OCPBUGS-43990

Work around excess CA certs in additionalTrustBundle


    • Quality / Stability / Reliability
    • Done
    • Bug Fix
      * For clusters that were installed with the Agent-based Installer for versions 4.15.0 to 4.15.26, root certificates that were built in from CoreOS were added to the user-ca-bundle, even though they were not explicitly specified by the user. In previous releases, when adding a node to one of these clusters using the `oc adm node-image create` command, the `additionalTrustBundle` obtained from the cluster's user-ca-bundle was too large to process, resulting in a failure to add the node. With this release, the built-in certificates are filtered out when generating the `additionalTrustBundle`, so that only explicitly user-configured certificates are included, and nodes can be added successfully. (link:https://issues.redhat.com/browse/OCPBUGS-43990[OCPBUGS-43990])

      Some clusters that were created with the agent-based installer and born in 4.15 contain all of the built-in CAs from CoreOS in the user-ca-bundle because of OCPBUGS-34721.

      This causes adding a node on day 2 to fail because the InfraEnv manifest created is huge, and gets rejected by assisted-service with a 422 error.

      We know the list of CAs that were present in 4.15, so we should work around this problem by ignoring those ones whenever they appear in the user-ca-bundle instead of adding them to the additionalTrustBundle in the InfraEnv.
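A sketch of the filtering described above, added here as an example and not the installer's or `oc`'s own code. It assumes built-in CAs are recognized by the SHA-256 fingerprint of their DER bytes; the function names and the sample inputs (placeholder bytes, not real certificates) are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/pem"
	"fmt"
)

// fingerprint identifies a certificate by the SHA-256 of its DER bytes
// (assumed matching rule; the issue does not say how CAs are compared).
func fingerprint(der []byte) [32]byte { return sha256.Sum256(der) }

// FilterBundle re-emits only the CERTIFICATE blocks of a PEM bundle whose
// fingerprint is not in builtin, and reports how many were dropped.
func FilterBundle(bundle []byte, builtin map[[32]byte]bool) ([]byte, int) {
	var out bytes.Buffer
	dropped := 0
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no more PEM blocks; trailing non-PEM text is ignored
		}
		if block.Type != "CERTIFICATE" {
			continue // keys, CRLs etc. do not belong in a trust bundle
		}
		if builtin[fingerprint(block.Bytes)] {
			dropped++ // known OS-provided CA: leave it out
			continue
		}
		out.Write(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: block.Bytes}))
	}
	return out.Bytes(), dropped
}

// samplePEM wraps placeholder bytes in a CERTIFICATE block. Constructed
// test input, not a real certificate.
func samplePEM(der string) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte(der)})
}

func main() {
	builtin := map[[32]byte]bool{
		fingerprint([]byte("os-root-1")): true,
		fingerprint([]byte("os-root-2")): true,
	}
	bundle := bytes.Join([][]byte{samplePEM("os-root-1"), samplePEM("corp-ca"), samplePEM("os-root-2")}, nil)
	trimmed, dropped := FilterBundle(bundle, builtin)
	fmt.Printf("dropped %d built-in CAs, %d -> %d bytes\n", dropped, len(bundle), len(trimmed))
}
```

Matching on the exact DER bytes means a user-supplied CA is kept unless it is byte-for-byte identical to one on the built-in list, so an explicitly configured certificate that happens to share a subject name with a built-in one is not discarded.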

              zabitter Zane Bitter
              Biagio Manzari