OpenShift Bugs / OCPBUGS-46546

IPI fails in AWS ISO regions due to non-commercial CA used for AWS API endpoints


    • Type: Bug
    • Resolution: Unresolved
    • Versions: 4.15, 4.16, 4.17

      Description of problem:

          The bootstrap ignition config (bootstrap.ign) is too large for the AWS EC2 user-data field, so the installer places it in an S3 bucket and hands the bootstrap EC2 instance a small pointer config that tells it to fetch the full ignition config from the bucket's HTTPS endpoint. In AWS ISO regions the AWS API endpoints, including S3, present certificates issued by a customer-provided, non-commercial CA. The bootstrap instance does not trust that CA, so it cannot pull bootstrap.ign from the S3 HTTPS endpoint.

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          

      Steps to Reproduce:

          1. openshift-install create cluster # in one of the us-iso regions
          2. The bootstrap instance is started

      Actual results:

      The bootstrap instance reports that it cannot pull bootstrap.ign because the CA that issued the S3 endpoint's certificate is untrusted.

      Expected results:

      The bootstrap instance pulls the bootstrap.ign file from the HTTPS endpoint of the S3 API.

      Additional info:

          OpenShift has supported the AWS us-iso regions and custom endpoints for quite some time. Once bootstrap.ign became too large to fit in the user-data field and was moved into S3, the "additionalTrustBundle" is needed much earlier in the process, or some other way is required for the bootstrap instance to trust the S3 HTTPS API endpoint.
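          As an added illustration of the trust gap described above and in the description, here is a small Python script that builds the kind of pointer ignition config the bootstrap instance receives in user data, once with and once without an inline CA bundle, and checks whether the config's trust set covers the CA that the S3 endpoint would present. This is example code written for this page, not the installer's code. It assumes the Ignition spec 3.x fields `ignition.config.replace.source` and `ignition.security.tls.certificateAuthorities` (both real fields), a placeholder S3 URL, and a constructed, non-functional PEM string standing in for the customer CA that an operator would normally supply through the install-config "additionalTrustBundle" field.

```python
import base64
import json
import urllib.parse
from typing import List, Optional

# Constructed placeholder standing in for the customer-provided CA of an ISO
# region. It is not a valid certificate; it only has the PEM shape.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0EgRk9SIEVYQU1QTEUgT05MWQ==
-----END CERTIFICATE-----
"""

# Placeholder for the HTTPS URL of the bucket object holding bootstrap.ign.
PLACEHOLDER_S3_URL = "https://bootstrap-bucket.example.invalid/bootstrap.ign"


def pem_to_data_url(pem: str) -> str:
    """Encode a PEM bundle as a base64 RFC 2397 data: URL, one of the source
    forms Ignition accepts for inline resources."""
    b64 = base64.b64encode(pem.encode()).decode()
    return f"data:text/plain;base64,{b64}"


def build_pointer_ignition(s3_url: str, ca_pem: Optional[str],
                           version: str = "3.2.0") -> dict:
    """Build a minimal pointer config: replace this config with the one fetched
    from s3_url. When ca_pem is given, also tell Ignition to trust that CA for
    the fetch, which is the missing piece in the ISO-region failure."""
    cfg = {
        "ignition": {
            "version": version,
            "config": {"replace": {"source": s3_url}},
        }
    }
    if ca_pem:
        cfg["ignition"]["security"] = {
            "tls": {"certificateAuthorities": [{"source": pem_to_data_url(ca_pem)}]}
        }
    return cfg


def trusted_ca_pems(cfg: dict) -> List[str]:
    """Decode the CA bundles a pointer config asks Ignition to trust. Only
    inline data: sources are decoded here; remote CA sources would themselves
    need a trusted endpoint to be fetched from."""
    cas = (cfg.get("ignition", {}).get("security", {})
              .get("tls", {}).get("certificateAuthorities", []))
    out = []
    for ca in cas:
        src = ca.get("source", "")
        if not src.startswith("data:"):
            continue
        header, payload = src.split(",", 1)
        if header.endswith(";base64"):
            out.append(base64.b64decode(payload).decode())
        else:
            out.append(urllib.parse.unquote(payload))
    return out


def pointer_can_verify(cfg: dict, endpoint_ca_pem: str) -> bool:
    """True when the CA that signs the S3 endpoint's certificate is among the
    CAs the pointer config trusts. False reproduces the reported failure mode:
    the bootstrap instance has no way to validate the endpoint."""
    wanted = endpoint_ca_pem.strip()
    return any(p.strip() == wanted for p in trusted_ca_pems(cfg))


if __name__ == "__main__":
    for label, ca in (("without CA", None), ("with CA", SAMPLE_CA_PEM)):
        cfg = build_pointer_ignition(PLACEHOLDER_S3_URL, ca)
        print(f"{label}: can verify endpoint = "
              f"{pointer_can_verify(cfg, SAMPLE_CA_PEM)}")
        print(json.dumps(cfg, indent=2))
```

The point of the comparison is that the user-data stub is the only thing the bootstrap instance has before it reaches S3, so any CA it needs for that first fetch must already be inside the stub (or in the image's trust store); the install-config "additionalTrustBundle" is not available to it at that moment unless the installer copies it forward into the pointer config.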

              People: OCP DocsBot (ocp-docs-bot), Dan Clark (dan5179), Gaoyun Pei
              Votes: 0
              Watchers: 4