Bug 1889006
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | cvo downloading update graph is not using (ignoring) installed pki root certificates | | |
| Product: | OpenShift Container Platform | Reporter: | Kai-Uwe Rommel <kai-uwe.rommel> |
| Component: | Cluster Version Operator | Assignee: | Over the Air Updates <aos-team-ota> |
| Status: | CLOSED DUPLICATE | QA Contact: | Johnny Liu <jialiu> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.5 | CC: | aos-bugs, jokerman, wking |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-10-16 20:00:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Kai-Uwe Rommel
2020-10-16 18:40:35 UTC
> Apparently, the cluster operator that is downloading the update graph is ignoring the root certificates in /etc/pki/ca-trust in the node's OS.

Yeah, CVO's trust store is isolated from the node's. To configure the CVO's trust store, set trustedCA in the Proxy object [1]. Up through 4.5, the CVO needed both trustedCA and httpsProxy set there in order to consume the trustedCA store. With 4.6 and later, the CVO will consume the trustedCA store regardless of the presence of httpProxy or httpsProxy [2]. Also some related discussion in bug 1773419, which seems like this use case, so I'm closing this one as a dup. Feel free to add further comments to this bug if it doesn't seem like a dup to you.

[1]: https://docs.openshift.com/container-platform/4.5/networking/enable-cluster-wide-proxy.html#nw-proxy-configure-object_config-cluster-wide-proxy
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1797123#c15

*** This bug has been marked as a duplicate of bug 1773419 ***

Yes, it indeed is a duplicate of bug 1773419. Please see my note there. I would expect that it could be easily fixed ... the reporter there already reports that there is a solution which sounds pretty much like a one-liner.
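The Proxy-object configuration that the reply above points to, written out as an added example (it is not from this bug, its reporter, or the CVO project). The ConfigMap name user-ca-bundle and the httpsProxy URL are assumed placeholders; the key ca-bundle.crt is the one OpenShift reads from the referenced ConfigMap, and the certificate body is a constructed placeholder to be replaced with the real root CA PEM.

```yaml
# Added example, not from this bug: give the CVO its own trust anchor via the
# cluster-wide Proxy object, since it does not read the node's /etc/pki/ca-trust.
#
# 1. ConfigMap in openshift-config holding the extra root CA(s).
#    The data key must be ca-bundle.crt; the value below is a constructed
#    placeholder, not a real certificate.
apiVersion: v1
kind: ConfigMap
metadata:
  name: user-ca-bundle            # assumed name; must match spec.trustedCA.name below
  namespace: openshift-config
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    ...PEM body of the root CA that signs the update-graph endpoint...
    -----END CERTIFICATE-----
---
# 2. The singleton Proxy object (always named "cluster") referencing that ConfigMap.
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  name: cluster
spec:
  trustedCA:
    name: user-ca-bundle          # assumed name; see the ConfigMap above
  # Up through 4.5 the CVO only honoured trustedCA when httpsProxy was also set
  # (see [2] in the reply above); from 4.6 on, trustedCA alone is enough.
  # Uncomment on 4.5 only; the URL is an assumed placeholder:
  # httpsProxy: https://proxy.example.com:3128
```

After `oc apply -f` on both objects, `oc get clusterversion version -o yaml` should show the RetrievedUpdates condition turn True once the CVO re-fetches the graph with the new trust store.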