Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-13535

AdditionalTrustBundle is only included when doing mirroring

XMLWordPrintable

    • Important
    • No
    • Sprint 236
    • 1
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      Previously, during an Agent-based installation, the certificates in the `AdditionalTrustBundle` field of the `install-config.yaml` file were only propagated to the final image when the `ImageContentSources` field was also set for mirroring. If mirroring was not set, then the additional certificates were on the bootstrap but not the final image.

      This can cause issues when the user has set up a proxy and wants to add additional certs as described link:https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#installation-configure-proxy_configuring-a-custom-pki[here].

      With this update, these additional certificates are propagated to the final image whether or not the `ImageContentSources` field is also set. (link:https://issues.redhat.com/browse/OCPBUGS-13535[*OCPBUGS-13535*])
      Show
      Previously, during an Agent-based installation, the certificates in the `AdditionalTrustBundle` field of the `install-config.yaml` file were only propagated to the final image when the `ImageContentSources` field was also set for mirroring. If mirroring was not set, then the additional certificates were on the bootstrap but not the final image. This can cause issues when the user has set up a proxy and wants to add additional certs as described link: https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#installation-configure-proxy_configuring-a-custom-pki [here]. With this update, these additional certificates are propagated to the final image whether or not the `ImageContentSources` field is also set. (link: https://issues.redhat.com/browse/OCPBUGS-13535 [* OCPBUGS-13535 *])
    • Bug Fix
    • Done

      Description of problem:

      The AdditionalTrustBundle field in install-config.yaml can be used to add additional certs, however these certs are only propagated to the final image when the ImageContentSources field is also set for mirroring. If mirroring is not set then the additional certs will be on the bootstrap but not the final image.

This can cause a problem when user has set up a proxy and wants to add additional certs as described here https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#installation-configure-proxy_configuring-a-custom-pki

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      1. In install-config.yaml set additionalTrustBundle and don't set imageContentSources.
2. Do an installation using the install-config.yaml.
3. After the final image is installed and rebooted view the certs in /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt.

      Actual results:

      The certs defined in additionalTrustBundle are not in /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt.

      Expected results:

      The certs defined in additionalTrustBundle will be in /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt even when imgeContentSources are not defined.

      Additional info:

       

              bfournie@redhat.com Robert Fournier
              bfournie@redhat.com Robert Fournier
              Biagio Manzari Biagio Manzari
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: