  1. OpenShift Bugs
  2. OCPBUGS-52516

The trusted-ca-bundle-managed ConfigMap requirement breaks those with their own PKI


    • Bug
    • Resolution: Done-Errata
    • Critical
    • 4.18.0
    • 4.18.z
    • HyperShift
    • Quality / Stability / Reliability
    • False
    • Important
    • Yes
    • Done
    • Bug Fix
    • In OpenShift 4.18.2, the managed-trust-bundle VolumeMount and trusted-ca-bundle-managed ConfigMap were introduced as mandatory components. This requirement caused deployment failures for users utilizing their own Public Key Infrastructure (PKI), as the OpenShift API server expected the presence of the trusted-ca-bundle-managed ConfigMap. To address this issue, these components are now optional, allowing clusters to deploy successfully without the trusted-ca-bundle-managed ConfigMap when custom PKI is in use.

      This is a clone of issue OCPBUGS-52323. The following is the description of the original issue:

      Description of problem:

         The new `managed-trust-bundle` VolumeMount / `trusted-ca-bundle-managed` ConfigMap has recently been required given this latest change here: https://github.com/openshift/hypershift/pull/5667. However, this should be optional since folks that bring their own PKI shouldn't need this.

      Version-Release number of selected component (if applicable):

          4.18.2

      How reproducible:

          Every time.

      Steps to Reproduce:

          1. Deploy ROKS (HyperShift) version 4.18.2 cluster.
          

      Actual results:

          Cluster fails to deploy as the OpenShift API server fails to come up since it expects the `trusted-ca-bundle-managed` ConfigMap to exist.

      Expected results:

          Cluster should deploy successfully.

      Additional info:

          

              evan.reilly Evan Reilly (Inactive)
              openshift-crt-jira-prow OpenShift Prow Bot
              Jie Zhao Jie Zhao
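
The failure mode described in this issue, as an added example (not part of the original report and not HyperShift code): a Kubernetes ConfigMap reference is required unless it sets `optional: true`, and a pod that references a missing required ConfigMap cannot start. The check below goes beyond the volume case in the report and also covers `envFrom` and `configMapKeyRef` references; the container name, mount path and `user-ca-bundle` are constructed for illustration.

```python
# Added example, not HyperShift code. Only the volume name `managed-trust-bundle`
# and the ConfigMap name `trusted-ca-bundle-managed` come from the report; the
# container name, mount path and spec layout are constructed.

def required_configmap_refs(pod_spec):
    """Yield (where, name) for each ConfigMap the kubelet must find before the pod starts."""
    for vol in pod_spec.get("volumes", []):
        # A ConfigMap can be a direct volume source or one source of a projected volume.
        sources = [vol] + vol.get("projected", {}).get("sources", [])
        for src in sources:
            cm = src.get("configMap")
            if cm and not cm.get("optional", False):  # `optional` defaults to false
                yield (f"volume/{vol['name']}", cm["name"])
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        for ef in c.get("envFrom", []):
            ref = ef.get("configMapRef")
            if ref and not ref.get("optional", False):
                yield (f"envFrom/{c['name']}", ref["name"])
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("configMapKeyRef")
            if ref and not ref.get("optional", False):
                yield (f"env/{c['name']}/{env['name']}", ref["name"])

def blocking_refs(pod_spec, existing_configmaps):
    """Required ConfigMap references that are absent from the namespace."""
    return [(w, n) for w, n in required_configmap_refs(pod_spec)
            if n not in existing_configmaps]

def apiserver_spec(optional):
    """Constructed pod spec shaped like the failure in the report."""
    return {
        "containers": [{
            "name": "openshift-apiserver",
            "volumeMounts": [{"name": "managed-trust-bundle",
                              "mountPath": "/etc/pki/managed"}],  # path assumed
        }],
        "volumes": [{
            "name": "managed-trust-bundle",
            "configMap": {"name": "trusted-ca-bundle-managed", "optional": optional},
        }],
    }

# Bring-your-own-PKI namespace: the managed bundle ConfigMap was never created.
existing = {"user-ca-bundle"}  # constructed name

if __name__ == "__main__":
    print("required:", blocking_refs(apiserver_spec(False), existing))
    print("optional:", blocking_refs(apiserver_spec(True), existing))
```

Run against rendered manifests before rollout, an empty result means no pod is waiting on a ConfigMap that a custom-PKI cluster does not create.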