Bug 2010921 - Azure Stack Hub does not handle additionalTrustBundle
Summary: Azure Stack Hub does not handle additionalTrustBundle
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.10
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.10.0
Assignee: Patrick Dillon
QA Contact: Mike Gahagan
URL:
Whiteboard:
Depends On:
Blocks: 2012173
TreeView+ depends on / blocked
 
Reported: 2021-10-05 15:54 UTC by Patrick Dillon
Modified: 2022-03-10 16:17 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2012173 (view as bug list)
Environment:
Last Closed: 2022-03-10 16:17:15 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 5248 0 None open Bug 2010921: Azure Stack: add trust bundle to cloud config 2021-10-05 16:02:37 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:17:38 UTC

Description Patrick Dillon 2021-10-05 15:54:44 UTC
Platform: Azure Stack Hub
IPI & UPI

Azure Stack Hub does not add the additionalTrustBundle to the cloud provider config or the bootstrap ignition stub, so this does not allow for installation in environments that need certificates signed by internal CAs. 

Our new environment Azure Stack environment, WWT, uses certificates signed by internal CAs so we see that installations fail there.

First, installations fail when trying to pull ignition from the storage blob. This can be handled in the UPI instructions.

Second, installations fail when operators do not have the trust bundle. 

The installer needs to place the additional trust bundle in the cloud provider config, then we need to follow up with operators to make sure they are using it. The operators we know we need to follow up with are:
CCM (cloud team and machine-api for 4.10 only)
image registry
storage
network edge for ingress controller

Comment 4 Mike Gahagan 2021-12-06 18:33:00 UTC
Confirmed we can now handle the self-signed certificate our ASH instance uses for cluster installation. Once the bootstrap ignition is updated to include the cert the bootstrap node will then download necessary content for installation and the cluster will use it without issues.

Comment 7 errata-xmlrpc 2022-03-10 16:17:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056


Note You need to log in before you can comment on or make changes to this bug.