Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-52172

Cluster fails to complete provisioning when using proxy with custom trust bundle

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Critical Critical
    • None
    • 4.19.0
    • HyperShift
    • None
    • Proposed
    • False
    • Hide

      None

      Show
      None
    • Hide
      Previously,konnectivity-https-proxy did not have additional trust bundles that were set in configuration.proxy.trustCA applied. This caused hosted clusters fail to complete their provisioning. With this release, the specified certificates get added to Konnectivity and propagates the proxy environment variables, allowing hosted clusters with both secure proxies and custom certificates to successfully complete their provisioning.
      Show
      Previously,konnectivity-https-proxy did not have additional trust bundles that were set in configuration.proxy.trustCA applied. This caused hosted clusters fail to complete their provisioning. With this release, the specified certificates get added to Konnectivity and propagates the proxy environment variables, allowing hosted clusters with both secure proxies and custom certificates to successfully complete their provisioning.

      This is a clone of issue OCPBUGS-51296. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-51098. The following is the description of the original issue:

      Description of problem:

      When the cluster is created with a secure proxy enabled, and certificate is set in configuration.proxy.trustCA, the cluster fails to complete provisioning.
4.19.0-0.nightly-2024-12-10-040415   

      Version-Release number of selected component (if applicable):

      How reproducible:

          always

      Steps to Reproduce:

          1. Create a cluster with a secure proxy, certificate is set in .spec.configuration.proxy.trustCA.
    3.

      Actual results:

          cluster does not complete provisioning

      Expected results:

          cluster completes

      Additional info:

          root cause is that certificate in additionalTrustBunlde isn't propagated into ingress proxy. 
slack:
https://redhat-internal.slack.com/archives/G01QS0P2F6W/p1734047816669079?thread_ts=1734023627.636019&cid=G01QS0P2F6W

              cewong@redhat.com Cesar Wong
              openshift-crt-jira-prow OpenShift Prow Bot
              Jie Zhao Jie Zhao
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: