Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-57208

AdditionalTrustBundlePolicy still cannot be set in ABI

XMLWordPrintable

    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • Moderate
    • None
    • None
    • Agent Sprint 272
    • 1
    • Done
    • Bug Fix
    • Hide
      When the additionalTrustBundlePolicy is set to Always in install-config.yaml, it is not taking affect in the installed cluster. In addition, when this field is set to Always, other fields that are overridden in install-config.yaml such as FIPs enabled, also do not take affect in the installed cluster. The cause was an incomplete definition of install-config.yaml in assisted-service. With this fix, additionalTrustBundlePolicy, along with other fields such as FIPs, can now be correctly set in the cluster
      Show
      When the additionalTrustBundlePolicy is set to Always in install-config.yaml, it is not taking affect in the installed cluster. In addition, when this field is set to Always, other fields that are overridden in install-config.yaml such as FIPs enabled, also do not take affect in the installed cluster. The cause was an incomplete definition of install-config.yaml in assisted-service. With this fix, additionalTrustBundlePolicy, along with other fields such as FIPs, can now be correctly set in the cluster
    • None
    • None
    • None
    • None

      This is a clone of issue OCPBUGS-56596. The following is the description of the original issue:

      When using the agent-based installer, setting the additionalTrustBundlePolicy field is not taking effect. The reason for this is that assisted-service does not import the InstallConfig struct from the installer, but instead has its own independent copy in which this field is missing. Therefore the install-config-overrides cannot be applied.

      This should be validated at the time the install-config-overrides are applied (and the code appears to do so), but for unknown reasons the overrides are being silently ignored.

      A side-effect of this is that any other install-config-overrides are also silently ignored when the additionalTrustBundlePolicy is set to a non-default value. This can be observed e.g. by setting fips: true at the same time - the resulting cluster will not have FIPS enabled.

      We need to both fix the validation (since users could manually edit the install-config-overrides annotation to add invalid fields) and populate additionalTrustBundlePolicy in assisted-service's copy of the InstallConfig type.

              bfournie@redhat.com Robert Fournier
              openshift-crt-jira-prow OpenShift Prow Bot
              None
              None
              zhenying niu zhenying niu
              None
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: