  1. OpenShift Bugs
  2. OCPBUGS-32042

Incorrect usage of install-config.yaml additionalTrustBundle field


    • Important
    • No
    • Sprint 252
    • 1
    • Proposed
    • False
    • *Cause*: CA certificates built in to CoreOS were automatically added to those in the user-provided userTrustBundle when doing a disconnected deployment with the agent-based installation method.
      *Consequence*: When installing with the agent-based installer in a disconnected environment (i.e. from a mirrored release image), the {{user-ca-bundle}} ConfigMap in the cluster was huge and contained CA Certs not managed by the user.
      *Fix*: The built-in trusted CA Certs are not added to the additional trust bundle when a mirror registry is in use.
      *Result*: The {{user-ca-bundle}} ConfigMap contains only CAs explicitly specified by the user.
    • Bug Fix
    • In Progress

      Description of problem:

      When the user configures the install-config.yaml additionalTrustBundle field (for example, in a disconnected installation using a local registry),
      the user-ca-bundle configmap gets populated with more content than strictly required

      Version-Release number of selected component (if applicable):

          

      How reproducible:

      Always

      Steps to Reproduce:

          1. Set up a local registry and mirror the content of an ocp release
          2. Configure the install-config.yaml for a mirrored installation. In particular, configure the additionalTrustBundle field with the registry cert
          3. Create the agent ISO, boot the nodes and wait for the installation to complete
          

      Actual results:

          The user-ca-bundle cm does not contain only the registry cert

      Expected results:

      user-ca-bundle configmap with just the content of the install-config additionalTrustBundle field

      Additional info:

           

            afasano@redhat.com Andrea Fasano
            afasano@redhat.com Andrea Fasano
            Biagio Manzari Biagio Manzari
            Votes: 0
            Watchers: 8

              Created:
              Updated:
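
One way to check the expected result above on a cluster, as an added example that is not part of the original issue or the installer's code: compare the certificates in the install-config additionalTrustBundle with those in the user-ca-bundle ConfigMap by SHA-256 fingerprint of each decoded PEM body, so comments and line endings do not cause false differences. The function names are hypothetical, the PEM blocks are constructed placeholders rather than real certificates, and reading the ConfigMap from the `ca-bundle.crt` key in the `openshift-config` namespace is an assumption.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

def fingerprints(bundle):
    """SHA-256 of the decoded body of every PEM certificate block in a bundle."""
    prints = set()
    for body in PEM_RE.findall(bundle):
        der = base64.b64decode("".join(body.split()))  # drops LF/CRLF and indent
        prints.add(hashlib.sha256(der).hexdigest())
    return prints

def unexpected_cas(install_config_bundle, configmap_bundle):
    """Certificates present only in the ConfigMap ('extra') or only in install-config."""
    expected = fingerprints(install_config_bundle)
    actual = fingerprints(configmap_bundle)
    return {"extra": sorted(actual - expected),
            "missing": sorted(expected - actual)}

def fake_pem(seed):
    """Constructed placeholder block: PEM framing around arbitrary bytes."""
    b64 = base64.b64encode(seed * 8).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample data (not real certificates).
REGISTRY_CA = fake_pem(b"registry-ca")
INSTALL_CONFIG_BUNDLE = REGISTRY_CA
# Behaviour reported in the issue: built-in CAs appended, with comment lines.
CONFIGMAP_BEFORE_FIX = (REGISTRY_CA + "# built-in CA 1\n" + fake_pem(b"builtin-1")
                        + "# built-in CA 2\n" + fake_pem(b"builtin-2"))
# Expected result: same certificate only, here with CRLF line endings.
CONFIGMAP_AFTER_FIX = REGISTRY_CA.replace("\n", "\r\n")

if __name__ == "__main__":
    # On a cluster, the ConfigMap side would come from (assumed location):
    #   oc get configmap user-ca-bundle -n openshift-config \
    #     -o jsonpath='{.data.ca-bundle\.crt}'
    for name, cm in (("before fix", CONFIGMAP_BEFORE_FIX),
                     ("after fix", CONFIGMAP_AFTER_FIX)):
        diff = unexpected_cas(INSTALL_CONFIG_BUNDLE, cm)
        print(name, "extra:", len(diff["extra"]), "missing:", len(diff["missing"]))
```

A non-empty `extra` list means the cluster trusts CAs the user did not put in additionalTrustBundle.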