Bug 2049169 - oVirt CSI driver should use the trusted CA bundle when cluster proxy is configured
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.11.0
Assignee: Jan Safranek
QA Contact: Wei Duan
URL:
Whiteboard:
Depends On:
Blocks: 2050118
Reported: 2022-02-01 17:01 UTC by Jan Safranek
Modified: 2022-08-10 10:46 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-10 10:46:22 UTC
Target Upstream Version:
Embargoed:


Links:
- GitHub openshift/ovirt-csi-driver-operator pull 83 (open): "Bug 2049169: Add custom CA bundle support", last updated 2022-02-01 17:30:46 UTC
- Red Hat Product Errata RHSA-2022:5069, last updated 2022-08-10 10:46:54 UTC

Description Jan Safranek 2022-02-01 17:01:04 UTC
Description of problem:
When a trusted CA bundle is configured, the oVirt CSI driver should use it.

Version-Release number of selected component (if applicable):
4.10.nightly

How reproducible:
always

Steps to Reproduce:
1. Configure HTTPS proxy with a custom CA.

Actual results:
The CSI driver does not use the CA bundle and can't connect through it.

This is fallout of https://bugzilla.redhat.com/show_bug.cgi?id=2038934, we forgot about oVirt when updating library-go in all CSI driver operators.

Comment 3 Wei Duan 2022-04-12 03:56:17 UTC
Verified as passed on 4.11.0-0.nightly-2022-04-07-053433 with the following steps:
1. Check the proxy and user-ca-bundle
$ oc get proxy cluster -o yaml
spec:
  httpProxy: http://10.37.141.131:3128
  noProxy: localhost,example.com,oauth-openshift.apps.ge3n1.ocp.rhev.lab.eng.brq.redhat.com
  trustedCA:
    name: user-ca-bundle
status:
  httpProxy: http://10.37.141.131:3128
  noProxy: .cluster.local,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,172.30.0.0/16,api-int.ge3n1.ocp.rhev.lab.eng.brq.redhat.com,example.com,localhost,oauth-openshift.apps.ge3n1.ocp.rhev.lab.eng.brq.redhat.com

2. Check user-ca-bundle content
# oc -n openshift-config get cm user-ca-bundle -o yaml
apiVersion: v1
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx
    
3. The user-ca-bundle content is present in the following configmap
# oc -n openshift-cluster-csi-drivers get cm ovirt-csi-driver-trusted-ca-bundle -o yaml | grep "MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx"
    MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx

4. Check CSI pod:
# oc -n openshift-cluster-csi-drivers get pod ovirt-csi-driver-controller-78b8cb7586-9xs44 -o yaml
    - name: HTTP_PROXY
      value: http://10.37.141.131:3128
    - name: NO_PROXY
      value: .cluster.local,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,172.30.0.0/16,api-int.ge3n1.ocp.rhev.lab.eng.brq.redhat.com,example.com,localhost,oauth-openshift.apps.ge3n1.ocp.rhev.lab.eng.brq.redhat.com
    volumeMounts:
    - mountPath: /etc/pki/ca-trust/extracted/pem
      name: non-standard-root-system-trust-ca-bundle
      readOnly: true

5. Check inside the pod that the user-ca-bundle content is included in the /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem file
sh-4.4# grep "MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx" /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx

6. Check CSI provisioning works.
# oc get pvc,pod
NAME                               STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
persistentvolumeclaim/mypvc-test   Bound    pvc-51da5357-c38d-4ad2-b7b2-bb9f7caab8b1   20Gi       RWO            ovirt-csi-sc   47s

NAME             READY   STATUS    RESTARTS   AGE
pod/mypod-test   1/1     Running   0          47s
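
An added check for steps 2, 3 and 5 above (example code, not part of the bug report or of the operator): it compares whole PEM certificate blocks from the user-ca-bundle ConfigMap against the bundle mounted in the driver pod, so a partially merged bundle is caught even when a grep for one base64 line would succeed. The sample bundles are constructed placeholders, not real certificates.

```python
import re

# Matches one PEM certificate block; group 1 is the base64 payload.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_bodies(bundle_text):
    """Return the set of certificate bodies in a PEM bundle, with all
    whitespace stripped so that re-wrapped bundles still compare equal."""
    return {re.sub(r"\s+", "", m.group(1)) for m in PEM_BLOCK.finditer(bundle_text)}


def missing_certs(user_bundle, trusted_bundle):
    """Certificate bodies present in the user-ca-bundle ConfigMap content
    but absent from the bundle the CSI driver pod actually trusts."""
    return sorted(pem_bodies(user_bundle) - pem_bodies(trusted_bundle))


def bundle_propagated(user_bundle, trusted_bundle):
    """True when every user-supplied CA reached the driver's trusted bundle."""
    return not missing_certs(user_bundle, trusted_bundle)


# Constructed sample data: placeholder base64 bodies, not real certificates,
# since only whole-block text equality is being checked.
USER_BUNDLE = """-----BEGIN CERTIFICATE-----
AAAAproxyCA0001
AAAAproxyCA0002
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BBBBproxyCA0003
-----END CERTIFICATE-----
"""
SYSTEM_ROOT = "-----BEGIN CERTIFICATE-----\nCCCCsystemroot\n-----END CERTIFICATE-----\n"

# Bundle as merged into /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:
# system roots followed by the user CAs.
TRUSTED_OK = SYSTEM_ROOT + USER_BUNDLE
# Only the first user CA was merged; a grep for its first base64 line would
# still succeed on this bundle, but the whole-block comparison reports the gap.
TRUSTED_PARTIAL = SYSTEM_ROOT + (
    "-----BEGIN CERTIFICATE-----\nAAAAproxyCA0001\nAAAAproxyCA0002\n"
    "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("complete bundle ok:", bundle_propagated(USER_BUNDLE, TRUSTED_OK))
    print("partial bundle missing:", missing_certs(USER_BUNDLE, TRUSTED_PARTIAL))
```

On a live cluster, feed it the output of `oc -n openshift-config get cm user-ca-bundle -o jsonpath='{.data.ca-bundle\.crt}'` and of `oc -n openshift-cluster-csi-drivers exec <controller-pod> -- cat /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`.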

Comment 6 errata-xmlrpc 2022-08-10 10:46:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069
