Description of problem:
When trusted CA bundle is configured, oVirt CSI driver should use it.

Version-Release number of selected component (if applicable):
4.10.nightly

How reproducible:
always

Steps to Reproduce:
1. Configure HTTPS proxy with a custom CA.

Actual results:
The CSI driver does not use the CA bundle and can't connect through it.

This is fallout of https://bugzilla.redhat.com/show_bug.cgi?id=2038934, we forgot about oVirt when updating library-go in all CSI driver operators.
Verified pass on 4.11.0-0.nightly-2022-04-07-053433 with following steps:

1. Check the proxy and user-ca-bundle

$ oc get proxy cluster -o yaml
spec:
  httpProxy: http://10.37.141.131:3128
  noProxy: localhost,example.com,oauth-openshift.apps.ge3n1.ocp.rhev.lab.eng.brq.redhat.com
  trustedCA:
    name: user-ca-bundle
status:
  httpProxy: http://10.37.141.131:3128
  noProxy: .cluster.local,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,172.30.0.0/16,api-int.ge3n1.ocp.rhev.lab.eng.brq.redhat.com,example.com,localhost,oauth-openshift.apps.ge3n1.ocp.rhev.lab.eng.brq.redhat.com

2. Check user-ca-bundle content

# oc -n openshift-config get cm user-ca-bundle -o yaml
apiVersion: v1
data:
  ca-bundle.crt: |
    -----BEGIN CERTIFICATE-----
    MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx

3. The user-ca-bundle content in following configmap

# oc -n openshift-cluster-csi-drivers get cm ovirt-csi-driver-trusted-ca-bundle -o yaml | grep "MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx"
MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx

4. Check CSI pod:

# oc -n openshift-cluster-csi-drivers get pod ovirt-csi-driver-controller-78b8cb7586-9xs44 -o yaml
    - name: HTTP_PROXY
      value: http://10.37.141.131:3128
    - name: NO_PROXY
      value: .cluster.local,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,172.30.0.0/16,api-int.ge3n1.ocp.rhev.lab.eng.brq.redhat.com,example.com,localhost,oauth-openshift.apps.ge3n1.ocp.rhev.lab.eng.brq.redhat.com
    volumeMounts:
    - mountPath: /etc/pki/ca-trust/extracted/pem
      name: non-standard-root-system-trust-ca-bundle
      readOnly: true

5. Check inside the pod the user-ca-bundle content is included in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem file

sh-4.4# grep "MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx" /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
MIIEJjCCAw6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx

6. Check CSI provisioning works.

# oc get pvc,pod
NAME                               STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
persistentvolumeclaim/mypvc-test   Bound    pvc-51da5357-c38d-4ad2-b7b2-bb9f7caab8b1   20Gi       RWO            ovirt-csi-sc   47s

NAME             READY   STATUS    RESTARTS   AGE
pod/mypod-test   1/1     Running   0          47s
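
The grep in steps 3 and 5 matches only the first base64 line of the certificate, which covers the first 48 bytes of its encoding. A stricter check compares a SHA-256 fingerprint of every certificate in user-ca-bundle against the mounted tls-ca-bundle.pem; this is an added example, not part of the bug report or the operator's code. All function names and the sample byte strings are constructed for illustration, and real input would be the ca-bundle.crt value from step 2 and the file from step 5.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_pem(der):
    """Wrap raw bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprints(pem_text):
    """SHA-256 of the decoded bytes of every certificate block, in order."""
    return [hashlib.sha256(
                base64.b64decode("".join(b.split()), validate=True)).hexdigest()
            for b in PEM_RE.findall(pem_text)]

def first_line_match(user_bundle, mounted_bundle):
    """The grep from steps 3 and 5: first base64 line of the first certificate."""
    first_line = PEM_RE.search(user_bundle).group(1).split()[0]
    return first_line in mounted_bundle

def missing_from_bundle(user_bundle, mounted_bundle):
    """Fingerprints of user-supplied certificates absent from the mounted bundle."""
    user = fingerprints(user_bundle)
    if not user:
        raise ValueError("no certificates found in user bundle")
    mounted = set(fingerprints(mounted_bundle))
    return [fp for fp in user if fp not in mounted]

# Constructed sample data: placeholder byte strings, not real certificates.
# Both share their first 48 bytes, so their first base64 line is identical.
PREFIX = b"\x30\x82" + b"\x00" * 46
CUSTOM_CA = PREFIX + b"constructed custom CA"
LOOKALIKE = PREFIX + b"constructed unrelated CA"
SYSTEM_CA = b"\x30\x82" + b"\x01" * 60

USER_BUNDLE = to_pem(CUSTOM_CA)
MOUNTED_OK = to_pem(SYSTEM_CA) + to_pem(CUSTOM_CA)
MOUNTED_WRONG = to_pem(SYSTEM_CA) + to_pem(LOOKALIKE)

if __name__ == "__main__":
    for name, mounted in (("ok", MOUNTED_OK), ("wrong", MOUNTED_WRONG)):
        print(name, first_line_match(USER_BUNDLE, mounted),
              missing_from_bundle(USER_BUNDLE, mounted))
```

An empty result from missing_from_bundle means every user-supplied certificate is present in the mounted bundle, regardless of line wrapping or line endings.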
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069