Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Minor
Fix Version/s: 4.19.0
Affects Version/s: 4.17.0
Component/s: Installer / Agent based installation
Labels:
- triaged

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:

4.17.z, 4.18.z
Target Version:

4.19.0
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* For clusters that were installed with the Agent-based Installer for versions 4.15.0 to 4.15.26, root certificates that were built in from CoreOS were added to the user-ca-bundle, even though they were not explicitly specified by the user. In previous releases, when adding a node to one of these clusters using the `oc adm node-image create` command, the `additionalTrustBundle` obtained from the cluster's user-ca-bundle was too large to process, resulting in a failure to add the node. With this release, the built-in certificates are filtered out when generating the `additionalTrustBundle`, so that only explicitly user-configured certificates are included, and nodes can be added successfully. (link:https://issues.redhat.com/browse/OCPBUGS-43990[~~OCPBUGS-43990~~])

Show
* For clusters that were installed with the Agent-based Installer for versions 4.15.0 to 4.15.26, root certificates that were built in from CoreOS were added to the user-ca-bundle, even though they were not explicitly specified by the user. In previous releases, when adding a node to one of these clusters using the `oc adm node-image create` command, the `additionalTrustBundle` obtained from the cluster's user-ca-bundle was too large to process, resulting in a failure to add the node. With this release, the built-in certificates are filtered out when generating the `additionalTrustBundle`, so that only explicitly user-configured certificates are included, and nodes can be added successfully. (link: https://issues.redhat.com/browse/OCPBUGS-43990 [ OCPBUGS-43990 ])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Some clusters that were created with the agent-based installer and born in 4.15 contain all of the built-in CAs from CoreOS in the user-ca-bundle because of ~~OCPBUGS-34721~~.

This causes adding a node on day 2 to fail because the InfraEnv manifest created is huge, and gets rejected by assisted-service with a 422 error.

We know the list of CAs that were present in 4.15, so we should work around this problem by ignoring those ones whenever they appear in the user-ca-bundle instead of adding them to the additionalTrustBundle in the InfraEnv.

blocks

OCPBUGS-54744 Work around excess CA certs in additionalTrustBundle

Closed

is cloned by

OCPBUGS-54744 Work around excess CA certs in additionalTrustBundle

Closed

is duplicated by

AGENT-920 agent-register-infraenv fails in day2 node (appliance flow)

Closed

is related to

OCPBUGS-42173 Agent installer should validate the size of additionalTrustBundle

ASSIGNED

relates to

AGENT-939 Day2 add node via agent-install leftover tasks

Release Pending

OCPBUGS-32042 Incorrect usage of install-config.yaml additionalTrustBundle field

Closed

OCPBUGS-34721 Incorrect usage of install-config.yaml additionalTrustBundle field

Closed

links to

openshift/installer#9641: OCPBUGS-43990: Filter out excess CA certs when adding node

RHEA-2024:11038 OpenShift Container Platform 4.19.z bug fix update

(2 relates to, 2 links to)

Assignee:: Zane Bitter

Reporter:: Zane Bitter

Need Info From:: None

Contributors:: None

QA Contact:: Biagio Manzari

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2024/06/03 10:39 PM

Updated:: 2025/09/13 7:28 PM

Resolved:: 2025/06/17 4:54 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide