Task
Resolution: Done
ACM 2.10.0
If the image service is provided OSImage references that are directed towards an HTTPS server for which the CA is unknown to the image service, it is now possible to specify the CA during installation of the image service so that the CA may be correctly handled.
This is performed using a combination of a ConfigMap containing the certificate `tls.crt` and a LocalObjectReference `OSImageCACertRef` added to the `AgentServiceConfig`.
Create an informative issue (See each section, incomplete templates/issues won't be triaged)
Using the current documentation as a model, please complete the issue template.
Note: Doc team updates the current version and the two previous versions (n-2). For earlier versions, we will address only high-priority, customer-reported issues for releases in support.
Prerequisite: Start with what we have
Always look at the current documentation to describe the change that is needed. Use the source or portal link for Step 4:
- Use the Customer Portal: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes
- Use the GitHub link to find the staged docs in the repository: https://github.com/stolostron/rhacm-docs
Describe the changes in the doc and link to your dev story
Provide info for the following steps:
1. - [x] Mandatory Add the required version to the Fix version/s field.
2. - [x] Mandatory Choose the type of documentation change.
- [x] New topic in an existing section or new section
- [ ] Update to an existing topic
3. - [x] Mandatory for GA content:
- [x] Add steps and/or other important conceptual information here:
- The user will install the infrastructure operator on their cluster. This guide assumes that this is installed.
- The user will have a copy of the CA certificate that they want to use
- This will be placed into a ConfigMap called `image-service-additional-ca` within the same namespace as the infrastructure operator.
- The content of this ConfigMap should be a single key `tls.crt` with a string representation of the certificate as the value.
- Typically, a command such as the one below may be used to create the certificate.

```
oc -n multicluster-engine create configmap image-service-additional-ca --from-file=tls.crt
```

Once the certificate has been created, the user is expected to add a reference to the certificate to their `AgentServiceConfig`, as can be seen below.
The infrastructure operator should then proceed to bring up the assisted-service, assisted-image-service and so on; these should launch without error.

```yaml
apiVersion: agent-install.openshift.io/v1beta1
kind: AgentServiceConfig
metadata:
  name: agent
spec:
  OSImageCACertRef:
    name: image-service-additional-ca
  osImages:
    - openshiftVersion: "4.14"
      version: "414.92.202310170514-0"
      url: "https://my-image-server/rhcos-4.14.0-rc.0-x86_64-live.x86_64.iso"
      cpuArchitecture: "x86_64"
    - openshiftVersion: "4.15"
      version: "414.92.202310170514-0"
      url: "https://my-image-server/rhcos-4.15.0-rc.0-x86_64-live.x86_64.iso"
      cpuArchitecture: "x86_64"
  ...
  ...
```
- [x] Add Required access level for the user to complete the task here:
- The user is expected to have permissions to create an installation of the infrastructure operator using AgentServiceConfig.
- For verification, the user should have access to OC and be able to fully list and view objects in the same namespace as the infrastructure operator.
- [x] Add verification at the end of the task, how does the user verify success (a command to run or a result to see?)
The user should make a call to OC, where `multicluster-engine` should be substituted for the namespace in which the infrastructure operator is installed.

```
oc get pods -n multicluster-engine
```

They should see that the assisted-service and assisted-image-service are correctly brought up and running.
In particular, when checking the logs of the assisted-image-service, they should see that there are no reported errors and that, after some time (to download the necessary ISOs), all ISOs have been downloaded.
- [x] Add link to dev story here:
4. - [x] Mandatory for bugs: What is the diff? Clearly define what the problem is, what the change is, and link to the current documentation:
This is not a bug but is a new feature.
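
A pre-flight check for the `tls.crt` value from the steps above, as an added example that is not part of the original issue or of the assisted-service code base: it confirms that every PEM block is a currently valid CA certificate and rejects any other block type, since ConfigMap contents are not stored as secrets. The names `checkCABundle` and `constructedCert` are hypothetical, and the certificates are throwaway ones generated in-process as constructed sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkCABundle (hypothetical helper) vets the tls.crt value: every PEM block
// must be a CA certificate valid at now. It returns the number of CAs found.
func checkCABundle(pemData []byte, now time.Time) (int, error) {
	count := 0
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" { // e.g. a private key pasted into the file
			return count, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return count, fmt.Errorf("certificate %d: %w", count+1, err)
		}
		if !cert.BasicConstraintsValid || !cert.IsCA {
			return count, fmt.Errorf("%q is not a CA certificate", cert.Subject.CommonName)
		}
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			return count, fmt.Errorf("%q is outside its validity period", cert.Subject.CommonName)
		}
		count++
	}
	if count == 0 {
		return 0, fmt.Errorf("no PEM certificate found")
	}
	return count, nil
}

// constructedCert self-signs a throwaway certificate; constructed sample input only.
func constructedCert(cn string, isCA bool, notAfter time.Time) []byte {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() { fmt.Println(checkCABundle(constructedCert("constructed-ca", true, time.Now().Add(time.Hour)), time.Now())) }
```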
- is duplicated by: ACM-9889 New feature: Support HTTPS osImages in assisted-image-service with CA (Closed)