Created attachment 1692828 [details]
CAMap and ContainerImagePrepare environment file.

Description of problem:
When using a CAMap, it is not applied soon enough on the Overcloud nodes. This leads to issues pulling containers from an internal registry that uses a TLS/SSL certificate signed by a custom certificate authority.


Version-Release number of selected component (if applicable):
RHOSP 16.1
RHEL 8.2


How reproducible:
100%


Steps to Reproduce:
1. `openstack overcloud deploy -e ~/ca-map.yaml`


Actual results:
Error message during deploy:
```
2020-05-27 14:03:25,676 p=8956 u=mistral |  fatal: [overcloud-controller-0]: FAILED! => {"changed": true, "cmd": "pod
man pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1", "delta": "0:00:05
.435411", "end": "2020-05-27 18:03:25.620966", "msg": "non-zero return code", "rc": 125, "start": "2020-05-27 18:03:2
0.185555", "stderr": "Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20
200524.1...\n  Get https://registry-proxy.engineering.redhat.com/v2/: x509: certificate signed by unknown authority\n
Error: error pulling image \"registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1\": unable to pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1: unable to pull image: Error initializing source docker://registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1: error pinging docker registry registry-proxy.engineering.redhat.com: Get https://registry-proxy.engineering.redhat.com/v2/: x509: certificate signed by unknown authority", "stderr_lines": ["Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1...", "  Get https://registry-proxy.engineering.redhat.com/v2/: x509: certificate signed by unknown authority", "Error: error pulling image \"registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1\": unable to pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1: unable to pull image: Error initializing source docker://registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1: error pinging docker registry registry-proxy.engineering.redhat.com: Get https://registry-proxy.engineering.redhat.com/v2/: x509: certificate signed by unknown authority"], "stdout": "", "stdout_lines": []}
```


Expected results:
The container images should be pulled and the deployment will continue to finish.


Additional info:
Using the inject-trust-anchor template can be used as a workaround. However, it has the limitation of only allowing one CA trust to be created and managed.

~/templates/environments/ssl/inject-trust-anchor.yaml