+++ This bug was initially created as a clone of Bug #1807202 +++
+++ This bug was initially created as a clone of Bug #1807103 +++
Description of problem:
When attempting a disconnected Baremetal IPI installation of 4.3.x using a self signed certificate and specifying additionalTrustBundle in install-config.yaml, installation fails.
Version-Release number of the following components:
Steps to Reproduce:
1. Include self signed certificate data in additionalTrustBundle section of install-config.yaml.
2. Run openshift-baremetal-install create manifests
3. Attempt deployment using openshift-baremetal-install create cluster
user-ca-bundle-config.yaml manifest file generated during create manifest process does not include cert data.
ca-bundle.crt should contain certificate info supplied in additionalTrustBundle section of install-config.yaml
--- Additional comment from Amit Ugol on 2020-02-25 15:42:54 UTC ---
Please set severity.
--- Additional comment from Steve Reichard on 2020-02-25 15:46:00 UTC ---
Marked urgent - install at customer fails
--- Additional comment from Stephen Benjamin on 2020-02-25 16:00:26 UTC ---
additionalTrustBundle isn't a baremetal platform option, this should get looked at by the installer team
--- Additional comment from W. Trevor King on 2020-02-25 16:06:48 UTC ---
We only inform the Proxy config object of the additionalTrustBundle ConfigMap if you also set a proxy property. Docs around this landed in . Dup of bug 1771564.
--- Additional comment from Mark McLoughlin on 2020-02-25 16:15:57 UTC ---
FWIW, from bz #1771564:
> If a user supplies additionalTrustedCAs in the install-config, but does not supply any other proxy configuration (proxy hostname, no_proxy domains), the installer copies the supplied CAs into a user-ca-bundle CM in the openshift-config namespace, but it does not link that CM into the proxy config resource via the "proxy.spec.trustedCA" field.
This does not sound like what Jay describes. He says his CAs did not get copied into the user-ca-bundle.
--- Additional comment from Jay Cromer on 2020-02-25 16:20:36 UTC ---
Correct, there is no proxy used here.
--- Additional comment from W. Trevor King on 2020-02-25 16:33:52 UTC ---
> He says his CAs did not get copied into the user-ca-bundle.
Can you attach the CA that did not get copied? There may have been issues in the past about forwarding v1 X.509 certs (although looking through the installer history I can't find a reference).
--- Additional comment from Jay Cromer on 2020-02-25 16:43:40 UTC ---
Cert as requested.
Saw Jay comment that he found a workaround:
what I did to workaround was
after you run create manifests
you can edit the manifest file to copy the cert data
before you run create cluster
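A check that fits between create manifests and create cluster (an added example, not part of the original report or the installer's code): it compares the certificates in install-config.yaml's additionalTrustBundle with those in the generated user-ca-bundle-config.yaml and flags whether each missing one is X.509 v1, the case raised earlier in the thread. The function names and the stub certificates are constructed for illustration, and the PEM data is assumed to sit in YAML block scalars.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stubs, not real certificates: only enough DER for the checks.
V1_STUB = bytes.fromhex("30053003020101")      # TBSCertificate starts at serial
V3_STUB = bytes.fromhex("30073005a003020102")  # TBSCertificate starts at [0] version


def to_pem(der):
    """PEM-armor DER bytes (used here to build the constructed samples)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_certs(yaml_text):
    """DER bytes of every PEM block in raw YAML text (block-scalar indentation
    is whitespace and is stripped before base64 decoding)."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(yaml_text)]


def content_offset(der, pos):
    """Offset of the content of the DER element whose tag is at pos."""
    length = der[pos + 1]
    return pos + 2 + (length & 0x7F if length & 0x80 else 0)


def is_x509_v1(der):
    """True when TBSCertificate has no [0] EXPLICIT version field, as in v1."""
    tbs = content_offset(der, 0)  # Certificate -> TBSCertificate tag
    return der[content_offset(der, tbs)] != 0xA0


def missing_from_manifest(install_config_text, manifest_text):
    """Map SHA-256 fingerprint -> is_v1 for each additionalTrustBundle cert
    that is absent from the generated user-ca-bundle manifest."""
    generated = {hashlib.sha256(d).hexdigest() for d in pem_certs(manifest_text)}
    wanted = {hashlib.sha256(d).hexdigest(): d for d in pem_certs(install_config_text)}
    return {fp: is_x509_v1(d) for fp, d in wanted.items() if fp not in generated}


if __name__ == "__main__":
    cfg = "additionalTrustBundle: |\n  " + (to_pem(V1_STUB) + to_pem(V3_STUB)).replace("\n", "\n  ")
    manifest = "data:\n  ca-bundle.crt: |\n    " + to_pem(V3_STUB).replace("\n", "\n    ")
    for fp, v1 in missing_from_manifest(cfg, manifest).items():
        print(f"missing from manifest: {fp} (x509 v1: {v1})")
```

An empty result means every certificate supplied in additionalTrustBundle made it into ca-bundle.crt.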
Verified this bug with 4.3.0-0.nightly-2020-03-09-200240, and PASS.
[root@preserve-jialiu-ansible ~]# openshift-install create manifests --dir demo2
INFO Consuming Install Config from target directory
WARNING Certificate A51A09B49BAD8014 from additionalTrustBundle is x509 v1
[root@preserve-jialiu-ansible ~]# cat demo2/manifests/user-ca-bundle-config.yaml
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.