-
Story
-
Resolution: Done
-
Normal
-
None
-
None
-
None
-
None
-
False
-
True
-
-
Hypershift Sprint 5, Hypershift Sprint 6, Hypershift Sprint 7, Hypershift Sprint 8, Hypershift Sprint 9, Hypershift Sprint 10, Hypershift Sprint 11, Hypershift Sprint 12, Hypershift Sprint 13, Hypershift Sprint 14
-
0
-
0
-
0
The standalone OCP installer allows specifying an additional trust bundle in the install-config.yaml (https://github.com/openshift/installer/blob/342906e784513271fa0bb4f1bf0e808d0cc2b44b/pkg/types/installconfig.go#L80)
The installer uses this to create a configmap named user-ca-bundle in the openshift-config namespace of the target cluster (https://github.com/openshift/installer/blob/master/pkg/asset/manifests/additionaltrustbundleconfig.go#L65-L75)
The MCO also uses the additional trust bundle to place it in the filesystem of nodes via ignition (https://github.com/openshift/machine-config-operator/blob/b50080b6bdc344496dc001bf7f0b25fce5d039d6/cmd/machine-config-operator/bootstrap.go#L69)
In Hypershift, we would need to:
1) add an AdditionalTrustBundle field to the spec of HostedCluster and HostedControlPlane (we need to decide if the pem-encoded bundle should be embedded directly in the CR as in install-config or referenced via LocalObjectReference)
(https://github.com/openshift/hypershift/blob/main/api/v1alpha1/hostedcluster_types.go#L74 and https://github.com/openshift/hypershift/blob/a6c7ef84e75eb401b6fc7bd3a2f4a5d0d1ad0588/api/v1alpha1/hosted_controlplane.go#L27 )
2) ensure that the new field is copied from the HostedCluster to the HostedControlPlane (and if we choose to go the reference route, copy the configmap to the control plane namespace)
(https://github.com/openshift/hypershift/blob/a6c7ef84e75eb401b6fc7bd3a2f4a5d0d1ad0588/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go#L990-L1018 and similar to https://github.com/openshift/hypershift/blob/a6c7ef84e75eb401b6fc7bd3a2f4a5d0d1ad0588/hypershift-operator/controllers/hostedcluster/hostedcluster_controller.go#L681-L705)
3) add code to the hosted-cluster-config-operator to lay down the additional trust bundle into the openshift-config namespace (Similar to https://github.com/openshift/hypershift/blob/a6c7ef84e75eb401b6fc7bd3a2f4a5d0d1ad0588/hosted-cluster-config-operator/controllers/resources/resources.go#L308-L311)
4) Update the code that generates the MCO/MCS pod to pass the additional trust bundle parameter to the MCO bootstrap command (https://github.com/openshift/hypershift/blob/a6c7ef84e75eb401b6fc7bd3a2f4a5d0d1ad0588/ignition-server/controllers/machineconfigserver_ignitionprovider.go#L182-L440)
