- Bug
- Resolution: Done
- Normal
- ACM 2.10.Z
- Moderate
- Customer Facing, Customer Reported
Description of problem:
The install is successfully creating the required CoreOS image and ignition image in glance and then deploying x3 masters and x1 bootstrap, which is where the install now fails. Looking at the console on the bootstrap node, we can see that it is attempting to pull the ignition image from glance and failing with the below error:
GET error: Get "https://openstack-disconnected.co.uk:13292//v2/images/<< imageID >>/file" tls: failed to verify certificate: x509: certificate signed by unknown authority.
Deploying on OpenStack
Version-Release number of selected component (if applicable):
- ACM 2.10
How reproducible:
Always
Steps to Reproduce:
- Set own cacert in clouds.yaml
Actual results:
Expected results:
Additional info:
The issue is with the OpenStack Credentials, specifically under the section "Red Hat OpenStack Platform"
It requires 3 inputs
- OpenStack clouds.yaml
- Cloud name
- Internal CA
When you provide it with the clouds.yaml provided by OpenStack, it doesn't include a section for "cacert", which is used when you are using a custom CA. This line gets injected by ACM into the clouds.yaml file when you put the CA into the "Internal CA" input field. However, it is putting the cacert entry into the wrong section (e.g. incorrectly indented, see below). As it is incorrectly indented, it is ignored.
Example of where ACM inserts the cacert line
clouds:
  openstack:
    auth:
      auth_url: ..
      username: ....
      password: ...
      project_id: ...
      project_name: ...
      user_domain_name: ...
      cacert: /etc/openstack-ca/ca.crt   # <<<<<<<---- ACM is inserting the cacert line here
    region_name: "regionOne"
    interface: "public"
    identity_api_version: 3
Example of where it should have inserted the cacert line
clouds:
  openstack:
    auth:
      auth_url: ..
      username: ....
      password: ...
      project_id: ...
      project_name: ...
      user_domain_name: ...
    cacert: /etc/openstack-ca/ca.crt   # <<<<<<<---- Correct indentation for the cacert line here
    region_name: "regionOne"
    interface: "public"
    identity_api_version: 3
The current workaround is to duplicate the line entry but with the correct indentation, e.g. the working config below:
clouds:
  openstack:
    auth:
      auth_url: ..
      username: ....
      password: ...
      project_id: ...
      project_name: ...
      user_domain_name: ...
      cacert: /etc/openstack-ca/ca.crt   # <<<<<<<---- ACM is inserting the cacert line here
    cacert: /etc/openstack-ca/ca.crt   # <<<<<<<---- Duplicate Correct indentation for the cacert line here
    region_name: "regionOne"
    interface: "public"
    identity_api_version: 3
With this config I can now successfully deploy a cluster and ACM / OCP Installer is now trusting the CA on the OpenStack endpoints.
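A way to catch the misplacement before a deployment is attempted, as an added example that is not part of the original report and is not ACM or installer code: it walks a clouds.yaml by indentation and lists clouds whose only cacert entry sits under auth. The function names and the sample file are constructed for illustration, and the walker assumes block-style YAML mappings indented with spaces.

```python
import re

# Matches "key:" at any indentation (block-style YAML mappings only).
KEY_RE = re.compile(r"^( *)([\w.-]+):(?:\s|$)")

def key_paths(text):
    """Yield (path, line_no) for each mapping key, tracking nesting by indent."""
    stack = []  # (indent, key) pairs from the document root to the current key
    for line_no, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if not m:
            continue  # blank lines, comments, list items, continuations
        indent = len(m.group(1))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, m.group(2)))
        yield tuple(key for _, key in stack), line_no

def cacert_locations(text):
    """Map cloud name -> {'cloud': line or None, 'auth': line or None}."""
    found = {}
    for path, line_no in key_paths(text):
        if len(path) < 2 or path[0] != "clouds":
            continue
        entry = found.setdefault(path[1], {"cloud": None, "auth": None})
        if path[2:] == ("cacert",):
            entry["cloud"] = line_no
        elif path[2:] == ("auth", "cacert"):
            entry["auth"] = line_no
    return found

def clouds_with_ignored_cacert(text):
    """Clouds whose only cacert sits under auth, where this report says it is ignored."""
    return sorted(n for n, e in cacert_locations(text).items()
                  if e["auth"] and not e["cloud"])

# Constructed sample input (values are placeholders, not from a real cloud).
BROKEN = """\
clouds:
  openstack:
    auth:
      auth_url: https://keystone.example.test:13000
      cacert: /etc/openstack-ca/ca.crt
    region_name: "regionOne"
"""
FIXED = BROKEN.replace("      cacert:", "    cacert:")
WORKAROUND = BROKEN.replace("    region_name", "    cacert: /etc/openstack-ca/ca.crt\n    region_name")

if __name__ == "__main__":
    for name, doc in [("broken", BROKEN), ("fixed", FIXED), ("workaround", WORKAROUND)]:
        print(name, clouds_with_ignored_cacert(doc), cacert_locations(doc))
```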
Links to:
- RHSA-2024:135868 Red Hat Advanced Cluster Management 2.12.0 security and bug fixes