Bug 1839896 (OCPRHV-80-4.5) - OCPRHV-80: RFE: Installer automatically import CA Cert from Engine
Summary: OCPRHV-80: RFE: Installer automatically import CA Cert from Engine
Alias: OCPRHV-80-4.5
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.6.0
Assignee: Douglas Schilling Landgraf
QA Contact: Guilherme Santos
URL: https://issues.redhat.com/browse/OCPR...
Depends On: OCPRHV-176 1850723
Blocks: 1850707
Reported: 2020-05-25 21:22 UTC by Douglas Schilling Landgraf
Modified: 2020-10-27 16:01 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1850707
Last Closed: 2020-10-27 16:01:02 UTC
Target Upstream Version:


System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift installer pull 3637 | 0 | None | closed | oVirt: general improvements | 2020-10-22 06:49:39 UTC
Github | openshift installer pull 3692 | 0 | None | closed | BUG 1839896: ovirt: General Improvements | 2020-10-22 06:49:39 UTC
Red Hat Product Errata | RHBA-2020:4196 | 0 | None | None | None | 2020-10-27 16:01:27 UTC

Description Douglas Schilling Landgraf 2020-05-25 21:22:30 UTC
Description of problem:

Currently the installer asks the user to copy/paste the CA cert from the engine.


e. For oVirt’s CA bundle, if you entered Yes for the preceding question, copy the certificate content from /etc/pki/ca-trust/source/anchors/ca.pem and paste it here. Then, press Enter twice. Otherwise, if you entered No for the preceding question, this question does not appear.

What's expected?
The installer should be able to download the cert and import it if users decide to import it.

Comment 2 Douglas Schilling Landgraf 2020-05-27 12:19:27 UTC
Setting Target Release to make installer bot happy.

@dougsland: This pull request references Bugzilla bug 1839896, which is invalid:

expected the bug to target the "4.5.0" release, but it targets "---" instead
Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

Comment 7 Douglas Schilling Landgraf 2020-06-15 14:56:23 UTC
Just a note:

The OpenShift installer does not allow us to use the sudo command. Based on that, we cannot write a helper to import any cert for customers into their system. Instead, we will load the cert from Engine into the http request or just use a non-SSL connection.
In fact, there is no need to ask users to copy/paste the cert.
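
As an added example (not the installer's own code), here is one way to load a CA bundle into the HTTP client's trust store for a single process, with no root access and with TLS verification left on. The names `clientForCA` and `constructedCert` are hypothetical and the certificate is constructed in the code; the returned SHA-256 fingerprints are meant to be compared with a value obtained separately from the engine host.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// clientForCA (hypothetical helper) trusts only the CAs in bundle; it returns their SHA-256 fingerprints.
func clientForCA(bundle []byte) (*http.Client, []string, error) {
	pool, fps := x509.NewCertPool(), []string{}
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, nil, err
		}
		if !cert.IsCA { // a leaf certificate must not become a trust anchor
			return nil, nil, fmt.Errorf("not a CA certificate: %s", cert.Subject)
		}
		fps = append(fps, fmt.Sprintf("%x", sha256.Sum256(cert.Raw)))
		pool.AddCert(cert)
	}
	if len(fps) == 0 {
		return nil, nil, fmt.Errorf("no certificate found in bundle")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12} // verification stays enabled
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, fps, nil
}

// constructedCert returns a self-signed PEM certificate (constructed sample input).
func constructedCert(isCA bool) []byte {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, key.Public(), key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	_, fps, err := clientForCA(constructedCert(true))
	fmt.Println(fps, err)
}
```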

Comment 8 Douglas Schilling Landgraf 2020-06-15 15:01:00 UTC
Setting no doc but we depend on:
OCPRHV-175: [Docs]: Update IPI install documentation

Comment 9 Guilherme Santos 2020-07-22 13:14:43 UTC
Verified on:

1. guarantee there is no engine CA certificate imported in the machine beforehand:
# rm /etc/pki/ca-trust/source/anchors/ca.pem
2. # openshift-install create cluster --log-level=debug --dir=resources

Installation succeeded and no message asking for the CA certificate

Comment 11 errata-xmlrpc 2020-10-27 16:01:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

