  1. OpenShift Bugs
  2. OCPBUGS-52323

The trusted-ca-bundle-managed ConfigMap requirement breaks those with their own PKI


    • Bug
    • Resolution: Unresolved
    • Critical
    • None
    • 4.18.z
    • HyperShift
    • None
    • Important
    • Yes
    • False
    • None
    • In OpenShift 4.18.2, the `managed-trust-bundle` VolumeMount and `trusted-ca-bundle-managed` ConfigMap were introduced as mandatory components. This requirement caused deployment failures for users utilizing their own Public Key Infrastructure (PKI), as the OpenShift API server expected the presence of the `trusted-ca-bundle-managed` ConfigMap. To address this issue, these components are now optional, allowing clusters to deploy successfully without the `trusted-ca-bundle-managed` ConfigMap when custom PKI is in use.
    • Bug Fix
    • In Progress

      Description of problem:

         The new `managed-trust-bundle` VolumeMount / `trusted-ca-bundle-managed` ConfigMap has recently been required given this latest change here: https://github.com/openshift/hypershift/pull/5667. However, this should be optional since folks that bring their own PKI shouldn't need this.

      Version-Release number of selected component (if applicable):

          4.18.2

      How reproducible:

          Every time.

      Steps to Reproduce:

          1. Deploy ROKS (HyperShift) version 4.18.2 cluster.
          

      Actual results:

          Cluster fails to deploy as the OpenShift API server fails to come up since it expects the `trusted-ca-bundle-managed` ConfigMap to exist.

      Expected results:

          Cluster should deploy successfully.

      Additional info:

          

              evan.reilly Evan Reilly
              Votes: 1
              Watchers: 4

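An added example, not part of the ticket or of HyperShift's code: a Go pre-flight check for the failure described above, where a pod spec mounts a ConfigMap as a required volume and the ConfigMap does not exist. The pod spec fragments and the `user-ca-bundle` name are constructed for illustration; `managed-trust-bundle` and `trusted-ca-bundle-managed` come from the ticket, and `optional` is the standard Kubernetes ConfigMap volume field.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// podSpec is the small subset of the Kubernetes PodSpec schema this check needs.
type podSpec struct {
	Volumes []struct {
		Name      string `json:"name"`
		ConfigMap *struct {
			Name     string `json:"name"`
			Optional *bool  `json:"optional"`
		} `json:"configMap"`
	} `json:"volumes"`
}

// blockingConfigMaps lists ConfigMaps the spec mounts as required volumes
// (optional unset or false) that are absent; such a pod cannot start.
func blockingConfigMaps(specJSON []byte, existing map[string]bool) ([]string, error) {
	var spec podSpec
	if err := json.Unmarshal(specJSON, &spec); err != nil {
		return nil, err
	}
	var missing []string
	for _, v := range spec.Volumes {
		if v.ConfigMap == nil {
			continue // not a ConfigMap-backed volume
		}
		optional := v.ConfigMap.Optional != nil && *v.ConfigMap.Optional
		if !optional && !existing[v.ConfigMap.Name] {
			missing = append(missing, v.ConfigMap.Name)
		}
	}
	return missing, nil
}

// Constructed fragments (not HyperShift's manifests): mandatory vs. optional mount.
const requiredSpec = `{"volumes":[{"name":"managed-trust-bundle","configMap":{"name":"trusted-ca-bundle-managed"}}]}`
const optionalSpec = `{"volumes":[{"name":"managed-trust-bundle","configMap":{"name":"trusted-ca-bundle-managed","optional":true}}]}`

func main() {
	// Constructed namespace contents; "user-ca-bundle" is a hypothetical name.
	existing := map[string]bool{"user-ca-bundle": true}
	for _, s := range []string{requiredSpec, optionalSpec} {
		fmt.Println(blockingConfigMaps([]byte(s), existing))
	}
}
```

With the ConfigMap absent, the mandatory form reports `trusted-ca-bundle-managed` as blocking and the optional form reports nothing.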