This change proposes dropping support for "insecure" mode on RHV from the installer as #1895874 / PR #4387 adds support for a user friendly way to accept certificates.
Steps required for this change:
1. Close #1857945 / PR #4400 unmerged
2. Merge #1895874 / PR #4387
3. Write and publish documentation that explains this change and how to enable insecure mode by creating an ovirt-config.yaml manually.
4. Cap code paths that lead to the insecure mode and add a message with a link to the documentation.
5. Test all certificate-related installer paths to make sure that certificates are properly stored in ovirt-config.yaml
Impact on customers:
This change is expected to have minimal customer impact as the certificate confirmation gives them an easy way to download and trust certificates.
Reason for this change:
Supporting "insecure" mode does not represent the best practices (using encryption) and should not be readily offered to users. With the improvements to the installer flow it is not expected to affect customers.
PR #4387 adding support for storing certificates in ovirt-config.yaml: https://github.com/openshift/installer/pull/4387
PR #4400 (to be closed) adding confirmation to using insecure mode: https://github.com/openshift/installer/pull/4400
@Peter Lauterbach Can you look at this proposal
@Gal Zaidman this BZ has been created after a discussion with Peter. See https://bugzilla.redhat.com/show_bug.cgi?id=1857945#c9
@Gal please review
openshift - ./openshift-install 4.7.0-0.nightly-2021-01-12-150634
1) before installation add 'ovirt_insecure: true' field to ovirt-config.yaml file
2) install ocp
3) make sure the installation work good
installation complete without any errors
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.