Bug 1900138 - [OCP on RHV] Remove insecure mode from the installer [NEEDINFO]
Summary: [OCP on RHV] Remove insecure mode from the installer
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.7
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
: 4.7.0
Assignee: Gal Zaidman
QA Contact: Guilherme Santos
URL:
Whiteboard:
Depends On: 1895874
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-11-20 22:39 UTC by Janos Pasztor
Modified: 2021-02-24 15:35 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Deprecated Functionality
Doc Text:
This change removes support for the insecure mode from the oVirt installer. Previously, when no certificate could be obtained from the oVirt engine the installer would proceed without certificate verification. Due to recent improvements this is no longer a valid use case and is being deprecated. The user is instead presented with a message explaining the situation and linking to the to-be-written documentation. If the user wants to use insecure mode they have to create a file named ~/.ovirt/ovirt-config.yaml with the following contents before running the installer: ovirt_url: https://ovirt.example.com/ovirt-engine/api ovirt_fqdn: ovirt.example.com ovirt_pem_url: "" ovirt_username: admin@internal ovirt_password: super-secret-password ovirt_insecure: true
Clone Of:
Environment:
Last Closed: 2021-02-24 15:35:07 UTC
Target Upstream Version:
gzaidman: needinfo? (pelauter)


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 4404 0 None closed Bug 1900138: Removed support for insecure mode for oVirt/RHV installation 2021-01-11 16:14:34 UTC
Red Hat Bugzilla 1857945 0 medium CLOSED ovirt: raise a question to users if they would like to continue without TLS verify 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1895874 1 low CLOSED [OCP on RHV] installer should use oVirt certificate during installation 2021-02-24 15:31:58 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:35:33 UTC

Description Janos Pasztor 2020-11-20 22:39:14 UTC
This change proposes dropping support for "insecure" mode on RHV from the installer as #1895874 / PR #4387 adds support for a user friendly way to accept certificates.

Steps required for this change:

1. Close #1857945 / PR #4400 unmerged
2. Merge #1895874 / PR #4387
3. Write and publish documentation that explains this change and how to enable insecure mode by creating an ovirt-config.yaml manually.
4. Cap code paths that lead to the insecure mode and add a message with a link to the documentation.
5. Test all certificate-related installer paths to make sure that certificates are properly stored in ovirt-config.yaml

Impact on customers:

This change is expected to have minimal customer impact as the certificate confirmation gives them an easy way to download and trust certificates.

Reason for this change:

Supporting "insecure" mode does not represent the best practices (using encryption) and should not be readily offered to users. With the improvements to the installer flow it is not expected to affect customers.

References:

PR #4387 adding support for storing certificates in ovirt-config.yaml: https://github.com/openshift/installer/pull/4387
PR #4400 (to be closed) adding confirmation to using insecure mode: https://github.com/openshift/installer/pull/4400

Comment 1 Gal Zaidman 2020-11-22 08:31:11 UTC
@Peter Lauterbach Can you look at this proposal

Comment 2 Janos Pasztor 2020-11-23 10:45:50 UTC
@Gal Zaidman this BZ has been created after a discussion with Peter. See https://bugzilla.redhat.com/show_bug.cgi?id=1857945#c9

Comment 3 Janos Pasztor 2020-11-23 12:32:48 UTC
Proposed

Comment 4 Janos Pasztor 2020-11-23 14:20:05 UTC
@Gal please review

Comment 7 michal 2021-01-14 12:36:57 UTC
verify on: 
rhv 4.4.4.7
openshift - ./openshift-install 4.7.0-0.nightly-2021-01-12-150634

steps:
1) before installation add 'ovirt_insecure: true' field to ovirt-config.yaml file
2) install ocp
3) make sure the installation work good

results:
installation complete without any errors

Comment 9 errata-xmlrpc 2021-02-24 15:35:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633


Note You need to log in before you can comment on or make changes to this bug.