Bug 1945659 - [oVirt] remove ovirt_cafile from ovirt-credentials secret
Summary: [oVirt] remove ovirt_cafile from ovirt-credentials secret
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.8
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 4.8.0
Assignee: Gal Zaidman
QA Contact: Guilherme Santos
URL:
Whiteboard:
Depends On: 1946097
Blocks: 1948398
TreeView+ depends on / blocked
 
Reported: 2021-04-01 14:44 UTC by Gal Zaidman
Modified: 2021-07-27 22:57 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 22:57:07 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 4809 0 None open WIP: Bug 1945659: remove ovirt_cafile from ovirt-credentials secret 2021-04-01 15:29:25 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:57:42 UTC

Description Gal Zaidman 2021-04-01 14:44:49 UTC
Description:

When the user tried to use an ovirt.config with a ca_file the ca_file path is written to the secret but this will not be the path of the file in the created machines which will cause connection errors in the machine object that tries to find the file that doesn't exist.
Instead we should read the file content and write it as the ovirt_ca_bundle in case the ovirt_ca_bundle is not set on the ovirt.config file.

How to test:
1. try to install with insecure true
2. try to install with insecure false and ovirt_ca_bundle and ovirt_cafile set -> make sure that the secret contains the ovirt_ca_bundle content.
3. try to install with insecure false and ovirt_ca_bundle and ovirt_cafile empty -> make sure that the secret contains the ovirt_ca_bundle content.
4. try to install with insecure false and ovirt_ca_bundle empty and ovirt_cafile set to a real file -> make sure that the secret contains the ovirt_cafile content in the ovirt_ca_bundle field.
5. try to install with insecure false and ovirt_ca_bundle empty and ovirt_cafile empty -> install should fail on trying to connect unsuccessfully.

To see the secret without installing just run:
1. openshift-install --dir=${install-dir} create manifests
2. look at cat /${install-dir}/openshift/99_cloud-creds-secret.yaml

Comment 2 Guilherme Santos 2021-04-30 09:47:09 UTC
Verified on:
4.8.0-0.nightly-2021-04-26-151924

Steps:
Generate the manifests file according with the steps in the description
# cat ${installer_working_dir}/openshift/99_cloud-creds-secret.yaml

Results:
1. ovirt_ca_bundle present and empty 
2. ovirt_ca_bundle present with ca file content
3. ovirt_ca_bundle present with ca bundle content
4. ovirt_ca_bundle present with ca file content 
5. ovirt_ca_bundle present and empty with connection issue when generating manifests

Comment 5 errata-xmlrpc 2021-07-27 22:57:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438


Note You need to log in before you can comment on or make changes to this bug.