Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-13535

AdditionalTrustBundle is only included when doing mirroring

    XMLWordPrintable

Details

    • Important
    • No
    • Sprint 236
    • 1
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Hide
      Previously, during an Agent-based installation, the certificates in the `AdditionalTrustBundle` field of the `install-config.yaml` file were only propagated to the final image when the `ImageContentSources` field was also set for mirroring. If mirroring was not set, then the additional certificates were on the bootstrap but not the final image.

      This can cause issues when the user has set up a proxy and wants to add additional certs as described link:https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#installation-configure-proxy_configuring-a-custom-pki[here].

      With this update, these additional certificates are propagated to the final image whether or not the `ImageContentSources` field is also set. (link:https://issues.redhat.com/browse/OCPBUGS-13535[*OCPBUGS-13535*])
      Show
      Previously, during an Agent-based installation, the certificates in the `AdditionalTrustBundle` field of the `install-config.yaml` file were only propagated to the final image when the `ImageContentSources` field was also set for mirroring. If mirroring was not set, then the additional certificates were on the bootstrap but not the final image. This can cause issues when the user has set up a proxy and wants to add additional certs as described link: https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#installation-configure-proxy_configuring-a-custom-pki [here]. With this update, these additional certificates are propagated to the final image whether or not the `ImageContentSources` field is also set. (link: https://issues.redhat.com/browse/OCPBUGS-13535 [* OCPBUGS-13535 *])
    • Bug Fix
    • Done

    Description

      Description of problem:

      The AdditionalTrustBundle field in install-config.yaml can be used to add additional certs, however these certs are only propagated to the final image when the ImageContentSources field is also set for mirroring. If mirroring is not set then the additional certs will be on the bootstrap but not the final image.

This can cause a problem when user has set up a proxy and wants to add additional certs as described here https://docs.openshift.com/container-platform/4.12/networking/configuring-a-custom-pki.html#installation-configure-proxy_configuring-a-custom-pki

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      1. In install-config.yaml set additionalTrustBundle and don't set imageContentSources.
2. Do an installation using the install-config.yaml.
3. After the final image is installed and rebooted view the certs in /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt.

      Actual results:

      The certs defined in additionalTrustBundle are not in /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt.

      Expected results:

      The certs defined in additionalTrustBundle will be in /etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt even when imgeContentSources are not defined.

      Additional info:

       

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-13752 AdditionalTrustBundle is only included when doing mirroring

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-13752 AdditionalTrustBundle is only included when doing mirroring

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          links to

          GitHub openshift/installer#7182: OCPBUGS-13535: Set AdditionalTrustBundle in override when mirroring not enabled

          Web Link RHSA-2023:5006 OpenShift Container Platform 4.14.z security update

          Activity

            People

              bfournie@redhat.com Robert Fournier
              bfournie@redhat.com Robert Fournier
              Biagio Manzari Biagio Manzari
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: