
data:
  ca-bundle.crt: ""
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: user-ca-bundle
  namespace: openshift-config

Expected results:
ca-bundle.crt should contain certificate info supplied in additionalTrustBundle section of install-config.yaml

Additional info:

--- Additional comment from Amit Ugol on 2020-02-25 15:42:54 UTC ---

Please set severity.

--- Additional comment from Steve Reichard on 2020-02-25 15:46:00 UTC ---

Marked urgent - install at customer fails

--- Additional comment from Stephen Benjamin on 2020-02-25 16:00:26 UTC ---

additionalTrustBundle isn't a baremetal platform option, this should get looked at by the installer team

--- Additional comment from W. Trevor King on 2020-02-25 16:06:48 UTC ---

We only inform the Proxy config object of the additionalTrustBundle ConfigMap if you also set a proxy property. Docs around this landed in [1]. Dup of bug 1771564.
[1]: https://github.com/openshift/installer/pull/3039

--- Additional comment from Mark McLoughlin on 2020-02-25 16:15:57 UTC ---

FWIW, from bz #1771564:

> If a user supplies additionalTrustedCAs in the install-config, but does not supply any other proxy configuration (proxy hostname, no_proxy domains), the installer copies the supplied CAs into a user-ca-bundle CM in the openshift-config namespace, but it does not link that CM into the proxy config resource via the "proxy.spec.trustedCA" field.

This does not sound like what Jay describes. He says his CAs did not get copied into the user-ca-bundle.

--- Additional comment from Jay Cromer on 2020-02-25 16:20:36 UTC ---

Correct, there is no proxy used here.

--- Additional comment from W. Trevor King on 2020-02-25 16:33:52 UTC ---

> He says his CAs did not get copied into the user-ca-bundle.

Can you attach the CA that did not get copied? There may have been issues in the past about forwarding v1 X.509 certs (although looking through the installer history I can't find a reference).

--- Additional comment from Jay Cromer on 2020-02-25 16:43:40 UTC ---

Cert as requested.
Reproduce this bug with 4.4.0-0.nightly-2020-02-24-224042.

[root@preserve-jialiu-ansible ~]# openshift-install version
openshift-install 4.4.0-0.nightly-2020-02-24-224042
built from commit 98773b31eca6002e6f44375118d9eae8467cd016
release image registry.svc.ci.openshift.org/ocp/release@sha256:d595bc5b3f5056c2e32bf3457a2ad8af1c95431c7127ee8b0807ec8212cb4c2c

[root@preserve-jialiu-ansible ~]# rm -rf demo7/*

# cat ipi_template/install-config.yaml.aws.cert_v1
apiVersion: v1
baseDomain: qe.devcluster.openshift.com
compute:
- hyperthreading: Enabled
  name: worker
  platform: {}
  replicas: 3
controlPlane:
  hyperthreading: Enabled
  name: master
  platform: {}
  replicas: 3
metadata:
  creationTimestamp: null
  name: jialiu
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineCIDR: 10.0.0.0/16
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16
additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  MIIDqDCCApACCQClGgm0m62AFDANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMC
  VVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAMBgNVBAcMBVRhbXBhMQ8wDQYDVQQKDAZq
  dGNsYWIxDjAMBgNVBAsMBW15bGFiMR8wHQYDVQQDDBYqLm9jcDRsYWIuanRjbGFi
  Lm15bGFiMSIwIAYJKoZIhvcNAQkBFhNqYXljcm9tZXJAZ21haWwuY29tMB4XDTIw
  MDIxMTAwMDQxN1oXDTIxMDYyNTAwMDQxN1owgZUxCzAJBgNVBAYTAlVTMRAwDgYD
  VQQIDAdGbG9yaWRhMQ4wDAYDVQQHDAVUYW1wYTEPMA0GA1UECgwGanRjbGFiMQ4w
  DAYDVQQLDAVteWxhYjEfMB0GA1UEAwwWKi5vY3A0bGFiLmp0Y2xhYi5teWxhYjEi
  MCAGCSqGSIb3DQEJARYTamF5Y3JvbWVyQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcN
  AQEBBQADggEPADCCAQoCggEBAMTObEZSGb2tvneTPHylmfe8pqyYZSUMKQNSnQtG
  JUee8ws61p7V/zG/OpkBWw9GgEik1TGyGVGJ3RkN2BGK8DMWaM4LJhcAnyrMnXf+
  l1DtCzl0isW0c5M7Ax1e+V1y/GQiy7Kcy4lcX2h5ZOUygtehvT9Fyil5Zfrwx3Yn
  e22CT6POnRvzMIskBg5KrXBR5hIRJ1bcoXP1EkIKWe2JLNxqtTJqguqjmv3TWODv
  s552XbCtZVn8fxXmufCFVNMQzPhkB7s6XAXW+IRR2YexgxIFbic8IYOf3L7a2B5W
  dwOiwG7pVoE2jt7/MZCUmyAy2PS/Y+KNmT+BkqObGYo+L2UCAwEAATANBgkqhkiG
  9w0BAQsFAAOCAQEAtqD3p6ExrxiUyM2XdfcF6rdBSjz2aml3YPSJkheBS9QP1x22
  Fs3SJoWrTiqMwJ6Hz/agH5Umd8WPsQLjQekFdqOwvlwtaPKQcbuXd94XcwKF42E2
  ka7FLIq82QcVf1fWhL5yLfOj3035NlnR8E+gLS4+7rtOgwZk81jVQet1c0fLjWVn
  r+n91+7JlsFF9phYafSNtydic9U8Is13N9RuY4RhjiDDG/ffQSPB3PHH6x+kIM1M
  1sGZrOW/eT0TJTA8qyojYp+kCzBD/SmSuiR3j/innAqckqEmSljIQFdSUcMWAfha
  b0SgVHPZ0Vr6PCk47OFhn6SL/vftlHnmiKMEFw==
  -----END CERTIFICATE-----
platform:
  aws:
    region: us-east-2
<--snip-->

[root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws.cert_v1 demo7/install-config.yaml
[root@preserve-jialiu-ansible ~]# openshift-install create manifests --dir demo7
INFO Credentials loaded from the "default" profile in file "/root/.aws/credentials"
INFO Consuming Install Config from target directory
[root@preserve-jialiu-ansible ~]# cat demo7/manifests/user-ca-bundle-config.yaml
apiVersion: v1
data:
  ca-bundle.crt: ""
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: user-ca-bundle
  namespace: openshift-config

Verified this bug with 4.4.0-0.nightly-2020-02-26-063555, and PASS.

[root@preserve-jialiu-ansible ~]# rm -rf demo7/*
[root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws.cert_v1 demo7/install-config.yaml
[root@preserve-jialiu-ansible ~]# openshift-install create manifests --dir demo7
INFO Credentials loaded from the "default" profile in file "/root/.aws/credentials"
INFO Consuming Install Config from target directory
WARNING Certificate A51A09B49BAD8014 from additionalTrustBundle is x509 v1
[root@preserve-jialiu-ansible ~]# cat demo7/manifests/user-ca-bundle-config.yaml
apiVersion: v1
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    MIIDqDCCApACCQClGgm0m62AFDANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMC
    VVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAMBgNVBAcMBVRhbXBhMQ8wDQYDVQQKDAZq
    dGNsYWIxDjAMBgNVBAsMBW15bGFiMR8wHQYDVQQDDBYqLm9jcDRsYWIuanRjbGFi
    Lm15bGFiMSIwIAYJKoZIhvcNAQkBFhNqYXljcm9tZXJAZ21haWwuY29tMB4XDTIw
    MDIxMTAwMDQxN1oXDTIxMDYyNTAwMDQxN1owgZUxCzAJBgNVBAYTAlVTMRAwDgYD
    VQQIDAdGbG9yaWRhMQ4wDAYDVQQHDAVUYW1wYTEPMA0GA1UECgwGanRjbGFiMQ4w
    DAYDVQQLDAVteWxhYjEfMB0GA1UEAwwWKi5vY3A0bGFiLmp0Y2xhYi5teWxhYjEi
    MCAGCSqGSIb3DQEJARYTamF5Y3JvbWVyQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcN
    AQEBBQADggEPADCCAQoCggEBAMTObEZSGb2tvneTPHylmfe8pqyYZSUMKQNSnQtG
    JUee8ws61p7V/zG/OpkBWw9GgEik1TGyGVGJ3RkN2BGK8DMWaM4LJhcAnyrMnXf+
    l1DtCzl0isW0c5M7Ax1e+V1y/GQiy7Kcy4lcX2h5ZOUygtehvT9Fyil5Zfrwx3Yn
    e22CT6POnRvzMIskBg5KrXBR5hIRJ1bcoXP1EkIKWe2JLNxqtTJqguqjmv3TWODv
    s552XbCtZVn8fxXmufCFVNMQzPhkB7s6XAXW+IRR2YexgxIFbic8IYOf3L7a2B5W
    dwOiwG7pVoE2jt7/MZCUmyAy2PS/Y+KNmT+BkqObGYo+L2UCAwEAATANBgkqhkiG
    9w0BAQsFAAOCAQEAtqD3p6ExrxiUyM2XdfcF6rdBSjz2aml3YPSJkheBS9QP1x22
    Fs3SJoWrTiqMwJ6Hz/agH5Umd8WPsQLjQekFdqOwvlwtaPKQcbuXd94XcwKF42E2
    ka7FLIq82QcVf1fWhL5yLfOj3035NlnR8E+gLS4+7rtOgwZk81jVQet1c0fLjWVn
    r+n91+7JlsFF9phYafSNtydic9U8Is13N9RuY4RhjiDDG/ffQSPB3PHH6x+kIM1M
    1sGZrOW/eT0TJTA8qyojYp+kCzBD/SmSuiR3j/innAqckqEmSljIQFdSUcMWAfha
    b0SgVHPZ0Vr6PCk47OFhn6SL/vftlHnmiKMEFw==
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: user-ca-bundle
  namespace: openshift-config
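The fixed build above warns that the attached certificate is x509 v1 but still copies it into the ConfigMap. The script below is an added example, not code from the bug report or from openshift-installer, that performs the same check offline: it walks just enough DER to read the version and serial number of each certificate in a PEM bundle (a v1 certificate has no explicit [0] version field in tbsCertificate), reproduces the warning line seen in the verification run, and compares an install-config additionalTrustBundle against the ca-bundle.crt value of a generated user-ca-bundle manifest so a missing certificate is caught before create cluster. PAGE_CERT_PEM is the certificate attached to this bug; SYNTHETIC_V3_DER is a constructed stub containing only the fields this parser reads, used to exercise the v3 branch. The function names are this example's own.

```python
"""Audit an install-config additionalTrustBundle for x509 v1 certificates and
check that every certificate reached the generated user-ca-bundle ConfigMap.
Added example, not openshift-installer code. The DER walk reads only
Certificate -> tbsCertificate -> optional [0] version -> serialNumber; it does
no signature, validity or chain checking."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# The x509 v1 certificate attached to this bug, copied from the report above.
PAGE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDqDCCApACCQClGgm0m62AFDANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMC
VVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAMBgNVBAcMBVRhbXBhMQ8wDQYDVQQKDAZq
dGNsYWIxDjAMBgNVBAsMBW15bGFiMR8wHQYDVQQDDBYqLm9jcDRsYWIuanRjbGFi
Lm15bGFiMSIwIAYJKoZIhvcNAQkBFhNqYXljcm9tZXJAZ21haWwuY29tMB4XDTIw
MDIxMTAwMDQxN1oXDTIxMDYyNTAwMDQxN1owgZUxCzAJBgNVBAYTAlVTMRAwDgYD
VQQIDAdGbG9yaWRhMQ4wDAYDVQQHDAVUYW1wYTEPMA0GA1UECgwGanRjbGFiMQ4w
DAYDVQQLDAVteWxhYjEfMB0GA1UEAwwWKi5vY3A0bGFiLmp0Y2xhYi5teWxhYjEi
MCAGCSqGSIb3DQEJARYTamF5Y3JvbWVyQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMTObEZSGb2tvneTPHylmfe8pqyYZSUMKQNSnQtG
JUee8ws61p7V/zG/OpkBWw9GgEik1TGyGVGJ3RkN2BGK8DMWaM4LJhcAnyrMnXf+
l1DtCzl0isW0c5M7Ax1e+V1y/GQiy7Kcy4lcX2h5ZOUygtehvT9Fyil5Zfrwx3Yn
e22CT6POnRvzMIskBg5KrXBR5hIRJ1bcoXP1EkIKWe2JLNxqtTJqguqjmv3TWODv
s552XbCtZVn8fxXmufCFVNMQzPhkB7s6XAXW+IRR2YexgxIFbic8IYOf3L7a2B5W
dwOiwG7pVoE2jt7/MZCUmyAy2PS/Y+KNmT+BkqObGYo+L2UCAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAtqD3p6ExrxiUyM2XdfcF6rdBSjz2aml3YPSJkheBS9QP1x22
Fs3SJoWrTiqMwJ6Hz/agH5Umd8WPsQLjQekFdqOwvlwtaPKQcbuXd94XcwKF42E2
ka7FLIq82QcVf1fWhL5yLfOj3035NlnR8E+gLS4+7rtOgwZk81jVQet1c0fLjWVn
r+n91+7JlsFF9phYafSNtydic9U8Is13N9RuY4RhjiDDG/ffQSPB3PHH6x+kIM1M
1sGZrOW/eT0TJTA8qyojYp+kCzBD/SmSuiR3j/innAqckqEmSljIQFdSUcMWAfha
b0SgVHPZ0Vr6PCk47OFhn6SL/vftlHnmiKMEFw==
-----END CERTIFICATE-----
"""

# Constructed stand-in for a v3 certificate: only the fields this parser reads
# are present (explicit [0] version INTEGER 2, meaning v3, then serial 5).
SYNTHETIC_V3_DER = b"\x30\x0a\x30\x08\xa0\x03\x02\x01\x02\x02\x01\x05"


def _tlv(buf, pos):
    """Decode one DER tag/length header at buf[pos]; return (tag, start, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def inspect_certificate(der):
    """Return (version, serial_hex) for a DER-encoded X.509 certificate."""
    tag, pos, _ = _tlv(der, 0)           # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, pos, _ = _tlv(der, pos)         # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                      # version [0] EXPLICIT INTEGER; absent => v1
        _, istart, iend = _tlv(der, start)
        version = int.from_bytes(der[istart:iend], "big") + 1
        tag, start, end = _tlv(der, end)
    else:
        version = 1
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = der[start:end].lstrip(b"\x00") or b"\x00"
    return version, serial.hex().upper()


def parse_bundle(pem_text):
    """Split a PEM bundle into (der_bytes, version, serial_hex) tuples."""
    certs = []
    for b64 in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        version, serial = inspect_certificate(der)
        certs.append((der, version, serial))
    return certs


def audit_bundle(pem_text):
    """Warning lines, in the wording of the verification run, for v1 certs."""
    return [f"Certificate {serial} from additionalTrustBundle is x509 v1"
            for _, version, serial in parse_bundle(pem_text) if version == 1]


def missing_from_manifest(bundle_pem, manifest_ca_bundle):
    """Serials in the install-config bundle that are absent from the
    ca-bundle.crt value of the generated user-ca-bundle ConfigMap."""
    present = {der for der, _, _ in parse_bundle(manifest_ca_bundle)}
    return [serial for der, _, serial in parse_bundle(bundle_pem)
            if der not in present]


if __name__ == "__main__":
    for line in audit_bundle(PAGE_CERT_PEM):
        print("WARNING", line)
    # Broken build wrote ca-bundle.crt: "" ; fixed build wrote the cert back.
    print("missing (empty manifest):", missing_from_manifest(PAGE_CERT_PEM, ""))
    print("missing (fixed manifest):", missing_from_manifest(PAGE_CERT_PEM, PAGE_CERT_PEM))
```

Run it against demo7/manifests/user-ca-bundle-config.yaml after create manifests and before create cluster; a non-empty list from missing_from_manifest means the same failure this bug describes. The v1 warning is worth acting on even though the fixed installer passes the certificate through: a v1 certificate carries no extensions, so it has neither a basicConstraints CA flag nor a Subject Alternative Name, and whether a given TLS stack accepts it as a trust anchor is up to that stack. Reissuing the lab CA as an x509 v3 certificate with CA:TRUE removes that dependency.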
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581