- Bug
- Resolution: Unresolved
- Critical
- MCE 2.9.0
- Incidents & Support
- Workload Mgmt Train 32 - 2, Workload Mgmt Train 33 - 1, Workload Mgmt Train 33 - 2, Workload Mgmt Train 34 - 1, App Mgmt - Train-34 - Sprint 2, App - Train 35 - 1, App - Train 35 - 2
- Important
- Customer Facing
Description of problem:
MCE 2.9 does not respect the trusted-ca-bundle with a customer CA in an environment with a MITM proxy
Version-Release number of selected component (if applicable):
MCE 2.9
How reproducible:
always
Steps to Reproduce:
- set up a MITM proxy
- install MCE
- try to create a new cluster
Actual results:
$ oc logs cluster-image-set-controller-76fd5c5698-rrvkc| less
...
2025-08-25T13:43:32.486303395Z error syncing clusterImageSets: Get "https://github.com/stolostron/acm-hive-openshift-releases.git/info/refs?service=git-upload-pack": tls: failed to verify certificate: x509: certificate signed by unknown authority
Release image is empty when you want to create a new cluster
Expected results:
cluster-image-set-controller should respect the trusted-ca-bundle and be able to pull the releases with a MITM proxy
Additional info:
workaround possible by adding the configmap to the deployment:
oc -n multicluster-engine set volume deployment/cluster-image-set-controller --add --type configmap --configmap-name trusted-ca-bundle --name trusted-ca-bundle --mount-path /etc/pki/tls/certs/ --overwrite