Description of problem:

As per the documentation, if we add the custom CA certificates in the install-config.yaml file using the "additionalTrustBundle" parameter then the installer program creates a configmap containing that certificate and adds it to the proxy.
--> https://docs.openshift.com/container-platform/4.8/networking/configuring-a-custom-pki.html#installation-configure-proxy_configuring-a-custom-pki

However, in my testing for a customer's use-case, I added the "additionalTrustBundle" parameter only for a custom CA that needs to be trusted and avoided the "proxy" parameter since the proxy wasn't required. Later on, I found that the config map with name "user-ca-bundle" was created by the installer inside the "openshift-config" namespace, but the proxy CRD didn't have the configmap name under the "trustedCA" section and hence the CA certificate wasn't added on the nodes.

Version-Release number of selected component (if applicable):

❯ ./oc version
Client Version: 4.8.9
Server Version: 4.8.9
Kubernetes Version: v1.21.1+9807387

How reproducible:
Every time

Steps to Reproduce:
1. Add a custom CA in the install-config.yaml file using the "additionalTrustBundle" parameter and don't add the proxy parameter.
2. Deploy the cluster and check whether the configmap "user-ca-bundle" is created inside the "openshift-config" namespace.
3. Check "oc get proxy/cluster -o yaml"; it won't contain the configmap name under "trustedCA".

Actual results:
The proxy CRD wasn't referencing the configmap name under "trustedCA" post-installation when the custom CA was added in the install-config.yaml using the "additionalTrustBundle" parameter without proxy.

Expected results:
The configmap name must get referenced in the "trustedCA" field for Proxy.

Additional info:
I am not sure if this is the expected behavior and the configmap name will be referenced in the "trustedCA" field for Proxy only if the proxy parameters were also added in the install-config.yaml file.
If this is the expected behavior then it would be really great to have more information on why this is so.

❯ cat install-config.yaml
apiVersion: v1
baseDomain: ayush.com
additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  MIIC1zCCAb+gAwIBAgIUAyyEn70rv8PRBvjegOO5Sr5gfxgwDQYJKoZIhvcNAQEL
  BQAwEzERMA8GA1UEAwwIY3VzdG9tQ0EwHhcNMjEwOTIwMTIwNjQwWhcNMjUwOTE5
  MTIwNjQwWjATMREwDwYDVQQDDAhjdXN0b21DQTCCASIwDQYJKoZIhvcNAQEBBQAD
  ggEPADCCAQoCggEBAMVy7fa8Jrz/r1R2QEw3Yzv6myLH7srVfochk7I5ZkstMFXd
  HfVWRYmFuGWNFLHridzoW6/Kis79WDS9cNCH4KAkthuZ6l2xx8WyRePZRTLo5Sdq
  yRI8I1id25kc11/JOZy6Y04flX7ugDrWwkZFXRBoWk+YWvmxrFcGuRLWEh1oIBi7
  Xo2eO2EAuFccf+gsEz/DjYO+GAd2NjBqCwQ3c/YaKtlB5CgEO/g/ghOmOQdWHFFJ
  pR817MHeoUsmhFmy6vEc3A/xYhku8+qLsVbc+0kP84llV++mIFe7ytotNAt4Px6O
  ePyTqnituwIK3tdHsbO408D5KSUNHRYtGmWWIWMCAwEAAaMjMCEwDgYDVR0PAQH/
  BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFfs7cL4
  4PSMTOrV7u/en1OQ67+frsc7vlN2Ze/tuCCI/XbvsqSuN7hAuhNfUd18iEbsfAZM
  YySHb4cq+ndcHnhJzJryWpJ8XiaaOLtln/MNCMAGPV2qvbJfr7YEUgECegxM93Wi
  mxysgIu5NBWDrx9kq/e0lt12V5V0cO6qByCBGqYRMpVaDMix4TUiC/XfKYr/ae0A
  zh1RU2H22p90KyiP0nlnEEOG6WBM7HK/7mROWBaJcdZS9HWV6Z+Fs1uzoBYYA570
  4JxpzwRP9FyyLj02I05H2utmSwQRqWh0Hkbdng6JPlos2pkhyzIHXd25pUV/1X80
  YygKuTHdaaJ/5J4=
  -----END CERTIFICATE-----
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  platform: ...
...
...

❯ oc get cm user-ca-bundle -oyaml -n openshift-config
apiVersion: v1
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    MIIC1zCCAb+gAwIBAgIUAyyEn70rv8PRBvjegOO5Sr5gfxgwDQYJKoZIhvcNAQEL
    BQAwEzERMA8GA1UEAwwIY3VzdG9tQ0EwHhcNMjEwOTIwMTIwNjQwWhcNMjUwOTE5
    MTIwNjQwWjATMREwDwYDVQQDDAhjdXN0b21DQTCCASIwDQYJKoZIhvcNAQEBBQAD
    ggEPADCCAQoCggEBAMVy7fa8Jrz/r1R2QEw3Yzv6myLH7srVfochk7I5ZkstMFXd
    HfVWRYmFuGWNFLHridzoW6/Kis79WDS9cNCH4KAkthuZ6l2xx8WyRePZRTLo5Sdq
    yRI8I1id25kc11/JOZy6Y04flX7ugDrWwkZFXRBoWk+YWvmxrFcGuRLWEh1oIBi7
    Xo2eO2EAuFccf+gsEz/DjYO+GAd2NjBqCwQ3c/YaKtlB5CgEO/g/ghOmOQdWHFFJ
    pR817MHeoUsmhFmy6vEc3A/xYhku8+qLsVbc+0kP84llV++mIFe7ytotNAt4Px6O
    ePyTqnituwIK3tdHsbO408D5KSUNHRYtGmWWIWMCAwEAAaMjMCEwDgYDVR0PAQH/
    BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFfs7cL4
    4PSMTOrV7u/en1OQ67+frsc7vlN2Ze/tuCCI/XbvsqSuN7hAuhNfUd18iEbsfAZM
    YySHb4cq+ndcHnhJzJryWpJ8XiaaOLtln/MNCMAGPV2qvbJfr7YEUgECegxM93Wi
    mxysgIu5NBWDrx9kq/e0lt12V5V0cO6qByCBGqYRMpVaDMix4TUiC/XfKYr/ae0A
    zh1RU2H22p90KyiP0nlnEEOG6WBM7HK/7mROWBaJcdZS9HWV6Z+Fs1uzoBYYA570
    4JxpzwRP9FyyLj02I05H2utmSwQRqWh0Hkbdng6JPlos2pkhyzIHXd25pUV/1X80
    YygKuTHdaaJ/5J4=
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  creationTimestamp: "2021-09-20T12:16:32Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:data:
        .: {}
        f:ca-bundle.crt: {}
    manager: cluster-bootstrap
    operation: Update
    time: "2021-09-20T12:16:32Z"
  name: user-ca-bundle
  namespace: openshift-config
  resourceVersion: "1377"
  uid: 514d07c4-7494-4c55-a38c-88953b6ef4cc

❯ oc get proxy/cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  creationTimestamp: "2021-09-20T12:16:09Z"
  generation: 1
  managedFields:
  - apiVersion: config.openshift.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:spec:
        .: {}
        f:trustedCA:
          .: {}
          f:name: {}
      f:status: {}
    manager: cluster-bootstrap
    operation: Update
    time: "2021-09-20T12:16:09Z"
  name: cluster
  resourceVersion: "675"
  uid: ef42f2f1-74ad-4b30-8da5-7e2db5b6e09e
spec:
  trustedCA:
    name: ""
status: {}
(In reply to aygarg from comment #0)
> However, in my testing for a customer's use-case, I added the
> "additionalTrustBundle" parameter only for a custom CA that needs to be
> trusted and avoided the "proxy" parameter since the proxy wasn't required.

Previous report of this as surprising behavior in bug 1771564, which we'd addressed by landing installer-side docs [1]:

  If `additionalTrustBundle` and at least one `proxy` setting are configured, the `cluster` Proxy object will be configured with `trustedCA` referencing the additional trust bundle.

But I don't see similar wording in openshift-docs, in either of the two locations I'd expect to mention it [2,3]. I'm moving this bug to docs so they can add similar wording in their more official, more discoverable repository. And I'm moving the version back to 4.6 (our oldest, currently-supported version) because this is how the installer has always treated this property.

[1]: https://github.com/openshift/installer/pull/3039/files
[2]: https://github.com/openshift/openshift-docs/blame/2ff0a7d0016de46dbca9e09de952c5794e7249a8/modules/installation-configure-proxy.adoc#L114-L121
[3]: https://github.com/openshift/openshift-docs/blame/2ff0a7d0016de46dbca9e09de952c5794e7249a8/modules/installation-configuration-parameters.adoc#L445
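The installer rule quoted in comment 1 and the gap observed in comment 0, as an added post-install check (example code written for this page; it is not from the bug report, the OpenShift installer or openshift-docs). It works on dict-shaped inputs like the output of `oc get ... -o json`, so it runs offline; the sample install-config, Proxy object and configmap are constructed to mirror what the report shows, with the certificate body replaced by a placeholder.

```python
"""Post-install check: is the CA from additionalTrustBundle actually wired
into proxy/cluster, or did it only land in a configmap nobody references?

Added example, not part of the bug report or any OpenShift component.
"""
from typing import Any, Dict, List

USER_CA_BUNDLE = "user-ca-bundle"   # configmap the installer creates from additionalTrustBundle
CONFIG_NS = "openshift-config"      # namespace that configmap lives in
PROXY_KEYS = ("httpProxy", "httpsProxy", "noProxy")


def installer_will_reference_bundle(install_config: Dict[str, Any]) -> bool:
    """Model of the installer rule quoted in comment 1: spec.trustedCA is
    populated only when additionalTrustBundle is set AND at least one proxy
    setting is set. Returns what the installer is expected to do, so a
    False here for a config that carries a bundle is the situation in comment 0."""
    bundle = (install_config.get("additionalTrustBundle") or "").strip()
    proxy = install_config.get("proxy") or {}
    return bool(bundle) and any(proxy.get(key) for key in PROXY_KEYS)


def audit_trusted_ca(install_config: Dict[str, Any],
                     proxy_obj: Dict[str, Any],
                     configmaps: List[Dict[str, Any]]) -> List[str]:
    """Compare what install-config asked for with what the cluster holds.
    Returns a list of findings; an empty list means the CA is distributed."""
    findings: List[str] = []
    bundle_given = bool((install_config.get("additionalTrustBundle") or "").strip())
    cm_names = {
        cm["metadata"]["name"]
        for cm in configmaps
        if cm.get("metadata", {}).get("namespace") == CONFIG_NS
    }
    spec = proxy_obj.get("spec") or {}
    trusted = (spec.get("trustedCA") or {}).get("name", "") or ""

    if bundle_given and USER_CA_BUNDLE not in cm_names:
        findings.append(f"additionalTrustBundle set but configmap {CONFIG_NS}/{USER_CA_BUNDLE} is missing")
    if bundle_given and trusted != USER_CA_BUNDLE:
        findings.append(
            f"additionalTrustBundle set but proxy/cluster spec.trustedCA.name is {trusted!r}; "
            "the CA will not be distributed to nodes"
        )
    if trusted and trusted not in cm_names:
        findings.append(f"proxy/cluster references configmap {trusted!r}, which does not exist in {CONFIG_NS}")
    return findings


# Constructed sample data mirroring the report; the certificate body is a placeholder.
PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\n<constructed placeholder>\n-----END CERTIFICATE-----\n"

INSTALL_CONFIG_NO_PROXY = {            # what comment 0 used: bundle, no proxy block
    "apiVersion": "v1",
    "baseDomain": "ayush.com",
    "additionalTrustBundle": PLACEHOLDER_PEM,
}
INSTALL_CONFIG_WITH_PROXY = dict(      # hypothetical variant with one proxy setting
    INSTALL_CONFIG_NO_PROXY, proxy={"httpProxy": "http://proxy.example.com:3128"}
)

PROXY_AS_OBSERVED = {                  # shape of `oc get proxy/cluster` in comment 0
    "apiVersion": "config.openshift.io/v1", "kind": "Proxy",
    "metadata": {"name": "cluster"},
    "spec": {"trustedCA": {"name": ""}}, "status": {},
}
PROXY_EXPECTED = {                     # what the reporter expected to see
    "apiVersion": "config.openshift.io/v1", "kind": "Proxy",
    "metadata": {"name": "cluster"},
    "spec": {"trustedCA": {"name": USER_CA_BUNDLE}}, "status": {},
}
CONFIGMAPS = [{                        # the configmap the installer did create
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": USER_CA_BUNDLE, "namespace": CONFIG_NS},
    "data": {"ca-bundle.crt": PLACEHOLDER_PEM},
}]

if __name__ == "__main__":
    print("installer will reference bundle (no proxy):",
          installer_will_reference_bundle(INSTALL_CONFIG_NO_PROXY))
    for finding in audit_trusted_ca(INSTALL_CONFIG_NO_PROXY, PROXY_AS_OBSERVED, CONFIGMAPS):
        print("FINDING:", finding)
```

Feed it the JSON of `oc get proxy/cluster -o json` and `oc get cm -n openshift-config -o json` (the `items` list) after installation; a non-empty finding list is exactly the state in comment 0: the configmap exists, but nothing references it, so the bundle never reaches the nodes. Per the installer doc string, the install-time remedy is to set at least one proxy field alongside the bundle; after installation, the custom-PKI docs linked in comment 0 describe pointing the Proxy object's spec.trustedCA.name at user-ca-bundle.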
Bug 2009629 is also up in this space, and may result in refined suggestions for install-config for transparent proxies. The installer's doc string quoted in comment 1 would still apply, so I don't think this doc work needs to block on bug 2009629, but it might be worth giving some time for bug 2009629 to reach consensus before moving on the docs front.
PR: https://github.com/openshift/openshift-docs/pull/37992