OpenShift Bugs: OCPBUGS-54744

Work around excess CA certs in additionalTrustBundle

* Before this update, for clusters that were installed with the Agent-based Installer for versions 4.15.0 to 4.15.26, root certificates that were built in from CoreOS were added to the user-ca-bundle, even though they were not explicitly specified by the user. In previous releases, when you added a node to one of these clusters using the `oc adm node-image create` command, the `additionalTrustBundle` value obtained from the cluster's user-ca-bundle was too large to process, resulting in a failure to add the node. With this release, the built-in certificates are filtered out when generating the `additionalTrustBundle` value, so that only explicitly user-configured certificates are included, and nodes can be added successfully. (link:https://issues.redhat.com/browse/OCPBUGS-54744[OCPBUGS-54744])

      This is a clone of issue OCPBUGS-43990. The following is the description of the original issue:

      Some clusters that were created with the agent-based installer and born in 4.15 contain all of the built-in CAs from CoreOS in the user-ca-bundle because of OCPBUGS-34721.

      This causes adding a node on day 2 to fail because the InfraEnv manifest created is huge, and gets rejected by assisted-service with a 422 error.

      We know the list of CAs that were present in 4.15, so we should work around this problem by ignoring those ones whenever they appear in the user-ca-bundle instead of adding them to the additionalTrustBundle in the InfraEnv.
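The workaround the description proposes, filtering a known set of built-in CAs out of a PEM bundle before it is placed in the InfraEnv, is shown below as an added example. It is not code from this issue or from the OpenShift installer; it assumes the known built-in certificates are identified by the SHA-256 fingerprint of their DER encoding (a skip list keyed by fingerprint is an assumption here, not the project's mechanism), and the certificates it generates are constructed throwaway test CAs, not the real CoreOS roots.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint returns the hex SHA-256 digest of a certificate's DER bytes,
// identifying a specific certificate regardless of its subject name.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// FilterBundle walks a PEM bundle and re-emits only CERTIFICATE blocks whose
// fingerprint is not in skip. It returns the filtered bundle and the number of
// blocks left out (skipped certificates plus any non-certificate blocks).
func FilterBundle(bundle []byte, skip map[string]bool) ([]byte, int) {
	var out bytes.Buffer
	dropped := 0
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no more PEM blocks
		}
		if block.Type != "CERTIFICATE" || skip[Fingerprint(block.Bytes)] {
			dropped++
			continue
		}
		_ = pem.Encode(&out, block)
	}
	return out.Bytes(), dropped
}

// selfSignedCA generates a throwaway CA certificate for the demo. These are
// constructed test certificates, not the CoreOS built-in CAs the issue refers to.
func selfSignedCA(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return der
}

// Demo builds a bundle of two "built-in" CAs followed by one user-supplied CA,
// records the built-in fingerprints as the skip list, filters, and returns the
// common names that survive plus the count of dropped blocks.
func Demo() ([]string, int) {
	builtin := [][]byte{selfSignedCA("constructed-builtin-ca-1"), selfSignedCA("constructed-builtin-ca-2")}
	userCA := selfSignedCA("constructed-user-ca")
	skip := map[string]bool{}
	var bundle bytes.Buffer
	for _, der := range builtin {
		skip[Fingerprint(der)] = true
		_ = pem.Encode(&bundle, &pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	_ = pem.Encode(&bundle, &pem.Block{Type: "CERTIFICATE", Bytes: userCA})

	filtered, dropped := FilterBundle(bundle.Bytes(), skip)
	var kept []string
	rest := filtered
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			panic(err)
		}
		kept = append(kept, cert.Subject.CommonName)
	}
	return kept, dropped
}

func main() {
	kept, dropped := Demo()
	fmt.Printf("kept %v, dropped %d block(s)\n", kept, dropped)
}
```

Matching on the DER fingerprint rather than on the subject name means a user-configured certificate that happens to share a common name with a built-in root is still kept; only byte-identical copies of the known built-in certificates are removed, which is what the issue asks for.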

People: Zane Bitter (zabitter), OpenShift Prow Bot (openshift-crt-jira-prow), zhenying niu