Uploaded image for project: 'OpenShift Windows Containers'
  1. OpenShift Windows Containers
  2. WINC-688

Clear proxy certs from Windows nodes during deconfiguration

    XMLWordPrintable

Details

    • Story
    • Resolution: Done-Errata
    • Normal
    • WMCO 9.0.0
    • None
    • None
    • 5
    • False
    • False
    • OCPSTRAT-292 - Support cluster-wide proxy on Windows Containers
    • WINC - Sprint 242, WINC - Sprint 243

    Description

      Description

      This story covers undoing changes the operator made to Windows nodes’ local CA trust stores. Any certs imported as part of proxy configuration should be deleted during node deconfiguration. This includes during node upgrades and when a BYOH node is removed from the windows-instances ConfigMap. Only the certs present in the trusted CA ConfigMap should be removed.

      Acceptance Criteria

      • Delete all user-provided certs, and only these, from the Windows instance’s local trust store when a node is deconfigured

       

      QE testing:

      • Case 1: removing a customer user certificate from the `openshift-config/user-ca-bundle` configmap should result in that certificate being removed from all Windows node's local trust stores
      • Case 2: removing a BYOH node from the cluster should result in all certificates from the `openshift-windows-machine-config-operator/trusted-ca` configmap being removed from the instance's local trust store
      • Case 3: removing the cluster-wide proxy entirely (including trustedCA and env vars) all certificates from the `openshift-windows-machine-config-operator/trusted-ca` configmap being removed from all Windows node's local trust stores

      Attachments

        Issue Links

          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-19716 Enable proxy cert test run in CI

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. WINC-1090 Import custom CA certificates into Windows node system store

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is related to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. WINC-687 Update node certs on the Windows nodes when they are rotated

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          links to

          GitHub openshift/windows-machine-config-operator#1834: WINC-688: Support removing proxy certs from Windows nodes

          GitHub openshift/windows-machine-config-operator#1903: [release-4.14] WINC-688: Support removing proxy certs from Windows nodes

          Web Link RHBA-2023:120235 Red Hat OpenShift support for Windows Containers 10.15.0 product release

          Web Link RHSA-2023:110725 Red Hat OpenShift support for Windows Containers 9.0.0 security update

          mentioned on

          GitLab Merge request - Updated US source to: bf4999e Merge pull request #1834 from saifshaikh48/clear-proxy-certs

          GitLab Merge request - Updated US source to: e18f4e4 Merge pull request #1903 from openshift-cherrypick-robot/cherry-pick-1834-to-release-4.14

          Activity

            People

              mohashai Mohammad Shaikh
              mohashai Mohammad Shaikh
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: