OpenShift Bugs: OCPBUGS-52657

The trusted-ca-bundle-managed ConfigMap requirement breaks those with their own PKI


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Critical
    • 4.17.z
    • 4.18.z
    • HyperShift
    • Quality / Stability / Reliability
    • False
    • None
    • Important
    • Yes
    • Done
    • Release Note Type: Bug Fix
    • Release Note Text:
      Previously, the `trusted-ca-bundle-managed` ConfigMap was mandatory. If you used a custom Public Key Infrastructure (PKI), the deployment failed because the OpenShift API server expected the `trusted-ca-bundle-managed` ConfigMap to exist. With this release, the ConfigMap is optional, so you can deploy clusters without the `trusted-ca-bundle-managed` ConfigMap when you use a custom PKI. (link:https://issues.redhat.com/browse/OCPBUGS-52657[*OCPBUGS-52657*])
      ------
      In OpenShift 4.17.19, the managed-trust-bundle VolumeMount and trusted-ca-bundle-managed ConfigMap were introduced as mandatory components. This requirement caused deployment failures for users utilizing their own Public Key Infrastructure (PKI), as the OpenShift API server expected the presence of the trusted-ca-bundle-managed ConfigMap. To address this issue, these components are now optional, allowing clusters to deploy successfully without the trusted-ca-bundle-managed ConfigMap when custom PKI is in use.
    • None
    • None
    • None
    • None

      This is a clone of issue OCPBUGS-52516. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-52323. The following is the description of the original issue:

      Description of problem:

         The new `managed-trust-bundle` VolumeMount / `trusted-ca-bundle-managed` ConfigMap has recently been required given this latest change here: https://github.com/openshift/hypershift/pull/5667. However, this should be optional since folks that bring their own PKI shouldn't need this.

      Version-Release number of selected component (if applicable):

          4.18.2

      How reproducible:

          Every time.

      Steps to Reproduce:

          1. Deploy a ROKS (HyperShift) version 4.18.2 cluster.
          

      Actual results:

          Cluster fails to deploy as the OpenShift API server fails to come up since it expects the `trusted-ca-bundle-managed` ConfigMap to exist.

      Expected results:

          Cluster should deploy successfully.

      Additional info:

          

              evan.reilly Evan Reilly
              openshift-crt-jira-prow OpenShift Prow Bot
              Evan Reilly Evan Reilly
              Votes: 0
              Watchers: 6
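The failure mode in the report is a pod that mounts a ConfigMap as a required volume when that ConfigMap was never created, so the kubelet never starts the container. The following Go program is an added example, not HyperShift's code: it parses a constructed, trimmed-down kube-apiserver pod spec (the `managed-trust-bundle` volume and `trusted-ca-bundle-managed` ConfigMap names come from the report; `kas-server-crt` and `user-ca-bundle` are made up for illustration), reports which required ConfigMap volumes are absent from the namespace, and shows the shape of the fix, flipping the volume to `optional: true` so a bring-your-own-PKI deployment can start without it. The structs mirror only the PodSpec fields needed for this check, using the real Kubernetes JSON field names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal mirror of the Kubernetes PodSpec fields needed to inspect
// ConfigMap-backed volumes. JSON tags match the real API so the output of
// `oc get pod -o json` parses into these types unchanged.
type ConfigMapVolumeSource struct {
	Name     string `json:"name"`
	Optional *bool  `json:"optional,omitempty"` // nil means required
}

type Volume struct {
	Name      string                 `json:"name"`
	ConfigMap *ConfigMapVolumeSource `json:"configMap,omitempty"`
}

type PodSpec struct {
	Volumes []Volume `json:"volumes"`
}

type Pod struct {
	Spec PodSpec `json:"spec"`
}

// kasPodJSON is a constructed pod spec in the shape of a hosted control plane
// kube-apiserver pod; it is an illustration, not taken from HyperShift.
// The managed-trust-bundle volume has no "optional" field, so it is required.
const kasPodJSON = `{
  "spec": {
    "volumes": [
      {"name": "server-crt", "configMap": {"name": "kas-server-crt"}},
      {"name": "managed-trust-bundle", "configMap": {"name": "trusted-ca-bundle-managed"}},
      {"name": "custom-pki", "configMap": {"name": "user-ca-bundle", "optional": true}}
    ]
  }
}`

// ParsePod decodes a pod JSON document into the minimal Pod type.
func ParsePod(data string) (Pod, error) {
	var pod Pod
	err := json.Unmarshal([]byte(data), &pod)
	return pod, err
}

// MissingRequiredConfigMaps returns the ConfigMaps the pod mounts as required
// (optional unset or false) that are not present in the namespace. A pod with a
// non-empty result stays in ContainerCreating, which is the symptom in the report.
func MissingRequiredConfigMaps(pod Pod, existing map[string]bool) []string {
	var missing []string
	for _, v := range pod.Spec.Volumes {
		if v.ConfigMap == nil {
			continue
		}
		required := v.ConfigMap.Optional == nil || !*v.ConfigMap.Optional
		if required && !existing[v.ConfigMap.Name] {
			missing = append(missing, v.ConfigMap.Name)
		}
	}
	return missing
}

// MarkOptional sets optional: true on the volume backed by the named ConfigMap,
// so the kubelet mounts an empty directory instead of blocking the pod when
// the ConfigMap is absent. It reports whether such a volume was found.
func MarkOptional(pod *Pod, configMapName string) bool {
	for i := range pod.Spec.Volumes {
		cm := pod.Spec.Volumes[i].ConfigMap
		if cm != nil && cm.Name == configMapName {
			t := true
			cm.Optional = &t
			return true
		}
	}
	return false
}

func main() {
	pod, err := ParsePod(kasPodJSON)
	if err != nil {
		panic(err)
	}
	// ConfigMaps present in the namespace for a custom-PKI deployment: the
	// user shipped their own bundle and the managed one was never created.
	present := map[string]bool{"kas-server-crt": true, "user-ca-bundle": true}
	fmt.Println("missing before fix:", MissingRequiredConfigMaps(pod, present))
	MarkOptional(&pod, "trusted-ca-bundle-managed")
	fmt.Println("missing after fix: ", MissingRequiredConfigMaps(pod, present))
}
```

Against a live hosted control plane the same check applies to the real objects: feed `oc get pod <kube-apiserver-pod> -n <hcp-namespace> -o json` to `ParsePod` and build the `present` map from `oc get configmap -n <hcp-namespace>`. Note that making the volume optional only lets the pod start; the API server still needs a usable CA bundle from the custom PKI at the path it reads.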