
ca-bundle.crt is not injected in the global-ca configmaps from builds in HCP cluster


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Version/s: 4.16.z
    • Component: HyperShift / ROSA
    • Sprint: Hypershift Sprint 262, Hypershift Sprint 263
    • Release Note Text:
      *Cause* - Running a build that requires a trust bundle to access registries does not pick up the bundle configured in the cluster proxy.
      *Consequence* - Builds that reference a registry that require a custom trust bundle to access are failing.
      *Fix* - Code was added to the hosted control plane operator to sync the proxy trust bundle into the `openshift-controller-manager` namespace inside the hosted cluster.
      *Result* - Builds that require the trust bundle specified in the proxy configuration can now succeed.
    • Release Note Type: Bug Fix
    • Status: In Progress

      This is a clone of issue OCPBUGS-44380. The following is the description of the original issue:

      Description of problem:

      https://access.redhat.com/errata/RHSA-2024:5422 did not seemingly fix the issue https://issues.redhat.com/browse/OCPBUGS-37060 in ROSA HCP so opening new bug.
      
      The builds installed in the hosted clusters are having issues git-cloning repositories from external URLs whose CA is configured in the ca-bundle.crt from the trustedCA section:
      
      spec:
        configuration:
          apiServer:
            [...]
          proxy:
            trustedCA:
              name: user-ca-bundle   <---
      
      In traditional OCP implementations, the *-global-ca configmap is installed in the same namespace as the build and the ca-bundle.crt is injected into this configmap. In hosted clusters the configmap is being created empty:
      
      $ oc get cm -n <app-namespace> <build-name>-global-ca  -oyaml
      apiVersion: v1
      data:
        ca-bundle.crt: ""
      
      
      As mentioned, the user-ca-bundle has the certificates configured:
      
      $ oc get cm -n openshift-config user-ca-bundle -oyaml
      apiVersion: v1
      data:
        ca-bundle.crt: |
          -----BEGIN CERTIFICATE----- <---

      Version-Release number of selected component (if applicable):

          4.16.17

      How reproducible:

          

      Steps to Reproduce:

      1. Install hosted cluster with trustedCA configmap
      2. Run a build in the hosted cluster
      3. Check the global-ca configmap     

      Actual results:

          global-ca is empty

      Expected results:

          global-ca injects the ca-bundle.crt properly

      Additional info:

      Created a new ROSA HCP cluster behind a transparent proxy at version 4.16.8 as it was mentioned as fixed in the above errata and the issue still exists.
      The transparent proxy certificate provided at cluster installation time is referenced in proxy/cluster as "user-ca-bundle-abcdefgh" and both "user-ca-bundle" and "user-ca-bundle-abcdefgh" configmaps in the "openshift-config" contain the certificate.
      
      However, starting a template build, for example "oc new-app cakephp-mysql-persistent", still results in the certificate not being injected into the "cakephp-mysql-persistent-1-global-ca" configmap and the build failing, unlike the same scenario in an OCP cluster.
      
      oc logs build.build.openshift.io/cakephp-mysql-persistent-1
      Cloning "https://github.com/sclorg/cakephp-ex.git" ...
      error: fatal: unable to access 'https://github.com/sclorg/cakephp-ex.git/': SSL certificate problem: unable to get local issuer certificate
      
      Also upgraded the cluster to 4.16.17 and the issue still persists.
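      The reproduction steps above turned into a check, as an added example that is not part of this bug or of the HyperShift code: it reads the configmap that proxy/cluster names in .spec.trustedCA.name and verifies that a build's "<build>-global-ca" configmap received every certificate from it, so an empty or partial bundle is caught before the git clone fails. The function names, the jsonpath key escaping and the sample PEM bundle are my assumptions; the sample certificate is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example, not part of the bug report: check that a build's
# "<build>-global-ca" configmap carries every certificate from the
# configmap named by proxy/cluster .spec.trustedCA.name.
# Usage: sh check-global-ca.sh <namespace> <build>  (oc logged in)

# Count PEM certificate blocks in a bundle passed as a string.
cert_count() {
  printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}
# 0 = all trusted certificates present; 1 = injected bundle empty (the
# symptom reported here); 2 = non-empty but a trusted certificate is missing.
compare_bundles() {
  trusted=$1; injected=$2
  [ "$(cert_count "$injected")" -gt 0 ] || return 1
  nl='
'
  # Rebuild each PEM block of the trusted bundle and look for it as a
  # literal multi-line substring of the injected bundle.
  printf '%s\n' "$trusted" | {
    block=''
    while IFS= read -r line; do
      case $line in
        '-----BEGIN CERTIFICATE-----') block=$line ;;
        '-----END CERTIFICATE-----')
          block="$block$nl$line"
          case $injected in *"$block"*) block='' ;; *) exit 2 ;; esac ;;
        *) if [ -n "$block" ]; then block="$block$nl$line"; fi ;;
      esac
    done
    exit 0
  }
}

# Fetch both configmaps from the hosted cluster; 3 = an oc lookup failed.
check_build_global_ca() {
  ca_name=$(oc get proxy/cluster -o jsonpath='{.spec.trustedCA.name}') || return 3
  trusted=$(oc get cm -n openshift-config "$ca_name" \
    -o jsonpath='{.data.ca-bundle\.crt}') || return 3
  injected=$(oc get cm -n "$1" "$2-global-ca" \
    -o jsonpath='{.data.ca-bundle\.crt}') || return 3
  compare_bundles "$trusted" "$injected"
}
# Constructed sample bundle (placeholder base64, not a real certificate).
SAMPLE_TRUSTED='-----BEGIN CERTIFICATE-----
MIIBplaceholderPROXYCA
-----END CERTIFICATE-----'

if [ $# -eq 2 ]; then check_build_global_ca "$1" "$2"; fi
```

      Exit status 1 is exactly the state shown in the "oc get cm ... -global-ca" output above (ca-bundle.crt: ""), so the script can be run after step 2 of the reproduction to confirm or rule out the symptom.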

      People: Cesar Wong (cewong@redhat.com), OpenShift Prow Bot (openshift-crt-jira-prow), Jie Zhao