Bug 1840886 - CA trust (CAMap) is not applied soon enough [NEEDINFO]
Summary: CA trust (CAMap) is not applied soon enough
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 16.1 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: zstream
Target Release: 16.1 (Train on RHEL 8.2)
Assignee: Ade Lee
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-05-27 19:33 UTC by Luke Short
Modified: 2023-09-15 18:39 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-03 19:36:30 UTC
Target Upstream Version:
Embargoed:
pweeks: needinfo? (dwilde)


Attachments
CAMap and ContainerImagePrepare environment file. (2.79 KB, text/plain), 2020-05-27 19:33 UTC, Luke Short


Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 743633 | 0 | None | MERGED | Move CA cert injection to host_prep_tasks | 2021-02-17 15:50:29 UTC
OpenStack gerrit | 839296 | 0 | None | MERGED | Manage CA certificates using ansible | 2023-01-16 02:12:59 UTC
Red Hat Issue Tracker | OSP-1115 | 0 | None | None | None | 2022-03-10 23:42:27 UTC

Description Luke Short 2020-05-27 19:33:25 UTC
Created attachment 1692828
CAMap and ContainerImagePrepare environment file.

Description of problem:
When using a CAMap, it is not applied soon enough on the Overcloud nodes. This leads to issues pulling containers from an internal registry that uses a TLS/SSL certificate signed by a custom certificate authority.


Version-Release number of selected component (if applicable):
RHOSP 16.1
RHEL 8.2


How reproducible:
100%


Steps to Reproduce:
1. `openstack overcloud deploy -e ~/ca-map.yaml`


Actual results:
Error message during deploy:
```
2020-05-27 14:03:25,676 p=8956 u=mistral |  fatal: [overcloud-controller-0]: FAILED! => {"changed": true, "cmd": "podman pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1", "delta": "0:00:05.435411", "end": "2020-05-27 18:03:25.620966", "msg": "non-zero return code", "rc": 125, "start": "2020-05-27 18:03:20.185555", "stderr": "Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1...\n  Get https://registry-proxy.engineering.redhat.com/v2/: x509: certificate signed by unknown authority\nError: error pulling image \"registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1\": unable to pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1: unable to pull image: Error initializing source docker://registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1: error pinging docker registry registry-proxy.engineering.redhat.com: Get https://registry-proxy.engineering.redhat.com/v2/: x509: certificate signed by unknown authority", "stderr_lines": ["Trying to pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1...", "  Get https://registry-proxy.engineering.redhat.com/v2/: x509: certificate signed by unknown authority", "Error: error pulling image \"registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1\": unable to pull registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1: unable to pull image: Error initializing source docker://registry-proxy.engineering.redhat.com/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1: error pinging docker registry registry-proxy.engineering.redhat.com: Get https://registry-proxy.engineering.redhat.com/v2/: x509: certificate signed by unknown authority"], "stdout": "", "stdout_lines": []}
```


Expected results:
The container images should be pulled and the deployment will continue to finish.


Additional info:
The inject-trust-anchor template can be used as a workaround. However, it has the limitation of only allowing one CA trust to be created and managed.

~/templates/environments/ssl/inject-trust-anchor.yaml
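The failure above is easy to lose among other deploy errors, so here is an added triage helper (not part of the bug report or of tripleo-heat-templates) that scans the Ansible deploy output, groups failed `podman pull` tasks by overcloud node and registry, and separates the "unknown authority" cases (the CAMap ordering symptom) from other pull failures. The log lines and registry host name are constructed sample data modelled on the quoted error.

```python
import json
import re
from collections import defaultdict

# Constructed sample of Ansible output from an overcloud deploy, modelled on the
# podman pull failure quoted in this bug. Registry host names are placeholders.
SAMPLE_LOG = """\
2020-05-27 14:03:25,676 p=8956 u=mistral |  fatal: [overcloud-controller-0]: FAILED! => {"changed": true, "cmd": "podman pull registry.example.test/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1", "rc": 125, "stderr": "Trying to pull registry.example.test/rh-osbs/rhosp16-openstack-rabbitmq:16.1_20200524.1...\\n  Get https://registry.example.test/v2/: x509: certificate signed by unknown authority"}
2020-05-27 14:03:26,001 p=8956 u=mistral |  fatal: [overcloud-compute-0]: FAILED! => {"changed": true, "cmd": "podman pull registry.example.test/rh-osbs/rhosp16-openstack-nova-compute:16.1_20200524.1", "rc": 125, "stderr": "Error: error pulling image: manifest unknown"}
2020-05-27 14:03:27,123 p=8956 u=mistral |  ok: [overcloud-controller-1]
"""

FATAL_RE = re.compile(r"fatal: \[(?P<node>[^\]]+)\]: FAILED! => (?P<result>\{.*\})\s*$")
PULL_RE = re.compile(r"podman pull (?P<registry>[^/\s]+)/")
UNKNOWN_CA = "x509: certificate signed by unknown authority"


def triage_pull_failures(log_text):
    """Group failed container pulls by node and registry.

    Returns {"ca_trust": {node: [registry, ...]}, "other": {node: [registry, ...]}}.
    "ca_trust" holds pulls rejected because the registry certificate chains to a
    CA the node does not trust yet (the CAMap symptom); "other" holds every other
    failed pull so it is not mistaken for a trust problem.
    """
    buckets = {"ca_trust": defaultdict(set), "other": defaultdict(set)}
    for line in log_text.splitlines():
        m = FATAL_RE.search(line)
        if not m:
            continue
        try:
            result = json.loads(m.group("result"))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON result; nothing to classify
        cmd = result.get("cmd", "")
        if isinstance(cmd, list):  # Ansible may report argv as a list
            cmd = " ".join(cmd)
        pull = PULL_RE.search(cmd)
        if not pull:
            continue  # a failed task, but not a container pull
        kind = "ca_trust" if UNKNOWN_CA in result.get("stderr", "") else "other"
        buckets[kind][m.group("node")].add(pull.group("registry"))
    return {k: {node: sorted(regs) for node, regs in v.items()} for k, v in buckets.items()}


if __name__ == "__main__":
    for node, registries in triage_pull_failures(SAMPLE_LOG)["ca_trust"].items():
        print(f"{node}: CA for {', '.join(registries)} must be trusted before container pulls")
```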

Comment 4 Ade Lee 2021-01-11 16:53:40 UTC
Issues with upstream patch - pushed to 16.1.5

