OCPBUGS-44380: ca-bundle.crt is not injected in the global-ca configmaps from builds in HCP cluster


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Affects Version/s: 4.16.z
    • Component/s: HyperShift / ROSA

      Description of problem:

      https://access.redhat.com/errata/RHSA-2024:5422 did not seem to fix the issue https://issues.redhat.com/browse/OCPBUGS-37060 in ROSA HCP, so opening a new bug.
      
      The builds run in the hosted clusters fail to git-clone repositories from external URLs whose CA is configured in the ca-bundle.crt referenced by the trustedCA section:

      spec:
        configuration:
          apiServer:
            [...]
          proxy:
            trustedCA:
              name: user-ca-bundle <---
      
      In traditional OCP implementations, the *-global-ca configmap is created in the same namespace as the build and the ca-bundle.crt is injected into this configmap. In hosted clusters the configmap is being created empty:

      $ oc get cm -n <app-namespace> <build-name>-global-ca -oyaml
      apiVersion: v1
      data:
        ca-bundle.crt: ""

      As mentioned, the user-ca-bundle has the certificates configured:
      
      $ oc get cm -n openshift-config user-ca-bundle -oyaml
      apiVersion: v1
      data:
        ca-bundle.crt: |
          -----BEGIN CERTIFICATE----- <---

      Version-Release number of selected component (if applicable):

          4.16.17

      How reproducible:

          

      Steps to Reproduce:

      1. Install hosted cluster with trustedCA configmap
      2. Run a build in the hosted cluster
      3. Check the global-ca configmap     

      Actual results:

          global-ca is empty

      Expected results:

          global-ca injects the ca-bundle.crt properly
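      An added check for step 3 of the reproduction, not part of this bug report: given the parsed JSON of `oc get cm -n openshift-config user-ca-bundle -ojson` and of `oc get cm -n <app-namespace> <build-name>-global-ca -ojson`, it reports which trusted CA certificates were not injected into the build's global-ca configmap. The configmap contents below are constructed with placeholder PEM bodies; `pem_blocks` and `missing_trusted_cas` are names chosen here.

```python
import re
from typing import Dict, List

# One PEM certificate block, as found in a ca-bundle.crt value.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def pem_blocks(configmap: Dict) -> List[str]:
    """Return the PEM certificate blocks in a ConfigMap's ca-bundle.crt key.

    `configmap` is the parsed output of `oc get cm <name> -ojson`. Whitespace
    inside each block is stripped so the same certificate compares equal
    regardless of how the lines were wrapped on the way in.
    """
    bundle = (configmap.get("data") or {}).get("ca-bundle.crt") or ""
    return [re.sub(r"\s+", "", block) for block in PEM_BLOCK.findall(bundle)]


def missing_trusted_cas(user_ca_bundle: Dict, global_ca: Dict) -> List[str]:
    """Certificates in user-ca-bundle that are absent from the build's
    *-global-ca ConfigMap. An empty list means the trusted CA was injected."""
    present = set(pem_blocks(global_ca))
    return [cert for cert in pem_blocks(user_ca_bundle) if cert not in present]


# Constructed sample ConfigMaps (placeholder PEM bodies, not real certificates),
# in the shape `oc get cm -ojson` returns.
PROXY_CA = "-----BEGIN CERTIFICATE-----\nPLACEHOLDERPROXYCA\n-----END CERTIFICATE-----\n"

USER_CA_BUNDLE = {
    "metadata": {"name": "user-ca-bundle", "namespace": "openshift-config"},
    "data": {"ca-bundle.crt": PROXY_CA},
}
# The empty global-ca observed on the hosted cluster.
EMPTY_GLOBAL_CA = {
    "metadata": {"name": "cakephp-mysql-persistent-1-global-ca"},
    "data": {"ca-bundle.crt": ""},
}
# What a correctly injected global-ca looks like (same cert, re-wrapped).
INJECTED_GLOBAL_CA = {
    "metadata": {"name": "cakephp-mysql-persistent-1-global-ca"},
    "data": {"ca-bundle.crt": PROXY_CA.replace("PROXYCA", "PROXY\nCA")},
}

if __name__ == "__main__":
    for cm in (EMPTY_GLOBAL_CA, INJECTED_GLOBAL_CA):
        missing = missing_trusted_cas(USER_CA_BUNDLE, cm)
        print(f"{cm['metadata']['name']}: {len(missing)} trusted CA(s) not injected")
```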

      Additional info:

      Created a new ROSA HCP cluster behind a transparent proxy at version 4.16.8, as that version was mentioned as fixed in the above errata, and the issue still exists.
      The transparent proxy certificate provided at cluster installation time is referenced in proxy/cluster as "user-ca-bundle-abcdefgh", and both the "user-ca-bundle" and "user-ca-bundle-abcdefgh" configmaps in "openshift-config" contain the certificate.

      However, starting a template build, for example "oc new-app cakephp-mysql-persistent", still results in the certificate not being injected into the "cakephp-mysql-persistent-1-global-ca" configmap and the build failing, unlike the same scenario in an OCP cluster.
      
      oc logs build.build.openshift.io/cakephp-mysql-persistent-1
      Cloning "https://github.com/sclorg/cakephp-ex.git" ...
      error: fatal: unable to access 'https://github.com/sclorg/cakephp-ex.git/': SSL certificate problem: unable to get local issuer certificate
      
      Also upgraded the cluster to 4.16.17 and the issue still persists.

      People: Cesar Wong (cewong@redhat.com), Brendan McHugh (rhn-support-bmchugh), Jie Zhao