-
Bug
-
Resolution: Done-Errata
-
Major
-
4.15
This is a clone of issue OCPBUGS-35905. The following is the description of the original issue:
—
Description of problem:
The builds installed in the hosted clusters are having issues to git-clone repositories from external URLs where their CA are configured in the ca-bundle.crt from trsutedCA section:
spec:
configuration:
apiServer:
[...]
proxy:
trustedCA:
name: user-ca-bundle <---
In traditional OCP implementations, the *-global-ca configmap is installed in the same namespace from the build and the ca-bundle.crt is injected into this configmap. In hosted clusters the configmap is being created empty:
$ oc get cm -n <app-namespace> <build-name>-global-ca -oyaml
apiVersion: v1
data:
ca-bundle.crt: ""
As mentioned, the user-ca-bundle has the certificates configured:
$ oc get cm -n openshift-config user-ca-bundle -oyaml
apiVersion: v1
data:
ca-bundle.crt: |
-----BEGIN CERTIFICATE----- <---
Version-Release number of selected component (if applicable):
How reproducible:
Easily
Steps to Reproduce:
1. Install hosted cluster with trustedCA configmap 2. Run a build in the hosted cluster 3. Check the global-ca configmap
Actual results:
global-ca is empty
Expected results:
global-ca injects the ca-bundle.crt properly
Additional info:
- blocks
-
-
- POST
-
- clones
-
-
- Verified
-
- is blocked by
-
-
- Verified
-
- is cloned by
-
-
- POST
-
- links to
-
RHBA-2024:5422
OpenShift Container Platform 4.16.z bug fix update
