OpenShift Bugs / OCPBUGS-52857

The trusted-ca-bundle-managed ConfigMap requirement breaks those with their own PKI


    • Bug
    • Resolution: Unresolved
    • Critical
    • None
    • 4.18.z
    • HyperShift
    • Important
    • Yes
    • False
    • In OpenShift 4.16.37, the managed-trust-bundle VolumeMount and trusted-ca-bundle-managed ConfigMap were introduced as mandatory components. This requirement caused deployment failures for users utilizing their own Public Key Infrastructure (PKI), as the OpenShift API server expected the presence of the trusted-ca-bundle-managed ConfigMap. To address this issue, these components are now optional, allowing clusters to deploy successfully without the trusted-ca-bundle-managed ConfigMap when custom PKI is in use.
    • Bug Fix
    • In Progress

      This is a clone of issue OCPBUGS-52657. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-52516. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-52323. The following is the description of the original issue:

      Description of problem:

         The new `managed-trust-bundle` VolumeMount / `trusted-ca-bundle-managed` ConfigMap has recently been required given this latest change here: https://github.com/openshift/hypershift/pull/5667. However, this should be optional since folks that bring their own PKI shouldn't need this.

      Version-Release number of selected component (if applicable):

          4.18.2

      How reproducible:

          Every time.

      Steps to Reproduce:

          1. Deploy ROKS (HyperShift) version 4.18.2 cluster.
          

      Actual results:

          Cluster fails to deploy as the OpenShift API server fails to come up since it expects the `trusted-ca-bundle-managed` ConfigMap to exist.

      Expected results:

          Cluster should deploy successfully.

      Additional info:

          

              evan.reilly Evan Reilly
              openshift-crt-jira-prow OpenShift Prow Bot
              Evan Reilly Evan Reilly