Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: None
Affects Version/s: 4.19
Component/s: HyperShift
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:

4.14.z, 4.15.z, 4.17.z, 4.16.z, 4.18.z
Target Version:

4.19.0
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* Previously, when you set a secure proxy for a `HostedCluster` resource that served a certificate signed by a custom CA, that CA was not included in the initial ignition configuration for the node. As a result, the node did not boot due to failed ignition. This release fixes the issue by including the trusted CA for the proxy in the initial ignition configuration, which results in a successful node boot and ignition. (link:https://issues.redhat.com/browse/OCPBUGS-56896[~~OCPBUGS-56896~~])

Show
* Previously, when you set a secure proxy for a `HostedCluster` resource that served a certificate signed by a custom CA, that CA was not included in the initial ignition configuration for the node. As a result, the node did not boot due to failed ignition. This release fixes the issue by including the trusted CA for the proxy in the initial ignition configuration, which results in a successful node boot and ignition. (link: https://issues.redhat.com/browse/OCPBUGS-56896 [ OCPBUGS-56896 ])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description

When setting a secure proxy for a HostedCluster that is serving a certificate signed by a custom CA, you need to set the proxy's spec.trustedCA . However, that CA cert won't be included in the node's initial ignition config and it'll fail to do proper ignition.

Steps to Reproduce:

    1. Create a proxy serving http and https. For the https, use a certificate that's signed by a custom CA. 
    2. Create a {{HostedCluster}} and set the `spec.configuration.proxy` and make sure to set the `trusterCA` field in the `proxy`.

Actual results:

Nodes won't reach ignition.

Expected results:

Nodes reach ignition successfully.

Additional info:

blocks

OCPBUGS-56912 ignition config doesn't include the proxy trusted CA for hosted cluter's proxy

is cloned by

OCPBUGS-56912 ignition config doesn't include the proxy trusted CA for hosted cluter's proxy

is related to

OCPBUGS-57060 https proxy prevents nodes from starting

OCPBUGS-44439 When creating a cluster with KubeVirt virtual machines as nodes on a bare metal cluster using Hosted Control Plane in an environment that requires a proxy certificate, the NodePool fails to be created.