Bug 1807203 - Disconnected Installation of 4.3.x fails when using a self signed certificate and additionalTrustBundle in install-config.yaml
Summary: Disconnected Installation of 4.3.x fails when using a self signed certificat...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.3.z
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 4.3.z
Assignee: Joseph Callen
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On: 1807202
Blocks:
Reported: 2020-02-25 19:44 UTC by Joseph Callen
Modified: 2020-03-24 14:34 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1807202
Environment:
Last Closed: 2020-03-24 14:33:46 UTC
Target Upstream Version:
Embargoed:


Links
GitHub openshift/installer pull 3190 (closed): [release-4.3] Bug 1807203: additionalTrustBundle IsCA check to warn instead of drop (last updated 2020-06-11 05:06:34 UTC)
Red Hat Product Errata RHBA-2020:0858 (last updated 2020-03-24 14:34:14 UTC)

Description Joseph Callen 2020-02-25 19:44:16 UTC
+++ This bug was initially created as a clone of Bug #1807202 +++

+++ This bug was initially created as a clone of Bug #1807103 +++

Description of problem:
When attempting a disconnected Baremetal IPI installation of 4.3.x using a self signed certificate and specifying additionalTrustBundle in install-config.yaml, installation fails.

Version-Release number of the following components:

How reproducible:
Every time.

Steps to Reproduce:
1. Include self signed certificate data in additionalTrustBundle section of install-config.yaml.
2. Run openshift-baremetal-install create manifests
3. Attempt deployment using openshift-baremetal-install create cluster

Actual results:
user-ca-bundle-config.yaml manifest file generated during the create manifests process does not include cert data.

apiVersion: v1
data:
  ca-bundle.crt: ""
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: user-ca-bundle
  namespace: openshift-config

Expected results:

ca-bundle.crt should contain certificate info supplied in additionalTrustBundle section of install-config.yaml

Additional info:

--- Additional comment from Amit Ugol on 2020-02-25 15:42:54 UTC ---

Please set severity.

--- Additional comment from Steve Reichard on 2020-02-25 15:46:00 UTC ---

Marked urgent - install at customer fails

--- Additional comment from Stephen Benjamin on 2020-02-25 16:00:26 UTC ---

additionalTrustBundle isn't a baremetal platform option, this should get looked at by the installer team

--- Additional comment from W. Trevor King on 2020-02-25 16:06:48 UTC ---

We only inform the Proxy config object of the additionalTrustBundle ConfigMap if you also set a proxy property. Docs around this landed in [1].  Dup of bug 1771564.

[1]: https://github.com/openshift/installer/pull/3039

--- Additional comment from Mark McLoughlin on 2020-02-25 16:15:57 UTC ---

FWIW, from bz #1771564:

> If a user supplies additionalTrustedCAs in the install-config, but does not supply any other proxy configuration (proxy hostname, no_proxy domains), the installer copies the supplied CAs into a user-ca-bundle CM in the openshift-config namespace, but it does not link that CM into the proxy config resource via the "proxy.spec.trustedCA" field.

This does not sound like what Jay describes. He says his CAs did not get copied into the user-ca-bundle.

--- Additional comment from Jay Cromer on 2020-02-25 16:20:36 UTC ---

Correct, there is no proxy used here.

--- Additional comment from W. Trevor King on 2020-02-25 16:33:52 UTC ---

> He says his CAs did not get copied into the user-ca-bundle.

Can you attach the CA that did not get copied?  There may have been issues in the past about forwarding v1 X.509 certs (although looking through the installer history I can't find a reference).

--- Additional comment from Jay Cromer on 2020-02-25 16:43:40 UTC ---

Cert as requested.

Comment 1 Steve Reichard 2020-02-26 19:23:43 UTC
Saw Jay comment that he found a workaround:

 what I did to work around was
after you run create manifests
you can edit the manifest file to copy the cert data
before you run create cluster

Comment 4 Johnny Liu 2020-03-10 02:38:01 UTC
Verified this bug with 4.3.0-0.nightly-2020-03-09-200240, and PASS.

[root@preserve-jialiu-ansible ~]# openshift-install create manifests --dir demo2
INFO Consuming Install Config from target directory 
WARNING Certificate A51A09B49BAD8014 from additionalTrustBundle is x509 v1 
[root@preserve-jialiu-ansible ~]# cat demo2/manifests/user-ca-bundle-config.yaml 
apiVersion: v1
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    MIIDqDCCApACCQClGgm0m62AFDANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMC
    VVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAMBgNVBAcMBVRhbXBhMQ8wDQYDVQQKDAZq
    dGNsYWIxDjAMBgNVBAsMBW15bGFiMR8wHQYDVQQDDBYqLm9jcDRsYWIuanRjbGFi
    Lm15bGFiMSIwIAYJKoZIhvcNAQkBFhNqYXljcm9tZXJAZ21haWwuY29tMB4XDTIw
    MDIxMTAwMDQxN1oXDTIxMDYyNTAwMDQxN1owgZUxCzAJBgNVBAYTAlVTMRAwDgYD
    VQQIDAdGbG9yaWRhMQ4wDAYDVQQHDAVUYW1wYTEPMA0GA1UECgwGanRjbGFiMQ4w
    DAYDVQQLDAVteWxhYjEfMB0GA1UEAwwWKi5vY3A0bGFiLmp0Y2xhYi5teWxhYjEi
    MCAGCSqGSIb3DQEJARYTamF5Y3JvbWVyQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcN
    AQEBBQADggEPADCCAQoCggEBAMTObEZSGb2tvneTPHylmfe8pqyYZSUMKQNSnQtG
    JUee8ws61p7V/zG/OpkBWw9GgEik1TGyGVGJ3RkN2BGK8DMWaM4LJhcAnyrMnXf+
    l1DtCzl0isW0c5M7Ax1e+V1y/GQiy7Kcy4lcX2h5ZOUygtehvT9Fyil5Zfrwx3Yn
    e22CT6POnRvzMIskBg5KrXBR5hIRJ1bcoXP1EkIKWe2JLNxqtTJqguqjmv3TWODv
    s552XbCtZVn8fxXmufCFVNMQzPhkB7s6XAXW+IRR2YexgxIFbic8IYOf3L7a2B5W
    dwOiwG7pVoE2jt7/MZCUmyAy2PS/Y+KNmT+BkqObGYo+L2UCAwEAATANBgkqhkiG
    9w0BAQsFAAOCAQEAtqD3p6ExrxiUyM2XdfcF6rdBSjz2aml3YPSJkheBS9QP1x22
    Fs3SJoWrTiqMwJ6Hz/agH5Umd8WPsQLjQekFdqOwvlwtaPKQcbuXd94XcwKF42E2
    ka7FLIq82QcVf1fWhL5yLfOj3035NlnR8E+gLS4+7rtOgwZk81jVQet1c0fLjWVn
    r+n91+7JlsFF9phYafSNtydic9U8Is13N9RuY4RhjiDDG/ffQSPB3PHH6x+kIM1M
    1sGZrOW/eT0TJTA8qyojYp+kCzBD/SmSuiR3j/innAqckqEmSljIQFdSUcMWAfha
    b0SgVHPZ0Vr6PCk47OFhn6SL/vftlHnmiKMEFw==
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: user-ca-bundle
  namespace: openshift-config
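
As an added illustration of the behaviour the linked pull request describes (warn on a non-CA certificate instead of dropping it), the following Go program is not the installer's code and not part of this bug report; the function names, the exact warning text and the rejection of non-certificate PEM blocks are assumptions made here. It parses an additionalTrustBundle value, reports each certificate's serial, X.509 version and CA flag, keeps the certificate with a warning when it is not marked as a CA (an x509 v1 certificate cannot carry basicConstraints at all), and renders the user-ca-bundle ConfigMap in the shape of user-ca-bundle-config.yaml. The sample input is the self-signed v1 certificate shown in Comment 4.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"
)

// sampleBundle is the self-signed x509 v1 certificate from Comment 4 of this
// bug, used as the additionalTrustBundle input for this example.
const sampleBundle = `-----BEGIN CERTIFICATE-----
MIIDqDCCApACCQClGgm0m62AFDANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMC
VVMxEDAOBgNVBAgMB0Zsb3JpZGExDjAMBgNVBAcMBVRhbXBhMQ8wDQYDVQQKDAZq
dGNsYWIxDjAMBgNVBAsMBW15bGFiMR8wHQYDVQQDDBYqLm9jcDRsYWIuanRjbGFi
Lm15bGFiMSIwIAYJKoZIhvcNAQkBFhNqYXljcm9tZXJAZ21haWwuY29tMB4XDTIw
MDIxMTAwMDQxN1oXDTIxMDYyNTAwMDQxN1owgZUxCzAJBgNVBAYTAlVTMRAwDgYD
VQQIDAdGbG9yaWRhMQ4wDAYDVQQHDAVUYW1wYTEPMA0GA1UECgwGanRjbGFiMQ4w
DAYDVQQLDAVteWxhYjEfMB0GA1UEAwwWKi5vY3A0bGFiLmp0Y2xhYi5teWxhYjEi
MCAGCSqGSIb3DQEJARYTamF5Y3JvbWVyQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMTObEZSGb2tvneTPHylmfe8pqyYZSUMKQNSnQtG
JUee8ws61p7V/zG/OpkBWw9GgEik1TGyGVGJ3RkN2BGK8DMWaM4LJhcAnyrMnXf+
l1DtCzl0isW0c5M7Ax1e+V1y/GQiy7Kcy4lcX2h5ZOUygtehvT9Fyil5Zfrwx3Yn
e22CT6POnRvzMIskBg5KrXBR5hIRJ1bcoXP1EkIKWe2JLNxqtTJqguqjmv3TWODv
s552XbCtZVn8fxXmufCFVNMQzPhkB7s6XAXW+IRR2YexgxIFbic8IYOf3L7a2B5W
dwOiwG7pVoE2jt7/MZCUmyAy2PS/Y+KNmT+BkqObGYo+L2UCAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAtqD3p6ExrxiUyM2XdfcF6rdBSjz2aml3YPSJkheBS9QP1x22
Fs3SJoWrTiqMwJ6Hz/agH5Umd8WPsQLjQekFdqOwvlwtaPKQcbuXd94XcwKF42E2
ka7FLIq82QcVf1fWhL5yLfOj3035NlnR8E+gLS4+7rtOgwZk81jVQet1c0fLjWVn
r+n91+7JlsFF9phYafSNtydic9U8Is13N9RuY4RhjiDDG/ffQSPB3PHH6x+kIM1M
1sGZrOW/eT0TJTA8qyojYp+kCzBD/SmSuiR3j/innAqckqEmSljIQFdSUcMWAfha
b0SgVHPZ0Vr6PCk47OFhn6SL/vftlHnmiKMEFw==
-----END CERTIFICATE-----
`

// CertReport records what decides whether a bundle entry is accepted silently
// or with a warning: serial, X.509 version, CA flag and the warning raised.
type CertReport struct {
	Serial  string
	Version int
	IsCA    bool
	Warning string
}

// InspectTrustBundle parses every PEM block of an additionalTrustBundle value
// (hypothetical helper). A certificate that is not marked as a CA is kept and
// reported with a warning rather than dropped; non-certificate blocks and
// unparsable certificates are rejected; a bundle with no certificates is an
// error, so a mis-pasted value fails at "create manifests" instead of silently
// producing an empty ca-bundle.crt.
func InspectTrustBundle(bundle string) (string, []CertReport, error) {
	var kept strings.Builder
	var reports []CertReport
	rest := []byte(bundle)
	for {
		block, remaining := pem.Decode(rest)
		if block == nil {
			break
		}
		rest = remaining
		if block.Type != "CERTIFICATE" {
			return "", nil, fmt.Errorf("additionalTrustBundle: unexpected PEM block %q", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return "", nil, fmt.Errorf("additionalTrustBundle: %w", err)
		}
		rep := CertReport{Serial: fmt.Sprintf("%X", cert.SerialNumber), Version: cert.Version, IsCA: cert.IsCA}
		if !cert.IsCA {
			rep.Warning = fmt.Sprintf("Certificate %s from additionalTrustBundle is x509 v%d and not marked as a CA", rep.Serial, cert.Version)
		}
		reports = append(reports, rep)
		kept.Write(pem.EncodeToMemory(block)) // re-encode so only well-formed blocks reach the manifest
	}
	if len(reports) == 0 {
		return "", nil, fmt.Errorf("additionalTrustBundle: no CERTIFICATE blocks found")
	}
	return kept.String(), reports, nil
}

// UserCABundleManifest renders the user-ca-bundle ConfigMap with the kept
// bundle as a YAML block scalar; an empty bundle is rendered as "", which is
// the faulty output reported in this bug and is easy to grep for.
func UserCABundleManifest(bundle string) string {
	var b strings.Builder
	b.WriteString("apiVersion: v1\ndata:\n")
	if strings.TrimSpace(bundle) == "" {
		b.WriteString("  ca-bundle.crt: \"\"\n")
	} else {
		b.WriteString("  ca-bundle.crt: |\n")
		for _, line := range strings.Split(strings.TrimRight(bundle, "\n"), "\n") {
			b.WriteString("    " + line + "\n")
		}
	}
	b.WriteString("kind: ConfigMap\nmetadata:\n  creationTimestamp: null\n  name: user-ca-bundle\n  namespace: openshift-config\n")
	return b.String()
}

func main() {
	kept, reports, err := InspectTrustBundle(sampleBundle)
	if err != nil {
		panic(err)
	}
	for _, r := range reports {
		if r.Warning != "" {
			fmt.Println("WARNING", r.Warning)
		}
	}
	fmt.Print(UserCABundleManifest(kept))
}
```

Running the program against the Comment 4 certificate prints one warning for serial A51A09B49BAD8014 (version 1, not a CA) and a manifest whose ca-bundle.crt contains the certificate; after `create manifests`, checking that `manifests/user-ca-bundle-config.yaml` does not contain `ca-bundle.crt: ""` is the quickest way to confirm the bundle was carried through before running `create cluster`.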

Comment 6 errata-xmlrpc 2020-03-24 14:33:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0858